@cubist-labs/cubesigner-sdk 0.2.28 → 0.3.8

package/package.json

@@ -1,68 +1,41 @@
 {
   "name": "@cubist-labs/cubesigner-sdk",
-  "author": "Cubist, Inc.",
-  "version": "0.2.28",
+  "version": "0.3.8",
   "description": "CubeSigner TypeScript SDK",
-  "homepage": "https://github.com/cubist-labs/CubeSigner-TypeScript-SDK",
-  "bugs": "https://github.com/cubist-labs/CubeSigner-TypeScript-SDK/issues",
   "license": "MIT OR Apache-2.0",
+  "author": "Cubist, Inc.",
+  "main": "dist/cjs/src/index.js",
   "files": [
     "tsconfig.json",
     "src/**",
     "dist/**",
-    "NOTICE",
-    "LICENSE-APACHE",
-    "LICENSE-MIT"
+    "../..NOTICE",
+    "../..LICENSE-APACHE",
+    "../..LICENSE-MIT"
   ],
-  "main": "dist/src/index.js",
-  "types": "dist/src/index.d.ts",
+  "exports": {
+    "require": "./dist/cjs/src/index.js",
+    "import": "./dist/esm/src/index.js"
+  },
   "scripts": {
-    "build": "tsc",
+    "build": "npm run build:cjs && npm run build:mjs",
+    "prepack": "npm run build",
+    "build:cjs": "tsc -p . --outDir dist/cjs --module commonjs --moduleResolution node",
+    "build:mjs": "tsc -p . --outDir dist/esm --module es2022",
+    "gen-schema": "openapi-typescript ./spec/openapi.json --output ./src/schema.ts",
     "test": "jest --maxWorkers=1",
-    "prepack": "tsc",
-    "typedoc": "typedoc",
-    "fix": "eslint . --ext .ts --fix",
-    "lint": "eslint . --ext .ts",
-    "fmt": "prettier --write .",
-    "fmt-check": "prettier --check .",
-    "gen-schema": "npx openapi-typescript ./spec/openapi.json --output ./src/schema.ts"
+    "typedoc": "typedoc"
   },
   "dependencies": {
-    "ethers": "6.7.1",
     "openapi-fetch": "0.6.1"
   },
-  "devDependencies": {
-    "@hpke/core": "^1.2.5",
-    "@types/chai": "^4.3.11",
-    "@types/chai-as-promised": "^7.1.8",
-    "@types/jest": "^29.5.10",
-    "@types/node": "^20.10.4",
-    "@types/node-fetch": "^2.6.9",
-    "@types/tmp": "^0.2.6",
-    "@typescript-eslint/eslint-plugin": "^6.13.2",
-    "chai": "^4.3.10",
-    "chai-as-promised": "^7.1.1",
-    "dotenv": "^16.3.1",
-    "eslint": "^8.55.0",
-    "eslint-config-google": "^0.14.0",
-    "eslint-config-prettier": "^9.1.0",
-    "jest": "^29.7.0",
-    "openapi-typescript": "^6.7.1",
-    "otplib": "^12.0.1",
-    "prettier": "3.1.1",
-    "tmp": "^0.2.1",
-    "ts-jest": "^29.1.0",
-    "ts-node": "^10.9.1",
-    "typescript": "^5.3.3"
-  },
   "optionalDependencies": {
-    "@aws-sdk/client-cognito-identity-provider": "^3.470.0",
     "@hpke/core": "^1.2.5"
   },
-  "prettier": {
-    "printWidth": 100
-  },
   "engines": {
     "node": ">=18.0.0"
+  },
+  "directories": {
+    "test": "test"
   }
 }

package/src/api.ts

@@ -17,6 +17,7 @@ import {
   KeyInRoleInfo,
   KeyInfoApi,
   ListKeysResponse,
+  ListKeyRolesResponse,
   ListRoleKeysResponse,
   ListRoleUsersResponse,
   ListRolesResponse,
@@ -34,6 +35,9 @@ import {
   SessionInfo,
   OrgInfo,
   RatchetConfig,
+  Eip191SignRequest,
+  Eip712SignRequest,
+  Eip191Or712SignResponse,
   EvmSignRequest,
   EvmSignResponse,
   Eth2SignRequest,
@@ -52,11 +56,13 @@ import {
   AvaSignRequest,
   AvaTx,
   MfaRequestInfo,
+  MfaVote,
   MemberRole,
   UserExportCompleteResponse,
   UserExportInitResponse,
   UserExportListResponse,
   Empty,
+  ErrorResponse,
 } from "./schema_types";
 import { encodeToBase64 } from "./util";
 import { AddFidoChallenge, MfaFidoChallenge, MfaReceipt, TotpChallenge } from "./mfa";
@@ -66,9 +72,9 @@ import { Key, KeyType } from "./key";
 import { Page, PageOpts, PageQueryArgs, Paginator } from "./paginator";
 import { KeyPolicy } from "./role";
 import { EnvInterface } from "./env";
-import { NAME, VERSION } from ".";
 import { loadSubtleCrypto } from "./user_export";
 import { EventEmitter } from "./events";
+import { NAME, VERSION } from "./index";
 
 /** @internal */
 export type Client = ReturnType<typeof createClient<paths>>;
@@ -147,14 +153,16 @@ export class OpClient<Op extends keyof operations> {
    */
   private async assertOk<T>(resp: FetchResponse<T>): Promise<FetchResponseSuccessData<T>> {
     if (resp.error) {
+      const errResp = resp.error as unknown as ErrorResponse | undefined;
       const error = new ErrResponse({
         operation: this.op,
-        message: (resp.error as any).message, // eslint-disable-line @typescript-eslint/no-explicit-any
+        message: errResp?.message,
         statusText: resp.response?.statusText,
         status: resp.response?.status,
         url: resp.response?.url,
+        errorCode: errResp?.error_code,
       });
-      this.#eventEmitter.classifyAndEmitError(error);
+      await this.#eventEmitter.classifyAndEmitError(error);
       throw error;
     }
     if (resp.data === undefined) {
@@ -225,9 +233,11 @@ export class OpClient<Op extends keyof operations> {
 export function createHttpClient(baseUrl: string, authToken: string): Client {
   return createClient<paths>({
     baseUrl,
+    cache: "no-store",
     headers: {
       Authorization: authToken,
       ["User-Agent"]: `${NAME}@${VERSION}`,
+      ["X-Cubist-Ts-Sdk"]: `${NAME}@${VERSION}`,
     },
   });
 }
@@ -572,6 +582,31 @@ export class CubeSignerApi {
     });
   }
 
+  /**
+   * List all roles a key is in.
+   *
+   * @param {string} keyId The id of the key to get.
+   * @param {PageOpts} page Pagination options. Defaults to fetching the entire result set.
+   * @return {Paginator<ListKeyRolesResponse, KeyInRoleInfo>} Paginator for iterating over the roles a key is in.
+   */
+  keyRolesList(keyId: string, page?: PageOpts): Paginator<ListKeyRolesResponse, KeyInRoleInfo> {
+    const listFn = async (query: PageQueryArgs) => {
+      const client = await this.client("listKeyRoles");
+      return await client.get("/v0/org/{org_id}/keys/{key_id}/roles", {
+        params: {
+          path: { org_id: this.orgId, key_id: keyId },
+          query,
+        },
+      });
+    };
+    return new Paginator(
+      page ?? Page.default(),
+      listFn,
+      (r) => r.roles,
+      (r) => r.last_evaluated_key,
+    );
+  }
+
   /**
    * Update key.
    * @param {string} keyId The ID of the key to update.
@@ -819,7 +854,7 @@ export class CubeSignerApi {
 
   // #endregion
 
-  // #region ROLE USERS: roleUserAdd, roleUsersList
+  // #region ROLE USERS: roleUserAdd, roleUserRemove, roleUsersList
 
   /**
    * Add an existing user to an existing role.
@@ -834,6 +869,19 @@ export class CubeSignerApi {
     });
   }
 
+  /**
+   * Remove an existing user from an existing role.
+   *
+   * @param {string} roleId The ID of the role.
+   * @param {string} userId The ID of the user to remove from the role.
+   */
+  async roleUserRemove(roleId: string, userId: string) {
+    const client = await this.client("removeUserFromRole");
+    await client.del("/v0/org/{org_id}/roles/{role_id}/users/{user_id}", {
+      params: { path: { org_id: this.orgId, role_id: roleId, user_id: userId } },
+    });
+  }
+
   /**
    * List all users in a role.
    *
@@ -1059,29 +1107,31 @@ export class CubeSignerApi {
   }
 
   /**
-   * Approve a pending MFA request using the current session.
+   * Approve or reject a pending MFA request using the current session.
    *
    * @param {string} mfaId The id of the MFA request
+   * @param {MfaVote} mfaVote Approve or reject the MFA request
    * @return {Promise<MfaRequestInfo>} The result of the MFA request
    */
-  async mfaApprove(mfaId: string): Promise<MfaRequestInfo> {
-    const client = await this.client("mfaApproveCs");
+  async mfaVoteCs(mfaId: string, mfaVote: MfaVote): Promise<MfaRequestInfo> {
+    const client = await this.client("mfaVoteCs");
     return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}", {
-      params: { path: { org_id: this.orgId, mfa_id: mfaId } },
+      params: { path: { org_id: this.orgId, mfa_id: mfaId }, query: { mfa_vote: mfaVote } },
     });
   }
 
   /**
-   * Approve a pending MFA request using TOTP.
+   * Approve or reject a pending MFA request using TOTP.
    *
-   * @param {string} mfaId The MFA request to approve
+   * @param {string} mfaId The ID of the MFA request
    * @param {string} code The TOTP code
+   * @param {MfaVote} mfaVote Approve or reject the MFA request
    * @return {Promise<MfaRequestInfo>} The current status of the MFA request
    */
-  async mfaApproveTotp(mfaId: string, code: string): Promise<MfaRequestInfo> {
-    const client = await this.client("mfaApproveTotp");
+  async mfaVoteTotp(mfaId: string, code: string, mfaVote: MfaVote): Promise<MfaRequestInfo> {
+    const client = await this.client("mfaVoteTotp");
     return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/totp", {
-      params: { path: { org_id: this.#orgId, mfa_id: mfaId } },
+      params: { path: { org_id: this.#orgId, mfa_id: mfaId }, query: { mfa_vote: mfaVote } },
       body: { code },
     });
   }
@@ -1093,8 +1143,8 @@ export class CubeSignerApi {
    * @param {string} mfaId The MFA request ID.
    * @return {Promise<MfaFidoChallenge>} A challenge that needs to be answered to complete the approval.
    */
-  async mfaApproveFidoInit(mfaId: string): Promise<MfaFidoChallenge> {
-    const client = await this.client("mfaApproveFido");
+  async mfaFidoInit(mfaId: string): Promise<MfaFidoChallenge> {
+    const client = await this.client("mfaFidoInit");
     const challenge = await client.post("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
       params: { path: { org_id: this.orgId, mfa_id: mfaId } },
     });
@@ -1102,24 +1152,26 @@ export class CubeSignerApi {
   }
 
   /**
-   * Complete a previously initiated (via {@link mfaApproveFidoInit}) MFA request approval using FIDO.
+   * Complete a previously initiated (via {@link mfaApproveFidoInit}) MFA request using FIDO.
    *
    * Instead of calling this method directly, prefer {@link MfaFidoChallenge.answer} or
    * {@link MfaFidoChallenge.createCredentialAndAnswer}.
    *
    * @param {string} mfaId The MFA request ID
+   * @param {MfaVote} mfaVote Approve or reject the MFA request
    * @param {string} challengeId The ID of the challenge issued by {@link mfaApproveFidoInit}
    * @param {PublicKeyCredential} credential The answer to the challenge
    * @return {Promise<MfaRequestInfo>} The current status of the MFA request.
    */
-  async mfaApproveFidoComplete(
+  async mfaVoteFidoComplete(
     mfaId: string,
+    mfaVote: MfaVote,
     challengeId: string,
     credential: PublicKeyCredential,
   ): Promise<MfaRequestInfo> {
-    const client = await this.client("mfaApproveFidoComplete");
+    const client = await this.client("mfaVoteFidoComplete");
     return await client.patch("/v0/org/{org_id}/mfa/{mfa_id}/fido", {
-      params: { path: { org_id: this.orgId, mfa_id: mfaId } },
+      params: { path: { org_id: this.orgId, mfa_id: mfaId }, query: { mfa_vote: mfaVote } },
       body: {
         challenge_id: challengeId,
         credential,
@@ -1155,6 +1207,64 @@ export class CubeSignerApi {
     return await CubeSignerResponse.create(signFn, mfaReceipt);
   }
 
+  /**
+   * Sign EIP-191 typed data.
+   *
+   * This requires the key to have a '"AllowEip191Signing"' {@link KeyPolicy}.
+   *
+   * @param {Key | string} key The key to sign with (either {@link Key} or its material ID).
+   * @param {BlobSignRequest} req What to sign
+   * @param {MfaReceipt} mfaReceipt Optional MFA receipt
+   * @return {Promise<EvmSignResponse | AcceptedResponse>} Signature (or MFA approval request).
+   */
+  async signEip191(
+    key: Key | string,
+    req: Eip191SignRequest,
+    mfaReceipt?: MfaReceipt,
+  ): Promise<CubeSignerResponse<Eip191Or712SignResponse>> {
+    const pubkey = typeof key === "string" ? (key as string) : key.materialId;
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("eip191Sign");
+      return await client.post("/v0/org/{org_id}/evm/eip191/sign/{pubkey}", {
+        params: {
+          path: { org_id: this.orgId, pubkey },
+        },
+        body: req,
+        headers,
+      });
+    };
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
+  }
+
+  /**
+   * Sign EIP-712 typed data.
+   *
+   * This requires the key to have a '"AllowEip712Signing"' {@link KeyPolicy}.
+   *
+   * @param {Key | string} key The key to sign with (either {@link Key} or its material ID).
+   * @param {BlobSignRequest} req What to sign
+   * @param {MfaReceipt} mfaReceipt Optional MFA receipt
+   * @return {Promise<EvmSignResponse | AcceptedResponse>} Signature (or MFA approval request).
+   */
+  async signEip712(
+    key: Key | string,
+    req: Eip712SignRequest,
+    mfaReceipt?: MfaReceipt,
+  ): Promise<CubeSignerResponse<Eip191Or712SignResponse>> {
+    const pubkey = typeof key === "string" ? (key as string) : key.materialId;
+    const signFn = async (headers?: HeadersInit) => {
+      const client = await this.client("eip712Sign");
+      return await client.post("/v0/org/{org_id}/evm/eip712/sign/{pubkey}", {
+        params: {
+          path: { org_id: this.orgId, pubkey },
+        },
+        body: req,
+        headers,
+      });
+    };
+    return await CubeSignerResponse.create(signFn, mfaReceipt);
+  }
+
   /**
    * Sign an Eth2/Beacon-chain validation message.
    *
@@ -1457,6 +1567,22 @@ export class CubeSignerApi {
     return await CubeSignerResponse.create(completeFn, mfaReceipt);
   }
   // #endregion
+
+  // #region MISC: heartbeat()
+  /**
+   * Send a heartbeat / upcheck request.
+   *
+   * @return { Promise<void> } The response.
+   */
+  async heartbeat(): Promise<void> {
+    const client = await this.client("cube3signerHeartbeat");
+    await client.post("/v1/org/{org_id}/cube3signer/heartbeat", {
+      params: {
+        path: { org_id: this.orgId },
+      },
+    });
+  }
+  // #endregion
 }
 
 /**

package/src/client.ts

@@ -1,8 +1,7 @@
 import { SignerSessionManager, SignerSessionStorage } from "./session/signer_session_manager";
-import { CognitoSessionManager } from "./session/cognito_manager";
 import { CubeSignerApi, OidcClient } from "./api";
 import { KeyType, Key } from "./key";
-import { OrgInfo, RatchetConfig } from "./schema_types";
+import { MfaRequestInfo, OrgInfo, PublicKeyCredential, RatchetConfig } from "./schema_types";
 import { MfaReceipt } from "./mfa";
 import { PageOpts } from "./paginator";
 import { Role } from "./role";
@@ -49,15 +48,20 @@ export class CubeSignerClient extends CubeSignerApi {
   /**
    * Loads an existing management session and creates a {@link CubeSignerClient} instance.
    *
+   * @param {SignerSessionStorage} storage Storage from which to load the session
    * @return {Promise<CubeSignerClient>} New CubeSigner instance
    */
-  static async loadManagementSession(): Promise<CubeSignerClient> {
-    const mgr = await CognitoSessionManager.loadManagementSession();
-    // HACK: Ignore that sessionMgr may be a CognitoSessionManager and pretend that it
-    //       is a SignerSessionManager; that's fine because the CubeSignerClient will
-    //       almost always just call `await token()` on it, which works in both cases.
-    // NOTE: This will go away once `cs login` starts producing signer sessions.
-    return new CubeSignerClient(mgr as unknown as SignerSessionManager);
+  static async loadManagementSession(storage: SignerSessionStorage): Promise<CubeSignerClient> {
+    // Throw and actionable error if the management session file contains a Cognito session
+    const session = await storage.retrieve();
+    if ((session as unknown as { id_token: string }).id_token) {
+      throw new Error(
+        `It appears that the storage contains the old (Cognito) session; please update your session by updating your 'cs' to version 'v0.37.0' or later and then running 'cs login'`,
+      );
+    }
+
+    const mgr = await SignerSessionManager.loadFromStorage(storage);
+    return new CubeSignerClient(mgr);
   }
 
   /**
@@ -274,6 +278,26 @@ export class CubeSignerClient extends CubeSignerApi {
     return this.orgUsersList.bind(this);
   }
 
+  /**
+   * Approve a pending MFA request using the current session.
+   *
+   * @param {string} mfaId The id of the MFA request
+   * @return {Promise<MfaRequestInfo>} The result of the MFA request
+   */
+  async mfaApprove(mfaId: string): Promise<MfaRequestInfo> {
+    return await this.mfaVoteCs(mfaId, "approve");
+  }
+
+  /**
+   * Reject a pending MFA request using the current session.
+   *
+   * @param {string} mfaId The id of the MFA request
+   * @return {Promise<MfaRequestInfo>} The result of the MFA request
+   */
+  async mfaReject(mfaId: string): Promise<MfaRequestInfo> {
+    return await this.mfaVoteCs(mfaId, "reject");
+  }
+
   /**
    * Approve a pending MFA request.
    *
@@ -283,6 +307,28 @@ export class CubeSignerClient extends CubeSignerApi {
     return this.mfaApprove.bind(this);
   }
 
+  /**
+   * Approve a pending MFA request using TOTP.
+   *
+   * @param {string} mfaId The MFA request to approve
+   * @param {string} code The TOTP code
+   * @return {Promise<MfaRequestInfo>} The current status of the MFA request
+   */
+  async mfaApproveTotp(mfaId: string, code: string): Promise<MfaRequestInfo> {
+    return await this.mfaVoteTotp(mfaId, code, "approve");
+  }
+
+  /**
+   * Reject a pending MFA request using TOTP.
+   *
+   * @param {string} mfaId The MFA request to reject
+   * @param {string} code The TOTP code
+   * @return {Promise<MfaRequestInfo>} The current status of the MFA request
+   */
+  async mfaRejectTotp(mfaId: string, code: string): Promise<MfaRequestInfo> {
+    return await this.mfaVoteTotp(mfaId, code, "reject");
+  }
+
   /**
    * Approve a pending MFA request using TOTP.
    *
@@ -292,6 +338,18 @@ export class CubeSignerClient extends CubeSignerApi {
     return this.mfaApproveTotp.bind(this);
   }
 
+  /**
+   * Initiate approval of an existing MFA request using FIDO.
+   *
+   * Returns a {@link MfaFidoChallenge} that must be answered by calling
+   * {@link MfaFidoChallenge.answer} or {@link fidoApproveComplete}.
+   *
+   * Same as {@link mfaApproveFidoInit}
+   */
+  get fidoApproveFidoInit() {
+    return this.mfaFidoInit.bind(this);
+  }
+
   /**
    * Initiate approval of an existing MFA request using FIDO.
    *
@@ -301,7 +359,45 @@ export class CubeSignerClient extends CubeSignerApi {
    * Same as {@link mfaApproveFidoInit}
    */
   get fidoApproveStart() {
-    return this.mfaApproveFidoInit.bind(this);
+    return this.mfaFidoInit.bind(this);
+  }
+
+  /**
+   * Approve a previously initiated (via {@link mfaApproveFidoInit}) MFA request using FIDO.
+   *
+   * Instead of calling this method directly, prefer {@link MfaFidoChallenge.answer} or
+   * {@link MfaFidoChallenge.createCredentialAndAnswer}.
+   *
+   * @param {string} mfaId The MFA request ID
+   * @param {string} challengeId The ID of the challenge issued by {@link mfaApproveFidoInit}
+   * @param {PublicKeyCredential} credential The answer to the challenge
+   * @return {Promise<MfaRequestInfo>} The current status of the MFA request.
+   */
+  async mfaApproveFidoComplete(
+    mfaId: string,
+    challengeId: string,
+    credential: PublicKeyCredential,
+  ): Promise<MfaRequestInfo> {
+    return await this.mfaVoteFidoComplete(mfaId, "approve", challengeId, credential);
+  }
+
+  /**
+   * Reject a previously initiated (via {@link mfaApproveFidoInit}) MFA request using FIDO.
+   *
+   * Instead of calling this method directly, prefer {@link MfaFidoChallenge.answer} or
+   * {@link MfaFidoChallenge.createCredentialAndAnswer}.
+   *
+   * @param {string} mfaId The MFA request ID
+   * @param {string} challengeId The ID of the challenge issued by {@link mfaApproveFidoInit}
+   * @param {PublicKeyCredential} credential The answer to the challenge
+   * @return {Promise<MfaRequestInfo>} The current status of the MFA request.
+   */
+  async mfaRejectFidoComplete(
+    mfaId: string,
+    challengeId: string,
+    credential: PublicKeyCredential,
+  ): Promise<MfaRequestInfo> {
+    return await this.mfaVoteFidoComplete(mfaId, "reject", challengeId, credential);
   }
 
   /**

package/src/error.ts

@@ -1,3 +1,4 @@
+import { CsErrCode } from "./schema_types";
 import { operations } from "./schema";
 
 /**
@@ -12,6 +13,8 @@ export class ErrResponse extends Error {
   readonly status?: number;
   /** HTTP response url */
   readonly url?: string;
+  /** CubeSigner error code */
+  readonly errorCode?: CsErrCode;
 
   /**
    * @param {Partial<ErrResponse>} init Initializer
@@ -37,6 +40,7 @@ export class SessionExpiredError extends ErrResponse {
       status: 403,
       statusText: "Forbidden",
       operation,
+      errorCode: "SessionExpired",
     });
   }
 }

package/src/events.ts

@@ -2,6 +2,8 @@ import { ErrResponse } from "./error";
 
 export type EventHandler<T> = (event: T) => Promise<void>;
 export type ErrorEvent = ErrResponse;
+
+/* eslint-disable-next-line @typescript-eslint/no-empty-interface */
 export interface SessionExpiredEvent {}
 
 /**

package/src/index.ts

@@ -2,7 +2,6 @@ import { envs, EnvInterface } from "./env";
 import { Client, OidcClient } from "./api";
 import { CubeSignerClient } from "./client";
 import { Org } from "./org";
-import { JsonFileSessionStorage } from "./session/session_storage";
 
 import {
   SignerSessionStorage,
@@ -11,9 +10,6 @@ import {
 } from "./session/signer_session_manager";
 import { CubeSignerResponse } from "./response";
 import { SignerSession } from "./signer_session";
-import { CognitoSessionManager, CognitoSessionStorage } from "./session/cognito_manager";
-import { configDir } from "./util";
-import * as path from "path";
 import { MfaReceipt } from "./mfa";
 import { name, version } from "./../package.json";
 import { IdentityProof, MfaRequestInfo, RatchetConfig, UserInfo } from "./schema_types";
@@ -23,7 +19,7 @@ export interface CubeSignerOptions {
   /** The environment to use */
   env?: EnvInterface;
   /** The management authorization token */
-  sessionMgr?: CognitoSessionManager | SignerSessionManager;
+  sessionMgr?: SignerSessionManager;
   /** Optional organization id */
   orgId?: string;
 }
@@ -35,7 +31,7 @@ export interface CubeSignerOptions {
  */
 export class CubeSigner {
   readonly #env: EnvInterface;
-  readonly sessionMgr?: CognitoSessionManager | SignerSessionManager;
+  readonly sessionMgr?: SignerSessionManager;
   #csc?: CubeSignerClient;
 
   /**
@@ -70,28 +66,22 @@ export class CubeSigner {
   /**
    * Loads an existing management session and creates a CubeSigner instance.
    *
-   * @param {CognitoSessionStorage} storage Optional session storage to load
-   * the session from. If not specified, the management session from the config
-   * directory will be loaded.
+   * @param {SignerSessionStorage} storage Session storage to load the session from.
    * @return {Promise<CubeSigner>} New CubeSigner instance
    */
-  static async loadManagementSession(storage?: CognitoSessionStorage): Promise<CubeSigner> {
+  static async loadManagementSession(storage: SignerSessionStorage): Promise<CubeSigner> {
     return new CubeSigner(<CubeSignerOptions>{
-      sessionMgr: await CognitoSessionManager.loadManagementSession(storage),
+      sessionMgr: await SignerSessionManager.loadFromStorage(storage),
     });
   }
 
   /**
    * Loads a signer session from a session storage (e.g., session file).
-   * @param {SignerSessionStorage} storage Optional session storage to load
-   * the session from. If not specified, the signer session from the config
-   * directory will be loaded.
+   * @param {SignerSessionStorage} storage Session storage to load the session from.
    * @return {Promise<SignerSession>} New signer session
    */
-  static async loadSignerSession(storage?: SignerSessionStorage): Promise<SignerSession> {
-    const defaultFilePath = path.join(configDir(), "signer-session.json");
-    const sss = storage ?? new JsonFileSessionStorage(defaultFilePath);
-    return await SignerSession.loadSignerSession(sss);
+  static async loadSignerSession(storage: SignerSessionStorage): Promise<SignerSession> {
+    return await SignerSession.loadSignerSession(storage);
   }
 
   /**
@@ -318,16 +308,12 @@ export * from "./schema_types";
 export * from "./signer_session";
 /** Session storage */
 export * from "./session/session_storage";
-/** Session manager */
-export * from "./session/session_manager";
-/** Management session manager */
-export * from "./session/cognito_manager";
 /** Signer session manager */
 export * from "./session/signer_session_manager";
+/** Utils */
+export * from "./util";
 /** User-export decryption helper */
 export { userExportDecrypt, userExportKeygen } from "./user_export";
-/** Export ethers.js Signer */
-export * as ethers from "./ethers";
 
 /** CubeSigner SDK package name */
 export const NAME: string = name;