@bounded-sh/core 0.0.19 → 0.0.21

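--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -10,8 +10,8 @@ let clientConfig = {
  // User configured settings
  name: '',
  logoUrl: '',
- // Bounded production is the out-of-the-box default a Bounded app needs only
- // `{ appId }`. Pass `network: 'bounded-staging'` to target staging.
+ // Bounded production is the endpoint default. Apps still choose one explicit
+ // auth method at init time. Pass `network: 'bounded-staging'` to target staging.
  network: 'bounded-production',
  wsApiUrl: 'wss://realtime.bounded.sh',
  apiUrl: 'https://realtime.bounded.sh',
@@ -19,14 +19,15 @@ let clientConfig = {
  humanAuthApiUrl: 'https://auth.bounded.sh',
  functionsUrl: 'https://functions.bounded.sh',
  appId: '',
- // 'email' = Bounded Auth human login (inline email OTP) — the out-of-box default
- // for normal apps. Hosted OAuth/social uses loginWithRedirect/loginWithPopup.
+ // No hidden auth fallback: browser clients must pass authMethod explicitly
+ // (for example 'email', 'guest', 'phantom', 'privy', or 'privy-expo').
+ // Hosted OAuth/social uses loginWithRedirect/loginWithPopup with authMethod:'email'.
  // Text OTP is off by default and uses hosted/headless text helpers only when
  // Bounded explicitly enables it for the issuer. For
  // crypto/onchain wallet login use authMethod:'phantom' (Solana / Phantom), or
  // signInAnonymously() for zero-friction 'guest' accounts. ('wallet' is an
  // unimplemented stub; don't use.)
- authMethod: 'email',
+ authMethod: 'none',
  chain: '',
  rpcUrl: '',
  skipBackendInit: true,
@@ -92,10 +93,14 @@ function init(newConfig) {
  }
  // Bounded is client-driven: defaults are Bounded production, `network`
  // switches the whole endpoint set (e.g. 'bounded-staging'), and anything
- // passed explicitly wins. No `/config` round-trip `init({ appId })` is
- // synchronous and works out of the box.
+ // passed explicitly wins. No `/config` round-trip; browser SDKs still pass
+ // one explicit authMethod so there is no hidden auth-provider fallback.
  // defaults (bounded-production) < network preset < explicit newConfig
- const preset = (newConfig.network && BOUNDED_NETWORKS[newConfig.network]) || {};
+ if (newConfig.network !== undefined && !(newConfig.network in BOUNDED_NETWORKS)) {
+ reject(new Error(`Unsupported Bounded network "${String(newConfig.network)}". Expected bounded, bounded-staging, or bounded-production.`));
+ return;
+ }
+ const preset = newConfig.network ? BOUNDED_NETWORKS[newConfig.network] : {};
  clientConfig = Object.assign(Object.assign(Object.assign({}, clientConfig), preset), newConfig);
  isInitialized = true;
  resolve();
@@ -5149,11 +5154,8 @@ async function setMany(many, options) {
  async function handleOffchainTransaction(tx, authProvider, options) {
  var _a, _b, _c, _d, _e, _f;
  const config = await getConfig();
- // 1. Sign the transaction message using mock signing for offchain transactions
- // Use signMessageMock if available (OffchainAuthProvider), otherwise fall back to signMessage
- const signature = authProvider.signMessageMock
- ? await authProvider.signMessageMock(tx.message)
- : await authProvider.signMessage(tx.message);
+ // 1. Sign the transaction message using the provider's canonical signer.
+ // (continues below)
+ const signature = await authProvider.signMessage(tx.message);
  // 2. Create signed transaction
  const signedTx = {
  transaction: tx,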
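Review bot: The network allow-list check added in init() tests `newConfig.network in BOUNDED_NETWORKS`, and `in` also matches inherited property names, so if BOUNDED_NETWORKS is an ordinary object literal (its definition is outside the hunk) a value such as `'constructor'` or `'toString'` passes validation and `preset` becomes an inherited function rather than an endpoint set. Object.assign then copies nothing from it, so the client silently keeps the production endpoints while `clientConfig.network` holds an unsupported string. An own-property test closes the gap: `if (newConfig.network !== undefined && !Object.prototype.hasOwnProperty.call(BOUNDED_NETWORKS, newConfig.network)) {`. The error text also hard-codes the three accepted names; building it from `Object.keys(BOUNDED_NETWORKS)` would keep it in step with the table. init() starts and ends outside the hunk, so whether the new `authMethod: 'none'` default is rejected elsewhere cannot be confirmed from these lines.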