@cybersidecar/sdk 0.1.0

package/dist/browser/index.js

@@ -0,0 +1 @@
+export * from "../../src/sidecar_sdk_browser.js";

package/dist/core/index.js

@@ -0,0 +1 @@
+export { SidecarClient } from "../../src/sidecar_sdk_core.js";

package/dist/node/index.cjs

@@ -0,0 +1 @@
+module.exports = require("./index.js");

package/dist/node/index.js

@@ -0,0 +1 @@
+export * from "../core/index.js";

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@cybersidecar/sdk",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "./dist/node/index.cjs",
+  "module": "./dist/node/index.js",
+  "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+        "import": "./dist/node/index.js",
+        "require": "./dist/node/index.cjs"
+    },
+    "./node": {
+        "import": "./dist/node/index.js",
+        "require": "./dist/node/index.cjs"
+    },
+    "./browser": {
+        "import": "./dist/browser/index.js"
+    }
+},
+  "files": [
+    "dist",
+    "src",
+    "package.json"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "build:browser:single": "tsup src/browser.js --format=iife --global-name=SidecarSDK --out-dir dist/browser-single --minify"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "tsup": "^8.0.0"
+  }
+}

package/src/sidecar_sdk_browser.js

@@ -0,0 +1,51 @@
+// sidecar_sdk_browser.js (ESM)
+import { SidecarClient } from "../src/sidecar_sdk_core.js";
+
+const DB_NAME = "sidecar-dpop";
+const STORE = "keys";
+const KEY_ID = "dpop_keypair";
+
+function openDb() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(DB_NAME, 1);
+    req.onupgradeneeded = () => req.result.createObjectStore(STORE);
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+
+async function idbGet(db, key) {
+  return await new Promise((resolve, reject) => {
+    const tx = db.transaction(STORE, "readonly");
+    const st = tx.objectStore(STORE);
+    const req = st.get(key);
+    req.onsuccess = () => resolve(req.result || null);
+    req.onerror = () => reject(req.error);
+  });
+}
+
+async function idbPut(db, key, value) {
+  return await new Promise((resolve, reject) => {
+    const tx = db.transaction(STORE, "readwrite");
+    const st = tx.objectStore(STORE);
+    const req = st.put(value, key);
+    req.onsuccess = () => resolve(true);
+    req.onerror = () => reject(req.error);
+  });
+}
+
+const browserStorage = {
+  async get() {
+    const db = await openDb();
+    return await idbGet(db, KEY_ID);
+  },
+  async set(obj) {
+    const db = await openDb();
+    await idbPut(db, KEY_ID, obj);
+  },
+};
+
+export { SidecarClient };
+export function createBrowserSidecarClient(opts) {
+  return new SidecarClient({ ...opts, storage: browserStorage });
+}

package/src/sidecar_sdk_core.js

@@ -0,0 +1,246 @@
+// sidecar_sdk_core.js (ESM)
+
+// ---- storage (browser/node) -------------------------------------------
+// Core expects a store with async get(key) + set(key,value).
+// Browser build will inject IndexedDB store.
+// Node build must not crash if none is provided (use in-memory Map).
+const KEYPAIR_STORAGE_KEY = "dpop:keypair";
+const __memStore = new Map();
+
+function normalizeStore(store) {
+  if (store && typeof store.get === "function" && typeof store.set === "function") {
+    return store;
+  }
+  return {
+    async get(k) {
+      return __memStore.has(k) ? __memStore.get(k) : null;
+    },
+    async set(k, v) {
+      __memStore.set(k, v);
+    },
+  };
+}
+
+function b64url(bytes) {
+  const bin = String.fromCharCode(...new Uint8Array(bytes));
+  const b64 = btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  return b64;
+}
+
+async function sha256B64Url(str) {
+  const data = new TextEncoder().encode(str);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return b64url(digest);
+}
+
+function canonicalHtu(url) {
+  // DPoP spec: exact URL minus fragment; keep query
+  const u = new URL(url);
+  u.hash = "";
+  return u.toString();
+}
+
+async function exportJwk(key) {
+  return await crypto.subtle.exportKey("jwk", key);
+}
+
+async function importPrivateJwk(jwk) {
+  return await crypto.subtle.importKey(
+    "jwk",
+    jwk,
+    { name: "ECDSA", namedCurve: "P-256" },
+    true,
+    ["sign"]
+  );
+}
+
+async function signEs256(privateKey, dataBytes) {
+  const sig = await crypto.subtle.sign(
+    { name: "ECDSA", hash: "SHA-256" },
+    privateKey,
+    dataBytes
+  );
+  return b64url(sig);
+}
+
+async function getOrCreateKeypair(store) {
+  store = normalizeStore(store);
+
+  // NOTE: store.get(key) returns what you saved with store.set(key, value)
+  const saved = await store.get(KEYPAIR_STORAGE_KEY);
+  if (saved?.privateJwk && saved?.publicJwk) {
+    const privateKey = await importPrivateJwk(saved.privateJwk);
+    return { privateKey, publicJwk: saved.publicJwk };
+  }
+
+  const kp = await crypto.subtle.generateKey(
+    { name: "ECDSA", namedCurve: "P-256" },
+    true,
+    ["sign", "verify"]
+  );
+
+  const privateJwk = await exportJwk(kp.privateKey);
+  const publicJwk  = await exportJwk(kp.publicKey);
+
+  await store.set(KEYPAIR_STORAGE_KEY, { privateJwk, publicJwk });
+
+  return { privateKey: kp.privateKey, publicJwk };
+}
+
+async function makeDpopProof({ storage, method, url, tone, deviceId, orgId }) {
+  const store = normalizeStore(storage);
+  const { privateKey, publicJwk } = await getOrCreateKeypair(store);
+
+  const now = Math.floor(Date.now() / 1000);
+  const jti = (await sha256B64Url(`${now}:${method}:${url}:${Math.random()}`)).slice(0, 22);
+
+  const header = {
+    typ: "dpop+jwt",
+    alg: "ES256",
+    jwk: publicJwk,
+  };
+
+  const payload = {
+    htm: method.toUpperCase(),
+    htu: canonicalHtu(url),
+    iat: now,
+    jti,
+
+    // bindings
+    did: deviceId,
+    oid: orgId,
+
+    // tone binding (include both for backwards compatibility)
+    tsh: await sha256B64Url(tone),
+    th:  await sha256B64Url(tone),
+  };
+
+  const enc = new TextEncoder();
+  const h = b64url(enc.encode(JSON.stringify(header)));
+  const p = b64url(enc.encode(JSON.stringify(payload)));
+  const toSign = enc.encode(`${h}.${p}`);
+  const s = await signEs256(privateKey, toSign);
+
+  return `${h}.${p}.${s}`;
+}
+
+export class SidecarClient {
+  constructor({
+    sidecarBaseUrl,
+    orgId,
+    userId,
+    deviceId,
+    sessionId,
+    clientIp,
+    userAgent = "sidecar-sdk",
+    storage,
+  }) {
+    this.sidecarBaseUrl = sidecarBaseUrl.replace(/\/+$/, "");
+    this.storage = storage;
+    this.store = normalizeStore(this.storage);
+
+    this.baseHeaders = {
+      "X-Org-Id": orgId,
+      "X-User-Id": userId,
+      "X-Device-Id": deviceId,
+      "X-Session-Id": sessionId,
+      "X-Client-Ip": clientIp,
+      "User-Agent": userAgent,
+      "Content-Type": "application/json",
+    };
+
+    this.tone = null;
+  }
+
+  async _callProxy({ targetUrl, method, headers = {}, body = null, extraHeaders = {} }) {
+    const payload = {
+      target_url: targetUrl,
+      method,
+      headers,
+      body,
+    };
+
+    const res = await fetch(`${this.sidecarBaseUrl}/proxy/http`, {
+      method: "POST",
+      headers: { ...this.baseHeaders, ...extraHeaders },
+      body: JSON.stringify(payload),
+      mode: "cors",
+    });
+
+    const text = await res.text();
+    let json = null;
+    try {
+      json = text ? JSON.parse(text) : null;
+    } catch {
+      json = null;
+    }
+
+    return {
+      ok: res.ok,
+      status: res.status,
+      json,
+      raw: text,
+      headers: res.headers,
+    };
+  }
+
+  async fetchThroughSidecar({ targetUrl, method, headers = {}, body = null }) {
+    const orgId = this.baseHeaders["X-Org-Id"];
+    const deviceId = this.baseHeaders["X-Device-Id"];
+
+    // 1) If no tone yet, do one probe to obtain it (expect 409 + tone)
+    if (!this.tone) {
+      const probe = await this._callProxy({ targetUrl, method, headers, body });
+      const tone = probe?.json?.tone;
+      if (probe.status === 409 && tone) {
+        this.tone = tone;
+      } else {
+        // If proxy didn't return tone, return probe as-is
+        return probe;
+      }
+    }
+
+    // 2) Attempt real request with tone + DPoP
+    const proof1 = await makeDpopProof({
+      storage: this.storage,
+      method,
+      url: targetUrl,
+      tone: this.tone,
+      deviceId,
+      orgId,
+    });
+
+    let r = await this._callProxy({
+      targetUrl,
+      method,
+      headers,
+      body,
+      extraHeaders: { "X-Tone": this.tone, "DPoP": proof1 },
+    });
+
+    // 3) If tone rotated/invalid, retry once with new tone
+    const rotated = r.status === 409 && r?.json?.tone;
+    if (rotated) {
+      this.tone = r.json.tone;
+
+      const proof2 = await makeDpopProof({
+        storage: this.storage,
+        method,
+        url: targetUrl,
+        tone: this.tone,
+        deviceId,
+        orgId,
+      });
+
+      r = await this._callProxy({
+        targetUrl,
+        method,
+        headers,
+        body,
+        extraHeaders: { "X-Tone": this.tone, "DPoP": proof2 },
+      });
+    }
+
+    return r;
+  }
+}

package/src/sidecar_sdk_node.js

@@ -0,0 +1,61 @@
+// sdk/src/sidecar_sdk_node.js
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { SidecarClient as CoreSidecarClient } from "./sidecar_sdk_core.js";
+
+/**
+ * Persistent JSON file store for Node.
+ * Keeps the same DPoP key across runs (required for Level 3 binding).
+ */
+export function createFileStore({
+  filePath = path.join(os.homedir(), ".cybersidecar", "sdk_store.json"),
+} = {}) {
+  const dir = path.dirname(filePath);
+
+  function readAll() {
+    try {
+      const raw = fs.readFileSync(filePath, "utf8");
+      return raw ? JSON.parse(raw) : {};
+    } catch {
+      return {};
+    }
+  }
+
+  function writeAll(obj) {
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(filePath, JSON.stringify(obj, null, 2), "utf8");
+  }
+
+  return {
+    async get(key) {
+      const all = readAll();
+      return all[key];
+    },
+    async set(key, value) {
+      const all = readAll();
+      all[key] = value;
+      writeAll(all);
+      return true;
+    },
+    async del(key) {
+      const all = readAll();
+      delete all[key];
+      writeAll(all);
+      return true;
+    },
+  };
+}
+
+/**
+ * Node-friendly SidecarClient:
+ * - Re-exports the core client
+ * - Injects persistent storage by default
+ */
+export class SidecarClient extends CoreSidecarClient {
+  constructor(opts = {}) {
+    const storage = opts.storage ?? createFileStore();
+    super({ ...opts, storage });
+  }
+}