@drm3/sdk 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +75 -0
- package/README.md +426 -0
- package/bin/drm3.js +255 -0
- package/dist/alerts-bell.d.ts +7 -0
- package/dist/alerts-bell.d.ts.map +1 -0
- package/dist/alerts-bell.js +118 -0
- package/dist/alerts-bell.js.map +1 -0
- package/dist/alerts-fetch.d.ts +41 -0
- package/dist/alerts-fetch.d.ts.map +1 -0
- package/dist/alerts-fetch.js +60 -0
- package/dist/alerts-fetch.js.map +1 -0
- package/dist/alerts-styles.d.ts +4 -0
- package/dist/alerts-styles.d.ts.map +1 -0
- package/dist/alerts-styles.js +49 -0
- package/dist/alerts-styles.js.map +1 -0
- package/dist/alerts.d.ts +3 -0
- package/dist/alerts.d.ts.map +1 -0
- package/dist/alerts.global.js +206 -0
- package/dist/alerts.global.text.js +2 -0
- package/dist/alerts.js +21 -0
- package/dist/alerts.js.map +1 -0
- package/dist/index.d.ts +64 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +117 -0
- package/dist/index.js.map +1 -0
- package/dist/keys-canonical.d.ts +7 -0
- package/dist/keys-canonical.d.ts.map +1 -0
- package/dist/keys-canonical.js +57 -0
- package/dist/keys-canonical.js.map +1 -0
- package/dist/keys-generate.d.ts +39 -0
- package/dist/keys-generate.d.ts.map +1 -0
- package/dist/keys-generate.js +39 -0
- package/dist/keys-generate.js.map +1 -0
- package/dist/keys-verify.d.ts +62 -0
- package/dist/keys-verify.d.ts.map +1 -0
- package/dist/keys-verify.js +68 -0
- package/dist/keys-verify.js.map +1 -0
- package/dist/keys.d.ts +4 -0
- package/dist/keys.d.ts.map +1 -0
- package/dist/keys.js +22 -0
- package/dist/keys.js.map +1 -0
- package/dist/meter/adapter.d.ts +35 -0
- package/dist/meter/adapter.d.ts.map +1 -0
- package/dist/meter/adapter.js +0 -0
- package/dist/meter/adapter.js.map +1 -0
- package/dist/meter/cascade.d.ts +56 -0
- package/dist/meter/cascade.d.ts.map +1 -0
- package/dist/meter/cascade.js +64 -0
- package/dist/meter/cascade.js.map +1 -0
- package/dist/meter/client.d.ts +78 -0
- package/dist/meter/client.d.ts.map +1 -0
- package/dist/meter/client.js +84 -0
- package/dist/meter/client.js.map +1 -0
- package/dist/meter/core.d.ts +37 -0
- package/dist/meter/core.d.ts.map +1 -0
- package/dist/meter/core.js +49 -0
- package/dist/meter/core.js.map +1 -0
- package/dist/meter/gate-client.d.ts +94 -0
- package/dist/meter/gate-client.d.ts.map +1 -0
- package/dist/meter/gate-client.js +77 -0
- package/dist/meter/gate-client.js.map +1 -0
- package/dist/meter/gate-decide.d.ts +61 -0
- package/dist/meter/gate-decide.d.ts.map +1 -0
- package/dist/meter/gate-decide.js +54 -0
- package/dist/meter/gate-decide.js.map +1 -0
- package/dist/meter/gate.d.ts +10 -0
- package/dist/meter/gate.d.ts.map +1 -0
- package/dist/meter/gate.js +10 -0
- package/dist/meter/gate.js.map +1 -0
- package/dist/meter/index.d.ts +28 -0
- package/dist/meter/index.d.ts.map +1 -0
- package/dist/meter/index.js +28 -0
- package/dist/meter/index.js.map +1 -0
- package/dist/meter/meters-buckets.d.ts +56 -0
- package/dist/meter/meters-buckets.d.ts.map +1 -0
- package/dist/meter/meters-buckets.js +111 -0
- package/dist/meter/meters-buckets.js.map +1 -0
- package/dist/meter/meters-charge.d.ts +13 -0
- package/dist/meter/meters-charge.d.ts.map +1 -0
- package/dist/meter/meters-charge.js +76 -0
- package/dist/meter/meters-charge.js.map +1 -0
- package/dist/meter/meters.d.ts +63 -0
- package/dist/meter/meters.d.ts.map +1 -0
- package/dist/meter/meters.js +44 -0
- package/dist/meter/meters.js.map +1 -0
- package/dist/meter/plans.d.ts +63 -0
- package/dist/meter/plans.d.ts.map +1 -0
- package/dist/meter/plans.js +114 -0
- package/dist/meter/plans.js.map +1 -0
- package/dist/meter/pricebook.d.ts +32 -0
- package/dist/meter/pricebook.d.ts.map +1 -0
- package/dist/meter/pricebook.js +38 -0
- package/dist/meter/pricebook.js.map +1 -0
- package/dist/meter/resolve.d.ts +103 -0
- package/dist/meter/resolve.d.ts.map +1 -0
- package/dist/meter/resolve.js +100 -0
- package/dist/meter/resolve.js.map +1 -0
- package/dist/meter/sink.d.ts +26 -0
- package/dist/meter/sink.d.ts.map +1 -0
- package/dist/meter/sink.js +9 -0
- package/dist/meter/sink.js.map +1 -0
- package/dist/meter/sql/d1.d.ts +32 -0
- package/dist/meter/sql/d1.d.ts.map +1 -0
- package/dist/meter/sql/d1.js +41 -0
- package/dist/meter/sql/d1.js.map +1 -0
- package/dist/meter/sql/driver.d.ts +34 -0
- package/dist/meter/sql/driver.d.ts.map +1 -0
- package/dist/meter/sql/driver.js +17 -0
- package/dist/meter/sql/driver.js.map +1 -0
- package/dist/meter/sql/postgres.d.ts +23 -0
- package/dist/meter/sql/postgres.d.ts.map +1 -0
- package/dist/meter/sql/postgres.js +36 -0
- package/dist/meter/sql/postgres.js.map +1 -0
- package/dist/meter/sql/schema.d.ts +13 -0
- package/dist/meter/sql/schema.d.ts.map +1 -0
- package/dist/meter/sql/schema.js +32 -0
- package/dist/meter/sql/schema.js.map +1 -0
- package/dist/meter/sql/sql-adapter.d.ts +36 -0
- package/dist/meter/sql/sql-adapter.d.ts.map +1 -0
- package/dist/meter/sql/sql-adapter.js +124 -0
- package/dist/meter/sql/sql-adapter.js.map +1 -0
- package/dist/meter/sql/statements.d.ts +30 -0
- package/dist/meter/sql/statements.d.ts.map +1 -0
- package/dist/meter/sql/statements.js +24 -0
- package/dist/meter/sql/statements.js.map +1 -0
- package/dist/meter/types.d.ts +48 -0
- package/dist/meter/types.d.ts.map +1 -0
- package/dist/meter/types.js +8 -0
- package/dist/meter/types.js.map +1 -0
- package/dist/meter/units.d.ts +33 -0
- package/dist/meter/units.d.ts.map +1 -0
- package/dist/meter/units.js +45 -0
- package/dist/meter/units.js.map +1 -0
- package/dist/meter/wallet-buckets.d.ts +63 -0
- package/dist/meter/wallet-buckets.d.ts.map +1 -0
- package/dist/meter/wallet-buckets.js +131 -0
- package/dist/meter/wallet-buckets.js.map +1 -0
- package/dist/meter/wallet-charge.d.ts +15 -0
- package/dist/meter/wallet-charge.d.ts.map +1 -0
- package/dist/meter/wallet-charge.js +64 -0
- package/dist/meter/wallet-charge.js.map +1 -0
- package/dist/meter/wallet.d.ts +68 -0
- package/dist/meter/wallet.d.ts.map +1 -0
- package/dist/meter/wallet.js +47 -0
- package/dist/meter/wallet.js.map +1 -0
- package/dist/receipts-api.d.ts +5 -0
- package/dist/receipts-api.d.ts.map +1 -0
- package/dist/receipts-api.js +117 -0
- package/dist/receipts-api.js.map +1 -0
- package/dist/receipts-chain.d.ts +3 -0
- package/dist/receipts-chain.d.ts.map +1 -0
- package/dist/receipts-chain.js +121 -0
- package/dist/receipts-chain.js.map +1 -0
- package/dist/receipts-modal.d.ts +14 -0
- package/dist/receipts-modal.d.ts.map +1 -0
- package/dist/receipts-modal.js +100 -0
- package/dist/receipts-modal.js.map +1 -0
- package/dist/receipts-registry.d.ts +4 -0
- package/dist/receipts-registry.d.ts.map +1 -0
- package/dist/receipts-registry.js +54 -0
- package/dist/receipts-registry.js.map +1 -0
- package/dist/receipts-render.d.ts +9 -0
- package/dist/receipts-render.d.ts.map +1 -0
- package/dist/receipts-render.js +83 -0
- package/dist/receipts-render.js.map +1 -0
- package/dist/receipts-types.d.ts +61 -0
- package/dist/receipts-types.d.ts.map +1 -0
- package/dist/receipts-types.js +12 -0
- package/dist/receipts-types.js.map +1 -0
- package/dist/receipts-ui.d.ts +10 -0
- package/dist/receipts-ui.d.ts.map +1 -0
- package/dist/receipts-ui.js +103 -0
- package/dist/receipts-ui.js.map +1 -0
- package/dist/receipts-verify.d.ts +8 -0
- package/dist/receipts-verify.d.ts.map +1 -0
- package/dist/receipts-verify.js +113 -0
- package/dist/receipts-verify.js.map +1 -0
- package/dist/receipts.d.ts +9 -0
- package/dist/receipts.d.ts.map +1 -0
- package/dist/receipts.global.js +587 -0
- package/dist/receipts.global.text.js +2 -0
- package/dist/receipts.js +28 -0
- package/dist/receipts.js.map +1 -0
- package/dist/sso/index.d.ts +4 -0
- package/dist/sso/index.d.ts.map +1 -0
- package/dist/sso/index.js +10 -0
- package/dist/sso/index.js.map +1 -0
- package/dist/sso/jwt.d.ts +29 -0
- package/dist/sso/jwt.d.ts.map +1 -0
- package/dist/sso/jwt.js +73 -0
- package/dist/sso/jwt.js.map +1 -0
- package/dist/sso/launch.d.ts +70 -0
- package/dist/sso/launch.d.ts.map +1 -0
- package/dist/sso/launch.js +75 -0
- package/dist/sso/launch.js.map +1 -0
- package/dist/sso/revocation.d.ts +23 -0
- package/dist/sso/revocation.d.ts.map +1 -0
- package/dist/sso/revocation.js +53 -0
- package/dist/sso/revocation.js.map +1 -0
- package/dist/switcher.d.ts +22 -0
- package/dist/switcher.d.ts.map +1 -0
- package/dist/switcher.js +174 -0
- package/dist/switcher.js.map +1 -0
- package/dist/x402/chain.d.ts +49 -0
- package/dist/x402/chain.d.ts.map +1 -0
- package/dist/x402/chain.js +33 -0
- package/dist/x402/chain.js.map +1 -0
- package/dist/x402/crypto.d.ts +25 -0
- package/dist/x402/crypto.d.ts.map +1 -0
- package/dist/x402/crypto.js +74 -0
- package/dist/x402/crypto.js.map +1 -0
- package/dist/x402/eip712.d.ts +20 -0
- package/dist/x402/eip712.d.ts.map +1 -0
- package/dist/x402/eip712.js +49 -0
- package/dist/x402/eip712.js.map +1 -0
- package/dist/x402/envelope.d.ts +45 -0
- package/dist/x402/envelope.d.ts.map +1 -0
- package/dist/x402/envelope.js +50 -0
- package/dist/x402/envelope.js.map +1 -0
- package/dist/x402/index.d.ts +41 -0
- package/dist/x402/index.d.ts.map +1 -0
- package/dist/x402/index.js +41 -0
- package/dist/x402/index.js.map +1 -0
- package/dist/x402/verify.d.ts +51 -0
- package/dist/x402/verify.d.ts.map +1 -0
- package/dist/x402/verify.js +110 -0
- package/dist/x402/verify.js.map +1 -0
- package/package.json +100 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
Draft - pending counsel review.
|
|
2
|
+
|
|
3
|
+
DRM3 SDK License
|
|
4
|
+
|
|
5
|
+
Copyright 2026 DRM3 Labs Corp. All rights reserved.
|
|
6
|
+
|
|
7
|
+
This license governs use of the @drm3/sdk software package and the drm3
|
|
8
|
+
command-line tool (together, the "SDK"). By installing or using the SDK, you
|
|
9
|
+
agree to these terms. If you do not agree, do not install or use the SDK.
|
|
10
|
+
|
|
11
|
+
1. License grant
|
|
12
|
+
|
|
13
|
+
DRM3 Labs Corp. ("DRM3") grants you a non-exclusive, non-transferable,
|
|
14
|
+
revocable license to install and use the SDK, in its compiled form, solely to
|
|
15
|
+
build and operate applications and agents that integrate with the DRM3 network.
|
|
16
|
+
This grant is limited to the purpose stated in this section and conveys no
|
|
17
|
+
other rights.
|
|
18
|
+
|
|
19
|
+
2. Restrictions
|
|
20
|
+
|
|
21
|
+
You may not:
|
|
22
|
+
|
|
23
|
+
a. redistribute, resell, sublicense, publish, lease, or otherwise make the
|
|
24
|
+
SDK available to any third party, in whole or in part;
|
|
25
|
+
|
|
26
|
+
b. modify, adapt, translate, reverse engineer, decompile, or disassemble the
|
|
27
|
+
SDK, or create derivative works from it, except to the limited extent that
|
|
28
|
+
applicable law expressly permits despite this restriction;
|
|
29
|
+
|
|
30
|
+
c. use the SDK to design, build, or operate a product or service that
|
|
31
|
+
competes with the DRM3 network; or
|
|
32
|
+
|
|
33
|
+
d. remove, alter, or obscure any copyright, trademark, or other proprietary
|
|
34
|
+
notice in or on the SDK.
|
|
35
|
+
|
|
36
|
+
3. Reservation of rights
|
|
37
|
+
|
|
38
|
+
The SDK, its interfaces, and its design are the property of DRM3 and are
|
|
39
|
+
protected by intellectual property and other laws. DRM3 reserves all rights not
|
|
40
|
+
expressly granted to you in this license. No title to or ownership of the SDK
|
|
41
|
+
is transferred to you. No rights are granted by implication, estoppel, or
|
|
42
|
+
otherwise beyond those expressly stated here.
|
|
43
|
+
|
|
44
|
+
4. Feedback
|
|
45
|
+
|
|
46
|
+
Ideas, feature requests, and issue reports are welcome (see CONTRIBUTING.md).
|
|
47
|
+
Code contributions are not accepted. If you send DRM3 feedback, you grant DRM3
|
|
48
|
+
a perpetual, irrevocable, royalty-free right to use it without restriction or
|
|
49
|
+
obligation to you.
|
|
50
|
+
|
|
51
|
+
5. No warranty
|
|
52
|
+
|
|
53
|
+
THE SDK IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTY OF ANY KIND,
|
|
54
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
55
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.
|
|
56
|
+
DRM3 DOES NOT WARRANT THAT THE SDK WILL BE UNINTERRUPTED OR ERROR-FREE.
|
|
57
|
+
|
|
58
|
+
6. Limitation of liability
|
|
59
|
+
|
|
60
|
+
TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL DRM3 BE LIABLE FOR
|
|
61
|
+
ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR
|
|
62
|
+
ANY LOSS OF PROFITS, REVENUE, DATA, OR USE, ARISING OUT OF OR IN CONNECTION
|
|
63
|
+
WITH THE SDK OR THIS LICENSE, WHETHER IN CONTRACT, TORT, OR OTHERWISE, EVEN IF
|
|
64
|
+
DRM3 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
|
65
|
+
|
|
66
|
+
7. Termination
|
|
67
|
+
|
|
68
|
+
This license is effective until terminated. It terminates automatically if you
|
|
69
|
+
breach any of its terms, and DRM3 may revoke it at any time. On termination,
|
|
70
|
+
you must stop using the SDK and destroy all copies in your possession. Sections
|
|
71
|
+
3 through 8 survive termination.
|
|
72
|
+
|
|
73
|
+
8. Contact
|
|
74
|
+
|
|
75
|
+
Inquiries: inquiries@drm3.io
|
package/README.md
ADDED
|
@@ -0,0 +1,426 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<picture>
|
|
3
|
+
<source media="(prefers-color-scheme: dark)" srcset="assets/drm3-wordmark-on-dark.png">
|
|
4
|
+
<img alt="DRM3" src="assets/drm3-wordmark-on-light.png" width="180">
|
|
5
|
+
</picture>
|
|
6
|
+
</p>
|
|
7
|
+
|
|
8
|
+
<h1 align="center">@drm3/sdk</h1>
|
|
9
|
+
|
|
10
|
+
<p align="center">
|
|
11
|
+
<strong>One package to put an app or an agent on the DRM3 network.</strong>
|
|
12
|
+
</p>
|
|
13
|
+
|
|
14
|
+
<p align="center">
|
|
15
|
+
Identity · credits · the x402 payment gateway · partner keys ·
|
|
16
|
+
receipt verification · a cross-app switcher and alerts bell · the <code>drm3</code> CLI.
|
|
17
|
+
</p>
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## What it is
|
|
22
|
+
|
|
23
|
+
**The one package to put an app or an agent on the DRM3 network.** Add an account, a credit balance,
|
|
24
|
+
x402 payments, partner keys, and provenance receipts to the code you already have, then ship.
|
|
25
|
+
|
|
26
|
+
`@drm3/sdk` is a thin, typed client. Identity checks, x402 payments, and receipt chains verify
|
|
27
|
+
**locally** with Web Crypto; everything else is a plain HTTPS call to a DRM3 surface. There is no
|
|
28
|
+
service to host, no daemon, and no sidecar. It ships compiled and typed, and it carries the `drm3`
|
|
29
|
+
CLI for key operations in a terminal. Import a subpath into your code, or run `npx drm3`. That is the
|
|
30
|
+
whole SDK.
|
|
31
|
+
|
|
32
|
+
## Install
|
|
33
|
+
|
|
34
|
+
```bash
|
|
35
|
+
npm install @drm3/sdk # or: pnpm add @drm3/sdk · yarn add @drm3/sdk · bun add @drm3/sdk
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
TypeScript types are bundled, and the `drm3` CLI installs alongside the library.
|
|
39
|
+
|
|
40
|
+
## What you need
|
|
41
|
+
|
|
42
|
+
- **The library**: a JS runtime with `fetch` and Web Crypto (`crypto.subtle`, Ed25519). Every current
|
|
43
|
+
runtime has both: browsers, Node 20+, Deno, Bun, and edge or serverless runtimes including
|
|
44
|
+
Cloudflare Workers, Vercel Edge, and Fly or Docker containers.
|
|
45
|
+
- **The `drm3` CLI**: Node 20 or newer.
|
|
46
|
+
- **One runtime dependency**: `@noble/curves` and `@noble/hashes` (audited, zero-dependency crypto).
|
|
47
|
+
Nothing else.
|
|
48
|
+
|
|
49
|
+
Install works the same on **Windows, macOS, and Linux**: it is a normal npm package, so if `npm`
|
|
50
|
+
runs, it installs. Module format is ESM with subpath exports and `sideEffects: false`, so a bundler
|
|
51
|
+
ships only the code you import.
|
|
52
|
+
|
|
53
|
+
## What is in it
|
|
54
|
+
|
|
55
|
+
Each capability has its own subpath. A server never pulls the browser UI; a browser never pulls the
|
|
56
|
+
Postgres driver.
|
|
57
|
+
|
|
58
|
+
| Import | What it does | Runs in |
|
|
59
|
+
|--------|--------------|---------|
|
|
60
|
+
| `@drm3/sdk` | Sign-in URLs, the live app catalog, the user's credit balance, Data Passport writes | server or browser |
|
|
61
|
+
| `@drm3/sdk/sso` | Verify the DRM3 identity token locally, per-app launch tokens, a revocation gate | server |
|
|
62
|
+
| `@drm3/sdk/x402` | The x402 "exact" payment gateway: verify a signed payment, build the 402 offer | server |
|
|
63
|
+
| `@drm3/sdk/meter` | Non-custodial credit ledger: authorize / capture / void / settle, plus a multi-bucket wallet | server |
|
|
64
|
+
| `@drm3/sdk/keys` | Partner signing keys: generate, build a CSR, verify a receipt chain to the DRM3 Root | server or browser |
|
|
65
|
+
| `@drm3/sdk/switcher` | The cross-app switcher tile grid, one call | browser |
|
|
66
|
+
| `@drm3/sdk/alerts` | The cross-app alerts bell, one call | browser |
|
|
67
|
+
| `@drm3/sdk/receipts` | The in-browser provenance receipt viewer and a verify button | browser |
|
|
68
|
+
| `drm3` (CLI) | Generate keys, submit a CSR, verify receipts, check partner status | terminal (Node 20+) |
|
|
69
|
+
|
|
70
|
+
Prebuilt browser bundles ship at `@drm3/sdk/receipts/global` and `@drm3/sdk/alerts/global` for a plain
|
|
71
|
+
`<script>` tag, no bundler required.
|
|
72
|
+
|
|
73
|
+
## The CLI
|
|
74
|
+
|
|
75
|
+
The `drm3` CLI is the terminal half of the SDK: the same signing discipline, for a human or an agent
|
|
76
|
+
at a prompt. Zero install with `npx drm3`. It makes an Ed25519 keypair locally (the private key never
|
|
77
|
+
leaves your machine), builds and submits a CSR, verifies a receipt chain to the DRM3 Root, and reads
|
|
78
|
+
live fleet and registry status.
|
|
79
|
+
|
|
80
|
+
<p align="center">
|
|
81
|
+
<img src="assets/cli.svg" alt="The drm3 CLI: the help menu, and a keys generate run that prints the public key while the private key is written locally." width="800">
|
|
82
|
+
</p>
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
npx drm3 keys generate --out signing.key # Ed25519 keypair, private key stays with you
|
|
86
|
+
npx drm3 keys submit --subject my-app --key signing.key
|
|
87
|
+
npx drm3 keys verify receipt.json
|
|
88
|
+
npx drm3 status
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
## The DRM3 surfaces it talks to
|
|
92
|
+
|
|
93
|
+
Four surfaces. Most of the SDK runs locally; the network calls are few and cacheable.
|
|
94
|
+
|
|
95
|
+
| Surface | Host | Used for |
|
|
96
|
+
|---------|------|----------|
|
|
97
|
+
| **Account hub** | `drm3.network` | sign in/out, credit balance, alerts, Passport writes, the revocation feed |
|
|
98
|
+
| **Registry + CA** | `status.drm3.network` | the app catalog, the public key registry, CSR submit and certificate issuance |
|
|
99
|
+
| **Metered inference** | `queue.drm3.network` | the optional shared credit meter |
|
|
100
|
+
| **Base chain** | USDC on Base | where an x402 payment settles, out of band. The SDK never touches it. |
|
|
101
|
+
|
|
102
|
+
---
|
|
103
|
+
|
|
104
|
+
## Architecture
|
|
105
|
+
|
|
106
|
+
The app or agent is the center. It verifies identity, payments, and receipts locally, and makes a
|
|
107
|
+
handful of cacheable calls to the DRM3 surfaces. It never holds a wallet key and never settles money.
|
|
108
|
+
|
|
109
|
+
```mermaid
|
|
110
|
+
%%{init:{'theme':'base','themeVariables':{'primaryColor':'#EEF2FF','primaryBorderColor':'#3B82F6','lineColor':'#64748B','primaryTextColor':'#1e1b4b','fontFamily':'ui-sans-serif, system-ui, sans-serif'}}}%%
|
|
111
|
+
flowchart LR
|
|
112
|
+
U(["Human or agent"])
|
|
113
|
+
subgraph BOX["Your app or agent + @drm3/sdk"]
|
|
114
|
+
direction TB
|
|
115
|
+
ID["sso: verify identity locally"]
|
|
116
|
+
KEYS["keys: signing + CA"]
|
|
117
|
+
PAY["x402: verify payments locally"]
|
|
118
|
+
MET["meter: credit ledger, your DB"]
|
|
119
|
+
UIX["switcher, alerts, receipts"]
|
|
120
|
+
end
|
|
121
|
+
HUB["drm3.network<br/>account hub"]
|
|
122
|
+
REG["status.drm3.network<br/>registry + CA"]
|
|
123
|
+
Q["queue.drm3.network<br/>metered inference"]
|
|
124
|
+
CHAIN["Base chain<br/>USDC"]
|
|
125
|
+
|
|
126
|
+
U -->|"sign in / out"| HUB
|
|
127
|
+
BOX -->|"balance, alerts, Passport, revocations"| HUB
|
|
128
|
+
BOX -->|"app catalog, public keys, CSR / cert"| REG
|
|
129
|
+
MET -->|"shared meter (optional)"| Q
|
|
130
|
+
PAY -.->|"authorization submitted out of band"| CHAIN
|
|
131
|
+
|
|
132
|
+
classDef drm3 fill:#EEF2FF,stroke:#3B82F6,color:#1e1b4b;
|
|
133
|
+
classDef chain fill:#FCE7F3,stroke:#FB3D8E,color:#1e1b4b;
|
|
134
|
+
class HUB,REG,Q drm3;
|
|
135
|
+
class CHAIN chain;
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
## The interactions
|
|
141
|
+
|
|
142
|
+
Every flow, its exact endpoint, and what stays local. Each diagram reads top to bottom.
|
|
143
|
+
|
|
144
|
+
### Sign in
|
|
145
|
+
|
|
146
|
+
The user authenticates once at the hub and comes back with a `drm3_sso` token. Your app verifies that
|
|
147
|
+
token locally on every request after that, with no further call to the hub.
|
|
148
|
+
|
|
149
|
+
```mermaid
|
|
150
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
|
|
151
|
+
sequenceDiagram
|
|
152
|
+
actor U as Human or agent
|
|
153
|
+
participant App as Your app
|
|
154
|
+
participant Hub as drm3.network
|
|
155
|
+
U->>App: click sign in
|
|
156
|
+
App-->>U: redirect to signInUrl(returnTo)
|
|
157
|
+
Note over App,Hub: GET /account?login&next=...
|
|
158
|
+
U->>Hub: authenticate once
|
|
159
|
+
Hub-->>App: redirect back with a drm3_sso token
|
|
160
|
+
App->>App: verifySsoToken() runs locally
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
```ts
|
|
164
|
+
import { createRevocationGate, verifyActiveSsoToken } from "@drm3/sdk/sso";
|
|
165
|
+
|
|
166
|
+
const gate = createRevocationGate({ url: "https://drm3.network/api/sso/revocations" });
|
|
167
|
+
const claims = await verifyActiveSsoToken(process.env.DRM3_SSO_SECRET!, token, gate);
|
|
168
|
+
if (!claims) return new Response("unauthorized", { status: 401 }); // signature, expiry, revocation, all local
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
---
|
|
172
|
+
|
|
173
|
+
### Sign out
|
|
174
|
+
|
|
175
|
+
One redirect clears the shared session across every DRM3 app, not just yours.
|
|
176
|
+
|
|
177
|
+
```mermaid
|
|
178
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
|
|
179
|
+
sequenceDiagram
|
|
180
|
+
actor U as User
|
|
181
|
+
participant App as Your app
|
|
182
|
+
participant Hub as drm3.network
|
|
183
|
+
U->>App: click sign out
|
|
184
|
+
App-->>U: redirect to signOutUrl(returnTo)
|
|
185
|
+
Note over App,Hub: GET /account/signout?next=...
|
|
186
|
+
Hub->>Hub: clear the shared session
|
|
187
|
+
Hub-->>App: redirect back, signed out everywhere
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
### Generate a signing key
|
|
193
|
+
|
|
194
|
+
Fully local. The private key is created on your machine and never leaves it. DRM3 is not contacted.
|
|
195
|
+
|
|
196
|
+
```mermaid
|
|
197
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
|
|
198
|
+
sequenceDiagram
|
|
199
|
+
participant You as You (CLI or code)
|
|
200
|
+
You->>You: generateSigningKey()
|
|
201
|
+
Note over You: Ed25519 keypair made locally
|
|
202
|
+
You->>You: store the private key in your secret manager
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
```bash
|
|
206
|
+
npx drm3 keys generate --out signing.key # private key stays with you
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
---
|
|
210
|
+
|
|
211
|
+
### Get your key certified
|
|
212
|
+
|
|
213
|
+
You send a self-signed CSR carrying only your public key. A DRM3 operator approves it and the Root
|
|
214
|
+
signs an attestation. DRM3 never sees your private key.
|
|
215
|
+
|
|
216
|
+
```mermaid
|
|
217
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
|
|
218
|
+
sequenceDiagram
|
|
219
|
+
participant You
|
|
220
|
+
participant CA as status.drm3.network
|
|
221
|
+
participant Op as DRM3 operator
|
|
222
|
+
You->>You: buildCSR({ subject, keyPair })
|
|
223
|
+
You->>CA: POST /v1/ca/csr (public key only)
|
|
224
|
+
CA->>Op: queue for approval
|
|
225
|
+
Op->>CA: approve, the Root signs an attestation
|
|
226
|
+
You->>CA: GET /v1/ca/cert/:subject
|
|
227
|
+
CA-->>You: your issuer attestation
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
```bash
|
|
231
|
+
npx drm3 keys submit --subject my-app --key signing.key
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
---
|
|
235
|
+
|
|
236
|
+
### Verify a key or a receipt chain
|
|
237
|
+
|
|
238
|
+
Anyone can do this. Fetch the public key registry once, then verify the Ed25519 chain locally: a
|
|
239
|
+
receipt links to its issuer attestation, which links to the DRM3 Root.
|
|
240
|
+
|
|
241
|
+
```mermaid
|
|
242
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
|
|
243
|
+
sequenceDiagram
|
|
244
|
+
participant V as Verifier (anyone)
|
|
245
|
+
participant Reg as status.drm3.network
|
|
246
|
+
V->>Reg: GET /.well-known/drm3-keys.json
|
|
247
|
+
V->>V: verifyChain(receipt, attestation, root)
|
|
248
|
+
Note over V: receipt to attestation to Root, all local
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
```bash
|
|
252
|
+
npx drm3 keys verify receipt.json
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
---
|
|
256
|
+
|
|
257
|
+
### Read the credit balance
|
|
258
|
+
|
|
259
|
+
A single call to the hub with the user's identity token.
|
|
260
|
+
|
|
261
|
+
```mermaid
|
|
262
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
|
|
263
|
+
sequenceDiagram
|
|
264
|
+
participant App as Your app
|
|
265
|
+
participant Hub as drm3.network
|
|
266
|
+
App->>Hub: GET /api/sso/balance (Bearer drm3_sso)
|
|
267
|
+
Hub-->>App: { available, credits }
|
|
268
|
+
```
|
|
269
|
+
|
|
270
|
+
---
|
|
271
|
+
|
|
272
|
+
### Meter usage
|
|
273
|
+
|
|
274
|
+
The ledger is yours (SQLite / D1 or Postgres). `authorize` reserves credits and cannot overdraft;
|
|
275
|
+
`capture` settles the real cost and releases the rest. The remote meter is optional, for the shared
|
|
276
|
+
metered-inference path only.
|
|
277
|
+
|
|
278
|
+
```mermaid
|
|
279
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
|
|
280
|
+
sequenceDiagram
|
|
281
|
+
participant App as Your app
|
|
282
|
+
participant DB as Your DB
|
|
283
|
+
participant Q as queue.drm3.network (optional)
|
|
284
|
+
App->>DB: authorize(maxCost) reserve, no overdraft
|
|
285
|
+
App->>App: do the work, measure the real cost
|
|
286
|
+
App->>DB: capture(actual) settle, release the hold
|
|
287
|
+
opt shared metered inference
|
|
288
|
+
App->>Q: POST /api/internal/meter/charge
|
|
289
|
+
end
|
|
290
|
+
```
|
|
291
|
+
|
|
292
|
+
```ts
|
|
293
|
+
import { CreditsClient, InMemoryAdapter } from "@drm3/sdk/meter";
|
|
294
|
+
|
|
295
|
+
const credits = new CreditsClient({ adapter: new InMemoryAdapter() }); // or a D1 / Postgres adapter
|
|
296
|
+
const auth = await credits.authorize({ tenant: claims.sub, maxCredits: 100n });
|
|
297
|
+
if (!auth.ok) return new Response("payment required", { status: 402 });
|
|
298
|
+
await credits.capture(auth.reservation.id, { credits: 84n });
|
|
299
|
+
```
|
|
300
|
+
|
|
301
|
+
---
|
|
302
|
+
|
|
303
|
+
### Alerts
|
|
304
|
+
|
|
305
|
+
Read the user's cross-app alerts and mark them read. The same bell mounts in any DRM3 app.
|
|
306
|
+
|
|
307
|
+
```mermaid
|
|
308
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
|
|
309
|
+
sequenceDiagram
|
|
310
|
+
participant App as Your app (the bell)
|
|
311
|
+
participant Hub as drm3.network
|
|
312
|
+
App->>Hub: GET /api/sso/alerts (Bearer drm3_sso)
|
|
313
|
+
Hub-->>App: { alerts, unread }
|
|
314
|
+
App->>Hub: POST /api/sso/alerts/read
|
|
315
|
+
```
|
|
316
|
+
|
|
317
|
+
---
|
|
318
|
+
|
|
319
|
+
### Data access (Passport)
|
|
320
|
+
|
|
321
|
+
The user grants your app a Passport token at the hub's consent screen. Your app then writes into its
|
|
322
|
+
own namespace under the user's record. The hub re-checks the token audience on every write.
|
|
323
|
+
|
|
324
|
+
```mermaid
|
|
325
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FEF3C7','noteBorderColor':'#FBBF24','noteTextColor':'#1e1b4b'}}}%%
|
|
326
|
+
sequenceDiagram
|
|
327
|
+
actor U as User
|
|
328
|
+
participant App as Your app
|
|
329
|
+
participant Hub as drm3.network
|
|
330
|
+
U->>Hub: grant a Passport token (consent)
|
|
331
|
+
App->>Hub: POST /api/passport/app-write (Bearer passport)
|
|
332
|
+
Note over App,Hub: writes app.{clientId}.{slug}
|
|
333
|
+
```
|
|
334
|
+
|
|
335
|
+
---
|
|
336
|
+
|
|
337
|
+
### x402 payment
|
|
338
|
+
|
|
339
|
+
Your app answers `402` with an offer. The agent signs an EIP-3009 authorization to `payTo` and retries.
|
|
340
|
+
`verifyX402Payment` checks the signature locally: it holds no key and broadcasts nothing. **Settlement
|
|
341
|
+
is out of band** - the signed authorization is submitted on-chain by the caller or a facilitator, which
|
|
342
|
+
moves USDC directly to `payTo`. The SDK does not settle and never custodies funds.
|
|
343
|
+
|
|
344
|
+
```mermaid
|
|
345
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B','noteBkgColor':'#FCE7F3','noteBorderColor':'#FB3D8E','noteTextColor':'#1e1b4b'}}}%%
|
|
346
|
+
sequenceDiagram
|
|
347
|
+
actor A as Paying agent
|
|
348
|
+
participant App as Your app
|
|
349
|
+
participant Chain as Base (USDC)
|
|
350
|
+
A->>App: request, no payment
|
|
351
|
+
App-->>A: 402 + the offer
|
|
352
|
+
A->>A: sign an EIP-3009 authorization to payTo
|
|
353
|
+
A->>App: retry with the X-PAYMENT header
|
|
354
|
+
App->>App: verifyX402Payment() local, no key
|
|
355
|
+
App->>App: your nonce-replay gate
|
|
356
|
+
App-->>A: 200 + the resource
|
|
357
|
+
A-)Chain: submit authorization (out of band)
|
|
358
|
+
```
|
|
359
|
+
|
|
360
|
+
```ts
|
|
361
|
+
import { verifyX402Payment, x402Body } from "@drm3/sdk/x402";
|
|
362
|
+
|
|
363
|
+
const cfg = { payTo: process.env.X402_PAY_TO!, priceAtomic: 10_000n }; // 0.01 USDC on Base
|
|
364
|
+
const header = req.headers.get("x-payment");
|
|
365
|
+
if (!header) return Response.json(x402Body(cfg, { resource: "/answer", description: "One answer" }), { status: 402 });
|
|
366
|
+
|
|
367
|
+
const result = verifyX402Payment(header, cfg); // pure, holds no key
|
|
368
|
+
if (!result.ok) return new Response(result.error, { status: 402 });
|
|
369
|
+
// result.payer is recovered from the signature. Run your nonce-replay gate, then serve.
|
|
370
|
+
```
|
|
371
|
+
|
|
372
|
+
---
|
|
373
|
+
|
|
374
|
+
### Offers
|
|
375
|
+
|
|
376
|
+
`x402Body` builds the `402` menu. `accepts` is the machine-payable x402 requirement; `offers` and
|
|
377
|
+
`hint` are additive extras for humans and apps, and x402 clients ignore them.
|
|
378
|
+
|
|
379
|
+
```mermaid
|
|
380
|
+
%%{init:{'theme':'base','themeVariables':{'actorBkg':'#EEF2FF','actorBorder':'#3B82F6','actorTextColor':'#1e1b4b','lineColor':'#64748B'}}}%%
|
|
381
|
+
sequenceDiagram
|
|
382
|
+
participant App as Your app
|
|
383
|
+
participant A as Caller
|
|
384
|
+
App->>App: x402Body(cfg, { resource, description, offers, hint })
|
|
385
|
+
App-->>A: 402 with accepts + optional offers + hint
|
|
386
|
+
```
|
|
387
|
+
|
|
388
|
+
---
|
|
389
|
+
|
|
390
|
+
## Browser drop-ins
|
|
391
|
+
|
|
392
|
+
Three one-call widgets. Mount them into an element and they render, fetch, and stay in sync.
|
|
393
|
+
|
|
394
|
+
```ts
|
|
395
|
+
import { mountAppSwitcher } from "@drm3/sdk/switcher";
|
|
396
|
+
import { mountAlertsBell } from "@drm3/sdk/alerts";
|
|
397
|
+
import { mountVerifyButton } from "@drm3/sdk/receipts";
|
|
398
|
+
|
|
399
|
+
mountAppSwitcher(document.getElementById("switcher"));
|
|
400
|
+
mountAlertsBell(document.getElementById("bell"));
|
|
401
|
+
mountVerifyButton(document.getElementById("verify"), { receiptId });
|
|
402
|
+
```
|
|
403
|
+
|
|
404
|
+
## For agents and LLMs
|
|
405
|
+
|
|
406
|
+
An agent puts itself on the network the same way an app does: `npm install @drm3/sdk`, then import the
|
|
407
|
+
one subpath it needs. For keys, run `npx drm3 keys generate --out signing.key` (the private key stays
|
|
408
|
+
local) and verify receipt chains with `npx drm3 keys verify`. To pay an x402-gated endpoint, sign an
|
|
409
|
+
EIP-3009 authorization to the offer's `payTo` and retry with the `X-PAYMENT` header.
|
|
410
|
+
|
|
411
|
+
A machine-readable summary of the package, its subpaths, the CLI, and the DRM3 surfaces lives in
|
|
412
|
+
[`llms.txt`](./llms.txt).
|
|
413
|
+
|
|
414
|
+
## Feedback and submissions
|
|
415
|
+
|
|
416
|
+
We do not accept pull requests or code contributions: the SDK is source-managed by DRM3 Labs Corp. so
|
|
417
|
+
every app and agent on the network shares one signed, tested surface. We do want your ideas, feature
|
|
418
|
+
requests, and bug reports. Open a GitHub issue on this repository, or email inquiries@drm3.io. See
|
|
419
|
+
[CONTRIBUTING.md](./CONTRIBUTING.md).
|
|
420
|
+
|
|
421
|
+
## Legal
|
|
422
|
+
|
|
423
|
+
`@drm3/sdk` is proprietary software under the **DRM3 SDK License**, Copyright 2026 DRM3 Labs Corp., all
|
|
424
|
+
rights reserved. It is licensed for use to build and operate applications and agents that integrate
|
|
425
|
+
with the DRM3 network; the SDK, its interfaces, and its design are DRM3 Labs Corp. intellectual
|
|
426
|
+
property. See [LICENSE](./LICENSE). Inquiries: inquiries@drm3.io.
|