@drm3/sdk 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/LICENSE +75 -0
  2. package/README.md +426 -0
  3. package/bin/drm3.js +255 -0
  4. package/dist/alerts-bell.d.ts +7 -0
  5. package/dist/alerts-bell.d.ts.map +1 -0
  6. package/dist/alerts-bell.js +118 -0
  7. package/dist/alerts-bell.js.map +1 -0
  8. package/dist/alerts-fetch.d.ts +41 -0
  9. package/dist/alerts-fetch.d.ts.map +1 -0
  10. package/dist/alerts-fetch.js +60 -0
  11. package/dist/alerts-fetch.js.map +1 -0
  12. package/dist/alerts-styles.d.ts +4 -0
  13. package/dist/alerts-styles.d.ts.map +1 -0
  14. package/dist/alerts-styles.js +49 -0
  15. package/dist/alerts-styles.js.map +1 -0
  16. package/dist/alerts.d.ts +3 -0
  17. package/dist/alerts.d.ts.map +1 -0
  18. package/dist/alerts.global.js +206 -0
  19. package/dist/alerts.global.text.js +2 -0
  20. package/dist/alerts.js +21 -0
  21. package/dist/alerts.js.map +1 -0
  22. package/dist/index.d.ts +64 -0
  23. package/dist/index.d.ts.map +1 -0
  24. package/dist/index.js +117 -0
  25. package/dist/index.js.map +1 -0
  26. package/dist/keys-canonical.d.ts +7 -0
  27. package/dist/keys-canonical.d.ts.map +1 -0
  28. package/dist/keys-canonical.js +57 -0
  29. package/dist/keys-canonical.js.map +1 -0
  30. package/dist/keys-generate.d.ts +39 -0
  31. package/dist/keys-generate.d.ts.map +1 -0
  32. package/dist/keys-generate.js +39 -0
  33. package/dist/keys-generate.js.map +1 -0
  34. package/dist/keys-verify.d.ts +62 -0
  35. package/dist/keys-verify.d.ts.map +1 -0
  36. package/dist/keys-verify.js +68 -0
  37. package/dist/keys-verify.js.map +1 -0
  38. package/dist/keys.d.ts +4 -0
  39. package/dist/keys.d.ts.map +1 -0
  40. package/dist/keys.js +22 -0
  41. package/dist/keys.js.map +1 -0
  42. package/dist/meter/adapter.d.ts +35 -0
  43. package/dist/meter/adapter.d.ts.map +1 -0
  44. package/dist/meter/adapter.js +0 -0
  45. package/dist/meter/adapter.js.map +1 -0
  46. package/dist/meter/cascade.d.ts +56 -0
  47. package/dist/meter/cascade.d.ts.map +1 -0
  48. package/dist/meter/cascade.js +64 -0
  49. package/dist/meter/cascade.js.map +1 -0
  50. package/dist/meter/client.d.ts +78 -0
  51. package/dist/meter/client.d.ts.map +1 -0
  52. package/dist/meter/client.js +84 -0
  53. package/dist/meter/client.js.map +1 -0
  54. package/dist/meter/core.d.ts +37 -0
  55. package/dist/meter/core.d.ts.map +1 -0
  56. package/dist/meter/core.js +49 -0
  57. package/dist/meter/core.js.map +1 -0
  58. package/dist/meter/gate-client.d.ts +94 -0
  59. package/dist/meter/gate-client.d.ts.map +1 -0
  60. package/dist/meter/gate-client.js +77 -0
  61. package/dist/meter/gate-client.js.map +1 -0
  62. package/dist/meter/gate-decide.d.ts +61 -0
  63. package/dist/meter/gate-decide.d.ts.map +1 -0
  64. package/dist/meter/gate-decide.js +54 -0
  65. package/dist/meter/gate-decide.js.map +1 -0
  66. package/dist/meter/gate.d.ts +10 -0
  67. package/dist/meter/gate.d.ts.map +1 -0
  68. package/dist/meter/gate.js +10 -0
  69. package/dist/meter/gate.js.map +1 -0
  70. package/dist/meter/index.d.ts +28 -0
  71. package/dist/meter/index.d.ts.map +1 -0
  72. package/dist/meter/index.js +28 -0
  73. package/dist/meter/index.js.map +1 -0
  74. package/dist/meter/meters-buckets.d.ts +56 -0
  75. package/dist/meter/meters-buckets.d.ts.map +1 -0
  76. package/dist/meter/meters-buckets.js +111 -0
  77. package/dist/meter/meters-buckets.js.map +1 -0
  78. package/dist/meter/meters-charge.d.ts +13 -0
  79. package/dist/meter/meters-charge.d.ts.map +1 -0
  80. package/dist/meter/meters-charge.js +76 -0
  81. package/dist/meter/meters-charge.js.map +1 -0
  82. package/dist/meter/meters.d.ts +63 -0
  83. package/dist/meter/meters.d.ts.map +1 -0
  84. package/dist/meter/meters.js +44 -0
  85. package/dist/meter/meters.js.map +1 -0
  86. package/dist/meter/plans.d.ts +63 -0
  87. package/dist/meter/plans.d.ts.map +1 -0
  88. package/dist/meter/plans.js +114 -0
  89. package/dist/meter/plans.js.map +1 -0
  90. package/dist/meter/pricebook.d.ts +32 -0
  91. package/dist/meter/pricebook.d.ts.map +1 -0
  92. package/dist/meter/pricebook.js +38 -0
  93. package/dist/meter/pricebook.js.map +1 -0
  94. package/dist/meter/resolve.d.ts +103 -0
  95. package/dist/meter/resolve.d.ts.map +1 -0
  96. package/dist/meter/resolve.js +100 -0
  97. package/dist/meter/resolve.js.map +1 -0
  98. package/dist/meter/sink.d.ts +26 -0
  99. package/dist/meter/sink.d.ts.map +1 -0
  100. package/dist/meter/sink.js +9 -0
  101. package/dist/meter/sink.js.map +1 -0
  102. package/dist/meter/sql/d1.d.ts +32 -0
  103. package/dist/meter/sql/d1.d.ts.map +1 -0
  104. package/dist/meter/sql/d1.js +41 -0
  105. package/dist/meter/sql/d1.js.map +1 -0
  106. package/dist/meter/sql/driver.d.ts +34 -0
  107. package/dist/meter/sql/driver.d.ts.map +1 -0
  108. package/dist/meter/sql/driver.js +17 -0
  109. package/dist/meter/sql/driver.js.map +1 -0
  110. package/dist/meter/sql/postgres.d.ts +23 -0
  111. package/dist/meter/sql/postgres.d.ts.map +1 -0
  112. package/dist/meter/sql/postgres.js +36 -0
  113. package/dist/meter/sql/postgres.js.map +1 -0
  114. package/dist/meter/sql/schema.d.ts +13 -0
  115. package/dist/meter/sql/schema.d.ts.map +1 -0
  116. package/dist/meter/sql/schema.js +32 -0
  117. package/dist/meter/sql/schema.js.map +1 -0
  118. package/dist/meter/sql/sql-adapter.d.ts +36 -0
  119. package/dist/meter/sql/sql-adapter.d.ts.map +1 -0
  120. package/dist/meter/sql/sql-adapter.js +124 -0
  121. package/dist/meter/sql/sql-adapter.js.map +1 -0
  122. package/dist/meter/sql/statements.d.ts +30 -0
  123. package/dist/meter/sql/statements.d.ts.map +1 -0
  124. package/dist/meter/sql/statements.js +24 -0
  125. package/dist/meter/sql/statements.js.map +1 -0
  126. package/dist/meter/types.d.ts +48 -0
  127. package/dist/meter/types.d.ts.map +1 -0
  128. package/dist/meter/types.js +8 -0
  129. package/dist/meter/types.js.map +1 -0
  130. package/dist/meter/units.d.ts +33 -0
  131. package/dist/meter/units.d.ts.map +1 -0
  132. package/dist/meter/units.js +45 -0
  133. package/dist/meter/units.js.map +1 -0
  134. package/dist/meter/wallet-buckets.d.ts +63 -0
  135. package/dist/meter/wallet-buckets.d.ts.map +1 -0
  136. package/dist/meter/wallet-buckets.js +131 -0
  137. package/dist/meter/wallet-buckets.js.map +1 -0
  138. package/dist/meter/wallet-charge.d.ts +15 -0
  139. package/dist/meter/wallet-charge.d.ts.map +1 -0
  140. package/dist/meter/wallet-charge.js +64 -0
  141. package/dist/meter/wallet-charge.js.map +1 -0
  142. package/dist/meter/wallet.d.ts +68 -0
  143. package/dist/meter/wallet.d.ts.map +1 -0
  144. package/dist/meter/wallet.js +47 -0
  145. package/dist/meter/wallet.js.map +1 -0
  146. package/dist/receipts-api.d.ts +5 -0
  147. package/dist/receipts-api.d.ts.map +1 -0
  148. package/dist/receipts-api.js +117 -0
  149. package/dist/receipts-api.js.map +1 -0
  150. package/dist/receipts-chain.d.ts +3 -0
  151. package/dist/receipts-chain.d.ts.map +1 -0
  152. package/dist/receipts-chain.js +121 -0
  153. package/dist/receipts-chain.js.map +1 -0
  154. package/dist/receipts-modal.d.ts +14 -0
  155. package/dist/receipts-modal.d.ts.map +1 -0
  156. package/dist/receipts-modal.js +100 -0
  157. package/dist/receipts-modal.js.map +1 -0
  158. package/dist/receipts-registry.d.ts +4 -0
  159. package/dist/receipts-registry.d.ts.map +1 -0
  160. package/dist/receipts-registry.js +54 -0
  161. package/dist/receipts-registry.js.map +1 -0
  162. package/dist/receipts-render.d.ts +9 -0
  163. package/dist/receipts-render.d.ts.map +1 -0
  164. package/dist/receipts-render.js +83 -0
  165. package/dist/receipts-render.js.map +1 -0
  166. package/dist/receipts-types.d.ts +61 -0
  167. package/dist/receipts-types.d.ts.map +1 -0
  168. package/dist/receipts-types.js +12 -0
  169. package/dist/receipts-types.js.map +1 -0
  170. package/dist/receipts-ui.d.ts +10 -0
  171. package/dist/receipts-ui.d.ts.map +1 -0
  172. package/dist/receipts-ui.js +103 -0
  173. package/dist/receipts-ui.js.map +1 -0
  174. package/dist/receipts-verify.d.ts +8 -0
  175. package/dist/receipts-verify.d.ts.map +1 -0
  176. package/dist/receipts-verify.js +113 -0
  177. package/dist/receipts-verify.js.map +1 -0
  178. package/dist/receipts.d.ts +9 -0
  179. package/dist/receipts.d.ts.map +1 -0
  180. package/dist/receipts.global.js +587 -0
  181. package/dist/receipts.global.text.js +2 -0
  182. package/dist/receipts.js +28 -0
  183. package/dist/receipts.js.map +1 -0
  184. package/dist/sso/index.d.ts +4 -0
  185. package/dist/sso/index.d.ts.map +1 -0
  186. package/dist/sso/index.js +10 -0
  187. package/dist/sso/index.js.map +1 -0
  188. package/dist/sso/jwt.d.ts +29 -0
  189. package/dist/sso/jwt.d.ts.map +1 -0
  190. package/dist/sso/jwt.js +73 -0
  191. package/dist/sso/jwt.js.map +1 -0
  192. package/dist/sso/launch.d.ts +70 -0
  193. package/dist/sso/launch.d.ts.map +1 -0
  194. package/dist/sso/launch.js +75 -0
  195. package/dist/sso/launch.js.map +1 -0
  196. package/dist/sso/revocation.d.ts +23 -0
  197. package/dist/sso/revocation.d.ts.map +1 -0
  198. package/dist/sso/revocation.js +53 -0
  199. package/dist/sso/revocation.js.map +1 -0
  200. package/dist/switcher.d.ts +22 -0
  201. package/dist/switcher.d.ts.map +1 -0
  202. package/dist/switcher.js +174 -0
  203. package/dist/switcher.js.map +1 -0
  204. package/dist/x402/chain.d.ts +49 -0
  205. package/dist/x402/chain.d.ts.map +1 -0
  206. package/dist/x402/chain.js +33 -0
  207. package/dist/x402/chain.js.map +1 -0
  208. package/dist/x402/crypto.d.ts +25 -0
  209. package/dist/x402/crypto.d.ts.map +1 -0
  210. package/dist/x402/crypto.js +74 -0
  211. package/dist/x402/crypto.js.map +1 -0
  212. package/dist/x402/eip712.d.ts +20 -0
  213. package/dist/x402/eip712.d.ts.map +1 -0
  214. package/dist/x402/eip712.js +49 -0
  215. package/dist/x402/eip712.js.map +1 -0
  216. package/dist/x402/envelope.d.ts +45 -0
  217. package/dist/x402/envelope.d.ts.map +1 -0
  218. package/dist/x402/envelope.js +50 -0
  219. package/dist/x402/envelope.js.map +1 -0
  220. package/dist/x402/index.d.ts +41 -0
  221. package/dist/x402/index.d.ts.map +1 -0
  222. package/dist/x402/index.js +41 -0
  223. package/dist/x402/index.js.map +1 -0
  224. package/dist/x402/verify.d.ts +51 -0
  225. package/dist/x402/verify.d.ts.map +1 -0
  226. package/dist/x402/verify.js +110 -0
  227. package/dist/x402/verify.js.map +1 -0
  228. package/package.json +100 -0
package/LICENSE ADDED
@@ -0,0 +1,75 @@
1
+ Draft - pending counsel review.
2
+
3
+ DRM3 SDK License
4
+
5
+ Copyright 2026 DRM3 Labs Corp. All rights reserved.
6
+
7
+ This license governs use of the @drm3/sdk software package and the drm3
8
+ command-line tool (together, the "SDK"). By installing or using the SDK, you
9
+ agree to these terms. If you do not agree, do not install or use the SDK.
10
+
11
+ 1. License grant
12
+
13
+ DRM3 Labs Corp. ("DRM3") grants you a non-exclusive, non-transferable,
14
+ revocable license to install and use the SDK, in its compiled form, solely to
15
+ build and operate applications and agents that integrate with the DRM3 network.
16
+ This grant is limited to the purpose stated in this section and conveys no
17
+ other rights.
18
+
19
+ 2. Restrictions
20
+
21
+ You may not:
22
+
23
+ a. redistribute, resell, sublicense, publish, lease, or otherwise make the
24
+ SDK available to any third party, in whole or in part;
25
+
26
+ b. modify, adapt, translate, reverse engineer, decompile, or disassemble the
27
+ SDK, or create derivative works from it, except to the limited extent that
28
+ applicable law expressly permits despite this restriction;
29
+
30
+ c. use the SDK to design, build, or operate a product or service that
31
+ competes with the DRM3 network; or
32
+
33
+ d. remove, alter, or obscure any copyright, trademark, or other proprietary
34
+ notice in or on the SDK.
35
+
36
+ 3. Reservation of rights
37
+
38
+ The SDK, its interfaces, and its design are the property of DRM3 and are
39
+ protected by intellectual property and other laws. DRM3 reserves all rights not
40
+ expressly granted to you in this license. No title to or ownership of the SDK
41
+ is transferred to you. No rights are granted by implication, estoppel, or
42
+ otherwise beyond those expressly stated here.
43
+
44
+ 4. Feedback
45
+
46
+ Ideas, feature requests, and issue reports are welcome (see CONTRIBUTING.md).
47
+ Code contributions are not accepted. If you send DRM3 feedback, you grant DRM3
48
+ a perpetual, irrevocable, royalty-free right to use it without restriction or
49
+ obligation to you.
50
+
51
+ 5. No warranty
52
+
53
+ THE SDK IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTY OF ANY KIND,
54
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
55
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.
56
+ DRM3 DOES NOT WARRANT THAT THE SDK WILL BE UNINTERRUPTED OR ERROR-FREE.
57
+
58
+ 6. Limitation of liability
59
+
60
+ TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL DRM3 BE LIABLE FOR
61
+ ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR
62
+ ANY LOSS OF PROFITS, REVENUE, DATA, OR USE, ARISING OUT OF OR IN CONNECTION
63
+ WITH THE SDK OR THIS LICENSE, WHETHER IN CONTRACT, TORT, OR OTHERWISE, EVEN IF
64
+ DRM3 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
65
+
66
+ 7. Termination
67
+
68
+ This license is effective until terminated. It terminates automatically if you
69
+ breach any of its terms, and DRM3 may revoke it at any time. On termination,
70
+ you must stop using the SDK and destroy all copies in your possession. Sections
71
+ 3 through 8 survive termination.
72
+
73
+ 8. Contact
74
+
75
+ Inquiries: inquiries@drm3.io
package/README.md ADDED
@@ -0,0 +1,426 @@
1
+ <p align="center">
2
+ <picture>
3
+ <source media="(prefers-color-scheme: dark)" srcset="assets/drm3-wordmark-on-dark.png">
4
+ <img alt="DRM3" src="assets/drm3-wordmark-on-light.png" width="180">
5
+ </picture>
6
+ </p>
7
+
8
+ <h1 align="center">@drm3/sdk</h1>
9
+
10
+ <p align="center">
11
+ <strong>One package to put an app or an agent on the DRM3 network.</strong>
12
+ </p>
13
+
14
+ <p align="center">
15
+ Identity &middot; credits &middot; the x402 payment gateway &middot; partner keys &middot;
16
+ receipt verification &middot; a cross-app switcher and alerts bell &middot; the <code>drm3</code> CLI.
17
+ </p>
18
+
19
+ ---
20
+
21
+ ## What it is
22
+
23
+ **The one package to put an app or an agent on the DRM3 network.** Add an account, a credit balance,
24
+ x402 payments, partner keys, and provenance receipts to the code you already have, then ship.
25
+
26
+ `@drm3/sdk` is a thin, typed client. Identity checks, x402 payments, and receipt chains verify
27
+ **locally** with Web Crypto; everything else is a plain HTTPS call to a DRM3 surface. There is no
28
+ service to host, no daemon, and no sidecar. It ships compiled and typed, and it carries the `drm3`
29
+ CLI for key operations in a terminal. Import a subpath into your code, or run `npx drm3`. That is the
30
+ whole SDK.
31
+
32
+ ## Install
33
+
34
+ ```bash
35
+ npm install @drm3/sdk # or: pnpm add @drm3/sdk · yarn add @drm3/sdk · bun add @drm3/sdk
36
+ ```
37
+
38
+ TypeScript types are bundled, and the `drm3` CLI installs alongside the library.
39
+
40
+ ## What you need
41
+
42
+ - **The library**: a JS runtime with `fetch` and Web Crypto (`crypto.subtle`, Ed25519). Every current
43
+ runtime has both: browsers, Node 20+, Deno, Bun, and edge or serverless runtimes including
44
+ Cloudflare Workers, Vercel Edge, and Fly or Docker containers.
45
+ - **The `drm3` CLI**: Node 20 or newer.
46
+ - **One runtime dependency**: `@noble/curves` and `@noble/hashes` (audited, zero-dependency crypto).
47
+ Nothing else.
48
+
49
+ Install works the same on **Windows, macOS, and Linux**: it is a normal npm package, so if `npm`
50
+ runs, it installs. Module format is ESM with subpath exports and `sideEffects: false`, so a bundler
51
+ ships only the code you import.
52
+
53
+ ## What is in it
54
+
55
+ Each capability has its own subpath. A server never pulls the browser UI; a browser never pulls the
56
+ Postgres driver.
57
+
58
+ | Import | What it does | Runs in |
59
+ |--------|--------------|---------|
60
+ | `@drm3/sdk` | Sign-in URLs, the live app catalog, the user's credit balance, Data Passport writes | server or browser |
61
+ | `@drm3/sdk/sso` | Verify the DRM3 identity token locally, per-app launch tokens, a revocation gate | server |
62
+ | `@drm3/sdk/x402` | The x402 "exact" payment gateway: verify a signed payment, build the 402 offer | server |
63
+ | `@drm3/sdk/meter` | Non-custodial credit ledger: authorize / capture / void / settle, plus a multi-bucket wallet | server |
64
+ | `@drm3/sdk/keys` | Partner signing keys: generate, build a CSR, verify a receipt chain to the DRM3 Root | server or browser |
65
+ | `@drm3/sdk/switcher` | The cross-app switcher tile grid, one call | browser |
66
+ | `@drm3/sdk/alerts` | The cross-app alerts bell, one call | browser |
67
+ | `@drm3/sdk/receipts` | The in-browser provenance receipt viewer and a verify button | browser |
68
+ | `drm3` (CLI) | Generate keys, submit a CSR, verify receipts, check partner status | terminal (Node 20+) |
69
+
70
+ Prebuilt browser bundles ship at `@drm3/sdk/receipts/global` and `@drm3/sdk/alerts/global` for a plain
71
+ `<script>` tag, no bundler required.
72
+
73
+ ## The CLI
74
+
75
+ The `drm3` CLI is the terminal half of the SDK: the same signing discipline, for a human or an agent
76
+ at a prompt. Zero install with `npx drm3`. It makes an Ed25519 keypair locally (the private key never
77
+ leaves your machine), builds and submits a CSR, verifies a receipt chain to the DRM3 Root, and reads
78
+ live fleet and registry status.
79
+
80
+ <p align="center">
81
+ <img src="assets/cli.svg" alt="The drm3 CLI: the help menu, and a keys generate run that prints the public key while the private key is written locally." width="800">
82
+ </p>
83
+
84
+ ```bash
85
+ npx drm3 keys generate --out signing.key # Ed25519 keypair, private key stays with you
86
+ npx drm3 keys submit --subject my-app --key signing.key
87
+ npx drm3 keys verify receipt.json
88
+ npx drm3 status
89
+ ```
90
+
91
+ ## The DRM3 surfaces it talks to
92
+
93
+ Four surfaces. Most of the SDK runs locally; the network calls are few and cacheable.
94
+
95
+ | Surface | Host | Used for |
96
+ |---------|------|----------|
97
+ | **Account hub** | `drm3.network` | sign in/out, credit balance, alerts, Passport writes, the revocation feed |
98
+ | **Registry + CA** | `status.drm3.network` | the app catalog, the public key registry, CSR submit and certificate issuance |
99
+ | **Metered inference** | `queue.drm3.network` | the optional shared credit meter |
100
+ | **Base chain** | USDC on Base | where an x402 payment settles, out of band. The SDK never touches it. |
101
+
102
+ ---
103
+
104
+ ## Architecture
105
+
106
+ The app or agent is the center. It verifies identity, payments, and receipts locally, and makes a
107
+ handful of cacheable calls to the DRM3 surfaces. It never holds a wallet key and never settles money.
108
+
109
+ ```mermaid
110
+ %%{init:{'theme':'base','themeVariables':{'primaryColor':'#EEF2FF','primaryBorderColor':'#3B82F6','lineColor':'#64748B','primaryTextColor':'#1e1b4b','fontFamily':'ui-sans-serif, system-ui, sans-serif'}}}%%
111
+ flowchart LR
112
+ U(["Human or agent"])
113
+ subgraph BOX["Your app or agent + @drm3/sdk"]
114
+ direction TB
115
+ ID["sso: verify identity locally"]
116
+ KEYS["keys: signing + CA"]
117
+ PAY["x402: verify payments locally"]
118
+ MET["meter: credit ledger, your DB"]
119
+ UIX["switcher, alerts, receipts"]
120
+ end
121
+ HUB["drm3.network<br/>account hub"]
122
+ REG["status.drm3.network<br/>registry + CA"]
123
+ Q["queue.drm3.network<br/>metered inference"]
124
+ CHAIN["Base chain<br/>USDC"]
125
+
126
+ U -->|"sign in / out"| HUB
127
+ BOX -->|"balance, alerts, Passport, revocations"| HUB
128
+ BOX -->|"app catalog, public keys, CSR / cert"| REG
129
+ MET -->|"shared meter (optional)"| Q
130
+ PAY -.->|"authorization submitted out of band"| CHAIN
131
+
132
+ classDef drm3 fill:#EEF2FF,stroke:#3B82F6,color:#1e1b4b;
133
+ classDef chain fill:#FCE7F3,stroke:#FB3D8E,color:#1e1b4b;
134
+ class HUB,REG,Q drm3;
135
+ class CHAIN chain;
136
+ ```
137
+
138
+ ---
139
+
140
+ ## The interactions
141
+
142
+ Every flow, its exact endpoint, and what stays local. Each diagram reads top to bottom.
143
+
144
+ ### Sign in
145
+
146
+ The user authenticates once at the hub and comes back with a `drm3_sso` token. Your app verifies that
147
+ token locally on every request after that, with no further call to the hub.
148
+
149
+ ```mermaid
150
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
151
+ sequenceDiagram
152
+ actor U as Human or agent
153
+ participant App as Your app
154
+ participant Hub as drm3.network
155
+ U->>App: click sign in
156
+ App-->>U: redirect to signInUrl(returnTo)
157
+ Note over App,Hub: GET /account?login&next=...
158
+ U->>Hub: authenticate once
159
+ Hub-->>App: redirect back with a drm3_sso token
160
+ App->>App: verifySsoToken() runs locally
161
+ ```
162
+
163
+ ```ts
164
+ import { createRevocationGate, verifyActiveSsoToken } from "@drm3/sdk/sso";
165
+
166
+ const gate = createRevocationGate({ url: "https://drm3.network/api/sso/revocations" });
167
+ const claims = await verifyActiveSsoToken(process.env.DRM3_SSO_SECRET!, token, gate);
168
+ if (!claims) return new Response("unauthorized", { status: 401 }); // signature, expiry, revocation, all local
169
+ ```
170
+
171
+ ---
172
+
173
+ ### Sign out
174
+
175
+ One redirect clears the shared session across every DRM3 app, not just yours.
176
+
177
+ ```mermaid
178
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
179
+ sequenceDiagram
180
+ actor U as User
181
+ participant App as Your app
182
+ participant Hub as drm3.network
183
+ U->>App: click sign out
184
+ App-->>U: redirect to signOutUrl(returnTo)
185
+ Note over App,Hub: GET /account/signout?next=...
186
+ Hub->>Hub: clear the shared session
187
+ Hub-->>App: redirect back, signed out everywhere
188
+ ```
189
+
190
+ ---
191
+
192
+ ### Generate a signing key
193
+
194
+ Fully local. The private key is created on your machine and never leaves it. DRM3 is not contacted.
195
+
196
+ ```mermaid
197
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
198
+ sequenceDiagram
199
+ participant You as You (CLI or code)
200
+ You->>You: generateSigningKey()
201
+ Note over You: Ed25519 keypair made locally
202
+ You->>You: store the private key in your secret manager
203
+ ```
204
+
205
+ ```bash
206
+ npx drm3 keys generate --out signing.key # private key stays with you
207
+ ```
208
+
209
+ ---
210
+
211
+ ### Get your key certified
212
+
213
+ You send a self-signed CSR carrying only your public key. A DRM3 operator approves it and the Root
214
+ signs an attestation. DRM3 never sees your private key.
215
+
216
+ ```mermaid
217
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
218
+ sequenceDiagram
219
+ participant You
220
+ participant CA as status.drm3.network
221
+ participant Op as DRM3 operator
222
+ You->>You: buildCSR({ subject, keyPair })
223
+ You->>CA: POST /v1/ca/csr (public key only)
224
+ CA->>Op: queue for approval
225
+ Op->>CA: approve, the Root signs an attestation
226
+ You->>CA: GET /v1/ca/cert/:subject
227
+ CA-->>You: your issuer attestation
228
+ ```
229
+
230
+ ```bash
231
+ npx drm3 keys submit --subject my-app --key signing.key
232
+ ```
233
+
234
+ ---
235
+
236
+ ### Verify a key or a receipt chain
237
+
238
+ Anyone can do this. Fetch the public key registry once, then verify the Ed25519 chain locally: a
239
+ receipt links to its issuer attestation, which links to the DRM3 Root.
240
+
241
+ ```mermaid
242
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
243
+ sequenceDiagram
244
+ participant V as Verifier (anyone)
245
+ participant Reg as status.drm3.network
246
+ V->>Reg: GET /.well-known/drm3-keys.json
247
+ V->>V: verifyChain(receipt, attestation, root)
248
+ Note over V: receipt to attestation to Root, all local
249
+ ```
250
+
251
+ ```bash
252
+ npx drm3 keys verify receipt.json
253
+ ```
254
+
255
+ ---
256
+
257
+ ### Read the credit balance
258
+
259
+ A single call to the hub with the user's identity token.
260
+
261
+ ```mermaid
262
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
263
+ sequenceDiagram
264
+ participant App as Your app
265
+ participant Hub as drm3.network
266
+ App->>Hub: GET /api/sso/balance (Bearer drm3_sso)
267
+ Hub-->>App: { available, credits }
268
+ ```
269
+
270
+ ---
271
+
272
+ ### Meter usage
273
+
274
+ The ledger is yours (SQLite / D1 or Postgres). `authorize` reserves credits and cannot overdraft;
275
+ `capture` settles the real cost and releases the rest. The remote meter is optional, for the shared
276
+ metered-inference path only.
277
+
278
+ ```mermaid
279
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
280
+ sequenceDiagram
281
+ participant App as Your app
282
+ participant DB as Your DB
283
+ participant Q as queue.drm3.network (optional)
284
+ App->>DB: authorize(maxCost) reserve, no overdraft
285
+ App->>App: do the work, measure the real cost
286
+ App->>DB: capture(actual) settle, release the hold
287
+ opt shared metered inference
288
+ App->>Q: POST /api/internal/meter/charge
289
+ end
290
+ ```
291
+
292
+ ```ts
293
+ import { CreditsClient, InMemoryAdapter } from "@drm3/sdk/meter";
294
+
295
+ const credits = new CreditsClient({ adapter: new InMemoryAdapter() }); // or a D1 / Postgres adapter
296
+ const auth = await credits.authorize({ tenant: claims.sub, maxCredits: 100n });
297
+ if (!auth.ok) return new Response("payment required", { status: 402 });
298
+ await credits.capture(auth.reservation.id, { credits: 84n });
299
+ ```
300
+
301
+ ---
302
+
303
+ ### Alerts
304
+
305
+ Read the user's cross-app alerts and mark them read. The same bell mounts in any DRM3 app.
306
+
307
+ ```mermaid
308
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
309
+ sequenceDiagram
310
+ participant App as Your app (the bell)
311
+ participant Hub as drm3.network
312
+ App->>Hub: GET /api/sso/alerts (Bearer drm3_sso)
313
+ Hub-->>App: { alerts, unread }
314
+ App->>Hub: POST /api/sso/alerts/read
315
+ ```
316
+
317
+ ---
318
+
319
+ ### Data access (Passport)
320
+
321
+ The user grants your app a Passport token at the hub's consent screen. Your app then writes into its
322
+ own namespace under the user's record. The hub re-checks the token audience on every write.
323
+
324
+ ```mermaid
325
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
326
+ sequenceDiagram
327
+ actor U as User
328
+ participant App as Your app
329
+ participant Hub as drm3.network
330
+ U->>Hub: grant a Passport token (consent)
331
+ App->>Hub: POST /api/passport/app-write (Bearer passport)
332
+ Note over App,Hub: writes app.{clientId}.{slug}
333
+ ```
334
+
335
+ ---
336
+
337
+ ### x402 payment
338
+
339
+ Your app answers `402` with an offer. The agent signs an EIP-3009 authorization to `payTo` and retries.
340
+ `verifyX402Payment` checks the signature locally: it holds no key and broadcasts nothing. **Settlement
341
+ is out of band** - the signed authorization is submitted on-chain by the caller or a facilitator, which
342
+ moves USDC directly to `payTo`. The SDK does not settle and never custodies funds.
343
+
344
+ ```mermaid
345
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FCE7F3','noteBorderColor':'#FB3D8E','noteTextColor':'#1e1b4b'}}}%%
346
+ sequenceDiagram
347
+ actor A as Paying agent
348
+ participant App as Your app
349
+ participant Chain as Base (USDC)
350
+ A->>App: request, no payment
351
+ App-->>A: 402 + the offer
352
+ A->>A: sign an EIP-3009 authorization to payTo
353
+ A->>App: retry with the X-PAYMENT header
354
+ App->>App: verifyX402Payment() local, no key
355
+ App->>App: your nonce-replay gate
356
+ App-->>A: 200 + the resource
357
+ A-)Chain: submit authorization (out of band)
358
+ ```
359
+
360
+ ```ts
361
+ import { verifyX402Payment, x402Body } from "@drm3/sdk/x402";
362
+
363
+ const cfg = { payTo: process.env.X402_PAY_TO!, priceAtomic: 10_000n }; // 0.01 USDC on Base
364
+ const header = req.headers.get("x-payment");
365
+ if (!header) return Response.json(x402Body(cfg, { resource: "/answer", description: "One answer" }), { status: 402 });
366
+
367
+ const result = verifyX402Payment(header, cfg); // pure, holds no key
368
+ if (!result.ok) return new Response(result.error, { status: 402 });
369
+ // result.payer is recovered from the signature. Run your nonce-replay gate, then serve.
370
+ ```
371
+
372
+ ---
373
+
374
+ ### Offers
375
+
376
+ `x402Body` builds the `402` menu. `accepts` is the machine-payable x402 requirement; `offers` and
377
+ `hint` are additive extras for humans and apps, and x402 clients ignore them.
378
+
379
+ ```mermaid
380
+ %%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
381
+ sequenceDiagram
382
+ participant App as Your app
383
+ participant A as Caller
384
+ App->>App: x402Body(cfg, { resource, description, offers, hint })
385
+ App-->>A: 402 with accepts + optional offers + hint
386
+ ```
387
+
388
+ ---
389
+
390
+ ## Browser drop-ins
391
+
392
+ Three one-call widgets. Mount them into an element and they render, fetch, and stay in sync.
393
+
394
+ ```ts
395
+ import { mountAppSwitcher } from "@drm3/sdk/switcher";
396
+ import { mountAlertsBell } from "@drm3/sdk/alerts";
397
+ import { mountVerifyButton } from "@drm3/sdk/receipts";
398
+
399
+ mountAppSwitcher(document.getElementById("switcher"));
400
+ mountAlertsBell(document.getElementById("bell"));
401
+ mountVerifyButton(document.getElementById("verify"), { receiptId });
402
+ ```
403
+
404
+ ## For agents and LLMs
405
+
406
+ An agent puts itself on the network the same way an app does: `npm install @drm3/sdk`, then import the
407
+ one subpath it needs. For keys, run `npx drm3 keys generate --out signing.key` (the private key stays
408
+ local) and verify receipt chains with `npx drm3 keys verify`. To pay an x402-gated endpoint, sign an
409
+ EIP-3009 authorization to the offer's `payTo` and retry with the `X-PAYMENT` header.
410
+
411
+ A machine-readable summary of the package, its subpaths, the CLI, and the DRM3 surfaces lives in
412
+ [`llms.txt`](./llms.txt).
413
+
414
+ ## Feedback and submissions
415
+
416
+ We do not accept pull requests or code contributions: the SDK is source-managed by DRM3 Labs Corp. so
417
+ every app and agent on the network shares one signed, tested surface. We do want your ideas, feature
418
+ requests, and bug reports. Open a GitHub issue on this repository, or email inquiries@drm3.io. See
419
+ [CONTRIBUTING.md](./CONTRIBUTING.md).
420
+
421
+ ## Legal
422
+
423
+ `@drm3/sdk` is proprietary software under the **DRM3 SDK License**, Copyright 2026 DRM3 Labs Corp., all
424
+ rights reserved. It is licensed for use to build and operate applications and agents that integrate
425
+ with the DRM3 network; the SDK, its interfaces, and its design are DRM3 Labs Corp. intellectual
426
+ property. See [LICENSE](./LICENSE). Inquiries: inquiries@drm3.io.