@dynamic-labs-wallet/core 1.0.28 → 1.0.29

package/index.cjs

@@ -768,8 +768,8 @@ const getElapsedTime = (startTime)=>{
                 }
                 if (event.type === SuccessEventType.CeremonyComplete) {
                     ceremonyCompleteSeen = true;
-                    const { accountAddress, walletId, shareSetId, shareSetType } = event.data;
-                    onCeremonyComplete == null ? void 0 : onCeremonyComplete(accountAddress, walletId, shareSetId, shareSetType);
+                    const { accountAddress, walletId, shareSetId, shareSetType, targetUserId, clientKeyshareBackupGrant } = event.data;
+                    onCeremonyComplete == null ? void 0 : onCeremonyComplete(accountAddress, walletId, shareSetId, shareSetType, targetUserId, clientKeyshareBackupGrant);
                 }
                 if (event.type === 'error') {
                     settled = true;
@@ -915,7 +915,7 @@ const getRequiredExternalKeyShareId = (ks)=>{
  * before it is posted and surfaces in Datadog exactly as the recovery path does.
  */ const assertDynamicLocationsHaveExternalKeyShareId = (locations)=>locations.filter((location)=>location.location === BackupLocation.DYNAMIC).forEach((location)=>getRequiredExternalKeyShareId(location));
 
-var version = "1.0.28";
+var version = "1.0.29";
 
 class BaseClient {
     /**
@@ -1047,7 +1047,7 @@ class DynamicApiClient extends BaseClient {
             }
         });
     }
-    async createWalletAccount({ chainName, clientKeygenIds, dynamicRequestId, thresholdSignatureScheme, skipLock, bitcoinConfig, onError, onCeremonyComplete, traceContext }) {
+    async createWalletAccount({ chainName, clientKeygenIds, dynamicRequestId, thresholdSignatureScheme, skipLock, bitcoinConfig, businessAccountId, onError, onCeremonyComplete, traceContext }) {
         const { addressType } = bitcoinConfig || {};
         const requestBody = _extends({
             chain: chainName,
@@ -1057,6 +1057,8 @@ class DynamicApiClient extends BaseClient {
             skipLock
         } : {}, addressType ? {
             addressType
+        } : {}, businessAccountId ? {
+            businessAccountId
         } : {});
         return createEventStreamPromise({
             apiClient: this.apiClient,
@@ -1387,7 +1389,7 @@ class DynamicApiClient extends BaseClient {
         });
         return data;
     }
-    async markKeySharesAsBackedUp({ walletId, shareSetId, locations, dynamicRequestId, traceContext, passwordUpdateBatchId }) {
+    async markKeySharesAsBackedUp({ walletId, shareSetId, locations, dynamicRequestId, traceContext, passwordUpdateBatchId, businessAccountId }) {
         assertDynamicLocationsHaveExternalKeyShareId(locations);
         const { data } = await this.apiClient.post(`${this.waasRoutePrefix}/${walletId}/keyShares/backup/locations`, _extends({
             locations
@@ -1395,6 +1397,8 @@ class DynamicApiClient extends BaseClient {
             passwordUpdateBatchId
         }, shareSetId ? {
             shareSetId
+        } : {}, businessAccountId ? {
+            businessAccountId
         } : {}), {
             headers: {
                 [DynamicRequestIdHeader]: dynamicRequestId,
@@ -1534,6 +1538,158 @@ class DynamicApiClient extends BaseClient {
         });
         return data;
     }
+    // --- Business accounts (SDK routes, JWT-authed, membership-scoped) ---
+    /** Create a business account; the caller's JWT user is seeded as the first owner. */ async createBusinessAccount({ request, traceContext }) {
+        const { data } = await this.apiClient.post(this.businessAccountsRoutePrefix, request, {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** List business accounts the caller is a member of. */ async listBusinessAccounts({ traceContext } = {}) {
+        const { data } = await this.apiClient.get(this.businessAccountsRoutePrefix, {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** Get a business account with embedded members + signers. 404 if the caller is not a member. */ async getBusinessAccountById({ businessAccountId, traceContext }) {
+        const { data } = await this.apiClient.get(`${this.businessAccountsRoutePrefix}/${businessAccountId}`, {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * Add an existing wallet to a business account. No ceremony — the server
+   * transfers ownership and registers the caller as owner + signer bound to
+   * their existing share set. Omit `businessAccountId` to find-or-create the
+   * per-wallet business account. Returns the business-account detail. Idempotent.
+   */ async linkWalletToBusinessAccount({ walletId, businessAccountId, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/linkWallet`, _extends({
+            walletId
+        }, businessAccountId ? {
+            businessAccountId
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** Add a member to a business account by user id. Caller must be an owner/admin. */ async addBusinessAccountMember({ businessAccountId, userId, role, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/${businessAccountId}/members`, _extends({
+            userId
+        }, role ? {
+            role
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * Add a signer to a business-account wallet. Resolve the target by `userId`, or by
+   * `identifier` + `identifierType` (e.g. an email). Returns a PENDING signer
+   * (HTTP 202, `shareSetId: null`) — the reshare ceremony that mints the share
+   * is a follow-up and not yet performed server-side.
+   */ async addBusinessAccountSigner({ businessAccountId, walletId, signerType, userId, identifier, identifierType, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/${businessAccountId}/wallets/${walletId}/signers`, _extends({
+            signerType
+        }, userId ? {
+            userId
+        } : {}, identifier ? {
+            identifier
+        } : {}, identifierType ? {
+            type: identifierType
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: uuid.v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * SSE ceremony variant of addSigner (WIP — DYNT-1072). Same-parties
+   * 2/2 -> 2/2 reshare on the signers endpoint: the caller's existing client
+   * share participates as a remaining party (clientKeygenIds = [existing], no
+   * new party). The server runs the degenerate reshare with
+   * `newServerKeygenIds=[]` and persists the result as a NEW isolated share set
+   * for the target signer — it must NOT refresh the caller's set in place.
+   *
+   * Returns the room (createEventStreamPromise) + the new `shareSetId` via
+   * onCeremonyComplete. The resulting client share is reshared locally and
+   * seeded to the client-keyshare-service on the target's behalf (see
+   * `seedBusinessAccountSignerShare`). Not wired into the live addSigner until the
+   * redcoast signers SSE endpoint exists.
+   */ async addBusinessAccountSignerCeremony({ businessAccountId, walletId, clientKeygenIds, oldThresholdSignatureScheme, signerType, userId, identifier, identifierType, dynamicRequestId, onError, onCeremonyComplete, traceContext }) {
+        return createEventStreamPromise({
+            apiClient: this.apiClient,
+            dynamicRequestId,
+            endpoint: `${this.businessAccountsRoutePrefix}/${businessAccountId}/wallets/${walletId}/signers`,
+            body: _extends({
+                signerType,
+                clientKeygenIds,
+                oldThresholdSignatureScheme,
+                // FF-on share-set semantics: always reshare to a NEW 2/2 share set.
+                newThresholdSignatureScheme: ThresholdSignatureScheme.TWO_OF_TWO
+            }, userId ? {
+                userId
+            } : {}, identifier ? {
+                identifier
+            } : {}, identifierType ? {
+                type: identifierType
+            } : {}),
+            successEventType: SuccessEventType.RoomCreated,
+            timeoutMessage: 'Add signer reshare timed out',
+            onError,
+            onCeremonyComplete,
+            traceContext
+        });
+    }
+    /**
+   * On-behalf KSS write for addSigner: store the added signer's freshly-reshared
+   * client share in the client-keyshare-service keyed to the ADDED signer's
+   * partition via `targetUserId` in the body. Uses the caller's relay auth (the
+   * business-account-membership gate is FF-bypassed for now; the client-keyshare-service
+   * reads `targetUserId` and inserts-if-empty). Returns the stored keyShareId(s)
+   * to thread as `externalKeyShareId` into `markKeySharesAsBackedUp`.
+   * Hardened auth (scoped grant token) is the follow-up — DYNT-1071/1072.
+   */ async backupOnBehalfOfAddedSigner({ walletId, targetUserId, encryptedAccountCredentials, passwordEncrypted, encryptionVersion, clientKeyshareBackupGrant, signedSessionId, dynamicRequestId, traceContext }) {
+        const { data } = await this.clientRelayApiClient.post(`${this.waasRoutePrefix}/${walletId}/keyShares/backup`, {
+            encryptedAccountCredentials,
+            passwordEncrypted,
+            encryptionVersion,
+            targetUserId
+        }, {
+            headers: _extends({
+                [DynamicRequestIdHeader]: dynamicRequestId,
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }, signedSessionId && {
+                [DynamicClientSessionSignature]: signedSessionId
+            }, clientKeyshareBackupGrant && {
+                Authorization: `Bearer ${clientKeyshareBackupGrant}`
+            })
+        });
+        return data;
+    }
     async delegatedSignMessage({ walletId, shareSetId, message, isFormatted, dynamicRequestId, onError, context, traceContext }) {
         return createEventStreamPromise({
             apiClient: this.apiClient,
@@ -1629,6 +1785,103 @@ class DynamicApiClient extends BaseClient {
         });
         this.sdkRoutePrefix = isServerSdk ? SERVER_SDK_ROUTE_PREFIX : BROWSER_SDK_ROUTE_PREFIX;
         this.waasRoutePrefix = `${this.sdkRoutePrefix}/${this.environmentId}/waas`;
+        this.businessAccountsRoutePrefix = `${this.sdkRoutePrefix}/${this.environmentId}/businessAccounts`;
+    }
+}
+
+// Local mirror of the business-account models generated into
+// `@dynamic-labs/sdk-api-core`. Swap these for the generated imports once that
+// package is bumped with the SDK routes (redcoast PR #9792).
+var BusinessAccountMemberRole = /*#__PURE__*/ function(BusinessAccountMemberRole) {
+    BusinessAccountMemberRole["Owner"] = "owner";
+    BusinessAccountMemberRole["Admin"] = "admin";
+    BusinessAccountMemberRole["Viewer"] = "viewer";
+    return BusinessAccountMemberRole;
+}({});
+var BusinessAccountSignerType = /*#__PURE__*/ function(BusinessAccountSignerType) {
+    BusinessAccountSignerType["EndUser"] = "endUser";
+    BusinessAccountSignerType["Server"] = "server";
+    return BusinessAccountSignerType;
+}({});
+
+// Subset redcoast's addSigner endpoint supports today (sdkController.ts).
+// Other identifier types in the TS union are reserved for future endpoints.
+const ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES = new Set([
+    'email',
+    'externalUserId',
+    'id'
+]);
+/**
+ * Business-account orchestration. Lives in core (not on the monolithic wallet
+ * client) so both browser and node clients can compose it. Pure REST today.
+ */ class BusinessAccountClient {
+    /** Create a business account; the authenticated caller is seeded as the first owner member. */ async createBusinessAccount(request = {}, options) {
+        return this.apiClient.createBusinessAccount({
+            request,
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /** List business accounts the caller is a member of. */ async listBusinessAccounts(options) {
+        return this.apiClient.listBusinessAccounts({
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /** Full account detail (members + signers). 404 if the caller is not a member. */ async getBusinessAccount(businessAccountId, options) {
+        return this.apiClient.getBusinessAccountById({
+            businessAccountId,
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /**
+   * Bring an existing wallet under a business account so signers can be added to it.
+   * Pure REST, no ceremony — the owner already holds a valid share set, so the
+   * server just transfers ownership and registers the caller as owner + signer.
+   * Omit `businessAccountId` to find-or-create the per-wallet business account.
+   * Idempotent.
+   */ async addWalletToBusinessAccount({ walletId, businessAccountId, traceContext }) {
+        return this.apiClient.linkWalletToBusinessAccount({
+            walletId,
+            businessAccountId,
+            traceContext
+        });
+    }
+    /** Add a member to a business account by user id. Caller must be an owner/admin. */ async addMember({ businessAccountId, userId, role, traceContext }) {
+        return this.apiClient.addBusinessAccountMember({
+            businessAccountId,
+            userId,
+            role,
+            traceContext
+        });
+    }
+    /**
+   * Add a signer to a business-account wallet, resolved by `email` (or explicit
+   * `userId`). Server creates the user if absent, auto-adds them as a member,
+   * and writes a PENDING signer row. Returns the pending signer — the reshare
+   * ceremony that mints the share lives in the browser SDK.
+   */ async addSigner({ businessAccountId, walletId, targetSignerIdentity, signerType = 'endUser', traceContext }) {
+        const { userId, identifier, identifierType } = targetSignerIdentity;
+        if (!userId && !(identifier && identifierType)) {
+            throw new Error('BusinessAccountClient.addSigner requires targetSignerIdentity.userId, or identifier + identifierType');
+        }
+        if (identifierType && !ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES.has(identifierType)) {
+            throw new Error(`BusinessAccountClient.addSigner: identifierType '${identifierType}' is not supported. Use one of: ${[
+                ...ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES
+            ].join(', ')}.`);
+        }
+        this.logger.info('BusinessAccountClient.addSigner creating pending signer (reshare pending)');
+        return this.apiClient.addBusinessAccountSigner({
+            businessAccountId,
+            walletId,
+            signerType,
+            userId,
+            identifier,
+            identifierType,
+            traceContext
+        });
+    }
+    constructor({ apiClient, logger }){
+        this.apiClient = apiClient;
+        this.logger = logger;
     }
 }
 
@@ -1899,6 +2152,9 @@ exports.BROWSER_SDK_ROUTE_PREFIX = BROWSER_SDK_ROUTE_PREFIX;
 exports.BackupLocation = BackupLocation;
 exports.BitcoinAddressType = BitcoinAddressType;
 exports.BitcoinNetwork = BitcoinNetwork;
+exports.BusinessAccountClient = BusinessAccountClient;
+exports.BusinessAccountMemberRole = BusinessAccountMemberRole;
+exports.BusinessAccountSignerType = BusinessAccountSignerType;
 exports.CreateRoomPartiesOptions = CreateRoomPartiesOptions;
 exports.DELEGATED_SHARE_COUNT = DELEGATED_SHARE_COUNT;
 exports.DYNAMIC_AUTH_BASE_API_URL_MAP = DYNAMIC_AUTH_BASE_API_URL_MAP;

package/index.esm.js

@@ -768,8 +768,8 @@ const getElapsedTime = (startTime)=>{
                 }
                 if (event.type === SuccessEventType.CeremonyComplete) {
                     ceremonyCompleteSeen = true;
-                    const { accountAddress, walletId, shareSetId, shareSetType } = event.data;
-                    onCeremonyComplete == null ? void 0 : onCeremonyComplete(accountAddress, walletId, shareSetId, shareSetType);
+                    const { accountAddress, walletId, shareSetId, shareSetType, targetUserId, clientKeyshareBackupGrant } = event.data;
+                    onCeremonyComplete == null ? void 0 : onCeremonyComplete(accountAddress, walletId, shareSetId, shareSetType, targetUserId, clientKeyshareBackupGrant);
                 }
                 if (event.type === 'error') {
                     settled = true;
@@ -915,7 +915,7 @@ const getRequiredExternalKeyShareId = (ks)=>{
  * before it is posted and surfaces in Datadog exactly as the recovery path does.
  */ const assertDynamicLocationsHaveExternalKeyShareId = (locations)=>locations.filter((location)=>location.location === BackupLocation.DYNAMIC).forEach((location)=>getRequiredExternalKeyShareId(location));
 
-var version = "1.0.28";
+var version = "1.0.29";
 
 class BaseClient {
     /**
@@ -1047,7 +1047,7 @@ class DynamicApiClient extends BaseClient {
             }
         });
     }
-    async createWalletAccount({ chainName, clientKeygenIds, dynamicRequestId, thresholdSignatureScheme, skipLock, bitcoinConfig, onError, onCeremonyComplete, traceContext }) {
+    async createWalletAccount({ chainName, clientKeygenIds, dynamicRequestId, thresholdSignatureScheme, skipLock, bitcoinConfig, businessAccountId, onError, onCeremonyComplete, traceContext }) {
         const { addressType } = bitcoinConfig || {};
         const requestBody = _extends({
             chain: chainName,
@@ -1057,6 +1057,8 @@ class DynamicApiClient extends BaseClient {
             skipLock
         } : {}, addressType ? {
             addressType
+        } : {}, businessAccountId ? {
+            businessAccountId
         } : {});
         return createEventStreamPromise({
             apiClient: this.apiClient,
@@ -1387,7 +1389,7 @@ class DynamicApiClient extends BaseClient {
         });
         return data;
     }
-    async markKeySharesAsBackedUp({ walletId, shareSetId, locations, dynamicRequestId, traceContext, passwordUpdateBatchId }) {
+    async markKeySharesAsBackedUp({ walletId, shareSetId, locations, dynamicRequestId, traceContext, passwordUpdateBatchId, businessAccountId }) {
         assertDynamicLocationsHaveExternalKeyShareId(locations);
         const { data } = await this.apiClient.post(`${this.waasRoutePrefix}/${walletId}/keyShares/backup/locations`, _extends({
             locations
@@ -1395,6 +1397,8 @@ class DynamicApiClient extends BaseClient {
             passwordUpdateBatchId
         }, shareSetId ? {
             shareSetId
+        } : {}, businessAccountId ? {
+            businessAccountId
         } : {}), {
             headers: {
                 [DynamicRequestIdHeader]: dynamicRequestId,
@@ -1534,6 +1538,158 @@ class DynamicApiClient extends BaseClient {
         });
         return data;
     }
+    // --- Business accounts (SDK routes, JWT-authed, membership-scoped) ---
+    /** Create a business account; the caller's JWT user is seeded as the first owner. */ async createBusinessAccount({ request, traceContext }) {
+        const { data } = await this.apiClient.post(this.businessAccountsRoutePrefix, request, {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** List business accounts the caller is a member of. */ async listBusinessAccounts({ traceContext } = {}) {
+        const { data } = await this.apiClient.get(this.businessAccountsRoutePrefix, {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** Get a business account with embedded members + signers. 404 if the caller is not a member. */ async getBusinessAccountById({ businessAccountId, traceContext }) {
+        const { data } = await this.apiClient.get(`${this.businessAccountsRoutePrefix}/${businessAccountId}`, {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * Add an existing wallet to a business account. No ceremony — the server
+   * transfers ownership and registers the caller as owner + signer bound to
+   * their existing share set. Omit `businessAccountId` to find-or-create the
+   * per-wallet business account. Returns the business-account detail. Idempotent.
+   */ async linkWalletToBusinessAccount({ walletId, businessAccountId, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/linkWallet`, _extends({
+            walletId
+        }, businessAccountId ? {
+            businessAccountId
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /** Add a member to a business account by user id. Caller must be an owner/admin. */ async addBusinessAccountMember({ businessAccountId, userId, role, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/${businessAccountId}/members`, _extends({
+            userId
+        }, role ? {
+            role
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * Add a signer to a business-account wallet. Resolve the target by `userId`, or by
+   * `identifier` + `identifierType` (e.g. an email). Returns a PENDING signer
+   * (HTTP 202, `shareSetId: null`) — the reshare ceremony that mints the share
+   * is a follow-up and not yet performed server-side.
+   */ async addBusinessAccountSigner({ businessAccountId, walletId, signerType, userId, identifier, identifierType, traceContext }) {
+        const { data } = await this.apiClient.post(`${this.businessAccountsRoutePrefix}/${businessAccountId}/wallets/${walletId}/signers`, _extends({
+            signerType
+        }, userId ? {
+            userId
+        } : {}, identifier ? {
+            identifier
+        } : {}, identifierType ? {
+            type: identifierType
+        } : {}), {
+            headers: {
+                [DynamicRequestIdHeader]: v4().replace('-', ''),
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }
+        });
+        return data;
+    }
+    /**
+   * SSE ceremony variant of addSigner (WIP — DYNT-1072). Same-parties
+   * 2/2 -> 2/2 reshare on the signers endpoint: the caller's existing client
+   * share participates as a remaining party (clientKeygenIds = [existing], no
+   * new party). The server runs the degenerate reshare with
+   * `newServerKeygenIds=[]` and persists the result as a NEW isolated share set
+   * for the target signer — it must NOT refresh the caller's set in place.
+   *
+   * Returns the room (createEventStreamPromise) + the new `shareSetId` via
+   * onCeremonyComplete. The resulting client share is reshared locally and
+   * seeded to the client-keyshare-service on the target's behalf (see
+   * `seedBusinessAccountSignerShare`). Not wired into the live addSigner until the
+   * redcoast signers SSE endpoint exists.
+   */ async addBusinessAccountSignerCeremony({ businessAccountId, walletId, clientKeygenIds, oldThresholdSignatureScheme, signerType, userId, identifier, identifierType, dynamicRequestId, onError, onCeremonyComplete, traceContext }) {
+        return createEventStreamPromise({
+            apiClient: this.apiClient,
+            dynamicRequestId,
+            endpoint: `${this.businessAccountsRoutePrefix}/${businessAccountId}/wallets/${walletId}/signers`,
+            body: _extends({
+                signerType,
+                clientKeygenIds,
+                oldThresholdSignatureScheme,
+                // FF-on share-set semantics: always reshare to a NEW 2/2 share set.
+                newThresholdSignatureScheme: ThresholdSignatureScheme.TWO_OF_TWO
+            }, userId ? {
+                userId
+            } : {}, identifier ? {
+                identifier
+            } : {}, identifierType ? {
+                type: identifierType
+            } : {}),
+            successEventType: SuccessEventType.RoomCreated,
+            timeoutMessage: 'Add signer reshare timed out',
+            onError,
+            onCeremonyComplete,
+            traceContext
+        });
+    }
+    /**
+   * On-behalf KSS write for addSigner: store the added signer's freshly-reshared
+   * client share in the client-keyshare-service keyed to the ADDED signer's
+   * partition via `targetUserId` in the body. Uses the caller's relay auth (the
+   * business-account-membership gate is FF-bypassed for now; the client-keyshare-service
+   * reads `targetUserId` and inserts-if-empty). Returns the stored keyShareId(s)
+   * to thread as `externalKeyShareId` into `markKeySharesAsBackedUp`.
+   * Hardened auth (scoped grant token) is the follow-up — DYNT-1071/1072.
+   */ async backupOnBehalfOfAddedSigner({ walletId, targetUserId, encryptedAccountCredentials, passwordEncrypted, encryptionVersion, clientKeyshareBackupGrant, signedSessionId, dynamicRequestId, traceContext }) {
+        const { data } = await this.clientRelayApiClient.post(`${this.waasRoutePrefix}/${walletId}/keyShares/backup`, {
+            encryptedAccountCredentials,
+            passwordEncrypted,
+            encryptionVersion,
+            targetUserId
+        }, {
+            headers: _extends({
+                [DynamicRequestIdHeader]: dynamicRequestId,
+                [DynamicTraceIdHeader]: traceContext == null ? void 0 : traceContext.traceId,
+                [DynamicTraceElapsedTimeHeader]: getElapsedTime(traceContext == null ? void 0 : traceContext.startTime)
+            }, signedSessionId && {
+                [DynamicClientSessionSignature]: signedSessionId
+            }, clientKeyshareBackupGrant && {
+                Authorization: `Bearer ${clientKeyshareBackupGrant}`
+            })
+        });
+        return data;
+    }
     async delegatedSignMessage({ walletId, shareSetId, message, isFormatted, dynamicRequestId, onError, context, traceContext }) {
         return createEventStreamPromise({
             apiClient: this.apiClient,
@@ -1629,6 +1785,103 @@ class DynamicApiClient extends BaseClient {
         });
         this.sdkRoutePrefix = isServerSdk ? SERVER_SDK_ROUTE_PREFIX : BROWSER_SDK_ROUTE_PREFIX;
         this.waasRoutePrefix = `${this.sdkRoutePrefix}/${this.environmentId}/waas`;
+        this.businessAccountsRoutePrefix = `${this.sdkRoutePrefix}/${this.environmentId}/businessAccounts`;
+    }
+}
+
+// Local mirror of the business-account models generated into
+// `@dynamic-labs/sdk-api-core`. Swap these for the generated imports once that
+// package is bumped with the SDK routes (redcoast PR #9792).
+var BusinessAccountMemberRole = /*#__PURE__*/ function(BusinessAccountMemberRole) {
+    BusinessAccountMemberRole["Owner"] = "owner";
+    BusinessAccountMemberRole["Admin"] = "admin";
+    BusinessAccountMemberRole["Viewer"] = "viewer";
+    return BusinessAccountMemberRole;
+}({});
+var BusinessAccountSignerType = /*#__PURE__*/ function(BusinessAccountSignerType) {
+    BusinessAccountSignerType["EndUser"] = "endUser";
+    BusinessAccountSignerType["Server"] = "server";
+    return BusinessAccountSignerType;
+}({});
+
+// Subset redcoast's addSigner endpoint supports today (sdkController.ts).
+// Other identifier types in the TS union are reserved for future endpoints.
+const ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES = new Set([
+    'email',
+    'externalUserId',
+    'id'
+]);
+/**
+ * Business-account orchestration. Lives in core (not on the monolithic wallet
+ * client) so both browser and node clients can compose it. Pure REST today.
+ */ class BusinessAccountClient {
+    /** Create a business account; the authenticated caller is seeded as the first owner member. */ async createBusinessAccount(request = {}, options) {
+        return this.apiClient.createBusinessAccount({
+            request,
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /** List business accounts the caller is a member of. */ async listBusinessAccounts(options) {
+        return this.apiClient.listBusinessAccounts({
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /** Full account detail (members + signers). 404 if the caller is not a member. */ async getBusinessAccount(businessAccountId, options) {
+        return this.apiClient.getBusinessAccountById({
+            businessAccountId,
+            traceContext: options == null ? void 0 : options.traceContext
+        });
+    }
+    /**
+   * Bring an existing wallet under a business account so signers can be added to it.
+   * Pure REST, no ceremony — the owner already holds a valid share set, so the
+   * server just transfers ownership and registers the caller as owner + signer.
+   * Omit `businessAccountId` to find-or-create the per-wallet business account.
+   * Idempotent.
+   */ async addWalletToBusinessAccount({ walletId, businessAccountId, traceContext }) {
+        return this.apiClient.linkWalletToBusinessAccount({
+            walletId,
+            businessAccountId,
+            traceContext
+        });
+    }
+    /** Add a member to a business account by user id. Caller must be an owner/admin. */ async addMember({ businessAccountId, userId, role, traceContext }) {
+        return this.apiClient.addBusinessAccountMember({
+            businessAccountId,
+            userId,
+            role,
+            traceContext
+        });
+    }
+    /**
+   * Add a signer to a business-account wallet, resolved by `email` (or explicit
+   * `userId`). Server creates the user if absent, auto-adds them as a member,
+   * and writes a PENDING signer row. Returns the pending signer — the reshare
+   * ceremony that mints the share lives in the browser SDK.
+   */ async addSigner({ businessAccountId, walletId, targetSignerIdentity, signerType = 'endUser', traceContext }) {
+        const { userId, identifier, identifierType } = targetSignerIdentity;
+        if (!userId && !(identifier && identifierType)) {
+            throw new Error('BusinessAccountClient.addSigner requires targetSignerIdentity.userId, or identifier + identifierType');
+        }
+        if (identifierType && !ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES.has(identifierType)) {
+            throw new Error(`BusinessAccountClient.addSigner: identifierType '${identifierType}' is not supported. Use one of: ${[
+                ...ADD_SIGNER_SUPPORTED_IDENTIFIER_TYPES
+            ].join(', ')}.`);
+        }
+        this.logger.info('BusinessAccountClient.addSigner creating pending signer (reshare pending)');
+        return this.apiClient.addBusinessAccountSigner({
+            businessAccountId,
+            walletId,
+            signerType,
+            userId,
+            identifier,
+            identifierType,
+            traceContext
+        });
+    }
+    constructor({ apiClient, logger }){
+        this.apiClient = apiClient;
+        this.logger = logger;
     }
 }
 
@@ -1872,4 +2125,4 @@ const handleAxiosError = (error, message, context, _logger)=>{
     throw new WalletApiError(resolvedStatus, STATUS_MESSAGES[resolvedStatus]);
 };
 
-export { AuthMode, BITCOIN_ADDRESS_TYPE_CONFIG, BITCOIN_DERIVATION_PATHS, BROWSER_SDK_ROUTE_PREFIX, BackupLocation, BitcoinAddressType, BitcoinNetwork, CreateRoomPartiesOptions, DELEGATED_SHARE_COUNT, DYNAMIC_AUTH_BASE_API_URL_MAP, DYNAMIC_AUTH_DEV_BASE_API_URL, DYNAMIC_AUTH_PREPROD_BASE_API_URL, DYNAMIC_AUTH_PROD_BASE_API_URL, DYNAMIC_CLIENT_RELAY_REDCOAST_API_KEY_MAP, DYNAMIC_CLIENT_RELAY_REDCOAST_APP_ID_MAP, DYNAMIC_FORWARD_MPC_DEV_ENCLAVE_URL, DYNAMIC_FORWARD_MPC_ENCLAVE_ATTESTATION_CONFIG_MAP, DYNAMIC_FORWARD_MPC_ENCLAVE_URL_MAP, DYNAMIC_FORWARD_MPC_PREPROD_ENCLAVE_URL, DYNAMIC_FORWARD_MPC_PROD_ENCLAVE_URL, DYNAMIC_KEYSHARES_RELAY_MAP, DYNAMIC_KEYSHARES_RELAY_PREPROD_BASE_API_URL, DYNAMIC_KEYSHARES_RELAY_PROD_BASE_API_URL, DynamicApiClient, DynamicClientSessionSignature, DynamicElevatedAccessTokenHeader, DynamicForwardMPCHeader, DynamicMfaTokenHeader, DynamicRequestIdHeader, DynamicTraceElapsedTimeHeader, DynamicTraceIdHeader, ENCRYPTED_SHARES_STORAGE_SUFFIX, ENVIRONMENT_ENUM, EVM_COMPATIBLE_CHAINS, FEATURE_FLAGS, IFRAME_DOMAIN_MAP, Logger, MIDNIGHT_DERIVATION_PATHS, MPC_CHAIN_CONFIG, MPC_CONFIG, MPC_RELAY_DEV_API_URL, MPC_RELAY_PREPROD_API_URL, MPC_RELAY_PROD_API_URL, MPC_RELAY_URL_MAP, NoopLogger, PREPROD_RELAY_API_KEY, PREPROD_RELAY_APP_ID, PROD_RELAY_API_KEY, PROD_RELAY_APP_ID, RELAY_API_KEY_HEADER, RELAY_APP_ID_HEADER, SDK_NAMESPACE, SERVER_SDK_ROUTE_PREFIX, SOLANA_RPC_URL, SuccessEventType, ThresholdSignatureScheme, URL_PATTERNS, WalletApiError, WalletOperation, WalletReadyState, assertDynamicLocationsHaveExternalKeyShareId, chain, chainEnumToVerifiedCredentialName, formatNamespacedVersion, getBitcoinChainConfig, getClientThreshold, getDynamicServerThreshold, getEnvironmentFromUrl, getMPCChainConfig, getRequiredExternalKeyShareId, getReshareConfig, getServerWalletReshareConfig, getTSSConfig, getVersionNamespace, getVersionWithoutNamespace, handleAxiosError, isEvmCompatibleChain, parseNamespacedVersion, serializeMessageForForwardMPC, verifiedCredentialNameToChainEnum };
+export { AuthMode, BITCOIN_ADDRESS_TYPE_CONFIG, BITCOIN_DERIVATION_PATHS, BROWSER_SDK_ROUTE_PREFIX, BackupLocation, BitcoinAddressType, BitcoinNetwork, BusinessAccountClient, BusinessAccountMemberRole, BusinessAccountSignerType, CreateRoomPartiesOptions, DELEGATED_SHARE_COUNT, DYNAMIC_AUTH_BASE_API_URL_MAP, DYNAMIC_AUTH_DEV_BASE_API_URL, DYNAMIC_AUTH_PREPROD_BASE_API_URL, DYNAMIC_AUTH_PROD_BASE_API_URL, DYNAMIC_CLIENT_RELAY_REDCOAST_API_KEY_MAP, DYNAMIC_CLIENT_RELAY_REDCOAST_APP_ID_MAP, DYNAMIC_FORWARD_MPC_DEV_ENCLAVE_URL, DYNAMIC_FORWARD_MPC_ENCLAVE_ATTESTATION_CONFIG_MAP, DYNAMIC_FORWARD_MPC_ENCLAVE_URL_MAP, DYNAMIC_FORWARD_MPC_PREPROD_ENCLAVE_URL, DYNAMIC_FORWARD_MPC_PROD_ENCLAVE_URL, DYNAMIC_KEYSHARES_RELAY_MAP, DYNAMIC_KEYSHARES_RELAY_PREPROD_BASE_API_URL, DYNAMIC_KEYSHARES_RELAY_PROD_BASE_API_URL, DynamicApiClient, DynamicClientSessionSignature, DynamicElevatedAccessTokenHeader, DynamicForwardMPCHeader, DynamicMfaTokenHeader, DynamicRequestIdHeader, DynamicTraceElapsedTimeHeader, DynamicTraceIdHeader, ENCRYPTED_SHARES_STORAGE_SUFFIX, ENVIRONMENT_ENUM, EVM_COMPATIBLE_CHAINS, FEATURE_FLAGS, IFRAME_DOMAIN_MAP, Logger, MIDNIGHT_DERIVATION_PATHS, MPC_CHAIN_CONFIG, MPC_CONFIG, MPC_RELAY_DEV_API_URL, MPC_RELAY_PREPROD_API_URL, MPC_RELAY_PROD_API_URL, MPC_RELAY_URL_MAP, NoopLogger, PREPROD_RELAY_API_KEY, PREPROD_RELAY_APP_ID, PROD_RELAY_API_KEY, PROD_RELAY_APP_ID, RELAY_API_KEY_HEADER, RELAY_APP_ID_HEADER, SDK_NAMESPACE, SERVER_SDK_ROUTE_PREFIX, SOLANA_RPC_URL, SuccessEventType, ThresholdSignatureScheme, URL_PATTERNS, WalletApiError, WalletOperation, WalletReadyState, assertDynamicLocationsHaveExternalKeyShareId, chain, chainEnumToVerifiedCredentialName, formatNamespacedVersion, getBitcoinChainConfig, getClientThreshold, getDynamicServerThreshold, getEnvironmentFromUrl, getMPCChainConfig, getRequiredExternalKeyShareId, getReshareConfig, getServerWalletReshareConfig, getTSSConfig, getVersionNamespace, getVersionWithoutNamespace, handleAxiosError, isEvmCompatibleChain, parseNamespacedVersion, serializeMessageForForwardMPC, verifiedCredentialNameToChainEnum };