@casfa/client 0.2.0 → 0.3.0

package/dist/store/token-selector.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Token selector — ensures the client has valid auth for API calls.
+ *
+ * The server auto-creates the root delegate on first JWT request,
+ * so the client just needs a valid user JWT. No explicit root delegate
+ * creation step is required.
+ */
+import type { StoredAccessToken } from "../types/tokens.ts";
+import type { TokenStore } from "./token-store.ts";
+export type TokenSelectorConfig = {
+    store: TokenStore;
+    baseUrl: string;
+    realm: string;
+};
+export type TokenSelector = {
+    /**
+     * Get an auth token for realm API calls.
+     *
+     * Returns a StoredAccessToken where `tokenBase64` is the user's JWT.
+     * The server's unified auth middleware detects JWT (contains '.') and
+     * auto-creates the root delegate if needed.
+     */
+    ensureAccessToken: () => Promise<StoredAccessToken | null>;
+};
+/**
+ * Create a token selector instance.
+ */
+export declare const createTokenSelector: (config: TokenSelectorConfig) => TokenSelector;
+//# sourceMappingURL=token-selector.d.ts.map

package/dist/store/token-selector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-selector.d.ts","sourceRoot":"","sources":["../../src/store/token-selector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAE5D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAMnD,MAAM,MAAM,mBAAmB,GAAG;IAChC,KAAK,EAAE,UAAU,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;;;OAMG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAAC;CAC5D,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAAI,QAAQ,mBAAmB,KAAG,aAuBjE,CAAC"}

package/dist/store/token-store.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Token store - manages the two-tier token state.
+ *
+ * Provides a closure-based store for token state management with
+ * automatic persistence and change notifications.
+ */
+import type { OnAuthRequiredCallback, OnTokenChangeCallback, TokenStorageProvider } from "../types/client.ts";
+import type { StoredRootDelegate, StoredUserToken, TokenState } from "../types/tokens.ts";
+export type TokenStore = {
+    /** Get current token state (immutable snapshot) */
+    getState: () => TokenState;
+    /** Set user JWT token */
+    setUser: (token: StoredUserToken | null) => void;
+    /** Set root delegate (RT + AT pair) */
+    setRootDelegate: (delegate: StoredRootDelegate | null) => void;
+    /** Clear all tokens */
+    clear: () => void;
+    /** Initialize from storage provider */
+    initialize: () => Promise<void>;
+};
+export type TokenStoreConfig = {
+    storage?: TokenStorageProvider;
+    onTokenChange?: OnTokenChangeCallback;
+    onAuthRequired?: OnAuthRequiredCallback;
+};
+/**
+ * Create a token store instance.
+ */
+export declare const createTokenStore: (config?: TokenStoreConfig) => TokenStore;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/store/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/store/token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,EACrB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,kBAAkB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAO1F,MAAM,MAAM,UAAU,GAAG;IACvB,mDAAmD;IACnD,QAAQ,EAAE,MAAM,UAAU,CAAC;IAE3B,yBAAyB;IACzB,OAAO,EAAE,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI,KAAK,IAAI,CAAC;IAEjD,uCAAuC;IACvC,eAAe,EAAE,CAAC,QAAQ,EAAE,kBAAkB,GAAG,IAAI,KAAK,IAAI,CAAC;IAE/D,uBAAuB;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAElB,uCAAuC;IACvC,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,CAAC,EAAE,oBAAoB,CAAC;IAC/B,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,cAAc,CAAC,EAAE,sBAAsB,CAAC;CACzC,CAAC;AAMF;;GAEG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAQ,gBAAqB,KAAG,UAiDhE,CAAC"}

package/dist/types/client.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Client configuration and callback types.
+ */
+import type { TokenState } from "./tokens.ts";
+/**
+ * Token storage provider for persistence.
+ * Allows users to persist tokens to localStorage, file, etc.
+ */
+export type TokenStorageProvider = {
+    /** Load persisted token state */
+    load: () => Promise<TokenState | null>;
+    /** Save token state */
+    save: (state: TokenState) => Promise<void>;
+    /** Clear all persisted tokens */
+    clear: () => Promise<void>;
+};
+/**
+ * Callback when token state changes.
+ * Called after any token is added, removed, or refreshed.
+ */
+export type OnTokenChangeCallback = (state: TokenState) => void;
+/**
+ * Callback when authentication is required.
+ * Called when token refresh fails and user needs to re-login.
+ */
+export type OnAuthRequiredCallback = () => void;
+/**
+ * Configuration for creating a CASFA client.
+ */
+export type ClientConfig = {
+    /** Base URL of the CASFA server (e.g., "https://api.casfa.app") */
+    baseUrl: string;
+    /** Realm ID this client operates on (e.g., "usr_abc123") */
+    realm: string;
+    /** Optional token storage provider for persistence */
+    tokenStorage?: TokenStorageProvider;
+    /** Default TTL for auto-issued tokens (seconds). If not set, uses server max. */
+    defaultTokenTtl?: number;
+    /** Callback when token state changes */
+    onTokenChange?: OnTokenChangeCallback;
+    /** Callback when auth is required (refresh failed) */
+    onAuthRequired?: OnAuthRequiredCallback;
+};
+/**
+ * Fetch result type.
+ */
+export type FetchResult<T> = {
+    ok: true;
+    data: T;
+    status: number;
+} | {
+    ok: false;
+    error: ClientError;
+};
+/**
+ * Client error type.
+ */
+export type ClientError = {
+    code: string;
+    message: string;
+    status?: number;
+    details?: unknown;
+};
+//# sourceMappingURL=client.d.ts.map

package/dist/types/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/types/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAM9C;;;GAGG;AACH,MAAM,MAAM,oBAAoB,GAAG;IACjC,iCAAiC;IACjC,IAAI,EAAE,MAAM,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACvC,uBAAuB;IACvB,IAAI,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,iCAAiC;IACjC,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC;AAMF;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,KAAK,EAAE,UAAU,KAAK,IAAI,CAAC;AAEhE;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAAG,MAAM,IAAI,CAAC;AAMhD;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB,mEAAmE;IACnE,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,KAAK,EAAE,MAAM,CAAC;IACd,sDAAsD;IACtD,YAAY,CAAC,EAAE,oBAAoB,CAAC;IACpC,iFAAiF;IACjF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,wCAAwC;IACxC,aAAa,CAAC,EAAE,qBAAqB,CAAC;IACtC,sDAAsD;IACtD,cAAc,CAAC,EAAE,sBAAsB,CAAC;CACzC,CAAC;AAMF;;GAEG;AACH,MAAM,MAAM,WAAW,CAAC,CAAC,IACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,CAAC;AAEtC;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC"}

package/dist/types/index.d.ts

@@ -1,144 +1,7 @@
 /**
- * Token types for the stateful client.
- *
- * Three-tier token hierarchy:
- * - User JWT: OAuth login token, highest authority
- * - Delegate Token: Re-delegation token, can issue child tokens
- * - Access Token: Data access token, used for CAS operations
+ * Type exports for @casfa/client
  */
-/**
- * User JWT token with refresh capability.
- */
-type StoredUserToken = {
-    /** JWT access token */
-    accessToken: string;
-    /** Refresh token for token renewal */
-    refreshToken: string;
-    /** User ID (usr_xxx format) */
-    userId: string;
-    /** Token expiration time (epoch ms) */
-    expiresAt: number;
-};
-/**
- * Delegate Token (re-delegation token).
- */
-type StoredDelegateToken = {
-    /** Token ID (dlt1_xxx format) */
-    tokenId: string;
-    /** Token binary as Base64 */
-    tokenBase64: string;
-    /** Token type: always "delegate" */
-    type: "delegate";
-    /** Issuer ID (usr_xxx or dlt1_xxx) */
-    issuerId: string;
-    /** Token expiration time (epoch ms) */
-    expiresAt: number;
-    /** Whether the token can upload nodes */
-    canUpload: boolean;
-    /** Whether the token can manage depots */
-    canManageDepot: boolean;
-};
-/**
- * Access Token (data access token).
- */
-type StoredAccessToken = {
-    /** Token ID (dlt1_xxx format) */
-    tokenId: string;
-    /** Token binary as Base64 */
-    tokenBase64: string;
-    /** Token type: always "access" */
-    type: "access";
-    /** Issuer ID (usr_xxx or dlt1_xxx) */
-    issuerId: string;
-    /** Token expiration time (epoch ms) */
-    expiresAt: number;
-    /** Whether the token can upload nodes */
-    canUpload: boolean;
-    /** Whether the token can manage depots */
-    canManageDepot: boolean;
-};
-/**
- * Complete token state held by the client.
- */
-type TokenState = {
-    /** User JWT (optional) */
-    user: StoredUserToken | null;
-    /** Delegate Token (optional) */
-    delegate: StoredDelegateToken | null;
-    /** Access Token (optional) */
-    access: StoredAccessToken | null;
-};
-/**
- * Empty token state.
- */
-declare const emptyTokenState: () => TokenState;
-/**
- * Token requirement for API calls.
- */
-type TokenRequirement = "none" | "user" | "delegate" | "access";
-
-/**
- * Client configuration and callback types.
- */
-
-/**
- * Token storage provider for persistence.
- * Allows users to persist tokens to localStorage, file, etc.
- */
-type TokenStorageProvider = {
-    /** Load persisted token state */
-    load: () => Promise<TokenState | null>;
-    /** Save token state */
-    save: (state: TokenState) => Promise<void>;
-    /** Clear all persisted tokens */
-    clear: () => Promise<void>;
-};
-/**
- * Callback when token state changes.
- * Called after any token is added, removed, or refreshed.
- */
-type OnTokenChangeCallback = (state: TokenState) => void;
-/**
- * Callback when authentication is required.
- * Called when token refresh fails and user needs to re-login.
- */
-type OnAuthRequiredCallback = () => void;
-/**
- * Configuration for creating a CASFA client.
- */
-type ClientConfig = {
-    /** Base URL of the CASFA server (e.g., "https://api.casfa.app") */
-    baseUrl: string;
-    /** Realm ID this client operates on (e.g., "usr_abc123") */
-    realm: string;
-    /** Optional token storage provider for persistence */
-    tokenStorage?: TokenStorageProvider;
-    /** Default TTL for auto-issued tokens (seconds). If not set, uses server max. */
-    defaultTokenTtl?: number;
-    /** Callback when token state changes */
-    onTokenChange?: OnTokenChangeCallback;
-    /** Callback when auth is required (refresh failed) */
-    onAuthRequired?: OnAuthRequiredCallback;
-};
-/**
- * Fetch result type.
- */
-type FetchResult<T> = {
-    ok: true;
-    data: T;
-    status: number;
-} | {
-    ok: false;
-    error: ClientError;
-};
-/**
- * Client error type.
- */
-type ClientError = {
-    code: string;
-    message: string;
-    status?: number;
-    details?: unknown;
-};
-
-export { type ClientConfig, type ClientError, type FetchResult, type OnAuthRequiredCallback, type OnTokenChangeCallback, type StoredAccessToken, type StoredDelegateToken, type StoredUserToken, type TokenRequirement, type TokenState, type TokenStorageProvider, emptyTokenState };
+export type { ClientConfig, ClientError, FetchResult, OnAuthRequiredCallback, OnTokenChangeCallback, TokenStorageProvider, } from "./client.ts";
+export type { StoredAccessToken, StoredRootDelegate, StoredUserToken, TokenRequirement, TokenState, } from "./tokens.ts";
+export { emptyTokenState } from "./tokens.ts";
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,YAAY,EACV,YAAY,EACZ,WAAW,EACX,WAAW,EACX,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB,YAAY,EACV,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,UAAU,GACX,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC"}

package/dist/types/index.js

@@ -1,10 +1,21 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+
 // src/types/tokens.ts
 var emptyTokenState = () => ({
   user: null,
-  delegate: null,
-  access: null
+  rootDelegate: null
 });
 export {
   emptyTokenState
 };
-//# sourceMappingURL=index.js.map
+
+//# debugId=A0C6D6CF107A032564756E2164756E21

package/dist/types/index.js.map

@@ -1 +1,10 @@
-{"version":3,"sources":["../../src/types/tokens.ts"],"sourcesContent":["/**\n * Token types for the stateful client.\n *\n * Three-tier token hierarchy:\n * - User JWT: OAuth login token, highest authority\n * - Delegate Token: Re-delegation token, can issue child tokens\n * - Access Token: Data access token, used for CAS operations\n */\n\n// ============================================================================\n// Stored Token Types\n// ============================================================================\n\n/**\n * User JWT token with refresh capability.\n */\nexport type StoredUserToken = {\n  /** JWT access token */\n  accessToken: string;\n  /** Refresh token for token renewal */\n  refreshToken: string;\n  /** User ID (usr_xxx format) */\n  userId: string;\n  /** Token expiration time (epoch ms) */\n  expiresAt: number;\n};\n\n/**\n * Delegate Token (re-delegation token).\n */\nexport type StoredDelegateToken = {\n  /** Token ID (dlt1_xxx format) */\n  tokenId: string;\n  /** Token binary as Base64 */\n  tokenBase64: string;\n  /** Token type: always \"delegate\" */\n  type: \"delegate\";\n  /** Issuer ID (usr_xxx or dlt1_xxx) */\n  issuerId: string;\n  /** Token expiration time (epoch ms) */\n  expiresAt: number;\n  /** Whether the token can upload nodes */\n  canUpload: boolean;\n  /** Whether the token can manage depots */\n  canManageDepot: boolean;\n};\n\n/**\n * Access Token (data access token).\n */\nexport type StoredAccessToken = {\n  /** Token ID (dlt1_xxx format) */\n  tokenId: string;\n  /** Token binary as Base64 */\n  tokenBase64: string;\n  /** Token type: always \"access\" */\n  type: \"access\";\n  /** Issuer ID (usr_xxx or dlt1_xxx) */\n  issuerId: string;\n  /** Token expiration time (epoch ms) */\n  expiresAt: number;\n  /** Whether the token can upload nodes */\n  canUpload: boolean;\n  /** Whether the token can manage depots */\n  canManageDepot: boolean;\n};\n\n/**\n * Complete token state held by the client.\n */\nexport type TokenState = {\n  /** User JWT (optional) */\n  user: StoredUserToken | null;\n  /** Delegate Token (optional) */\n  delegate: StoredDelegateToken | null;\n  /** Access Token (optional) */\n  access: StoredAccessToken | null;\n};\n\n/**\n * Empty token state.\n */\nexport const emptyTokenState = (): TokenState => ({\n  user: null,\n  delegate: null,\n  access: null,\n});\n\n// ============================================================================\n// Token Requirement Types\n// ============================================================================\n\n/**\n * Token requirement for API calls.\n */\nexport type TokenRequirement = \"none\" | \"user\" | \"delegate\" | \"access\";\n\n/**\n * Auth header format.\n */\nexport type AuthHeader = {\n  Authorization: string;\n};\n\n/**\n * Get issuer ID from current state (for signing new tokens).\n * Priority: User JWT > Delegate Token\n */\nexport const getMaxIssuerId = (state: TokenState): string | null => {\n  if (state.user) {\n    return state.user.userId;\n  }\n  if (state.delegate) {\n    return state.delegate.tokenId;\n  }\n  return null;\n};\n\n/**\n * Check if Access Token was issued by the current max issuer.\n */\nexport const isAccessTokenFromMaxIssuer = (state: TokenState): boolean => {\n  if (!state.access) return false;\n\n  const maxIssuerId = getMaxIssuerId(state);\n  if (!maxIssuerId) return false;\n\n  return state.access.issuerId === maxIssuerId;\n};\n\n/**\n * Check if Delegate Token was issued by current user.\n */\nexport const isDelegateTokenFromCurrentUser = (state: TokenState): boolean => {\n  if (!state.delegate || !state.user) return false;\n  return state.delegate.issuerId === state.user.userId;\n};\n"],"mappings":";AAkFO,IAAM,kBAAkB,OAAmB;AAAA,EAChD,MAAM;AAAA,EACN,UAAU;AAAA,EACV,QAAQ;AACV;","names":[]}
+{
+  "version": 3,
+  "sources": ["../src/types/tokens.ts"],
+  "sourcesContent": [
+    "/**\n * Token types for the stateful client.\n *\n * Two-tier hierarchy:\n * - User JWT: OAuth login token, highest authority, used for all root operations\n * - Root Delegate: metadata-only entity (no RT/AT), anchor of the delegate tree\n *\n * Root operations use JWT directly via the server's unified auth middleware.\n * Child delegates (created via Delegate API) use their own AT/RT pairs.\n */\n\n// ============================================================================\n// Stored Token Types\n// ============================================================================\n\n/**\n * User JWT token with refresh capability.\n */\nexport type StoredUserToken = {\n  /** JWT access token */\n  accessToken: string;\n  /** Refresh token for token renewal */\n  refreshToken: string;\n  /** User ID (usr_xxx format) */\n  userId: string;\n  /** Token expiration time (epoch ms) */\n  expiresAt: number;\n};\n\n/**\n * Root Delegate metadata (no RT/AT — root uses JWT directly).\n *\n * Auto-created by the server's auth middleware on first JWT request.\n * All root realm operations use the user's JWT as the Bearer token;\n * the server's unified auth middleware resolves the root delegate automatically.\n */\nexport type StoredRootDelegate = {\n  /** Delegate entity ID */\n  delegateId: string;\n  /** Realm this delegate belongs to */\n  realm: string;\n  /** Delegate depth (0 = root) */\n  depth: number;\n  /** Whether the delegate can upload nodes */\n  canUpload: boolean;\n  /** Whether the delegate can manage depots */\n  canManageDepot: boolean;\n};\n\n/**\n * Complete token state held by the client.\n */\nexport type TokenState = {\n  /** User JWT (optional) */\n  user: StoredUserToken | null;\n  /** Root Delegate metadata (optional) */\n  rootDelegate: StoredRootDelegate | null;\n};\n\n/**\n * Empty token state.\n */\nexport const emptyTokenState = (): TokenState => ({\n  user: null,\n  rootDelegate: null,\n});\n\n// ============================================================================\n// Token Requirement Types\n// ============================================================================\n\n/**\n * Token requirement for API calls.\n */\nexport type TokenRequirement = \"none\" | \"user\" | \"access\";\n\n/**\n * Auth header format.\n */\nexport type AuthHeader = {\n  Authorization: string;\n};\n\n// ============================================================================\n// Access Token View (for client module API surface)\n// ============================================================================\n\n/**\n * Stored Access Token — used by client methods for API calls.\n *\n * In root mode: `tokenBase64` is the user's JWT string, `tokenBytes` is empty.\n * In child delegate mode: `tokenBase64` is AT base64, `tokenBytes` is raw AT bytes.\n *\n * The server's unified auth middleware detects JWT vs AT automatically.\n */\nexport type StoredAccessToken = {\n  /** Token string (JWT or AT base64) to use in Authorization: Bearer header */\n  tokenBase64: string;\n  /** Raw token bytes (empty for JWT mode, 32 bytes for AT mode) */\n  tokenBytes: Uint8Array;\n  /** Token expiration time (epoch ms) */\n  expiresAt: number;\n  /** Whether the delegate can upload nodes */\n  canUpload: boolean;\n  /** Whether the delegate can manage depots */\n  canManageDepot: boolean;\n};\n"
+  ],
+  "mappings": ";;;;;;;;;;;;AA8DO,IAAM,kBAAkB,OAAmB;AAAA,EAChD,MAAM;AAAA,EACN,cAAc;AAChB;",
+  "debugId": "A0C6D6CF107A032564756E2164756E21",
+  "names": []
+}

package/dist/types/tokens.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Token types for the stateful client.
+ *
+ * Two-tier hierarchy:
+ * - User JWT: OAuth login token, highest authority, used for all root operations
+ * - Root Delegate: metadata-only entity (no RT/AT), anchor of the delegate tree
+ *
+ * Root operations use JWT directly via the server's unified auth middleware.
+ * Child delegates (created via Delegate API) use their own AT/RT pairs.
+ */
+/**
+ * User JWT token with refresh capability.
+ */
+export type StoredUserToken = {
+    /** JWT access token */
+    accessToken: string;
+    /** Refresh token for token renewal */
+    refreshToken: string;
+    /** User ID (usr_xxx format) */
+    userId: string;
+    /** Token expiration time (epoch ms) */
+    expiresAt: number;
+};
+/**
+ * Root Delegate metadata (no RT/AT — root uses JWT directly).
+ *
+ * Auto-created by the server's auth middleware on first JWT request.
+ * All root realm operations use the user's JWT as the Bearer token;
+ * the server's unified auth middleware resolves the root delegate automatically.
+ */
+export type StoredRootDelegate = {
+    /** Delegate entity ID */
+    delegateId: string;
+    /** Realm this delegate belongs to */
+    realm: string;
+    /** Delegate depth (0 = root) */
+    depth: number;
+    /** Whether the delegate can upload nodes */
+    canUpload: boolean;
+    /** Whether the delegate can manage depots */
+    canManageDepot: boolean;
+};
+/**
+ * Complete token state held by the client.
+ */
+export type TokenState = {
+    /** User JWT (optional) */
+    user: StoredUserToken | null;
+    /** Root Delegate metadata (optional) */
+    rootDelegate: StoredRootDelegate | null;
+};
+/**
+ * Empty token state.
+ */
+export declare const emptyTokenState: () => TokenState;
+/**
+ * Token requirement for API calls.
+ */
+export type TokenRequirement = "none" | "user" | "access";
+/**
+ * Auth header format.
+ */
+export type AuthHeader = {
+    Authorization: string;
+};
+/**
+ * Stored Access Token — used by client methods for API calls.
+ *
+ * In root mode: `tokenBase64` is the user's JWT string, `tokenBytes` is empty.
+ * In child delegate mode: `tokenBase64` is AT base64, `tokenBytes` is raw AT bytes.
+ *
+ * The server's unified auth middleware detects JWT vs AT automatically.
+ */
+export type StoredAccessToken = {
+    /** Token string (JWT or AT base64) to use in Authorization: Bearer header */
+    tokenBase64: string;
+    /** Raw token bytes (empty for JWT mode, 32 bytes for AT mode) */
+    tokenBytes: Uint8Array;
+    /** Token expiration time (epoch ms) */
+    expiresAt: number;
+    /** Whether the delegate can upload nodes */
+    canUpload: boolean;
+    /** Whether the delegate can manage depots */
+    canManageDepot: boolean;
+};
+//# sourceMappingURL=tokens.d.ts.map

package/dist/types/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../src/types/tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B,uBAAuB;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B,yBAAyB;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,gCAAgC;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,0BAA0B;IAC1B,IAAI,EAAE,eAAe,GAAG,IAAI,CAAC;IAC7B,wCAAwC;IACxC,YAAY,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACzC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,QAAO,UAGjC,CAAC;AAMH;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAMF;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,6EAA6E;IAC7E,WAAW,EAAE,MAAM,CAAC;IACpB,iEAAiE;IACjE,UAAU,EAAE,UAAU,CAAC;IACvB,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC"}

package/dist/utils/http.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Fetch utilities for the stateful client.
+ */
+import type { ClientError, FetchResult } from "../types/client.ts";
+/**
+ * Map HTTP status to error code.
+ */
+export declare const statusToErrorCode: (status: number) => string;
+/**
+ * Create error from HTTP response.
+ */
+export declare const createErrorFromResponse: (response: Response) => Promise<ClientError>;
+/**
+ * Create a network error.
+ */
+export declare const createNetworkError: (err: unknown) => ClientError;
+export type FetchOptions = {
+    method?: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    headers?: Record<string, string>;
+    body?: unknown;
+    /** Expected response type */
+    responseType?: "json" | "blob" | "text" | "none";
+};
+/**
+ * Make a fetch request with error handling.
+ */
+export declare const fetchApi: <T>(url: string, options?: FetchOptions) => Promise<FetchResult<T>>;
+/**
+ * Make an authenticated fetch request.
+ */
+export declare const fetchWithAuth: <T>(url: string, authHeader: string | null, options?: FetchOptions) => Promise<FetchResult<T>>;
+//# sourceMappingURL=http.d.ts.map

package/dist/utils/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/utils/http.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAMnE;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,KAAG,MAkBlD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,GAAU,UAAU,QAAQ,KAAG,OAAO,CAAC,WAAW,CA+BrF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAAI,KAAK,OAAO,KAAG,WAIhD,CAAC;AAMH,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,6BAA6B;IAC7B,YAAY,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;CAClD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,QAAQ,GAAU,CAAC,EAC9B,KAAK,MAAM,EACX,UAAS,YAAiB,KACzB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CA2CxB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,GAAU,CAAC,EACnC,KAAK,MAAM,EACX,YAAY,MAAM,GAAG,IAAI,EACzB,UAAS,YAAiB,KACzB,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAQxB,CAAC"}

package/package.json

@@ -1,20 +1,23 @@
 {
   "name": "@casfa/client",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "CASFA client library with unified authorization strategies",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
+      "bun": "./src/index.ts",
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
     "./types": {
+      "bun": "./src/types/index.ts",
       "types": "./dist/types/index.d.ts",
       "import": "./dist/types/index.js"
     },
     "./api": {
+      "bun": "./src/api/index.ts",
       "types": "./dist/api/index.d.ts",
       "import": "./dist/api/index.js"
     }
@@ -23,8 +26,9 @@
     "dist"
   ],
   "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
+    "build": "bun ../../scripts/build-pkg.ts",
+    "test": "bun run test:unit",
+    "test:unit": "bun test src/",
     "typecheck": "tsc --noEmit",
     "lint": "biome check .",
     "lint:fix": "biome check --write .",