npm - @arinova-ai/spaces-sdk - Versions diffs - 0.1.1 → 0.1.3 - Mend

@arinova-ai/spaces-sdk 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -1,109 +1,91 @@
-# @arinova-ai/spaces-sdk
+# @arinova/spaces-sdk
-Official SDK for integrating external games with the Arinova platform.
+OAuth PKCE SDK for Arinova Spaces — authenticate users without exposing secrets.
-## Install
+## Installation
 ```bash
-npm install @arinova-ai/spaces-sdk
+npm install @arinova/spaces-sdk
 ```
 ## Quick Start
-### 1. Initialize
+```js
+import { Arinova } from "@arinova/spaces-sdk";
-```typescript
-import { Arinova } from "@arinova-ai/spaces-sdk";
+const arinova = new Arinova({ appId: "your-client-id" });
-Arinova.init({
-  appId: "your-client-id",
-  baseUrl: "https://api.arinova.ai", // optional, defaults to production
-});
+// Trigger login (opens popup)
+const token = await arinova.login();
+console.log(token.user.name);       // "Alice"
+console.log(token.access_token);    // Bearer token for API calls
 ```
-### 2a. Connect (Recommended)
+## Setup
-The easiest way to authenticate. Works automatically in both contexts:
+1. Register your app: `arinova-cli app create --name "My App" --redirect-uri "https://myapp.com"`
+2. Copy the `Client ID` from the output
+3. No `client_secret` needed — all apps use PKCE
-- **Embedded in Arinova Chat iframe**: receives auth via `postMessage` from the parent window (no redirect needed).
-- **Standalone (outside iframe)**: falls back to the OAuth login flow.
+## API
-```typescript
-const { user, accessToken, agents } = await Arinova.connect({ timeout: 5000 });
-// user: { id, name, email, image }
-// accessToken: session token for API calls
-// agents: user's connected agents (may be empty)
-```
+### `new Arinova(config)`
-### 2b. Login (Manual OAuth Flow)
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `appId` | `string` | *required* | Your OAuth app client_id |
+| `endpoint` | `string` | `https://chat.arinova.ai` | Arinova server URL |
+| `redirectUri` | `string` | `{origin}/callback` | OAuth callback URL |
+| `scope` | `string` | `"profile"` | OAuth scope |
-```typescript
-// Redirect to Arinova login
-Arinova.login({ scope: ["profile", "agents"] });
+### `arinova.login(): Promise<TokenResponse>`
-// Handle callback (on your redirect page)
-const { user, accessToken } = await Arinova.handleCallback({
-  code: urlParams.get("code"),
-  clientId: "your-client-id",
-  clientSecret: "your-client-secret",
-  redirectUri: window.location.origin + "/callback",
-});
+Opens a popup for user authorization (PKCE flow). Returns:
+```ts
+{
+  access_token: string;
+  token_type: "Bearer";
+  expires_in: 604800;  // 7 days
+  scope: "profile";
+  user: { id, name, email, image };
+}
 ```
-### 3. Use Agent API
+### `arinova.handleCallback(): Promise<TokenResponse>`
-```typescript
-// Get user's agents
-const agents = await Arinova.user.agents(accessToken);
+Call on your redirect_uri page to complete the flow (for redirect mode instead of popup).
-// Chat with agent (sync)
-const { response } = await Arinova.agent.chat({
-  agentId: agents[0].id,
-  prompt: "Your board state...",
-  accessToken,
-});
+## PKCE Flow
-// Chat with agent (streaming)
-const result = await Arinova.agent.chatStream({
-  agentId: agents[0].id,
-  prompt: "Your move?",
-  accessToken,
-  onChunk: (chunk) => console.log("Streaming:", chunk),
-});
-```
+1. SDK generates `code_verifier` (random) and `code_challenge = BASE64URL(SHA256(code_verifier))`
+2. User is redirected to Arinova with `code_challenge`
+3. After authorization, Arinova redirects back with `code`
+4. SDK exchanges `code` + `code_verifier` for `access_token` (no secret needed)
+## redirect_uri Rules
+- Origin match: scheme + host + port must match your registered URI
+- Path can differ (SDK uses `window.location.origin + /callback` by default)
+- Must use HTTPS in production
+- `http://localhost` is allowed for development
+## Example: Redirect Mode
-### 4. Economy (Server-to-Server)
+If popups are blocked, use redirect mode:
-```typescript
-// Charge coins
-const { newBalance } = await Arinova.economy.charge({
-  userId: "user-id",
-  amount: 10,
-  description: "Game entry fee",
-  clientId: "your-client-id",
-  clientSecret: "your-client-secret",
+```js
+// On login page:
+const arinova = new Arinova({
+  appId: "your-client-id",
+  redirectUri: "https://myapp.com/auth/callback",
 });
+arinova.login(); // Will redirect if popup is blocked
-// Award coins
-const { newBalance, platformFee } = await Arinova.economy.award({
-  userId: "user-id",
-  amount: 20,
-  description: "Game prize",
-  clientId: "your-client-id",
-  clientSecret: "your-client-secret",
+// On callback page (/auth/callback):
+const arinova = new Arinova({
+  appId: "your-client-id",
+  redirectUri: "https://myapp.com/auth/callback",
 });
+const token = await arinova.handleCallback();
 ```
-## API Reference
-### `Arinova.init(config)`
-### `Arinova.connect(options?)`
-### `Arinova.login(options?)`
-### `Arinova.handleCallback(params)`
-### `Arinova.user.profile(accessToken)`
-### `Arinova.user.agents(accessToken)`
-### `Arinova.agent.chat(options)`
-### `Arinova.agent.chatStream(options)`
-### `Arinova.economy.charge(options)`
-### `Arinova.economy.award(options)`
-### `Arinova.economy.balance(accessToken)`

package/dist/index.d.ts CHANGED Viewed

@@ -1,80 +1,85 @@
-import type { ArinovaConfig, LoginOptions, LoginResult, ConnectOptions, ConnectResult, ArinovaUser, AgentInfo, AgentChatOptions, AgentChatResponse, AgentChatStreamOptions, AgentChatStreamResponse, ChargeOptions, ChargeResponse, AwardOptions, AwardResponse, BalanceResponse } from "./types.js";
-export type * from "./types.js";
-export declare const Arinova: {
-    /**
-     * Initialize the SDK with your app configuration.
-     */
-    init(config: ArinovaConfig & {
-        clientId?: string;
-        clientSecret?: string;
-    }): void;
+/**
+ * Arinova Spaces SDK
+ *
+ * Public client OAuth with PKCE — no client_secret needed.
+ *
+ * Usage:
+ *   const arinova = new Arinova({ appId: "my-app-abc123" });
+ *   const token = await arinova.login();
+ *   // token.access_token is ready to use
+ */
+export interface ArinovaConfig {
+    /** Your OAuth app's client_id (from Developer Console) */
+    appId: string;
+    /** Arinova server URL (default: https://chat.arinova.ai) */
+    endpoint?: string;
+    /** OAuth redirect URI (default: current page origin + /callback) */
+    redirectUri?: string;
+    /** OAuth scope (default: "profile") */
+    scope?: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+    user: {
+        id: string;
+        name: string;
+        email: string;
+        image: string | null;
+    };
+}
+export interface BalanceResponse {
+    balance: number;
+}
+export interface PurchaseResponse {
+    transactionId: string;
+    newBalance: number;
+}
+export interface TransactionRecord {
+    id: string;
+    type: string;
+    amount: number;
+    description: string | null;
+    createdAt: string;
+}
+export interface TransactionsResponse {
+    transactions: TransactionRecord[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+export declare class Arinova {
+    private appId;
+    private endpoint;
+    private redirectUri;
+    private scope;
+    /** The access token from the most recent login/handleCallback. */
+    accessToken: string | null;
+    constructor(config: ArinovaConfig);
     /**
-     * Connect to Arinova — works seamlessly in both iframe and standalone contexts.
-     *
-     * - **Inside an iframe** (embedded in Arinova Chat): receives auth via postMessage from the parent window.
-     * - **Outside an iframe** (standalone): falls back to the OAuth login() flow.
-     *
-     * @param options.timeout - How long to wait for postMessage in iframe mode (default: 5000ms)
-     * @returns Promise resolving with user, accessToken, and agents
+     * Start the OAuth PKCE login flow.
+     * Opens a popup window for authorization.
+     * Returns the token response on success.
      */
-    connect(options?: ConnectOptions): Promise<ConnectResult>;
+    login(): Promise<TokenResponse>;
     /**
-     * Redirect to Arinova OAuth login page.
-     * Call this from your game's frontend.
+     * Handle the OAuth callback (call this on your redirect_uri page).
+     * Reads code and state from URL, exchanges for token.
      */
-    login(options?: LoginOptions): void;
+    handleCallback(): Promise<TokenResponse>;
+    private getToken;
+    private apiFetch;
+    /** Get the current user's coin balance. */
+    balance(): Promise<BalanceResponse>;
     /**
-     * Handle the OAuth callback. Call this on your redirect page.
-     * Exchanges the authorization code for an access token.
+     * Purchase / charge coins from the user's balance.
+     * Requires the "economy" scope.
      */
-    handleCallback(params: {
-        code: string;
-        clientId: string;
-        clientSecret: string;
-        redirectUri: string;
-    }): Promise<LoginResult>;
-    user: {
-        /**
-         * Get the authenticated user's profile.
-         */
-        profile(accessToken: string): Promise<ArinovaUser>;
-        /**
-         * Get the authenticated user's agents.
-         * Requires "agents" scope.
-         */
-        agents(accessToken: string): Promise<AgentInfo[]>;
-    };
-    agent: {
-        /**
-         * Send a prompt to a user's agent and get a complete response.
-         */
-        chat(options: AgentChatOptions): Promise<AgentChatResponse>;
-        /**
-         * Send a prompt to a user's agent and receive a streaming response via SSE.
-         */
-        chatStream(options: AgentChatStreamOptions): Promise<AgentChatStreamResponse>;
-    };
-    economy: {
-        /**
-         * Charge coins from a user's balance (server-to-server).
-         * Requires clientId and clientSecret.
-         */
-        charge(options: ChargeOptions & {
-            clientId: string;
-            clientSecret: string;
-        }): Promise<ChargeResponse>;
-        /**
-         * Award coins to a user (server-to-server).
-         * Requires clientId and clientSecret.
-         */
-        award(options: AwardOptions & {
-            clientId: string;
-            clientSecret: string;
-        }): Promise<AwardResponse>;
-        /**
-         * Get a user's coin balance (uses OAuth access token).
-         */
-        balance(accessToken: string): Promise<BalanceResponse>;
-    };
-};
-//# sourceMappingURL=index.d.ts.map
+    purchase(productId: string, amount: number, description?: string): Promise<PurchaseResponse>;
+    /** Get the user's transaction history. */
+    transactions(limit?: number, offset?: number): Promise<TransactionsResponse>;
+    private exchangeCode;
+}
+export default Arinova;

package/dist/index.js CHANGED Viewed

@@ -1,284 +1,209 @@
-let _config = null;
-let _oauthClientInfo = null;
-function getBaseUrl() {
-    if (!_config)
-        throw new Error("Arinova SDK not initialized. Call Arinova.init() first.");
-    return _config.baseUrl || "https://api.arinova.ai";
-}
-function getConfig() {
-    if (!_config)
-        throw new Error("Arinova SDK not initialized. Call Arinova.init() first.");
-    return _config;
-}
-export const Arinova = {
-    /**
-     * Initialize the SDK with your app configuration.
-     */
-    init(config) {
-        _config = config;
-        if (config.clientId && config.clientSecret) {
-            _oauthClientInfo = { clientId: config.clientId, clientSecret: config.clientSecret };
-        }
-    },
+/**
+ * Arinova Spaces SDK
+ *
+ * Public client OAuth with PKCE — no client_secret needed.
+ *
+ * Usage:
+ *   const arinova = new Arinova({ appId: "my-app-abc123" });
+ *   const token = await arinova.login();
+ *   // token.access_token is ready to use
+ */
+export class Arinova {
+    constructor(config) {
+        /** The access token from the most recent login/handleCallback. */
+        this.accessToken = null;
+        this.appId = config.appId;
+        this.endpoint = (config.endpoint ?? "https://chat.arinova.ai").replace(/\/+$/, "");
+        this.redirectUri =
+            config.redirectUri ?? `${window.location.origin}/callback`;
+        this.scope = config.scope ?? "profile";
+    }
     /**
-     * Connect to Arinova — works seamlessly in both iframe and standalone contexts.
-     *
-     * - **Inside an iframe** (embedded in Arinova Chat): receives auth via postMessage from the parent window.
-     * - **Outside an iframe** (standalone): falls back to the OAuth login() flow.
-     *
-     * @param options.timeout - How long to wait for postMessage in iframe mode (default: 5000ms)
-     * @returns Promise resolving with user, accessToken, and agents
+     * Start the OAuth PKCE login flow.
+     * Opens a popup window for authorization.
+     * Returns the token response on success.
      */
-    async connect(options) {
-        const timeout = options?.timeout ?? 5000;
-        const inIframe = typeof window !== "undefined" && window.self !== window.top;
-        if (!inIframe) {
-            // Not in iframe — fall back to OAuth login flow
-            this.login();
-            // login() redirects, so this promise never resolves in practice
-            return new Promise(() => { });
-        }
-        // In iframe — listen for postMessage auth from parent
+    async login() {
+        const { verifier, challenge } = await generatePKCE();
+        const state = generateRandom(32);
+        // Store state + verifier for callback validation
+        sessionStorage.setItem("arinova_pkce_verifier", verifier);
+        sessionStorage.setItem("arinova_pkce_state", state);
+        const params = new URLSearchParams({
+            client_id: this.appId,
+            redirect_uri: this.redirectUri,
+            scope: this.scope,
+            state,
+            code_challenge: challenge,
+            code_challenge_method: "S256",
+            response_type: "code",
+        });
+        const authUrl = `${this.endpoint}/oauth/authorize?${params}`;
         return new Promise((resolve, reject) => {
-            let settled = false;
-            const timer = setTimeout(() => {
-                if (!settled) {
-                    settled = true;
-                    window.removeEventListener("message", handler);
-                    reject(new Error("Arinova connect timeout: no auth message received from parent window within " + timeout + "ms"));
-                }
-            }, timeout);
-            function handler(event) {
-                if (event.data?.type !== "arinova:auth")
-                    return;
-                if (settled)
-                    return;
-                settled = true;
-                clearTimeout(timer);
-                window.removeEventListener("message", handler);
-                const { user, accessToken, agents } = event.data.payload;
-                resolve({ user, accessToken, agents: agents ?? [] });
+            const popup = window.open(authUrl, "arinova_auth", "width=500,height=600");
+            if (!popup) {
+                // Fallback: redirect instead of popup
+                window.location.href = authUrl;
+                reject(new Error("Popup blocked — redirecting instead"));
+                return;
             }
-            window.addEventListener("message", handler);
+            const interval = setInterval(() => {
+                try {
+                    if (popup.closed) {
+                        clearInterval(interval);
+                        reject(new Error("Login cancelled"));
+                    }
+                    const popupUrl = popup.location.href;
+                    if (popupUrl.startsWith(this.redirectUri)) {
+                        clearInterval(interval);
+                        popup.close();
+                        const url = new URL(popupUrl);
+                        const code = url.searchParams.get("code");
+                        const returnedState = url.searchParams.get("state");
+                        if (returnedState !== state) {
+                            reject(new Error("State mismatch — possible CSRF attack"));
+                            return;
+                        }
+                        if (!code) {
+                            reject(new Error(url.searchParams.get("error_description") ?? "No code received"));
+                            return;
+                        }
+                        this.exchangeCode(code, verifier).then((token) => {
+                            this.accessToken = token.access_token;
+                            resolve(token);
+                        }).catch(reject);
+                    }
+                }
+                catch {
+                    // Cross-origin — popup is on a different domain, ignore
+                }
+            }, 200);
+            // Timeout after 5 minutes
+            setTimeout(() => {
+                clearInterval(interval);
+                try {
+                    popup.close();
+                }
+                catch { /* ignore */ }
+                reject(new Error("Login timed out"));
+            }, 300000);
         });
-    },
+    }
     /**
-     * Redirect to Arinova OAuth login page.
-     * Call this from your game's frontend.
+     * Handle the OAuth callback (call this on your redirect_uri page).
+     * Reads code and state from URL, exchanges for token.
      */
-    login(options) {
-        const config = getConfig();
-        const baseUrl = getBaseUrl();
-        const scope = options?.scope?.join(" ") || "profile";
-        // Store current URL for callback
-        const currentUrl = typeof window !== "undefined" ? window.location.href : "";
-        const params = new URLSearchParams({
-            client_id: config.appId,
-            redirect_uri: currentUrl,
-            scope,
-            state: crypto.randomUUID(),
+    async handleCallback() {
+        const url = new URL(window.location.href);
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const verifier = sessionStorage.getItem("arinova_pkce_verifier");
+        const expectedState = sessionStorage.getItem("arinova_pkce_state");
+        sessionStorage.removeItem("arinova_pkce_verifier");
+        sessionStorage.removeItem("arinova_pkce_state");
+        if (!code) {
+            throw new Error(url.searchParams.get("error_description") ?? "No authorization code");
+        }
+        if (state !== expectedState) {
+            throw new Error("State mismatch");
+        }
+        if (!verifier) {
+            throw new Error("No PKCE verifier found — did you start login()?");
+        }
+        const token = await this.exchangeCode(code, verifier);
+        this.accessToken = token.access_token;
+        return token;
+    }
+    // ── Economy Methods ───────────────────────────────────────────
+    getToken() {
+        if (!this.accessToken) {
+            throw new Error("Not logged in — call login() or handleCallback() first");
+        }
+        return this.accessToken;
+    }
+    async apiFetch(path, init) {
+        const token = this.getToken();
+        const res = await fetch(`${this.endpoint}${path}`, {
+            ...init,
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${token}`,
+                ...init?.headers,
+            },
         });
-        window.location.href = `${baseUrl}/oauth/authorize?${params}`;
-    },
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            throw new Error(body.error_description ??
+                body.error ??
+                `API error (${res.status})`);
+        }
+        return res.json();
+    }
+    /** Get the current user's coin balance. */
+    async balance() {
+        return this.apiFetch("/api/v1/economy/balance");
+    }
     /**
-     * Handle the OAuth callback. Call this on your redirect page.
-     * Exchanges the authorization code for an access token.
+     * Purchase / charge coins from the user's balance.
+     * Requires the "economy" scope.
      */
-    async handleCallback(params) {
-        const baseUrl = getBaseUrl();
-        const res = await fetch(`${baseUrl}/oauth/token`, {
+    async purchase(productId, amount, description) {
+        return this.apiFetch("/api/v1/economy/purchase", {
+            method: "POST",
+            body: JSON.stringify({ productId, amount, description }),
+        });
+    }
+    /** Get the user's transaction history. */
+    async transactions(limit, offset) {
+        const params = new URLSearchParams();
+        if (limit != null)
+            params.set("limit", String(limit));
+        if (offset != null)
+            params.set("offset", String(offset));
+        const qs = params.toString();
+        return this.apiFetch(`/api/v1/economy/transactions${qs ? `?${qs}` : ""}`);
+    }
+    async exchangeCode(code, codeVerifier) {
+        const res = await fetch(`${this.endpoint}/oauth/token`, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({
                 grant_type: "authorization_code",
-                code: params.code,
-                client_id: params.clientId,
-                client_secret: params.clientSecret,
-                redirect_uri: params.redirectUri,
+                client_id: this.appId,
+                code,
+                redirect_uri: this.redirectUri,
+                code_verifier: codeVerifier,
             }),
         });
         if (!res.ok) {
-            const error = await res.json().catch(() => ({ error: "token_exchange_failed" }));
-            throw new Error(error.error || "Token exchange failed");
+            const body = await res.json().catch(() => ({}));
+            throw new Error(body.error_description ??
+                body.error ??
+                `Token exchange failed (${res.status})`);
         }
-        const data = await res.json();
-        return {
-            user: data.user,
-            accessToken: data.access_token,
-        };
-    },
-    user: {
-        /**
-         * Get the authenticated user's profile.
-         */
-        async profile(accessToken) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/user/profile`, {
-                headers: { Authorization: `Bearer ${accessToken}` },
-            });
-            if (!res.ok)
-                throw new Error("Failed to get user profile");
-            return res.json();
-        },
-        /**
-         * Get the authenticated user's agents.
-         * Requires "agents" scope.
-         */
-        async agents(accessToken) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/user/agents`, {
-                headers: { Authorization: `Bearer ${accessToken}` },
-            });
-            if (!res.ok)
-                throw new Error("Failed to get user agents");
-            const data = await res.json();
-            return data.agents;
-        },
-    },
-    agent: {
-        /**
-         * Send a prompt to a user's agent and get a complete response.
-         */
-        async chat(options) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/agent/chat`, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    Authorization: `Bearer ${options.accessToken}`,
-                },
-                body: JSON.stringify({
-                    agentId: options.agentId,
-                    prompt: options.prompt,
-                    systemPrompt: options.systemPrompt,
-                }),
-            });
-            if (!res.ok) {
-                const error = await res.json().catch(() => ({ error: "agent_chat_failed" }));
-                throw new Error(error.error || "Agent chat failed");
-            }
-            return res.json();
-        },
-        /**
-         * Send a prompt to a user's agent and receive a streaming response via SSE.
-         */
-        async chatStream(options) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/agent/chat/stream`, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    Authorization: `Bearer ${options.accessToken}`,
-                },
-                body: JSON.stringify({
-                    agentId: options.agentId,
-                    prompt: options.prompt,
-                    systemPrompt: options.systemPrompt,
-                }),
-            });
-            if (!res.ok) {
-                const error = await res.json().catch(() => ({ error: "agent_stream_failed" }));
-                throw new Error(error.error || "Agent stream failed");
-            }
-            const reader = res.body.getReader();
-            const decoder = new TextDecoder();
-            let fullContent = "";
-            let buffer = "";
-            while (true) {
-                const { done, value } = await reader.read();
-                if (done)
-                    break;
-                buffer += decoder.decode(value, { stream: true });
-                const lines = buffer.split("\n");
-                buffer = lines.pop() || "";
-                for (const line of lines) {
-                    if (!line.startsWith("data: "))
-                        continue;
-                    try {
-                        const event = JSON.parse(line.slice(6));
-                        if (event.type === "chunk") {
-                            options.onChunk(event.content);
-                            fullContent = event.content;
-                        }
-                        else if (event.type === "done") {
-                            fullContent = event.content;
-                        }
-                        else if (event.type === "error") {
-                            throw new Error(event.error);
-                        }
-                    }
-                    catch (e) {
-                        if (e instanceof Error && e.message !== "Unexpected end of JSON input")
-                            throw e;
-                    }
-                }
-            }
-            return { content: fullContent, agentId: options.agentId };
-        },
-    },
-    economy: {
-        /**
-         * Charge coins from a user's balance (server-to-server).
-         * Requires clientId and clientSecret.
-         */
-        async charge(options) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/economy/charge`, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    "X-Client-Id": options.clientId,
-                    "X-App-Secret": options.clientSecret,
-                },
-                body: JSON.stringify({
-                    userId: options.userId,
-                    amount: options.amount,
-                    description: options.description,
-                }),
-            });
-            if (!res.ok) {
-                const error = await res.json().catch(() => ({ error: "charge_failed" }));
-                throw new Error(error.error || "Charge failed");
-            }
-            return res.json();
-        },
-        /**
-         * Award coins to a user (server-to-server).
-         * Requires clientId and clientSecret.
-         */
-        async award(options) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/economy/award`, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    "X-Client-Id": options.clientId,
-                    "X-App-Secret": options.clientSecret,
-                },
-                body: JSON.stringify({
-                    userId: options.userId,
-                    amount: options.amount,
-                    description: options.description,
-                }),
-            });
-            if (!res.ok) {
-                const error = await res.json().catch(() => ({ error: "award_failed" }));
-                throw new Error(error.error || "Award failed");
-            }
-            return res.json();
-        },
-        /**
-         * Get a user's coin balance (uses OAuth access token).
-         */
-        async balance(accessToken) {
-            const baseUrl = getBaseUrl();
-            const res = await fetch(`${baseUrl}/api/v1/economy/balance`, {
-                headers: { Authorization: `Bearer ${accessToken}` },
-            });
-            if (!res.ok)
-                throw new Error("Failed to get balance");
-            return res.json();
-        },
-    },
-};
-//# sourceMappingURL=index.js.map
+        return res.json();
+    }
+}
+// ── PKCE Helpers ──────────────────────────────────────────────
+function generateRandom(length) {
+    const array = new Uint8Array(length);
+    crypto.getRandomValues(array);
+    return Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function generatePKCE() {
+    const verifier = generateRandom(32); // 64 hex chars
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    const challenge = base64UrlEncode(new Uint8Array(hash));
+    return { verifier, challenge };
+}
+function base64UrlEncode(buffer) {
+    let binary = "";
+    for (const byte of buffer) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// Default export for convenience
+export default Arinova;

package/dist/types.d.ts CHANGED Viewed

@@ -68,6 +68,28 @@ export interface AwardResponse {
 export interface BalanceResponse {
     balance: number;
 }
+export interface PurchaseOptions {
+    productId: string;
+    amount: number;
+    description?: string;
+}
+export interface PurchaseResponse {
+    transactionId: string;
+    newBalance: number;
+}
+export interface TransactionRecord {
+    id: string;
+    type: string;
+    amount: number;
+    description: string | null;
+    createdAt: string;
+}
+export interface TransactionsResponse {
+    transactions: TransactionRecord[];
+    total: number;
+    limit: number;
+    offset: number;
+}
 export interface SSEChunkEvent {
     type: "chunk";
     content: string;
@@ -81,4 +103,3 @@ export interface SSEErrorEvent {
     error: string;
 }
 export type SSEEvent = SSEChunkEvent | SSEDoneEvent | SSEErrorEvent;
-//# sourceMappingURL=types.d.ts.map

package/dist/types.js CHANGED Viewed

	@@ -1,2 +1 @@
1 1	export {};
2	- //# sourceMappingURL=types.js.map

package/package.json CHANGED Viewed

@@ -1,20 +1,15 @@
 {
   "name": "@arinova-ai/spaces-sdk",
-  "version": "0.1.1",
+  "version": "0.1.3",
+  "description": "Arinova Spaces SDK — OAuth PKCE login for third-party apps",
   "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    }
-  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": ["dist"],
   "scripts": {
-    "build": "tsc",
-    "dev": "tsc --watch"
+    "build": "tsc"
   },
   "devDependencies": {
-    "typescript": "^5.6.0"
+    "typescript": "^5.4.0"
   }
 }

package/.turbo/turbo-build.log DELETED Viewed

@@ -1,4 +0,0 @@
-> @arinova-ai/spaces-sdk@0.0.2 build /Users/ripple/.openclaw/workspace/projects/arinova-chat/packages/spaces-sdk
-> tsc

package/src/index.ts DELETED Viewed

@@ -1,336 +0,0 @@
-import type {
-  ArinovaConfig,
-  LoginOptions,
-  LoginResult,
-  ConnectOptions,
-  ConnectResult,
-  ArinovaUser,
-  AgentInfo,
-  AgentChatOptions,
-  AgentChatResponse,
-  AgentChatStreamOptions,
-  AgentChatStreamResponse,
-  ChargeOptions,
-  ChargeResponse,
-  AwardOptions,
-  AwardResponse,
-  BalanceResponse,
-  SSEEvent,
-} from "./types.js";
-export type * from "./types.js";
-let _config: ArinovaConfig | null = null;
-let _oauthClientInfo: { clientId: string; clientSecret: string } | null = null;
-function getBaseUrl(): string {
-  if (!_config) throw new Error("Arinova SDK not initialized. Call Arinova.init() first.");
-  return _config.baseUrl || "https://api.arinova.ai";
-}
-function getConfig(): ArinovaConfig {
-  if (!_config) throw new Error("Arinova SDK not initialized. Call Arinova.init() first.");
-  return _config;
-}
-export const Arinova = {
-  /**
-   * Initialize the SDK with your app configuration.
-   */
-  init(config: ArinovaConfig & { clientId?: string; clientSecret?: string }) {
-    _config = config;
-    if (config.clientId && config.clientSecret) {
-      _oauthClientInfo = { clientId: config.clientId, clientSecret: config.clientSecret };
-    }
-  },
-  /**
-   * Connect to Arinova — works seamlessly in both iframe and standalone contexts.
-   *
-   * - **Inside an iframe** (embedded in Arinova Chat): receives auth via postMessage from the parent window.
-   * - **Outside an iframe** (standalone): falls back to the OAuth login() flow.
-   *
-   * @param options.timeout - How long to wait for postMessage in iframe mode (default: 5000ms)
-   * @returns Promise resolving with user, accessToken, and agents
-   */
-  async connect(options?: ConnectOptions): Promise<ConnectResult> {
-    const timeout = options?.timeout ?? 5000;
-    const inIframe = typeof window !== "undefined" && window.self !== window.top;
-    if (!inIframe) {
-      // Not in iframe — fall back to OAuth login flow
-      this.login();
-      // login() redirects, so this promise never resolves in practice
-      return new Promise(() => {});
-    }
-    // In iframe — listen for postMessage auth from parent
-    return new Promise<ConnectResult>((resolve, reject) => {
-      let settled = false;
-      const timer = setTimeout(() => {
-        if (!settled) {
-          settled = true;
-          window.removeEventListener("message", handler);
-          reject(new Error("Arinova connect timeout: no auth message received from parent window within " + timeout + "ms"));
-        }
-      }, timeout);
-      function handler(event: MessageEvent) {
-        if (event.data?.type !== "arinova:auth") return;
-        if (settled) return;
-        settled = true;
-        clearTimeout(timer);
-        window.removeEventListener("message", handler);
-        const { user, accessToken, agents } = event.data.payload as ConnectResult;
-        resolve({ user, accessToken, agents: agents ?? [] });
-      }
-      window.addEventListener("message", handler);
-    });
-  },
-  /**
-   * Redirect to Arinova OAuth login page.
-   * Call this from your game's frontend.
-   */
-  login(options?: LoginOptions): void {
-    const config = getConfig();
-    const baseUrl = getBaseUrl();
-    const scope = options?.scope?.join(" ") || "profile";
-    // Store current URL for callback
-    const currentUrl = typeof window !== "undefined" ? window.location.href : "";
-    const params = new URLSearchParams({
-      client_id: config.appId,
-      redirect_uri: currentUrl,
-      scope,
-      state: crypto.randomUUID(),
-    });
-    window.location.href = `${baseUrl}/oauth/authorize?${params}`;
-  },
-  /**
-   * Handle the OAuth callback. Call this on your redirect page.
-   * Exchanges the authorization code for an access token.
-   */
-  async handleCallback(params: {
-    code: string;
-    clientId: string;
-    clientSecret: string;
-    redirectUri: string;
-  }): Promise<LoginResult> {
-    const baseUrl = getBaseUrl();
-    const res = await fetch(`${baseUrl}/oauth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        grant_type: "authorization_code",
-        code: params.code,
-        client_id: params.clientId,
-        client_secret: params.clientSecret,
-        redirect_uri: params.redirectUri,
-      }),
-    });
-    if (!res.ok) {
-      const error = await res.json().catch(() => ({ error: "token_exchange_failed" }));
-      throw new Error(error.error || "Token exchange failed");
-    }
-    const data = await res.json();
-    return {
-      user: data.user,
-      accessToken: data.access_token,
-    };
-  },
-  user: {
-    /**
-     * Get the authenticated user's profile.
-     */
-    async profile(accessToken: string): Promise<ArinovaUser> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/user/profile`, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      });
-      if (!res.ok) throw new Error("Failed to get user profile");
-      return res.json();
-    },
-    /**
-     * Get the authenticated user's agents.
-     * Requires "agents" scope.
-     */
-    async agents(accessToken: string): Promise<AgentInfo[]> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/user/agents`, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      });
-      if (!res.ok) throw new Error("Failed to get user agents");
-      const data = await res.json();
-      return data.agents;
-    },
-  },
-  agent: {
-    /**
-     * Send a prompt to a user's agent and get a complete response.
-     */
-    async chat(options: AgentChatOptions): Promise<AgentChatResponse> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/agent/chat`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${options.accessToken}`,
-        },
-        body: JSON.stringify({
-          agentId: options.agentId,
-          prompt: options.prompt,
-          systemPrompt: options.systemPrompt,
-        }),
-      });
-      if (!res.ok) {
-        const error = await res.json().catch(() => ({ error: "agent_chat_failed" }));
-        throw new Error(error.error || "Agent chat failed");
-      }
-      return res.json();
-    },
-    /**
-     * Send a prompt to a user's agent and receive a streaming response via SSE.
-     */
-    async chatStream(options: AgentChatStreamOptions): Promise<AgentChatStreamResponse> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/agent/chat/stream`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${options.accessToken}`,
-        },
-        body: JSON.stringify({
-          agentId: options.agentId,
-          prompt: options.prompt,
-          systemPrompt: options.systemPrompt,
-        }),
-      });
-      if (!res.ok) {
-        const error = await res.json().catch(() => ({ error: "agent_stream_failed" }));
-        throw new Error(error.error || "Agent stream failed");
-      }
-      const reader = res.body!.getReader();
-      const decoder = new TextDecoder();
-      let fullContent = "";
-      let buffer = "";
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        buffer += decoder.decode(value, { stream: true });
-        const lines = buffer.split("\n");
-        buffer = lines.pop() || "";
-        for (const line of lines) {
-          if (!line.startsWith("data: ")) continue;
-          try {
-            const event: SSEEvent = JSON.parse(line.slice(6));
-            if (event.type === "chunk") {
-              options.onChunk(event.content);
-              fullContent = event.content;
-            } else if (event.type === "done") {
-              fullContent = event.content;
-            } else if (event.type === "error") {
-              throw new Error(event.error);
-            }
-          } catch (e) {
-            if (e instanceof Error && e.message !== "Unexpected end of JSON input") throw e;
-          }
-        }
-      }
-      return { content: fullContent, agentId: options.agentId };
-    },
-  },
-  economy: {
-    /**
-     * Charge coins from a user's balance (server-to-server).
-     * Requires clientId and clientSecret.
-     */
-    async charge(options: ChargeOptions & { clientId: string; clientSecret: string }): Promise<ChargeResponse> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/economy/charge`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "X-Client-Id": options.clientId,
-          "X-App-Secret": options.clientSecret,
-        },
-        body: JSON.stringify({
-          userId: options.userId,
-          amount: options.amount,
-          description: options.description,
-        }),
-      });
-      if (!res.ok) {
-        const error = await res.json().catch(() => ({ error: "charge_failed" }));
-        throw new Error(error.error || "Charge failed");
-      }
-      return res.json();
-    },
-    /**
-     * Award coins to a user (server-to-server).
-     * Requires clientId and clientSecret.
-     */
-    async award(options: AwardOptions & { clientId: string; clientSecret: string }): Promise<AwardResponse> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/economy/award`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "X-Client-Id": options.clientId,
-          "X-App-Secret": options.clientSecret,
-        },
-        body: JSON.stringify({
-          userId: options.userId,
-          amount: options.amount,
-          description: options.description,
-        }),
-      });
-      if (!res.ok) {
-        const error = await res.json().catch(() => ({ error: "award_failed" }));
-        throw new Error(error.error || "Award failed");
-      }
-      return res.json();
-    },
-    /**
-     * Get a user's coin balance (uses OAuth access token).
-     */
-    async balance(accessToken: string): Promise<BalanceResponse> {
-      const baseUrl = getBaseUrl();
-      const res = await fetch(`${baseUrl}/api/v1/economy/balance`, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      });
-      if (!res.ok) throw new Error("Failed to get balance");
-      return res.json();
-    },
-  },
-};

package/src/types.ts DELETED Viewed

@@ -1,107 +0,0 @@
-// ===== Config =====
-export interface ArinovaConfig {
-  appId: string;
-  baseUrl?: string; // defaults to "https://api.arinova.ai"
-}
-// ===== Auth =====
-export interface LoginOptions {
-  scope?: string[]; // defaults to ["profile"]
-}
-export interface LoginResult {
-  user: ArinovaUser;
-  accessToken: string;
-}
-export interface ConnectOptions {
-  timeout?: number; // milliseconds, defaults to 5000
-}
-export interface ConnectResult {
-  user: ArinovaUser;
-  accessToken: string;
-  agents: AgentInfo[];
-}
-export interface ArinovaUser {
-  id: string;
-  name: string;
-  email: string;
-  image: string | null;
-}
-// ===== Agent =====
-export interface AgentInfo {
-  id: string;
-  name: string;
-  description: string | null;
-  avatarUrl: string | null;
-}
-export interface AgentChatOptions {
-  agentId: string;
-  prompt: string;
-  systemPrompt?: string;
-  accessToken: string;
-}
-export interface AgentChatResponse {
-  response: string;
-  agentId: string;
-}
-export interface AgentChatStreamOptions extends AgentChatOptions {
-  onChunk: (chunk: string) => void;
-}
-export interface AgentChatStreamResponse {
-  content: string;
-  agentId: string;
-}
-// ===== Economy =====
-export interface ChargeOptions {
-  userId: string;
-  amount: number;
-  description?: string;
-}
-export interface ChargeResponse {
-  transactionId: string;
-  newBalance: number;
-}
-export interface AwardOptions {
-  userId: string;
-  amount: number;
-  description?: string;
-}
-export interface AwardResponse {
-  transactionId: string;
-  newBalance: number;
-  platformFee: number;
-}
-export interface BalanceResponse {
-  balance: number;
-}
-// ===== SSE Event =====
-export interface SSEChunkEvent {
-  type: "chunk";
-  content: string;
-}
-export interface SSEDoneEvent {
-  type: "done";
-  content: string;
-}
-export interface SSEErrorEvent {
-  type: "error";
-  error: string;
-}
-export type SSEEvent = SSEChunkEvent | SSEDoneEvent | SSEErrorEvent;

package/tsconfig.json DELETED Viewed

@@ -1,19 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2022",
-    "module": "ESNext",
-    "moduleResolution": "bundler",
-    "lib": ["ES2022", "DOM"],
-    "outDir": "./dist",
-    "rootDir": "./src",
-    "declaration": true,
-    "declarationMap": true,
-    "sourceMap": true,
-    "strict": true,
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules", "dist"]
-}