@dexterai/connect 0.1.0

package/README.md

@@ -0,0 +1,16 @@
+# @dexterai/connect
+
+**Sign in with Dexter** — a passkey connector. Tap your face, you're in.
+
+Composes [`@dexterai/vault`](https://www.npmjs.com/package/@dexterai/vault). Two entry points:
+
+- `@dexterai/connect` — framework-free relay client + types
+- `@dexterai/connect/react` — `<SignInWithDexter/>` + `useSignInWithDexter()`
+
+Dependencies: `@dexterai/vault` + `react` (peer) **only**. No payment-layer peers — a
+sign-in button must not inherit a payment graph.
+
+## Status
+
+Scaffolding — Milestone 1. Build plan + frozen contracts:
+`dexter-fe/docs/superpowers/plans/2026-06-20-signin-with-dexter-connect.md`.

package/dist/chunk-65VT7AU2.js

@@ -0,0 +1,118 @@
+// src/types.ts
+var ConnectError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message ?? code);
+    this.code = code;
+    this.name = "ConnectError";
+  }
+};
+
+// src/relay.ts
+var DEFAULT_API_BASE = "https://api.dexter.cash";
+var ANON_SIGN_BASE = "/api/passkey-anon/sign";
+async function passkeyLogin(config = {}) {
+  const apiBase = (config.apiBase ?? DEFAULT_API_BASE).replace(/\/$/, "");
+  const options = await fetchLoginChallenge(apiBase);
+  const credential = await getAssertion(options);
+  return submitLogin(apiBase, credential);
+}
+async function fetchLoginChallenge(apiBase) {
+  const res = await fetch(`${apiBase}${ANON_SIGN_BASE}/login-challenge`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: "{}"
+  });
+  if (!res.ok) {
+    throw new ConnectError("login_challenge_failed", `login-challenge ${res.status}`);
+  }
+  const data = await res.json();
+  if (!data?.options?.challenge) {
+    throw new ConnectError("login_challenge_malformed", "no challenge in response");
+  }
+  return data.options;
+}
+async function getAssertion(options) {
+  if (typeof navigator === "undefined" || !navigator.credentials) {
+    throw new ConnectError("webauthn_unsupported", "WebAuthn unavailable in this environment");
+  }
+  let credential;
+  try {
+    credential = await navigator.credentials.get({
+      publicKey: {
+        challenge: base64urlToBytes(options.challenge).buffer.slice(0),
+        rpId: options.rpId,
+        timeout: options.timeout ?? 6e4,
+        userVerification: options.userVerification ?? "required"
+        // No allowCredentials — discoverable resident-key login.
+      }
+    });
+  } catch (err) {
+    throw new ConnectError("webauthn_failed", err instanceof Error ? err.message : String(err));
+  }
+  if (!credential || credential.type !== "public-key") {
+    throw new ConnectError("no_credential", "WebAuthn returned no credential");
+  }
+  return credential;
+}
+async function submitLogin(apiBase, credential) {
+  const assertion = credential.response;
+  const credentialJson = {
+    id: credential.id,
+    rawId: bytesToBase64url(new Uint8Array(credential.rawId)),
+    type: credential.type,
+    response: {
+      clientDataJSON: bytesToBase64url(new Uint8Array(assertion.clientDataJSON)),
+      authenticatorData: bytesToBase64url(new Uint8Array(assertion.authenticatorData)),
+      signature: bytesToBase64url(new Uint8Array(assertion.signature)),
+      userHandle: assertion.userHandle ? bytesToBase64url(new Uint8Array(assertion.userHandle)) : null
+    },
+    clientExtensionResults: credential.getClientExtensionResults?.() ?? {}
+  };
+  const res = await fetch(`${apiBase}${ANON_SIGN_BASE}/passkey-login`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ credential: credentialJson })
+  });
+  if (!res.ok) {
+    throw new ConnectError(await readErrorCode(res), `passkey-login ${res.status}`);
+  }
+  const data = await res.json();
+  const session = {
+    accessToken: data.accessToken,
+    refreshToken: data.refreshToken,
+    expiresAt: data.expiresAt,
+    expiresIn: data.expiresIn,
+    tokenType: data.tokenType
+  };
+  return data.vault ? { session, vault: data.vault } : { session };
+}
+async function readErrorCode(res) {
+  try {
+    const body = await res.json();
+    if (body?.error) return body.error;
+  } catch {
+  }
+  return `http_${res.status}`;
+}
+function base64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i += 1) out[i] = bin.charCodeAt(i);
+  return out;
+}
+function base64urlToBytes(s) {
+  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - s.length % 4);
+  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  return base64ToBytes(b64);
+}
+function bytesToBase64url(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i += 1) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+export {
+  ConnectError,
+  passkeyLogin
+};

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+import { D as DexterConnectConfig, S as SignInResult } from './types-DT3KPBOE.js';
+export { C as ConnectError, a as ConnectVault, P as PasskeyLoginTokens } from './types-DT3KPBOE.js';
+
+/**
+ * "Sign in with Dexter" — the discoverable-credential login ceremony.
+ *
+ *   1. POST /login-challenge  → a server-issued challenge (no allow-list:
+ *      the resident passkey itself identifies the user)
+ *   2. navigator.credentials.get over that challenge (no allowCredentials)
+ *   3. POST /passkey-login    → the server resolves the credential + vault,
+ *      verifies the assertion, and returns a Supabase session (+ the vault
+ *      payload once vault-review ships the dexter-api change — ASK 1)
+ *
+ * Relays to dexter-api's ANON router — a first-time third-party user has no
+ * Supabase session, so the Supabase-gated router would 401.
+ */
+declare function passkeyLogin(config?: DexterConnectConfig): Promise<SignInResult>;
+
+export { DexterConnectConfig, SignInResult, passkeyLogin };

package/dist/index.js

@@ -0,0 +1,8 @@
+import {
+  ConnectError,
+  passkeyLogin
+} from "./chunk-65VT7AU2.js";
+export {
+  ConnectError,
+  passkeyLogin
+};

package/dist/react.d.ts

@@ -0,0 +1,63 @@
+import { S as SignInResult, P as PasskeyLoginTokens, a as ConnectVault, C as ConnectError } from './types-DT3KPBOE.js';
+import { ReactElement } from 'react';
+
+type ConnectStatus = 'idle' | 'pending' | 'done' | 'error';
+interface UseSignInWithDexterConfig {
+    /** dexter-api base. Default https://api.dexter.cash. */
+    apiBase?: string;
+    /** RPC for the connected-chip balance read. Default: Dexter's Helius proxy. */
+    rpcUrl?: string;
+}
+interface UseSignInWithDexter {
+    status: ConnectStatus;
+    isVaultConnected: boolean;
+    /** Run the ceremony. Resolves with the result; throws ConnectError on failure
+     *  (error is also captured in `error` + `status==='error'` for declarative UI). */
+    signIn: () => Promise<SignInResult>;
+    disconnect: () => void;
+    session: PasskeyLoginTokens | null;
+    vault: ConnectVault | null;
+    /** Dexter Wallet address (swigAddress, base58). */
+    vaultAddress: string | null;
+    vaultPda: string | null;
+    credentialId: string | null;
+    /** USD available. number once read; null = unknown → chip shows wallet only. */
+    usdcBalance: number | null;
+    refreshBalance: () => Promise<void>;
+    error: ConnectError | null;
+}
+/**
+ * "Sign in with Dexter" — React surface over the login ceremony.
+ *
+ * Returns the Supabase session (always) plus the vault identity + USD balance
+ * (vault-review's login payload is live). dexter.cash login needs only
+ * `session`; the vault fields + balance drive the connected chip. The
+ * passkeySigner (for opening x402 tabs — dexter-agents) lands next, on the
+ * anon ServerPolicy bridge over the now-live publicKey/credentialId.
+ */
+declare function useSignInWithDexter(config?: UseSignInWithDexterConfig): UseSignInWithDexter;
+
+interface SignInWithDexterProps extends UseSignInWithDexterConfig {
+    /** Fired with the result the moment sign-in completes. */
+    onSuccess?: (result: SignInResult) => void;
+    /** Fired with the typed error if the ceremony fails. */
+    onError?: (error: ConnectError) => void;
+    /** Button label when signed out. Default "Sign in with Dexter". */
+    label?: string;
+    /** className on the root (button when signed out, chip when connected) — for
+     *  full restyling. Brand it from the consumer; the inline defaults are a base. */
+    className?: string;
+    /** Render the built-in connected chip (wallet + balance). Default true.
+     *  Set false to render nothing once connected (consumer renders its own UI). */
+    showConnectedChip?: boolean;
+}
+/**
+ * Turnkey "Sign in with Dexter" element. Signed out → an ember button; signed
+ * in → a compact chip with the Dexter Wallet address + USD available. Wraps
+ * useSignInWithDexter; consumers who need the raw vault/passkey data should use
+ * that hook directly. Inline styles are a sensible default — restyle via
+ * className (Dexter Ember, no emojis, "unlock" banned per brand voice).
+ */
+declare function SignInWithDexter(props: SignInWithDexterProps): ReactElement | null;
+
+export { type ConnectStatus, SignInWithDexter, type SignInWithDexterProps, type UseSignInWithDexter, type UseSignInWithDexterConfig, useSignInWithDexter };

package/dist/react.js

@@ -0,0 +1,198 @@
+import {
+  ConnectError,
+  passkeyLogin
+} from "./chunk-65VT7AU2.js";
+
+// src/useSignInWithDexter.ts
+import { useCallback, useEffect, useState } from "react";
+
+// src/balance.ts
+async function fetchUsdcBalance(rpcUrl, usdcAta) {
+  try {
+    const res = await fetch(rpcUrl, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "getAccountInfo",
+        params: [usdcAta, { encoding: "base64", commitment: "confirmed" }]
+      })
+    });
+    if (!res.ok) return null;
+    const json = await res.json();
+    const value = json?.result?.value;
+    if (!value || !value.data) return 0;
+    const b64 = Array.isArray(value.data) ? value.data[0] : value.data;
+    const bytes = base64ToBytes(b64);
+    if (bytes.length < 72) return 0;
+    return Number(readU64LE(bytes, 64)) / 1e6;
+  } catch {
+    return null;
+  }
+}
+function readU64LE(bytes, offset) {
+  let v = 0n;
+  for (let i = 7; i >= 0; i -= 1) v = v << 8n | BigInt(bytes[offset + i]);
+  return v;
+}
+function base64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i += 1) out[i] = bin.charCodeAt(i);
+  return out;
+}
+
+// src/useSignInWithDexter.ts
+var DEFAULT_RPC = "https://api.dexter.cash/proxy/helius/rpc";
+function useSignInWithDexter(config = {}) {
+  const { apiBase, rpcUrl = DEFAULT_RPC } = config;
+  const [status, setStatus] = useState("idle");
+  const [session, setSession] = useState(null);
+  const [vault, setVault] = useState(null);
+  const [usdcBalance, setUsdcBalance] = useState(null);
+  const [error, setError] = useState(null);
+  const refreshBalance = useCallback(async () => {
+    const ata = vault?.usdcAta;
+    if (!ata) return;
+    setUsdcBalance(await fetchUsdcBalance(rpcUrl, ata));
+  }, [vault, rpcUrl]);
+  const signIn = useCallback(async () => {
+    setError(null);
+    setStatus("pending");
+    try {
+      const result = await passkeyLogin(apiBase ? { apiBase } : {});
+      setSession(result.session);
+      setVault(result.vault ?? null);
+      setStatus("done");
+      return result;
+    } catch (err) {
+      const e = err instanceof ConnectError ? err : new ConnectError("sign_in_failed", String(err));
+      setError(e);
+      setStatus("error");
+      throw e;
+    }
+  }, [apiBase]);
+  const disconnect = useCallback(() => {
+    setSession(null);
+    setVault(null);
+    setUsdcBalance(null);
+    setError(null);
+    setStatus("idle");
+  }, []);
+  useEffect(() => {
+    void refreshBalance();
+  }, [refreshBalance]);
+  return {
+    status,
+    isVaultConnected: status === "done" && vault !== null,
+    signIn,
+    disconnect,
+    session,
+    vault,
+    vaultAddress: vault?.swigAddress ?? null,
+    vaultPda: vault?.vaultPda ?? null,
+    credentialId: vault?.credentialId ?? null,
+    usdcBalance,
+    refreshBalance,
+    error
+  };
+}
+
+// src/SignInWithDexter.tsx
+import { jsx, jsxs } from "react/jsx-runtime";
+function shortAddress(addr) {
+  return addr.length > 10 ? `${addr.slice(0, 4)}\u2026${addr.slice(-4)}` : addr;
+}
+function formatUsd(n) {
+  return n.toLocaleString("en-US", { style: "currency", currency: "USD" });
+}
+function SignInWithDexter(props) {
+  const {
+    onSuccess,
+    onError,
+    label = "Sign in with Dexter",
+    className,
+    showConnectedChip = true,
+    ...config
+  } = props;
+  const c = useSignInWithDexter(config);
+  const handleClick = async () => {
+    try {
+      onSuccess?.(await c.signIn());
+    } catch (err) {
+      onError?.(err);
+    }
+  };
+  if (c.isVaultConnected) {
+    if (!showConnectedChip) return null;
+    return /* @__PURE__ */ jsxs("span", { className, style: CHIP, children: [
+      /* @__PURE__ */ jsx("span", { style: DOT, "aria-hidden": true }),
+      /* @__PURE__ */ jsx("span", { children: c.vaultAddress ? shortAddress(c.vaultAddress) : "Connected" }),
+      c.usdcBalance !== null && /* @__PURE__ */ jsxs("span", { style: BALANCE, children: [
+        formatUsd(c.usdcBalance),
+        " available"
+      ] }),
+      /* @__PURE__ */ jsx("button", { type: "button", onClick: c.disconnect, style: DISCONNECT, "aria-label": "Disconnect", children: "\xD7" })
+    ] });
+  }
+  return /* @__PURE__ */ jsx(
+    "button",
+    {
+      type: "button",
+      className,
+      onClick: handleClick,
+      disabled: c.status === "pending",
+      style: BUTTON,
+      children: c.status === "pending" ? "Signing in\u2026" : label
+    }
+  );
+}
+var EMBER = "#ef6820";
+var BUTTON = {
+  display: "inline-flex",
+  alignItems: "center",
+  gap: 8,
+  padding: "10px 16px",
+  border: "none",
+  borderRadius: 6,
+  background: EMBER,
+  color: "#fff",
+  font: "inherit",
+  fontWeight: 600,
+  cursor: "pointer"
+};
+var CHIP = {
+  display: "inline-flex",
+  alignItems: "center",
+  gap: 8,
+  padding: "6px 10px",
+  borderRadius: 6,
+  border: "1px solid rgba(239,104,32,0.35)",
+  font: "inherit",
+  fontVariantNumeric: "tabular-nums"
+};
+var DOT = {
+  width: 7,
+  height: 7,
+  borderRadius: "50%",
+  background: EMBER
+};
+var BALANCE = {
+  fontWeight: 600,
+  opacity: 0.85
+};
+var DISCONNECT = {
+  marginLeft: 2,
+  border: "none",
+  background: "transparent",
+  color: "inherit",
+  cursor: "pointer",
+  fontSize: 16,
+  lineHeight: 1,
+  opacity: 0.6
+};
+export {
+  SignInWithDexter,
+  useSignInWithDexter
+};

package/dist/types-DT3KPBOE.d.ts

@@ -0,0 +1,45 @@
+/** Supabase session tokens returned by dexter-api's passkey-login (camelCase). */
+interface PasskeyLoginTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    expiresIn: number;
+    tokenType: string;
+}
+/**
+ * Vault identity, returned ALONGSIDE the session by passkey-login once
+ * vault-review ships the dexter-api change (ASK 1). Optional until then —
+ * the connector degrades to session-only. Consumers that open x402 tabs
+ * (dexter-agents) need `vaultPda` + `publicKey` to build a passkey signer.
+ */
+interface ConnectVault {
+    vaultPda: string;
+    /** Swig state address, base58 — the user-facing Dexter Wallet address. */
+    swigAddress: string;
+    /** v2 swig wallet PDA (deposit address); null until the swig is deployed. */
+    receiveAddress: string | null;
+    /** Swig wallet's USDC ATA, base58 (for the connected-chip balance read);
+     *  null until the swig is deployed. Server-resolved (off-curve-safe). */
+    usdcAta: string | null;
+    /** base64 33-byte SEC1 compressed P-256 authority pubkey (for the signer). */
+    publicKey: string;
+    userHandle: string;
+    credentialId: string;
+}
+/** Result of a completed "Sign in with Dexter" ceremony. */
+interface SignInResult {
+    session: PasskeyLoginTokens;
+    /** Present once vault-review ships the vault-in-login change. */
+    vault?: ConnectVault;
+}
+interface DexterConnectConfig {
+    /** dexter-api base. Default https://api.dexter.cash. */
+    apiBase?: string;
+}
+/** Typed error whose `code` is the server's snake_case error string. */
+declare class ConnectError extends Error {
+    readonly code: string;
+    constructor(code: string, message?: string);
+}
+
+export { ConnectError as C, type DexterConnectConfig as D, type PasskeyLoginTokens as P, type SignInResult as S, type ConnectVault as a };

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@dexterai/connect",
+  "version": "0.1.0",
+  "description": "Sign in with Dexter — passkey connector. Composes @dexterai/vault.",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./react": {
+      "types": "./dist/react.d.ts",
+      "import": "./dist/react.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@dexterai/vault": "^0.14.1"
+  },
+  "peerDependencies": {
+    "react": ">=18"
+  },
+  "devDependencies": {
+    "@types/react": "^19.1.12",
+    "react": "^19.2.5",
+    "tsup": "^8.5.0",
+    "typescript": "^5.6.2",
+    "vitest": "^4.1.9"
+  }
+}