@bandeira-tech/b3nd-web 0.2.6 → 0.3.0

package/dist/{chunk-F3W5GZU6.js → chunk-4C4YY2X7.js}

@@ -446,27 +446,42 @@ async function proxyWrite(proxyClient, credentialClient, serverPublicKey, userna
     };
   }
 }
-async function proxyRead(proxyClient, uri, serverEncryptionPrivateKeyPem) {
+async function proxyRead(proxyClient, credentialClient, serverPublicKey, username, serverEncryptionPrivateKeyPem, uri) {
   try {
-    const result = await proxyClient.read(uri);
+    const accountKey = await loadUserAccountKey(
+      credentialClient,
+      serverPublicKey,
+      username,
+      serverEncryptionPrivateKeyPem
+    );
+    const resolvedUri = uri.replace(/:key/g, accountKey.publicKeyHex);
+    const result = await proxyClient.read(resolvedUri);
     if (!result.success) {
       return {
         success: false,
+        uri: resolvedUri,
         error: result.error || "Read failed"
       };
     }
     const response = {
       success: true,
+      uri: resolvedUri,
       record: result.record
     };
-    if (serverEncryptionPrivateKeyPem && result.record?.data) {
+    if (result.record?.data) {
       try {
         const data = result.record.data;
         if (typeof data === "object" && data.payload && typeof data.payload === "object") {
           const payload = data.payload;
           if (payload.data && payload.nonce && payload.ephemeralPublicKey) {
+            const userEncryptionKey = await loadUserEncryptionKey(
+              credentialClient,
+              serverPublicKey,
+              username,
+              serverEncryptionPrivateKeyPem
+            );
             const privateKey = await pemToCryptoKey(
-              serverEncryptionPrivateKeyPem,
+              userEncryptionKey.privateKeyPem,
               "X25519"
             );
             const encryptedPayload = {
@@ -491,6 +506,7 @@ async function proxyRead(proxyClient, uri, serverEncryptionPrivateKeyPem) {
   } catch (error) {
     return {
       success: false,
+      uri,
       error: `Proxy read failed: ${error instanceof Error ? error.message : String(error)}`
     };
   }
@@ -1704,22 +1720,25 @@ var WalletServerCore = class {
           return c.json({ success: false, error: "Authorization required" }, 401);
         }
         const token = authHeader.substring(7);
-        await verifyJwt(token, this.config.jwtSecret);
+        const payload = await verifyJwt(token, this.config.jwtSecret);
         const uri = c.req.query("uri");
         if (!uri) {
           return c.json({ success: false, error: "uri query parameter is required" }, 400);
         }
         const result = await proxyRead(
           this.proxyClient,
-          uri,
-          serverEncryptionPrivateKeyPem
+          this.credentialClient,
+          serverPublicKey,
+          payload.username,
+          serverEncryptionPrivateKeyPem,
+          uri
         );
         if (!result.success) {
           return c.json({ success: false, error: result.error }, 400);
         }
         return c.json({
           success: true,
-          uri,
+          uri: result.uri,
           record: result.record,
           decrypted: result.decrypted
         });

package/dist/{chunk-FVLXYKYS.js → chunk-IILPY4TK.js}

@@ -1,14 +1,15 @@
+import {
+  MemoryClient,
+  createTestSchema
+} from "./chunk-OXHGNAQJ.js";
 import {
   WalletServerCore
-} from "./chunk-F3W5GZU6.js";
+} from "./chunk-4C4YY2X7.js";
 import {
   exportPrivateKeyPem,
   generateEncryptionKeyPair,
   generateSigningKeyPair
 } from "./chunk-JN75UL5C.js";
-import {
-  MemoryClient
-} from "./chunk-GIMIWVPX.js";
 
 // wallet/client.ts
 var WalletClient = class {
@@ -254,6 +255,8 @@ var WalletClient = class {
    * Proxy a write request through the wallet server
    * The server signs the write with its identity key
    * Requires active authentication session
+   *
+   * @returns ProxyWriteResponse - check `success` field for result
    */
   async proxyWrite(request) {
     if (!this.currentSession) {
@@ -272,17 +275,14 @@ var WalletClient = class {
       })
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(
-        data.error || `Proxy write failed: ${response.statusText}`
-      );
-    }
     return data;
   }
   /**
    * Proxy a read request through the wallet server
    * The server decrypts encrypted data using user's encryption key
    * Requires active authentication session
+   *
+   * @returns ProxyReadResponse - check `success` field for result, `decrypted` for decrypted data
    */
   async proxyRead(request) {
     if (!this.currentSession) {
@@ -297,11 +297,6 @@ var WalletClient = class {
       }
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(
-        data.error || `Proxy read failed: ${response.statusText}`
-      );
-    }
     return data;
   }
   /**
@@ -442,14 +437,14 @@ var MemoryWalletClient = class _MemoryWalletClient {
    */
   static async create(config = {}) {
     const serverKeys = config.serverKeys || await generateTestServerKeys();
-    const storageClient = config.storageClient || createWalletMemoryClient();
+    const backend = config.backend || createWalletMemoryClient();
     const serverConfig = {
       serverKeys,
       jwtSecret: config.jwtSecret || "test-jwt-secret-for-memory-wallet-client!!",
       jwtExpirationSeconds: config.jwtExpirationSeconds || 3600,
       deps: {
-        credentialClient: storageClient,
-        proxyClient: storageClient,
+        credentialClient: backend,
+        proxyClient: backend,
         logger: {
           log: () => {
           },
@@ -672,18 +667,12 @@ var MemoryWalletClient = class _MemoryWalletClient {
       encrypt: request.encrypt
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(data.error || `Proxy write failed: ${response.statusText}`);
-    }
     return data;
   }
   async proxyRead(request) {
     const url = `/proxy/read?uri=${encodeURIComponent(request.uri)}`;
     const response = await this.authRequest("GET", url);
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(data.error || `Proxy read failed: ${response.statusText}`);
-    }
     return data;
   }
   // ============================================================
@@ -750,8 +739,43 @@ var MemoryWalletClient = class _MemoryWalletClient {
   }
 };
 
+// wallet/testing.ts
+async function createTestEnvironment(config = {}) {
+  const schema = config.schema || createTestSchema();
+  const serverKeys = config.serverKeys || await generateTestServerKeys();
+  const backend = new MemoryClient({ schema });
+  const walletConfig = {
+    serverKeys,
+    jwtSecret: config.jwtSecret,
+    backend
+  };
+  const wallet = await MemoryWalletClient.create(walletConfig);
+  return {
+    backend,
+    wallet,
+    serverKeys,
+    async signupTestUser(appKey, username, password) {
+      const session = await wallet.signupWithToken(appKey, { username, password });
+      wallet.setSession(session);
+      const keys = await wallet.getPublicKeys(appKey);
+      return { session, keys };
+    },
+    async loginTestUser(appKey, sessionKey, username, password) {
+      const session = await wallet.loginWithTokenSession(appKey, sessionKey, { username, password });
+      wallet.setSession(session);
+      const keys = await wallet.getPublicKeys(appKey);
+      return { session, keys };
+    },
+    async cleanup() {
+      await backend.cleanup();
+      wallet.logout();
+    }
+  };
+}
+
 export {
   WalletClient,
   generateTestServerKeys,
-  MemoryWalletClient
+  MemoryWalletClient,
+  createTestEnvironment
 };

package/dist/{chunk-GIMIWVPX.js → chunk-OXHGNAQJ.js}

@@ -1,4 +1,7 @@
 // clients/memory/mod.ts
+function validateSchemaKey(key) {
+  return /^[a-z]+:\/\/[a-z0-9-]+$/.test(key);
+}
 function target(uri, schema, storage) {
   const url = URL.parse(uri);
   const program = `${url.protocol}//${url.hostname}`;
@@ -19,7 +22,19 @@ function target(uri, schema, storage) {
   };
 }
 var MemoryClient = class {
+  /**
+   * Create a new MemoryClient
+   *
+   * @param config - Configuration with schema mapping
+   * @throws Error if schema keys are not in "protocol://hostname" format
+   */
   constructor(config) {
+    const invalidKeys = Object.keys(config.schema).filter((key) => !validateSchemaKey(key));
+    if (invalidKeys.length > 0) {
+      throw new Error(
+        `Invalid schema key format: ${invalidKeys.map((k) => `"${k}"`).join(", ")}. Keys must be in "protocol://hostname" format (e.g., "mutable://accounts", "immutable://data").`
+      );
+    }
     this.schema = config.schema;
     this.storage = config.storage || /* @__PURE__ */ new Map();
     this.cleanup();
@@ -196,7 +211,19 @@ var MemoryClient = class {
     });
   }
 };
+function createTestSchema() {
+  const acceptAll = async () => ({ valid: true });
+  return {
+    "mutable://accounts": acceptAll,
+    "mutable://open": acceptAll,
+    "mutable://data": acceptAll,
+    "immutable://accounts": acceptAll,
+    "immutable://open": acceptAll,
+    "immutable://data": acceptAll
+  };
+}
 
 export {
-  MemoryClient
+  MemoryClient,
+  createTestSchema
 };

package/dist/{client-B0Ekm99R.d.ts → client-fsiY-9VW.d.ts}

@@ -3,6 +3,50 @@
  *
  * Type definitions for the B3nd Wallet Client that interacts with wallet servers.
  */
+/**
+ * Common interface for wallet clients (WalletClient and MemoryWalletClient)
+ *
+ * Implement this interface to create custom wallet clients or use
+ * for dependency injection in tests.
+ *
+ * @example
+ * ```typescript
+ * function setupApp(wallet: WalletClientInterface) {
+ *   // Works with both WalletClient and MemoryWalletClient
+ *   await wallet.proxyWrite({ uri: "...", data: {...} });
+ * }
+ *
+ * // Production
+ * setupApp(new WalletClient({ walletServerUrl: "...", apiBasePath: "/api/v1" }));
+ *
+ * // Tests
+ * setupApp(await MemoryWalletClient.create());
+ * ```
+ */
+interface WalletClientInterface {
+    getSession(): AuthSession | null;
+    setSession(session: AuthSession | null): void;
+    isAuthenticated(): boolean;
+    getUsername(): string | null;
+    getToken(): string | null;
+    logout(): void;
+    health(): Promise<HealthResponse>;
+    getServerKeys(): Promise<{
+        identityPublicKeyHex: string;
+        encryptionPublicKeyHex: string;
+    }>;
+    signupWithToken(appKey: string, tokenOrCredentials: string | UserCredentials, maybeCredentials?: UserCredentials): Promise<AuthSession>;
+    loginWithTokenSession(appKey: string, tokenOrSession: string, sessionOrCredentials: string | UserCredentials, maybeCredentials?: UserCredentials): Promise<AuthSession>;
+    changePassword(appKey: string, oldPassword: string, newPassword: string): Promise<void>;
+    requestPasswordResetWithToken(appKey: string, tokenOrUsername: string, maybeUsername?: string): Promise<PasswordResetToken>;
+    resetPasswordWithToken(appKey: string, tokenOrUsername: string, usernameOrReset: string, resetToken?: string, newPassword?: string): Promise<AuthSession>;
+    getPublicKeys(appKey: string): Promise<UserPublicKeys>;
+    getMyPublicKeys(appKey: string): Promise<UserPublicKeys>;
+    proxyWrite(request: ProxyWriteRequest): Promise<ProxyWriteResponse>;
+    proxyRead(request: ProxyReadRequest): Promise<ProxyReadResponse>;
+    signupWithGoogle(appKey: string, token: string, googleIdToken: string): Promise<GoogleAuthSession>;
+    loginWithGoogle(appKey: string, token: string, session: string, googleIdToken: string): Promise<GoogleAuthSession>;
+}
 /**
  * Configuration for wallet client
  */
@@ -307,12 +351,16 @@ declare class WalletClient {
      * Proxy a write request through the wallet server
      * The server signs the write with its identity key
      * Requires active authentication session
+     *
+     * @returns ProxyWriteResponse - check `success` field for result
      */
     proxyWrite(request: ProxyWriteRequest): Promise<ProxyWriteResponse>;
     /**
      * Proxy a read request through the wallet server
      * The server decrypts encrypted data using user's encryption key
      * Requires active authentication session
+     *
+     * @returns ProxyReadResponse - check `success` field for result, `decrypted` for decrypted data
      */
     proxyRead(request: ProxyReadRequest): Promise<ProxyReadResponse>;
     /**
@@ -351,4 +399,4 @@ declare class WalletClient {
     loginWithGoogle(appKey: string, token: string, session: string, googleIdToken: string): Promise<GoogleAuthSession>;
 }
 
-export { type AuthSession as A, type ChangePasswordResponse as C, type GoogleAuthSession as G, type HealthResponse as H, type LoginResponse as L, type PasswordResetToken as P, type RequestPasswordResetResponse as R, type SignupResponse as S, type UserCredentials as U, WalletClient as W, type UserPublicKeys as a, type ProxyWriteRequest as b, type ProxyWriteResponse as c, type ProxyReadRequest as d, type ProxyReadResponse as e, type WalletClientConfig as f, type ApiResponse as g, type PublicKeysResponse as h, type ResetPasswordResponse as i, type GoogleSignupResponse as j, type GoogleLoginResponse as k };
+export { type AuthSession as A, type ChangePasswordResponse as C, type GoogleAuthSession as G, type HealthResponse as H, type LoginResponse as L, type PasswordResetToken as P, type RequestPasswordResetResponse as R, type SignupResponse as S, type UserCredentials as U, WalletClient as W, type UserPublicKeys as a, type ProxyWriteRequest as b, type ProxyWriteResponse as c, type ProxyReadRequest as d, type ProxyReadResponse as e, type WalletClientInterface as f, type WalletClientConfig as g, type ApiResponse as h, type PublicKeysResponse as i, type ResetPasswordResponse as j, type GoogleSignupResponse as k, type GoogleLoginResponse as l };

package/dist/clients/memory/mod.d.ts

@@ -6,12 +6,33 @@ type MemoryClientStorageNode<T> = {
 };
 type MemoryClientStorage = Map<string, MemoryClientStorageNode<unknown>>;
 interface MemoryClientConfig {
+    /**
+     * Schema mapping protocol://hostname to validators.
+     *
+     * Keys MUST be in format: "protocol://hostname"
+     * Examples: "mutable://accounts", "immutable://data", "mutable://open"
+     *
+     * @example
+     * ```typescript
+     * const schema = {
+     *   "mutable://accounts": async () => ({ valid: true }),
+     *   "immutable://accounts": async () => ({ valid: true }),
+     * };
+     * const client = new MemoryClient({ schema });
+     * ```
+     */
     schema: Schema;
     storage?: MemoryClientStorage;
 }
 declare class MemoryClient implements NodeProtocolInterface {
     protected storage: MemoryClientStorage;
     protected schema: Schema;
+    /**
+     * Create a new MemoryClient
+     *
+     * @param config - Configuration with schema mapping
+     * @throws Error if schema keys are not in "protocol://hostname" format
+     */
     constructor(config: MemoryClientConfig);
     write<T = unknown>(uri: string, payload: T): Promise<WriteResult<T>>;
     read<T>(uri: string): Promise<ReadResult<T>>;
@@ -21,5 +42,17 @@ declare class MemoryClient implements NodeProtocolInterface {
     cleanup(): Promise<void>;
     delete(uri: string): Promise<DeleteResult>;
 }
+/**
+ * Default schema for testing that accepts all writes.
+ * Includes common b3nd protocol prefixes.
+ *
+ * @example
+ * ```typescript
+ * import { MemoryClient, createTestSchema } from "@bandeira-tech/b3nd-web/clients/memory";
+ *
+ * const backend = new MemoryClient({ schema: createTestSchema() });
+ * ```
+ */
+declare function createTestSchema(): Schema;
 
-export { MemoryClient, type MemoryClientConfig };
+export { MemoryClient, type MemoryClientConfig, createTestSchema };

package/dist/clients/memory/mod.js

@@ -1,7 +1,9 @@
 import {
-  MemoryClient
-} from "../../chunk-GIMIWVPX.js";
+  MemoryClient,
+  createTestSchema
+} from "../../chunk-OXHGNAQJ.js";
 import "../../chunk-MLKGABMK.js";
 export {
-  MemoryClient
+  MemoryClient,
+  createTestSchema
 };

package/dist/{core-CgxQpSVM.d.ts → core-BLTm0eu6.d.ts}

@@ -169,6 +169,7 @@ interface ProxyWriteResponse {
  */
 interface ProxyReadResponse {
     success: boolean;
+    uri?: string;
     error?: string;
     record?: {
         data: unknown;

package/dist/src/mod.web.d.ts

@@ -2,6 +2,6 @@ export { C as ClientError, D as DeleteResult, H as HealthStatus, a as HttpClient
 export { HttpClient } from '../clients/http/mod.js';
 export { WebSocketClient } from '../clients/websocket/mod.js';
 export { LocalStorageClient } from '../clients/local-storage/mod.js';
-export { W as WalletClient } from '../client-B0Ekm99R.js';
+export { W as WalletClient } from '../client-fsiY-9VW.js';
 export { AppsClient } from '../apps/mod.js';
 export { m as encrypt } from '../mod-CII9wqu2.js';

package/dist/src/mod.web.js

@@ -1,13 +1,11 @@
-import {
-  WebSocketClient
-} from "../chunk-T43IWAQK.js";
 import {
   AppsClient
 } from "../chunk-VAZUCGED.js";
 import {
   WalletClient
-} from "../chunk-FVLXYKYS.js";
-import "../chunk-F3W5GZU6.js";
+} from "../chunk-IILPY4TK.js";
+import "../chunk-OXHGNAQJ.js";
+import "../chunk-4C4YY2X7.js";
 import {
   mod_exports
 } from "../chunk-JN75UL5C.js";
@@ -17,7 +15,9 @@ import {
 import {
   LocalStorageClient
 } from "../chunk-7U5JDFQW.js";
-import "../chunk-GIMIWVPX.js";
+import {
+  WebSocketClient
+} from "../chunk-T43IWAQK.js";
 import "../chunk-MLKGABMK.js";
 export {
   AppsClient,

package/dist/wallet/mod.d.ts

@@ -1,9 +1,9 @@
-import { A as AuthSession, H as HealthResponse, U as UserCredentials, P as PasswordResetToken, a as UserPublicKeys, b as ProxyWriteRequest, c as ProxyWriteResponse, d as ProxyReadRequest, e as ProxyReadResponse, G as GoogleAuthSession } from '../client-B0Ekm99R.js';
-export { g as ApiResponse, C as ChangePasswordResponse, k as GoogleLoginResponse, j as GoogleSignupResponse, L as LoginResponse, h as PublicKeysResponse, R as RequestPasswordResetResponse, i as ResetPasswordResponse, S as SignupResponse, W as WalletClient, f as WalletClientConfig } from '../client-B0Ekm99R.js';
-import { S as ServerKeys, W as WalletServerCore } from '../core-CgxQpSVM.js';
+import { A as AuthSession, H as HealthResponse, U as UserCredentials, P as PasswordResetToken, a as UserPublicKeys, b as ProxyWriteRequest, c as ProxyWriteResponse, d as ProxyReadRequest, e as ProxyReadResponse, G as GoogleAuthSession } from '../client-fsiY-9VW.js';
+export { h as ApiResponse, C as ChangePasswordResponse, l as GoogleLoginResponse, k as GoogleSignupResponse, L as LoginResponse, i as PublicKeysResponse, R as RequestPasswordResetResponse, j as ResetPasswordResponse, S as SignupResponse, W as WalletClient, g as WalletClientConfig, f as WalletClientInterface } from '../client-fsiY-9VW.js';
+import { N as NodeProtocolInterface, S as Schema } from '../types-oQCx3U-_.js';
+import { S as ServerKeys, W as WalletServerCore } from '../core-BLTm0eu6.js';
 import { MemoryClient } from '../clients/memory/mod.js';
 import 'hono';
-import '../types-oQCx3U-_.js';
 
 /**
  * Memory Wallet Client
@@ -16,16 +16,22 @@ import '../types-oQCx3U-_.js';
  * @example
  * ```typescript
  * // Production
+ * const backend = new HttpClient({ baseUrl: "http://localhost:8842" });
  * const wallet = new WalletClient({
  *   walletServerUrl: "http://localhost:8843",
  *   apiBasePath: "/api/v1"
  * });
  *
- * // Tests
- * const wallet = await MemoryWalletClient.create();
+ * // Tests - share same backend between wallet and direct operations
+ * const backend = new MemoryClient({ schema: { "mutable://accounts": ... } });
+ * const wallet = await MemoryWalletClient.create({ backend });
  *
  * // Same API works for both
  * await wallet.signupWithToken(appKey, { username: "alice", password: "secret" });
+ * await wallet.proxyWrite({ uri: "mutable://data/test", data: { foo: "bar" } });
+ *
+ * // Direct backend access in tests
+ * const result = await backend.read("mutable://accounts/...");
  * ```
  */
 
@@ -43,10 +49,21 @@ interface MemoryWalletClientConfig {
      */
     jwtExpirationSeconds?: number;
     /**
-     * Optional existing MemoryClient to use as storage backend.
-     * If not provided, a new one is created.
+     * Shared backend storage (e.g., MemoryClient).
+     * Use this to share the same storage between wallet and direct operations.
+     * If not provided, a new MemoryClient is created.
+     *
+     * @example
+     * ```typescript
+     * const backend = new MemoryClient({ schema: { ... } });
+     * const wallet = await MemoryWalletClient.create({ backend });
+     *
+     * // Both use the same storage
+     * await backend.write("mutable://accounts/...", data);
+     * await wallet.proxyWrite({ uri: "mutable://...", data });
+     * ```
      */
-    storageClient?: MemoryClient;
+    backend?: NodeProtocolInterface;
 }
 /**
  * Generate server keys for testing
@@ -116,4 +133,138 @@ declare class MemoryWalletClient {
     };
 }
 
-export { AuthSession, GoogleAuthSession, HealthResponse, MemoryWalletClient, type MemoryWalletClientConfig, PasswordResetToken, ProxyReadRequest, ProxyReadResponse, ProxyWriteRequest, ProxyWriteResponse, UserCredentials, UserPublicKeys, generateTestServerKeys };
+/**
+ * Test Utilities for B3nd Wallet
+ *
+ * Provides helpers for setting up test environments with shared in-memory storage.
+ *
+ * @example
+ * ```typescript
+ * import { createTestEnvironment } from "@bandeira-tech/b3nd-web/wallet";
+ *
+ * const { backend, wallet, signupTestUser, cleanup } = await createTestEnvironment();
+ *
+ * // Sign up a test user
+ * const { session, keys } = await signupTestUser("app-key", "testuser", "pass123");
+ *
+ * // Now wallet.proxyRead/proxyWrite work with the shared backend
+ * const writeResult = await wallet.proxyWrite({ uri: "mutable://data/test", data: { foo: "bar" }, encrypt: true });
+ * const readResult = await wallet.proxyRead({ uri: "mutable://data/test" });
+ * console.log(readResult.decrypted); // { foo: "bar" }
+ *
+ * // Direct backend access also works
+ * const raw = await backend.read("mutable://data/test");
+ * ```
+ */
+
+/**
+ * Test environment configuration
+ */
+interface TestEnvironmentConfig {
+    /**
+     * Custom schema for the backend.
+     * If not provided, uses createTestSchema() which accepts all writes.
+     */
+    schema?: Schema;
+    /**
+     * Custom server keys.
+     * If not provided, keys are auto-generated.
+     */
+    serverKeys?: ServerKeys;
+    /**
+     * Custom JWT secret.
+     * Defaults to a test secret.
+     */
+    jwtSecret?: string;
+}
+/**
+ * Test environment with shared backend
+ */
+interface TestEnvironment {
+    /**
+     * The shared in-memory backend storage.
+     * Use this for direct reads/writes in tests.
+     */
+    backend: MemoryClient;
+    /**
+     * The wallet client connected to the shared backend.
+     * Same API as WalletClient but runs in-memory.
+     */
+    wallet: MemoryWalletClient;
+    /**
+     * Server keys (for advanced testing)
+     */
+    serverKeys: ServerKeys;
+    /**
+     * Sign up a test user and set the session.
+     *
+     * @param appKey - App key for the signup
+     * @param username - Username
+     * @param password - Password
+     * @returns Session and user public keys
+     */
+    signupTestUser(appKey: string, username: string, password: string): Promise<{
+        session: AuthSession;
+        keys: UserPublicKeys;
+    }>;
+    /**
+     * Login a test user and set the session.
+     *
+     * @param appKey - App key for the login
+     * @param sessionKey - Session key (can be any string for tests)
+     * @param username - Username
+     * @param password - Password
+     * @returns Session and user public keys
+     */
+    loginTestUser(appKey: string, sessionKey: string, username: string, password: string): Promise<{
+        session: AuthSession;
+        keys: UserPublicKeys;
+    }>;
+    /**
+     * Clean up the test environment.
+     * Clears all data from the backend.
+     */
+    cleanup(): Promise<void>;
+}
+/**
+ * Create a test environment with shared in-memory backend.
+ *
+ * This sets up a MemoryClient and MemoryWalletClient that share the same storage,
+ * enabling you to test wallet operations alongside direct backend access.
+ *
+ * @param config - Optional configuration
+ * @returns Test environment with backend, wallet, and helper functions
+ *
+ * @example
+ * ```typescript
+ * // Basic usage
+ * const { backend, wallet, signupTestUser } = await createTestEnvironment();
+ * const { keys } = await signupTestUser("my-app", "alice", "password123");
+ *
+ * // Write encrypted data
+ * await wallet.proxyWrite({
+ *   uri: "mutable://data/:key/profile",
+ *   data: { name: "Alice" },
+ *   encrypt: true
+ * });
+ *
+ * // Read and decrypt
+ * const result = await wallet.proxyRead({ uri: "mutable://data/:key/profile" });
+ * console.log(result.decrypted); // { name: "Alice" }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // With custom schema
+ * const { backend, wallet } = await createTestEnvironment({
+ *   schema: {
+ *     "mutable://myapp": async () => ({ valid: true }),
+ *     "mutable://accounts": async () => ({ valid: true }),
+ *     "immutable://accounts": async () => ({ valid: true }),
+ *   }
+ * });
+ * ```
+ */
+declare function createTestEnvironment(config?: TestEnvironmentConfig): Promise<TestEnvironment>;
+
+export { AuthSession, GoogleAuthSession, HealthResponse, MemoryWalletClient, type MemoryWalletClientConfig, PasswordResetToken, ProxyReadRequest, ProxyReadResponse, ProxyWriteRequest, ProxyWriteResponse, type TestEnvironment, type TestEnvironmentConfig, UserCredentials, UserPublicKeys, createTestEnvironment, generateTestServerKeys };

package/dist/wallet/mod.js

@@ -1,15 +1,17 @@
 import {
   MemoryWalletClient,
   WalletClient,
+  createTestEnvironment,
   generateTestServerKeys
-} from "../chunk-FVLXYKYS.js";
-import "../chunk-F3W5GZU6.js";
+} from "../chunk-IILPY4TK.js";
+import "../chunk-OXHGNAQJ.js";
+import "../chunk-4C4YY2X7.js";
 import "../chunk-JN75UL5C.js";
 import "../chunk-LFUC4ETD.js";
-import "../chunk-GIMIWVPX.js";
 import "../chunk-MLKGABMK.js";
 export {
   MemoryWalletClient,
   WalletClient,
+  createTestEnvironment,
   generateTestServerKeys
 };

package/dist/wallet-server/adapters/browser.d.ts

@@ -1,5 +1,5 @@
-import { F as FileStorage, S as ServerKeys, W as WalletServerCore } from '../../core-CgxQpSVM.js';
-export { C as BrowserEnvironment, M as BrowserMemoryStorage } from '../../core-CgxQpSVM.js';
+import { F as FileStorage, S as ServerKeys, W as WalletServerCore } from '../../core-BLTm0eu6.js';
+export { C as BrowserEnvironment, M as BrowserMemoryStorage } from '../../core-BLTm0eu6.js';
 import 'hono';
 import '../../types-oQCx3U-_.js';
 

package/dist/wallet-server/adapters/browser.js

@@ -2,7 +2,7 @@ import {
   ConfigEnvironment,
   MemoryFileStorage,
   WalletServerCore
-} from "../../chunk-F3W5GZU6.js";
+} from "../../chunk-4C4YY2X7.js";
 import "../../chunk-JN75UL5C.js";
 import "../../chunk-LFUC4ETD.js";
 import {

package/dist/wallet-server/mod.d.ts

@@ -1,5 +1,5 @@
-import { P as ProxyWriteRequest, a as ProxyWriteResponse, b as ProxyReadResponse, U as UserKeys, L as Logger, H as HttpFetch } from '../core-CgxQpSVM.js';
-export { A as AppBackendConfig, f as AuthSessionResponse, C as ConfigEnvironment, E as Environment, F as FileStorage, h as HealthResponse, M as MemoryFileStorage, g as PublicKeysResponse, R as ResolvedWalletServerConfig, e as ServerKeyPair, S as ServerKeys, i as ServerKeysResponse, c as WalletServerConfig, W as WalletServerCore, d as WalletServerDeps, j as defaultLogger } from '../core-CgxQpSVM.js';
+import { P as ProxyWriteRequest, a as ProxyWriteResponse, b as ProxyReadResponse, U as UserKeys, L as Logger, H as HttpFetch } from '../core-BLTm0eu6.js';
+export { A as AppBackendConfig, f as AuthSessionResponse, C as ConfigEnvironment, E as Environment, F as FileStorage, h as HealthResponse, M as MemoryFileStorage, g as PublicKeysResponse, R as ResolvedWalletServerConfig, e as ServerKeyPair, S as ServerKeys, i as ServerKeysResponse, c as WalletServerConfig, W as WalletServerCore, d as WalletServerDeps, j as defaultLogger } from '../core-BLTm0eu6.js';
 import { N as NodeProtocolInterface } from '../types-oQCx3U-_.js';
 import { S as SignedEncryptedMessage, E as EncryptedPayload } from '../mod-CII9wqu2.js';
 import 'hono';
@@ -43,8 +43,11 @@ declare function extractUsernameFromJwt(token: string): string | null;
 declare function proxyWrite(proxyClient: NodeProtocolInterface, credentialClient: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, request: ProxyWriteRequest): Promise<ProxyWriteResponse>;
 /**
  * Proxy a read request (with optional decryption)
+ *
+ * Data encrypted with proxyWrite is encrypted with the user's encryption key,
+ * so we need to load the user's encryption key to decrypt it.
  */
-declare function proxyRead(proxyClient: NodeProtocolInterface, uri: string, serverEncryptionPrivateKeyPem?: string): Promise<ProxyReadResponse>;
+declare function proxyRead(proxyClient: NodeProtocolInterface, credentialClient: NodeProtocolInterface, serverPublicKey: string, username: string, serverEncryptionPrivateKeyPem: string, uri: string): Promise<ProxyReadResponse>;
 
 /**
  * User Key Management

package/dist/wallet-server/mod.js

@@ -34,7 +34,7 @@ import {
   userExists,
   verifyGoogleIdToken,
   verifyJwt
-} from "../chunk-F3W5GZU6.js";
+} from "../chunk-4C4YY2X7.js";
 import "../chunk-JN75UL5C.js";
 import "../chunk-LFUC4ETD.js";
 import "../chunk-MLKGABMK.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bandeira-tech/b3nd-web",
-  "version": "0.2.6",
+  "version": "0.3.0",
   "description": "Browser-focused B3nd SDK bundle",
   "type": "module",
   "main": "./dist/src/mod.web.js",