@dynamic-labs-sdk/client 0.21.0 → 0.22.1

package/dist/{InvalidParamError-D7XZbzuT.esm.js → InvalidParamError-uk3RG_2n.esm.js}

@@ -2,11 +2,11 @@ import { AuthStorageEnum, Configuration, SDKApi, isDeviceNonceSignatureRequiredF
 
 //#region package.json
 var name = "@dynamic-labs-sdk/client";
-var version = "0.21.0";
+var version = "0.22.1";
 var dependencies = {
 	"@dynamic-labs-sdk/assert-package-version": "workspace:*",
 	"@dynamic-labs-wallet/browser-wallet-client": "0.0.286",
-	"@dynamic-labs/sdk-api-core": "0.0.918",
+	"@dynamic-labs/sdk-api-core": "0.0.921",
 	"@simplewebauthn/browser": "13.1.0",
 	"ably": "2.17.1",
 	"buffer": "6.0.3",
@@ -194,6 +194,357 @@ const isCookieEnabled = (client) => {
 	return dynamicCookiesEnabled || byoJwtCookieEnabled;
 };
 
+//#endregion
+//#region src/modules/auth/extractSessionId/extractSessionId.ts
+/**
+* Extracts the session ID (`sid` claim) from a JWT token string.
+*
+* Decodes the base64url-encoded payload segment of the token and reads the
+* `sid` field. This is used to correlate instrumentation events with the
+* authenticated session, without ever forwarding the full token.
+*
+* Returns `null` when no token is present, when the token is malformed, or
+* when the payload does not contain a `sid` claim.
+* @not-instrumented
+*/
+const extractSessionId = (token) => {
+	try {
+		const payload = token.split(".")[1];
+		return JSON.parse(atob(payload)).sid ?? null;
+	} catch {
+		return null;
+	}
+};
+
+//#endregion
+//#region src/utils/getUserAgent/getUserAgent.ts
+/**
+* Returns the browser's `navigator.userAgent` string for inclusion in
+* instrumentation events.
+*
+* Falls back to an empty string in environments where `navigator` is not
+* available (e.g., Node.js SSR, service workers) so that callers never need
+* to guard against undefined.
+* @not-instrumented
+*/
+const getUserAgent = () => {
+	try {
+		return navigator.userAgent;
+	} catch {
+		return "";
+	}
+};
+
+//#endregion
+//#region src/services/instrumentation/constants.ts
+const DEFAULT_PII_FIELDS = [
+	"password",
+	"token",
+	"secret",
+	"privateKey",
+	"mnemonic",
+	"seed",
+	"email",
+	"phone",
+	"ssn",
+	"address",
+	"authorization"
+];
+const REDACTED_VALUE = "[REDACTED]";
+const MAX_STRING_LENGTH = 500;
+const TRUNCATED_SUFFIX = "...[truncated]";
+/**
+* Label prefix for binary data placeholders. The full placeholder includes the
+* byte length, e.g. `[Binary:16 bytes]`, so consumers can gauge data size
+* without the actual bytes appearing in logs.
+*/
+const BINARY_LABEL = "Binary";
+/**
+* Placeholder emitted when a circular reference is detected in the value tree.
+* Using a named constant makes it easy to search for or filter in downstream
+* log tooling.
+*/
+const CIRCULAR_VALUE = "[Circular]";
+
+//#endregion
+//#region src/services/instrumentation/scrubParameters/scrubParameters.ts
+const scrubString = ({ key, piiFieldsLower, redactAll, value }) => {
+	if (piiFieldsLower.includes(key.toLowerCase())) return REDACTED_VALUE;
+	if (redactAll) return REDACTED_VALUE;
+	if (value.length > MAX_STRING_LENGTH) return value.slice(0, MAX_STRING_LENGTH) + TRUNCATED_SUFFIX;
+	return value;
+};
+const scrubArray = ({ context, value }) => {
+	if (context.visited.has(value)) return [CIRCULAR_VALUE];
+	context.visited.add(value);
+	const result = value.map((item, index) => scrubValue({
+		context,
+		key: String(index),
+		value: item
+	}));
+	context.visited.delete(value);
+	return result;
+};
+const scrubObject = ({ context, value }) => {
+	if (context.visited.has(value)) return { [CIRCULAR_VALUE]: true };
+	context.visited.add(value);
+	const result = Object.create(null);
+	for (const key of Object.keys(value)) result[key] = scrubValue({
+		context,
+		key,
+		value: value[key]
+	});
+	context.visited.delete(value);
+	return result;
+};
+const scrubValue = ({ context, key, value }) => {
+	if (value === null || value === void 0) return value;
+	if (value instanceof Uint8Array) return `[${BINARY_LABEL}:${value.byteLength} bytes]`;
+	if (context.piiFieldsLower.includes(key.toLowerCase())) return REDACTED_VALUE;
+	if (typeof value === "string") return scrubString({
+		key,
+		piiFieldsLower: context.piiFieldsLower,
+		redactAll: context.redactAll,
+		value
+	});
+	if (Array.isArray(value)) return scrubArray({
+		context,
+		value
+	});
+	if (value instanceof Set) {
+		if (context.visited.has(value)) return [CIRCULAR_VALUE];
+		context.visited.add(value);
+		const setResult = scrubArray({
+			context,
+			value: [...value]
+		});
+		context.visited.delete(value);
+		return setResult;
+	}
+	if (value instanceof Map) {
+		if (context.visited.has(value)) return { [CIRCULAR_VALUE]: true };
+		context.visited.add(value);
+		const asObject = Object.create(null);
+		for (const [k, v] of value.entries()) asObject[String(k)] = v;
+		const mapResult = scrubObject({
+			context,
+			value: asObject
+		});
+		context.visited.delete(value);
+		return mapResult;
+	}
+	if (value instanceof WeakMap) return "[WeakMap]";
+	if (value instanceof WeakSet) return "[WeakSet]";
+	if (value instanceof Date) return value.toISOString();
+	if (value instanceof Error) return `[Error: ${value.message}]`;
+	if (typeof value === "object") return scrubObject({
+		context,
+		value
+	});
+	return value;
+};
+/** @not-instrumented */
+const scrubParameters = ({ piiFields, redactAll, value }) => {
+	return scrubObject({
+		context: {
+			piiFieldsLower: piiFields.map((field) => field.toLowerCase()),
+			redactAll,
+			visited: /* @__PURE__ */ new WeakSet()
+		},
+		value
+	});
+};
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/extractParams/extractParams.ts
+/**
+* Normalises the raw positional arguments of an instrumented function call
+* into a flat `Record<string, unknown>` suitable for structured logging.
+*
+* ## Why this is needed
+*
+* Instrumented functions are wrapped with `(...args: unknown[])`, so their
+* parameters arrive as an array. Logging a raw array loses the semantic names
+* of each argument. This function recovers a named representation:
+*
+* - **No arguments** → `{}`
+* - **Single plain-object argument** → that object is returned as-is, because
+*   SDK functions follow the single-object-parameter convention, so the object
+*   already carries named keys (`{ amount, to }`, etc.).
+* - **Everything else** (multiple args, a single primitive, a single array) →
+*   each value is indexed as `arg0`, `arg1`, …
+*
+* ## Why arrays are NOT treated as plain objects
+*
+* `typeof [] === 'object'` and `[] !== null`, so without the `Array.isArray`
+* guard a single-array argument would be returned as-is. That would produce
+* an object with numeric string keys (`{ '0': ..., '1': ... }`), which is
+* misleading and inconsistent with how multi-arg calls are handled. Instead,
+* arrays fall through to the indexed `arg0` path.
+* @not-instrumented
+*/
+const extractParams = (args) => {
+	if (args.length === 0) return {};
+	if (args.length === 1 && typeof args[0] === "object" && args[0] !== null && !Array.isArray(args[0])) return args[0];
+	const result = {};
+	for (let i = 0; i < args.length; i++) result[`arg${i}`] = args[i];
+	return result;
+};
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/scrubResolvedValue/scrubResolvedValue.ts
+/**
+* Scrubs a resolved return value of any type before logging it.
+* Routes through `scrubParameters` by wrapping the value so that strings,
+* arrays, Dates, Errors, and all other types are handled identically to
+* nested object fields.
+* @not-instrumented
+*/
+const scrubResolvedValue = ({ piiFields, redactAll, value }) => scrubParameters({
+	piiFields,
+	redactAll,
+	value: { result: value }
+}).result;
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/instrumentFunction.ts
+const serializeError = (error) => {
+	if (error instanceof Error) return {
+		message: error.message,
+		name: error.name,
+		stack: error.stack
+	};
+	return {
+		message: String(error),
+		name: "UnknownError"
+	};
+};
+/**
+* Wraps a function so that each invocation emits a structured
+* `FunctionInstrumentationEvent` at three lifecycle points:
+*
+* - **started** — immediately before the function body executes, with the
+*   PII-scrubbed call parameters.
+* - **resolved** — after the function (or its returned Promise) settles
+*   successfully, with the PII-scrubbed return value.
+* - **rejected** — if the function throws synchronously or its returned
+*   Promise rejects.
+*
+* The original return value (or thrown error) is always forwarded to the
+* caller unchanged — instrumentation is purely observational.
+*
+* ## Usage
+*
+* ```ts
+* const transfer = instrumentFunction({
+*   fn: rawTransfer,
+*   functionName: 'transfer',
+*   getCore: () => core,
+* });
+*
+* // When called, three events are emitted automatically:
+* await transfer({ amount: 1, to: '0xabc' });
+* ```
+*
+* ## How functions are wrapped
+*
+* `instrumentFunction` is not called manually in application code. Instead,
+* the esbuild instrumentation plugin (`tools/instrumentation-plugin`) injects
+* it at build time: any exported function annotated with `@instrumented` in its
+* JSDoc is automatically wrapped by the plugin during the build step.
+* The plugin strips the original `export`, renames the function, and re-exports
+* it under the original name via `instrumentFunction(...)` — so the public API
+* is unchanged and no call sites need to be updated.
+*
+* ## Opting out
+*
+* Instrumentation is skipped entirely when:
+* - `getCore()` returns `undefined` (SDK not initialised), or
+* - `core.instrumentation.config.enabled` is `false`.
+*
+* In both cases the original function is called directly with no overhead.
+*
+* ## PII scrubbing
+*
+* All string values whose key appears in `piiFields` are replaced with
+* `"[redacted]"` before events are emitted. Pass `redactAll: true` to redact
+* every field, regardless of key name.
+* @not-instrumented
+*/
+const instrumentFunction = ({ fn, functionName, getCore: getCore$1, redactAll }) => {
+	const wrapped = (...args) => {
+		const core = getCore$1();
+		if (!core) return fn(...args);
+		if (!core.instrumentation.config.enabled) return fn(...args);
+		const instrumentation = core.instrumentation;
+		const state = core.state.get();
+		const baseEvent = {
+			environmentId: core.environmentId,
+			functionName,
+			parameters: scrubParameters({
+				piiFields: instrumentation.config.piiFields,
+				redactAll,
+				value: extractParams(args)
+			}),
+			sdkSessionId: core.sdkSessionId,
+			sdkVersion: core.version,
+			status: "info",
+			tokenSessionId: state.token ? extractSessionId(state.token) : null,
+			userAgent: getUserAgent(),
+			userId: state.user?.id ?? null
+		};
+		instrumentation.logFunction({
+			...baseEvent,
+			phase: "started",
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		try {
+			const result = fn(...args);
+			if (result instanceof Promise) return result.then((value) => {
+				instrumentation.logFunction({
+					...baseEvent,
+					phase: "resolved",
+					resolvedValue: scrubResolvedValue({
+						piiFields: instrumentation.config.piiFields,
+						redactAll,
+						value
+					}),
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				return value;
+			}).catch((error) => {
+				instrumentation.logFunction({
+					...baseEvent,
+					phase: "rejected",
+					rejectedError: serializeError(error),
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				throw error;
+			});
+			instrumentation.logFunction({
+				...baseEvent,
+				phase: "resolved",
+				resolvedValue: scrubResolvedValue({
+					piiFields: instrumentation.config.piiFields,
+					redactAll,
+					value: result
+				}),
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			return result;
+		} catch (error) {
+			instrumentation.logFunction({
+				...baseEvent,
+				phase: "rejected",
+				rejectedError: serializeError(error),
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			throw error;
+		}
+	};
+	return wrapped;
+};
+
 //#endregion
 //#region src/modules/sessionKeys/getSessionKeys/getSessionKeys.ts
 /** @instrumented */
@@ -202,6 +553,18 @@ const getSessionKeys = (client) => {
 	if (!publicKey) return;
 	return { publicKey };
 };
+const __getSessionKeys_impl = getSessionKeys;
+const __getSessionKeys_wrapped = instrumentFunction({
+	fn: __getSessionKeys_impl,
+	functionName: "getSessionKeys",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/modules/auth/getElevatedAccessToken/getElevatedAccessToken.ts
@@ -245,6 +608,18 @@ const getElevatedAccessToken = ({ consume = true, scope }, client = getDefaultCl
 	}
 	return token.token;
 };
+const __getElevatedAccessToken_impl = getElevatedAccessToken;
+const __getElevatedAccessToken_wrapped = instrumentFunction({
+	fn: __getElevatedAccessToken_impl,
+	functionName: "getElevatedAccessToken",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/errors/APIError/APIError.ts
@@ -427,6 +802,18 @@ const getNonce = async (client) => {
 	await fetchAndStoreNonces(client);
 	return getNonce(client);
 };
+const __getNonce_impl = getNonce;
+const __getNonce_wrapped = instrumentFunction({
+	fn: __getNonce_impl,
+	functionName: "getNonce",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/modules/deviceRegistration/getDeviceSigner/getDeviceSigner.ts
@@ -445,6 +832,18 @@ const getDeviceSigner = async (client) => {
 		sign: (payload) => keychain.sign(keyName, payload)
 	};
 };
+const __getDeviceSigner_impl = getDeviceSigner;
+const __getDeviceSigner_wrapped = instrumentFunction({
+	fn: __getDeviceSigner_impl,
+	functionName: "getDeviceSigner",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/modules/deviceRegistration/getHeadersForNonceSignedByDeviceSigners/getHeadersForNonceSignedByDeviceSigners.ts
@@ -458,8 +857,8 @@ const getHeadersForNonceSignedByDeviceSigners = async (client) => {
 	* Then we dont need to provide the headers
 	*/
 	if (isCookieEnabled(client)) return {};
-	const deviceSigner = await getDeviceSigner(client);
-	const nonce = await getNonce(client);
+	const deviceSigner = await __getDeviceSigner_wrapped(client);
+	const nonce = await __getNonce_wrapped(client);
 	const signedNonce = await deviceSigner.sign(nonce);
 	const publicKey = await deviceSigner.getPublicKey();
 	return {
@@ -468,6 +867,18 @@ const getHeadersForNonceSignedByDeviceSigners = async (client) => {
 		"x-dynamic-device-signed-nonce": signedNonce
 	};
 };
+const __getHeadersForNonceSignedByDeviceSigners_impl = getHeadersForNonceSignedByDeviceSigners;
+const __getHeadersForNonceSignedByDeviceSigners_wrapped = instrumentFunction({
+	fn: __getHeadersForNonceSignedByDeviceSigners_impl,
+	functionName: "getHeadersForNonceSignedByDeviceSigners",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/modules/apiClient/utils/deviceSignatureHeadersMiddleware/createDeviceSignatureHeadersMiddleware.ts
@@ -478,7 +889,7 @@ const createDeviceSignatureHeadersMiddleware = (client) => {
 		* The signed nonce is not required for cookie based environments.
 		*/
 		if (isDeviceNonceSignatureRequiredForUrl(context.url) && !isCookieEnabled(client)) {
-			const deviceSignerHeaders = await getHeadersForNonceSignedByDeviceSigners(client);
+			const deviceSignerHeaders = await __getHeadersForNonceSignedByDeviceSigners_wrapped(client);
 			return {
 				init: {
 					...context.init,
@@ -492,6 +903,18 @@ const createDeviceSignatureHeadersMiddleware = (client) => {
 		}
 	} };
 };
+const __createDeviceSignatureHeadersMiddleware_impl = createDeviceSignatureHeadersMiddleware;
+const __createDeviceSignatureHeadersMiddleware_wrapped = instrumentFunction({
+	fn: __createDeviceSignatureHeadersMiddleware_impl,
+	functionName: "createDeviceSignatureHeadersMiddleware",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/errors/UnauthorizedError.ts
@@ -549,22 +972,34 @@ const createApiClient = (options = {}, client) => {
 	if (client.projectSettings && isCookieEnabled(client)) settings.credentials = "include";
 	if (options.includeMfaToken && coreState.mfaToken) settings.headers[MFA_TOKEN_HEADER] = coreState.mfaToken;
 	if (options.elevatedAccessTokenScope) {
-		const elevatedToken = getElevatedAccessToken({ scope: options.elevatedAccessTokenScope }, client);
+		const elevatedToken = __getElevatedAccessToken_wrapped({ scope: options.elevatedAccessTokenScope }, client);
 		if (elevatedToken) settings.headers[ELEVATED_ACCESS_TOKEN_HEADER] = elevatedToken;
 	}
-	const sessionPublicKey = getSessionKeys(client)?.publicKey;
+	const sessionPublicKey = __getSessionKeys_wrapped(client)?.publicKey;
 	const isSessionPublicKeyHeaderPresent = settings.headers[SESSION_PUBLIC_KEY_HEADER] !== void 0;
 	if (sessionPublicKey && !isSessionPublicKeyHeaderPresent) settings.headers[SESSION_PUBLIC_KEY_HEADER] = sessionPublicKey;
 	return new SDKApi(new Configuration({
 		...settings,
 		fetchApi: core.fetch,
 		middleware: [
-			createDeviceSignatureHeadersMiddleware(client),
+			__createDeviceSignatureHeadersMiddleware_wrapped(client),
 			createConvertToApiErrorMiddleware({ errorMappers: [...options.errorMappers || [], clientErrorMapper] }),
 			createUnauthorizedMiddleware()
 		]
 	}));
 };
+const __createApiClient_impl = createApiClient;
+const __createApiClient_wrapped = instrumentFunction({
+	fn: __createApiClient_impl,
+	functionName: "createApiClient",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/utils/getNonce/fetchAndStoreNonces/fetchAndStoreNonces.ts
@@ -582,7 +1017,7 @@ const createApiClient = (options = {}, client) => {
 const fetchAndStoreNonces = async (client) => {
 	const core = getCore(client);
 	const { environmentId } = core;
-	const { nonces } = await createApiClient({}, client).getNonces({
+	const { nonces } = await __createApiClient_wrapped({}, client).getNonces({
 		count: NONCE_POOL_SIZE,
 		environmentId
 	});
@@ -691,6 +1126,18 @@ const getChainFromVerifiedCredentialChain = (verifiedCredentialChain) => {
 	assertDefined(chain, `Unknown chain: ${verifiedCredentialChain}`);
 	return chain;
 };
+const __getChainFromVerifiedCredentialChain_impl = getChainFromVerifiedCredentialChain;
+const __getChainFromVerifiedCredentialChain_wrapped = instrumentFunction({
+	fn: __getChainFromVerifiedCredentialChain_impl,
+	functionName: "getChainFromVerifiedCredentialChain",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
 
 //#endregion
 //#region src/constants.ts
@@ -722,5 +1169,5 @@ var InvalidParamError = class extends BaseError {
 };
 
 //#endregion
-export { NONCE_POOL_SIZE as A, getSessionKeys as C, randomString as D, ValueMustBeDefinedError as E, getCore as F, name as I, version as L, setDefaultClient as M, ClientNotFoundError as N, CLIENT_SDK_NAME as O, BaseError as P, getElevatedAccessToken as S, assertDefined as T, MfaRateLimitedError as _, DYNAMIC_ICONIC_SPRITE_URL as a, InvalidExternalAuthError as b, CHAINS_INFO_MAP as c, UnauthorizedError as d, createDeviceSignatureHeadersMiddleware as f, SandboxMaximumThresholdReachedError as g, getNonce as h, DYNAMIC_WAAS_METADATA as i, getDefaultClient as j, DYNAMIC_SDK_API_VERSION as k, fetchAndStoreNonces as l, getDeviceSigner as m, DEFAULT_WAAS_BASE_API_URL as n, SDK_API_CORE_VERSION as o, getHeadersForNonceSignedByDeviceSigners as p, DEFAULT_WAAS_BASE_MPC_RELAY_API_URL as r, getChainFromVerifiedCredentialChain as s, InvalidParamError as t, createApiClient as u, MfaInvalidOtpError as v, isCookieEnabled as w, APIError as x, LinkCredentialError as y };
-//# sourceMappingURL=InvalidParamError-D7XZbzuT.esm.js.map
+export { ValueMustBeDefinedError as A, name as B, __getSessionKeys_wrapped as C, extractSessionId as D, getUserAgent as E, getDefaultClient as F, setDefaultClient as I, ClientNotFoundError as L, CLIENT_SDK_NAME as M, DYNAMIC_SDK_API_VERSION as N, isCookieEnabled as O, NONCE_POOL_SIZE as P, BaseError as R, __getElevatedAccessToken_wrapped as S, DEFAULT_PII_FIELDS as T, version as V, MfaRateLimitedError as _, DYNAMIC_ICONIC_SPRITE_URL as a, InvalidExternalAuthError as b, CHAINS_INFO_MAP as c, UnauthorizedError as d, __createDeviceSignatureHeadersMiddleware_wrapped as f, SandboxMaximumThresholdReachedError as g, __getNonce_wrapped as h, DYNAMIC_WAAS_METADATA as i, randomString as j, assertDefined as k, fetchAndStoreNonces as l, __getDeviceSigner_wrapped as m, DEFAULT_WAAS_BASE_API_URL as n, SDK_API_CORE_VERSION as o, __getHeadersForNonceSignedByDeviceSigners_wrapped as p, DEFAULT_WAAS_BASE_MPC_RELAY_API_URL as r, __getChainFromVerifiedCredentialChain_wrapped as s, InvalidParamError as t, __createApiClient_wrapped as u, MfaInvalidOtpError as v, instrumentFunction as w, APIError as x, LinkCredentialError as y, getCore as z };
+//# sourceMappingURL=InvalidParamError-uk3RG_2n.esm.js.map