@bandeira-tech/b3nd-web 0.2.7 → 0.3.1

package/dist/{chunk-7O4D7SF6.js → chunk-GWPCZVXV.js}

@@ -1,14 +1,16 @@
-import {
-  MemoryClient
-} from "./chunk-GIMIWVPX.js";
 import {
   WalletServerCore
-} from "./chunk-F3W5GZU6.js";
+} from "./chunk-B4VAPGAO.js";
 import {
   exportPrivateKeyPem,
   generateEncryptionKeyPair,
-  generateSigningKeyPair
+  generateSigningKeyPair,
+  signWithHex
 } from "./chunk-JN75UL5C.js";
+import {
+  MemoryClient,
+  createTestSchema
+} from "./chunk-O53KW746.js";
 
 // wallet/client.ts
 var WalletClient = class {
@@ -142,19 +144,34 @@ var WalletClient = class {
     throw new Error("Use resetPasswordWithToken(appKey, username, resetToken, newPassword)");
   }
   /**
-   * Sign up with app token (scoped to an app)
+   * Sign up with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
    */
-  async signupWithToken(appKey, tokenOrCredentials, maybeCredentials) {
-    const credentials = typeof tokenOrCredentials === "string" ? maybeCredentials : tokenOrCredentials;
-    if (!credentials) throw new Error("credentials are required");
+  async signupWithToken(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
+      type: "password",
+      username: credentials.username,
+      password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/signup", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        token: typeof tokenOrCredentials === "string" ? tokenOrCredentials : void 0,
-        type: "password",
-        username: credentials.username,
-        password: credentials.password
+        ...payloadToSign,
+        sessionSignature
       })
     });
     const data = await response.json();
@@ -164,21 +181,34 @@ var WalletClient = class {
     return { username: data.username, token: data.token, expiresIn: data.expiresIn };
   }
   /**
-   * Login with app token and session (scoped to an app)
+   * Login with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
    */
-  async loginWithTokenSession(appKey, tokenOrSession, sessionOrCredentials, maybeCredentials) {
-    const session = typeof sessionOrCredentials === "string" && maybeCredentials ? sessionOrCredentials : tokenOrSession;
-    const credentials = maybeCredentials || sessionOrCredentials;
-    if (!session || typeof session !== "string") throw new Error("session is required");
+  async loginWithTokenSession(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
+      type: "password",
+      username: credentials.username,
+      password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/login", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        token: typeof tokenOrSession === "string" && maybeCredentials ? tokenOrSession : void 0,
-        session,
-        type: "password",
-        username: credentials.username,
-        password: credentials.password
+        ...payloadToSign,
+        sessionSignature
       })
     });
     const data = await response.json();
@@ -254,6 +284,8 @@ var WalletClient = class {
    * Proxy a write request through the wallet server
    * The server signs the write with its identity key
    * Requires active authentication session
+   *
+   * @returns ProxyWriteResponse - check `success` field for result
    */
   async proxyWrite(request) {
     if (!this.currentSession) {
@@ -272,17 +304,14 @@ var WalletClient = class {
       })
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(
-        data.error || `Proxy write failed: ${response.statusText}`
-      );
-    }
     return data;
   }
   /**
    * Proxy a read request through the wallet server
    * The server decrypts encrypted data using user's encryption key
    * Requires active authentication session
+   *
+   * @returns ProxyReadResponse - check `success` field for result, `decrypted` for decrypted data
    */
   async proxyRead(request) {
     if (!this.currentSession) {
@@ -297,13 +326,33 @@ var WalletClient = class {
       }
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(
-        data.error || `Proxy read failed: ${response.statusText}`
-      );
-    }
     return data;
   }
+  /**
+   * Proxy multiple read requests through the wallet server
+   * Reads multiple URIs in a single request (max 50 URIs)
+   * The server decrypts encrypted data using user's encryption key
+   * Requires active authentication session
+   *
+   * @returns ProxyReadMultiResponse - check `success` for overall result, `results` for per-URI results
+   */
+  async proxyReadMulti(request) {
+    if (!this.currentSession) {
+      throw new Error("Not authenticated. Please login first.");
+    }
+    const response = await this.fetchImpl(
+      `${this.walletServerUrl}${this.apiBasePath}/proxy/read-multi`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.currentSession.token}`
+        },
+        body: JSON.stringify({ uris: request.uris })
+      }
+    );
+    return await response.json();
+  }
   /**
    * Convenience method: Get current user's public keys
    * Requires active authentication session
@@ -361,22 +410,37 @@ var WalletClient = class {
     };
   }
   /**
-   * Login with Google OAuth (scoped to app token and session)
+   * Login with Google OAuth (scoped to app token and session keypair)
    * Returns session data with Google profile info - call setSession() to activate it
    *
+   * The session must be approved by the app beforehand.
+   *
+   * @param appKey - The app's public key
    * @param token - App token from app server
-   * @param session - Session key from app server
+   * @param session - Session keypair (generated via generateSessionKeypair)
    * @param googleIdToken - Google ID token from Google Sign-In
    * @returns GoogleAuthSession with username, JWT token, and Google profile info
    */
   async loginWithGoogle(appKey, token, session, googleIdToken) {
     if (!token) throw new Error("token is required");
-    if (!session) throw new Error("session is required");
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
     if (!googleIdToken) throw new Error("googleIdToken is required");
+    const payloadToSign = {
+      token,
+      sessionPubkey: session.publicKeyHex,
+      type: "google",
+      googleIdToken
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
     const response = await this.fetchImpl(this.buildAppKeyUrl("/auth/login", appKey), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ token, session, type: "google", googleIdToken })
+      body: JSON.stringify({
+        ...payloadToSign,
+        sessionSignature
+      })
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -392,6 +456,13 @@ var WalletClient = class {
     };
   }
 };
+async function generateSessionKeypair() {
+  const keyPair = await generateSigningKeyPair();
+  return {
+    publicKeyHex: keyPair.publicKeyHex,
+    privateKeyHex: keyPair.privateKeyHex
+  };
+}
 
 // wallet/memory-client.ts
 async function generateTestServerKeys() {
@@ -546,14 +617,32 @@ var MemoryWalletClient = class _MemoryWalletClient {
   async login(_credentials) {
     throw new Error("Use loginWithTokenSession(appKey, session, credentials) \u2014 app token + session required");
   }
-  async signupWithToken(appKey, tokenOrCredentials, maybeCredentials) {
-    const credentials = typeof tokenOrCredentials === "string" ? maybeCredentials : tokenOrCredentials;
-    if (!credentials) throw new Error("credentials are required");
-    const response = await this.request("POST", `/auth/signup/${appKey}`, {
-      token: typeof tokenOrCredentials === "string" ? tokenOrCredentials : void 0,
+  /**
+   * Sign up with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
+   */
+  async signupWithToken(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
       type: "password",
       username: credentials.username,
       password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/signup/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -565,16 +654,32 @@ var MemoryWalletClient = class _MemoryWalletClient {
       expiresIn: data.expiresIn
     };
   }
-  async loginWithTokenSession(appKey, tokenOrSession, sessionOrCredentials, maybeCredentials) {
-    const session = typeof sessionOrCredentials === "string" && maybeCredentials ? sessionOrCredentials : tokenOrSession;
-    const credentials = maybeCredentials || sessionOrCredentials;
-    if (!session || typeof session !== "string") throw new Error("session is required");
-    const response = await this.request("POST", `/auth/login/${appKey}`, {
-      token: typeof tokenOrSession === "string" && maybeCredentials ? tokenOrSession : void 0,
-      session,
+  /**
+   * Login with session keypair (scoped to an app)
+   *
+   * The session must be approved by the app beforehand:
+   * 1. Client writes request to: immutable://inbox/{appKey}/sessions/{sessionPubkey} = 1
+   * 2. App approves by writing: mutable://accounts/{appKey}/sessions/{sessionPubkey} = 1
+   * 3. Client calls this method with the session keypair
+   *
+   * @param appKey - The app's public key
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param credentials - User credentials (username/password)
+   */
+  async loginWithTokenSession(appKey, session, credentials) {
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
+    const payloadToSign = {
+      sessionPubkey: session.publicKeyHex,
       type: "password",
       username: credentials.username,
       password: credentials.password
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/login/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -672,20 +777,20 @@ var MemoryWalletClient = class _MemoryWalletClient {
       encrypt: request.encrypt
     });
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(data.error || `Proxy write failed: ${response.statusText}`);
-    }
     return data;
   }
   async proxyRead(request) {
     const url = `/proxy/read?uri=${encodeURIComponent(request.uri)}`;
     const response = await this.authRequest("GET", url);
     const data = await response.json();
-    if (!response.ok || !data.success) {
-      throw new Error(data.error || `Proxy read failed: ${response.statusText}`);
-    }
     return data;
   }
+  async proxyReadMulti(request) {
+    const response = await this.authRequest("POST", "/proxy/read-multi", {
+      uris: request.uris
+    });
+    return await response.json();
+  }
   // ============================================================
   // Google OAuth (for completeness - may not work without real Google)
   // ============================================================
@@ -710,15 +815,34 @@ var MemoryWalletClient = class _MemoryWalletClient {
       picture: data.picture
     };
   }
+  /**
+   * Login with Google OAuth (scoped to app token and session keypair)
+   * Returns session data with Google profile info - call setSession() to activate it
+   *
+   * The session must be approved by the app beforehand.
+   *
+   * @param appKey - The app's public key
+   * @param token - App token from app server
+   * @param session - Session keypair (generated via generateSessionKeypair)
+   * @param googleIdToken - Google ID token from Google Sign-In
+   * @returns GoogleAuthSession with username, JWT token, and Google profile info
+   */
   async loginWithGoogle(appKey, token, session, googleIdToken) {
     if (!token) throw new Error("token is required");
-    if (!session) throw new Error("session is required");
+    if (!session?.publicKeyHex || !session?.privateKeyHex) {
+      throw new Error("session keypair is required");
+    }
     if (!googleIdToken) throw new Error("googleIdToken is required");
-    const response = await this.request("POST", `/auth/login/${appKey}`, {
+    const payloadToSign = {
       token,
-      session,
+      sessionPubkey: session.publicKeyHex,
       type: "google",
       googleIdToken
+    };
+    const sessionSignature = await signWithHex(session.privateKeyHex, payloadToSign);
+    const response = await this.request("POST", `/auth/login/${appKey}`, {
+      ...payloadToSign,
+      sessionSignature
     });
     const data = await response.json();
     if (!response.ok || !data.success) {
@@ -750,8 +874,58 @@ var MemoryWalletClient = class _MemoryWalletClient {
   }
 };
 
+// wallet/testing.ts
+async function createTestEnvironment(config = {}) {
+  const schema = config.schema || createTestSchema();
+  const serverKeys = config.serverKeys || await generateTestServerKeys();
+  const backend = new MemoryClient({ schema });
+  const walletConfig = {
+    serverKeys,
+    jwtSecret: config.jwtSecret,
+    backend
+  };
+  const wallet = await MemoryWalletClient.create(walletConfig);
+  return {
+    backend,
+    wallet,
+    serverKeys,
+    async signupTestUser(appKey, username, password) {
+      const keypair = await generateSigningKeyPair();
+      const sessionKeypair = {
+        publicKeyHex: keypair.publicKeyHex,
+        privateKeyHex: keypair.privateKeyHex
+      };
+      const sessionUri = `mutable://accounts/${appKey}/sessions/${sessionKeypair.publicKeyHex}`;
+      await backend.write(sessionUri, 1);
+      const session = await wallet.signupWithToken(appKey, sessionKeypair, { username, password });
+      wallet.setSession(session);
+      const keys = await wallet.getPublicKeys(appKey);
+      return { session, keys, sessionKeypair };
+    },
+    async loginTestUser(appKey, username, password) {
+      const keypair = await generateSigningKeyPair();
+      const sessionKeypair = {
+        publicKeyHex: keypair.publicKeyHex,
+        privateKeyHex: keypair.privateKeyHex
+      };
+      const sessionUri = `mutable://accounts/${appKey}/sessions/${sessionKeypair.publicKeyHex}`;
+      await backend.write(sessionUri, 1);
+      const session = await wallet.loginWithTokenSession(appKey, sessionKeypair, { username, password });
+      wallet.setSession(session);
+      const keys = await wallet.getPublicKeys(appKey);
+      return { session, keys, sessionKeypair };
+    },
+    async cleanup() {
+      await backend.cleanup();
+      wallet.logout();
+    }
+  };
+}
+
 export {
   WalletClient,
+  generateSessionKeypair,
   generateTestServerKeys,
-  MemoryWalletClient
+  MemoryWalletClient,
+  createTestEnvironment
 };

package/dist/{chunk-GIMIWVPX.js → chunk-O53KW746.js}

@@ -1,4 +1,7 @@
 // clients/memory/mod.ts
+function validateSchemaKey(key) {
+  return /^[a-z]+:\/\/[a-z0-9-]+$/.test(key);
+}
 function target(uri, schema, storage) {
   const url = URL.parse(uri);
   const program = `${url.protocol}//${url.hostname}`;
@@ -19,7 +22,19 @@ function target(uri, schema, storage) {
   };
 }
 var MemoryClient = class {
+  /**
+   * Create a new MemoryClient
+   *
+   * @param config - Configuration with schema mapping
+   * @throws Error if schema keys are not in "protocol://hostname" format
+   */
   constructor(config) {
+    const invalidKeys = Object.keys(config.schema).filter((key) => !validateSchemaKey(key));
+    if (invalidKeys.length > 0) {
+      throw new Error(
+        `Invalid schema key format: ${invalidKeys.map((k) => `"${k}"`).join(", ")}. Keys must be in "protocol://hostname" format (e.g., "mutable://accounts", "immutable://data").`
+      );
+    }
     this.schema = config.schema;
     this.storage = config.storage || /* @__PURE__ */ new Map();
     this.cleanup();
@@ -86,6 +101,30 @@ var MemoryClient = class {
       record: current.value
     });
   }
+  async readMulti(uris) {
+    if (uris.length > 50) {
+      return {
+        success: false,
+        results: [],
+        summary: { total: uris.length, succeeded: 0, failed: uris.length }
+      };
+    }
+    const results = await Promise.all(
+      uris.map(async (uri) => {
+        const result = await this.read(uri);
+        if (result.success && result.record) {
+          return { uri, success: true, record: result.record };
+        }
+        return { uri, success: false, error: result.error || "Read failed" };
+      })
+    );
+    const succeeded = results.filter((r) => r.success).length;
+    return {
+      success: succeeded > 0,
+      results,
+      summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+    };
+  }
   list(uri, options) {
     const result = target(uri, this.schema, this.storage);
     if (!result.success) {
@@ -115,7 +154,7 @@ var MemoryClient = class {
       });
     }
     let items = Array.from(current.children.entries()).map(([key, child]) => ({
-      uri: path.endsWith("/") ? `${program}://${path}${key}` : `${program}://${path}/${key}`,
+      uri: path.endsWith("/") ? `${program}${path}${key}` : `${program}${path}/${key}`,
       type: child.value ? "file" : "directory"
     }));
     if (options?.pattern) {
@@ -196,7 +235,19 @@ var MemoryClient = class {
     });
   }
 };
+function createTestSchema() {
+  const acceptAll = async () => ({ valid: true });
+  return {
+    "mutable://accounts": acceptAll,
+    "mutable://open": acceptAll,
+    "mutable://data": acceptAll,
+    "immutable://accounts": acceptAll,
+    "immutable://open": acceptAll,
+    "immutable://data": acceptAll
+  };
+}
 
 export {
-  MemoryClient
+  MemoryClient,
+  createTestSchema
 };

package/dist/{chunk-LFUC4ETD.js → chunk-OY4CDOHY.js}

@@ -102,6 +102,51 @@ var HttpClient = class {
       };
     }
   }
+  async readMulti(uris) {
+    if (uris.length > 50) {
+      return {
+        success: false,
+        results: [],
+        summary: { total: uris.length, succeeded: 0, failed: uris.length }
+      };
+    }
+    try {
+      const response = await this.request("/api/v1/read-multi", {
+        method: "POST",
+        body: JSON.stringify({ uris })
+      });
+      if (!response.ok) {
+        if (response.status === 404) {
+          return this.readMultiFallback(uris);
+        }
+        return {
+          success: false,
+          results: uris.map((uri) => ({ uri, success: false, error: response.statusText })),
+          summary: { total: uris.length, succeeded: 0, failed: uris.length }
+        };
+      }
+      return await response.json();
+    } catch (error) {
+      return this.readMultiFallback(uris);
+    }
+  }
+  async readMultiFallback(uris) {
+    const results = await Promise.all(
+      uris.map(async (uri) => {
+        const result = await this.read(uri);
+        if (result.success && result.record) {
+          return { uri, success: true, record: result.record };
+        }
+        return { uri, success: false, error: result.error || "Read failed" };
+      })
+    );
+    const succeeded = results.filter((r) => r.success).length;
+    return {
+      success: succeeded > 0,
+      results,
+      summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+    };
+  }
   async list(uri, options) {
     try {
       const { protocol, domain, path } = this.parseUri(uri);

package/dist/{chunk-7U5JDFQW.js → chunk-PZFEKQ7F.js}

@@ -104,6 +104,30 @@ var LocalStorageClient = class {
       };
     }
   }
+  async readMulti(uris) {
+    if (uris.length > 50) {
+      return {
+        success: false,
+        results: [],
+        summary: { total: uris.length, succeeded: 0, failed: uris.length }
+      };
+    }
+    const results = await Promise.all(
+      uris.map(async (uri) => {
+        const result = await this.read(uri);
+        if (result.success && result.record) {
+          return { uri, success: true, record: result.record };
+        }
+        return { uri, success: false, error: result.error || "Read failed" };
+      })
+    );
+    const succeeded = results.filter((r) => r.success).length;
+    return {
+      success: succeeded > 0,
+      results,
+      summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+    };
+  }
   async list(uri, options) {
     try {
       const { page = 1, limit = 50, pattern, sortBy = "name", sortOrder = "asc" } = options || {};

package/dist/{chunk-T43IWAQK.js → chunk-UUHVOWVI.js}

@@ -195,6 +195,35 @@ var WebSocketClient = class {
       };
     }
   }
+  async readMulti(uris) {
+    if (uris.length > 50) {
+      return {
+        success: false,
+        results: [],
+        summary: { total: uris.length, succeeded: 0, failed: uris.length }
+      };
+    }
+    try {
+      const result = await this.sendRequest("readMulti", { uris });
+      return result;
+    } catch {
+      const results = await Promise.all(
+        uris.map(async (uri) => {
+          const result = await this.read(uri);
+          if (result.success && result.record) {
+            return { uri, success: true, record: result.record };
+          }
+          return { uri, success: false, error: result.error || "Read failed" };
+        })
+      );
+      const succeeded = results.filter((r) => r.success).length;
+      return {
+        success: succeeded > 0,
+        results,
+        summary: { total: uris.length, succeeded, failed: uris.length - succeeded }
+      };
+    }
+  }
   async list(uri, options) {
     try {
       const result = await this.sendRequest("list", { uri, options });