@enbox/auth 0.5.0 → 0.6.1

package/src/types.ts

@@ -3,7 +3,8 @@
  * Public types for the authentication and identity management SDK.
  */
 
-import type { ConnectPermissionRequest, EnboxUserAgent, HdIdentityVault, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
+import type { PortableDid } from '@enbox/dids';
+import type { ConnectPermissionRequest, DwnDataEncodedRecordsWriteMessage, DwnProtocolDefinition, EnboxUserAgent, HdIdentityVault, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
 
 import type { PasswordProvider } from './password-provider.js';
 
@@ -210,6 +211,55 @@ export interface RegistrationOptions {
   persistTokens?: boolean;
 }
 
+// ─── Connect Handler ─────────────────────────────────────────────
+
+/**
+ * Result of a successful connect handler invocation.
+ *
+ * Contains the delegated credentials returned by the wallet.
+ * All connect handlers (browser popup, relay, CLI, etc.) must
+ * return this shape on success.
+ */
+export interface ConnectResult {
+  /** The portable delegate DID (includes private keys). */
+  delegatePortableDid: PortableDid;
+
+  /** Permission grants for the requested protocols. */
+  delegateGrants: DwnDataEncodedRecordsWriteMessage[];
+
+  /** The DID of the identity the user approved (the wallet owner's DID). */
+  connectedDid: string;
+}
+
+/**
+ * A connect handler obtains delegated credentials from a wallet.
+ *
+ * Different environments provide different implementations:
+ * - **Browser**: popup + postMessage (`BrowserConnectHandler` from `@enbox/browser`)
+ * - **Relay**: QR/PIN relay flow (`WalletConnect.initClient` from `@enbox/auth`)
+ * - **CLI**: terminal QR/URL + polling (custom handler)
+ * - **Desktop**: native window management (custom handler)
+ *
+ * @example
+ * ```ts
+ * import { BrowserConnectHandler } from '@enbox/browser';
+ * const auth = await AuthManager.create({
+ *   connectHandler: BrowserConnectHandler(),
+ * });
+ * ```
+ */
+export interface ConnectHandler {
+  /**
+   * Obtain delegated credentials from a wallet.
+   *
+   * @param params.permissionRequests - Agent-level permission requests.
+   * @returns The delegate credentials, or `undefined` if the user denied.
+   */
+  requestAccess(params: {
+    permissionRequests: ConnectPermissionRequest[];
+  }): Promise<ConnectResult | undefined>;
+}
+
 /** Options for {@link AuthManager.create}. */
 export interface AuthManagerOptions {
   /**
@@ -298,6 +348,26 @@ export interface AuthManagerOptions {
 
   /** DWN registration configuration. */
   registration?: RegistrationOptions;
+
+  /**
+   * Default connect handler for delegated connect flows.
+   *
+   * Used by `connect()` when the caller provides `protocols` (or other
+   * non-local-connect options) but does not pass a per-call handler.
+   *
+   * @example
+   * ```ts
+   * import { BrowserConnectHandler } from '@enbox/browser';
+   *
+   * const auth = await AuthManager.create({
+   *   connectHandler: BrowserConnectHandler(),
+   * });
+   *
+   * // Later — uses the default handler automatically
+   * const session = await auth.connect({ protocols: [NotesProtocol] });
+   * ```
+   */
+  connectHandler?: ConnectHandler;
 }
 
 /** Options for {@link AuthManager.connect}. */
@@ -316,8 +386,101 @@ export interface LocalConnectOptions {
 
   /** Identity metadata. */
   metadata?: { name?: string };
+
+  /**
+   * Whether to create a default identity if none exist.
+   *
+   * - `false` (default) — Skip automatic identity creation. The session is
+   *   returned with the **agent DID** as the connected DID and no identity
+   *   metadata. Use this when the app manages identity creation separately
+   *   (e.g. a web wallet with an explicit "Create Identity" flow after
+   *   vault setup).
+   *
+   * - `true` — If no identities exist after vault initialisation, a new
+   *   `did:dht` identity is created automatically. Use this when vault
+   *   setup and identity creation are combined into a single step (e.g.
+   *   Electrobun's create wizard).
+   *
+   * @default false
+   */
+  createIdentity?: boolean;
 }
 
+// ─── DWeb Connect ────────────────────────────────────────────────
+
+/**
+ * A protocol permission request in simplified form.
+ *
+ * Dapp developers can pass just a protocol definition (default permissions:
+ * `['read', 'write', 'query', 'subscribe']`), or an object with explicit
+ * permissions.
+ */
+export type ProtocolRequest =
+  | DwnProtocolDefinition
+  | { definition: DwnProtocolDefinition; permissions: Permission[] };
+
+/** Shorthand permission names for DWN protocol scopes. */
+export type Permission = 'write' | 'read' | 'delete' | 'query' | 'subscribe' | 'configure';
+
+/** Default permissions granted when only a protocol definition is provided. */
+export const DEFAULT_PERMISSIONS: Permission[] = ['read', 'write', 'query', 'subscribe'];
+
+/**
+ * Options for a handler-based (delegated) connect flow.
+ *
+ * Used when `connect()` delegates credential acquisition to a
+ * {@link ConnectHandler}. The handler is responsible for the
+ * environment-specific transport (popup, relay, CLI, etc.).
+ */
+export interface HandlerConnectOptions {
+  /**
+   * Protocols to request access to.
+   *
+   * Each entry can be either a protocol definition (uses default permissions)
+   * or an object with `{ definition, permissions }` for explicit control.
+   *
+   * @example
+   * ```ts
+   * // Default permissions (read, write, query, subscribe)
+   * protocols: [NotesProtocol]
+   *
+   * // Explicit permissions
+   * protocols: [
+   *   { definition: NotesProtocol, permissions: ['read', 'write'] },
+   *   { definition: PhotosProtocol, permissions: ['read'] },
+   * ]
+   * ```
+   */
+  protocols?: ProtocolRequest[];
+
+  /**
+   * Connect handler for this call. Overrides the default handler set
+   * on `AuthManager.create()`.
+   */
+  connectHandler?: ConnectHandler;
+
+  /** Override manager default sync interval. */
+  sync?: SyncOption;
+}
+
+/**
+ * Unified options for {@link AuthManager.connect}.
+ *
+ * `connect()` routes to the appropriate flow based on the options:
+ *
+ * - **Handler-based connect** (dapps): triggered when `protocols` or
+ *   `connectHandler` is provided. Delegates to the connect handler
+ *   for credential acquisition.
+ *
+ * - **Local connect** (wallets / CLI): triggered when `password`,
+ *   `createIdentity`, or `recoveryPhrase` is provided.
+ *
+ * In both cases, `connect()` first attempts to restore a previous session
+ * from storage. If a valid session exists, it is returned immediately
+ * without any user interaction.
+ */
+export type ConnectOptions = HandlerConnectOptions | LocalConnectOptions;
+
 /** Options for {@link AuthManager.walletConnect}. */
 export interface WalletConnectOptions {
   /** Display name shown in the wallet during the connect flow. */
@@ -332,9 +495,10 @@ export interface WalletConnectOptions {
   /**
    * Protocol permission requests for the wallet connect flow.
    *
-   * Each entry is a `ConnectPermissionRequest` from `@enbox/agent` containing
-   * a `protocolDefinition` and `permissionScopes`. Use
-   * `WalletConnect.createPermissionRequestForProtocol()` to build these.
+   * Each entry is a `ConnectPermissionRequest` containing a
+   * `protocolDefinition` and `permissionScopes`. Use
+   * `WalletConnect.createPermissionRequestForProtocol()` from `@enbox/auth`
+   * to build these.
    */
   permissionRequests: ConnectPermissionRequest[];
 
@@ -464,6 +628,9 @@ export interface StorageAdapter {
 /** The insecure default password used when none is provided. */
 export const INSECURE_DEFAULT_PASSWORD = 'insecure-static-phrase';
 
+/** Default DWN endpoints for new identities when none are configured. */
+export const DEFAULT_DWN_ENDPOINTS = ['https://enbox-dwn.fly.dev'];
+
 /**
  * Storage keys used by the auth manager for session persistence.
  * @internal

package/src/wallet-connect-client.ts

@@ -0,0 +1,275 @@
+/**
+ * WalletConnect client — initiates the relay-mediated connect flow.
+ *
+ * Moved from `@enbox/agent/src/connect.ts` because `initClient` has zero
+ * coupling to agent internals (no vault, no key store, no DWN processing,
+ * no sync). Its only consumer is `auth/src/connect/wallet.ts`.
+ *
+ * The server-side counterpart (`EnboxConnectProtocol`) correctly stays in
+ * `@enbox/agent` because it uses `agent.processDwnRequest()`,
+ * `agent.sendDwnRequest()`, and `AgentPermissionsApi`.
+ *
+ * @module
+ */
+
+import type { ConnectPermissionRequest, DwnPermissionScope, DwnProtocolDefinition } from '@enbox/agent';
+import type { ConnectPushedResponse, EnboxConnectResponse } from '@enbox/agent';
+
+import { CryptoUtils } from '@enbox/crypto';
+import { DidJwk } from '@enbox/dids';
+import { Convert, logger } from '@enbox/common';
+import { DwnInterfaceName, DwnMethodName } from '@enbox/dwn-sdk-js';
+import { EnboxConnectProtocol, pollWithTtl } from '@enbox/agent';
+
+/**
+ * Options for initiating a wallet connect flow (remote, relay-mediated).
+ *
+ * This is the agent-level options type used by `initClient()`. The auth-level
+ * `WalletConnectOptions` (in `types.ts`) wraps this with additional fields
+ * like `sync`.
+ */
+export type WalletConnectClientOptions = {
+  /** The user-friendly name of the app, displayed in the wallet consent UI. */
+  displayName: string;
+
+  /** The URL of the connect server which relays messages between the app and wallet. */
+  connectServerUrl: string;
+
+  /**
+   * The URI of the wallet app. Query params (`request_uri`, `encryption_key`)
+   * are appended and passed to `onWalletUriReady`.
+   * @example `enbox://connect` or `http://localhost:3000/`
+   */
+  walletUri: string;
+
+  /**
+   * The protocols of permissions requested, along with the definition and
+   * permission scopes for each protocol. The key is the protocol URL and
+   * the value is an object with the protocol definition and the permission scopes.
+   */
+  permissionRequests: ConnectPermissionRequest[];
+
+  /**
+   * Called with the wallet URI including query params (`request_uri`, `encryption_key`).
+   * The app should render this as a QR code or use it as a deep link.
+   *
+   * @param uri - The wallet URI with connect payload.
+   */
+  onWalletUriReady: (uri: string) => void;
+
+  /**
+   * Called to collect the PIN from the user. The PIN is used as AAD
+   * when decrypting the connect response from the relay.
+   *
+   * @returns A promise that resolves to the PIN as a string.
+   */
+  validatePin: () => Promise<string>;
+};
+
+import type { Permission } from './types.js';
+
+/**
+ * The options for creating a permission request for a given protocol.
+ */
+export type ProtocolPermissionOptions = {
+  /** The protocol definition for the protocol being requested */
+  definition: DwnProtocolDefinition;
+
+  /** The permissions being requested for the protocol */
+  permissions: Permission[];
+};
+
+/**
+ * Initiates the wallet connect process. Used when a client wants to obtain
+ * a did from a provider.
+ */
+async function initClient({
+  displayName,
+  connectServerUrl,
+  walletUri,
+  permissionRequests,
+  onWalletUriReady,
+  validatePin,
+}: WalletConnectClientOptions): Promise<{
+  delegateGrants: EnboxConnectResponse['delegateGrants'];
+  delegatePortableDid: EnboxConnectResponse['delegatePortableDid'];
+  connectedDid: string;
+} | undefined> {
+  // ephemeral client did for ECDH, signing, verification
+  const clientDid = await DidJwk.create();
+
+  // TODO: properly implement PKCE. this implementation is lacking server side validations and more.
+  // https://github.com/enboxorg/enbox/issues/829
+  // Derive the code challenge based on the code verifier
+  // const { codeChallengeBytes, codeChallengeBase64Url } =
+  //   await Oidc.generateCodeChallenge();
+  const encryptionKey = CryptoUtils.randomBytes(32);
+
+  // Build callback URL for the connect request.
+  const callbackEndpoint = EnboxConnectProtocol.buildConnectUrl({
+    baseURL  : connectServerUrl,
+    endpoint : 'callback',
+  });
+
+  // Build the connect request.
+  const request = await EnboxConnectProtocol.createConnectRequest({
+    clientDid          : clientDid.uri,
+    callbackUrl        : callbackEndpoint,
+    permissionRequests : permissionRequests,
+    appName            : displayName,
+  });
+
+  // Sign the request as a JWT.
+  const requestJwt = await EnboxConnectProtocol.signJwt({
+    did  : clientDid,
+    data : request as unknown as Record<string, unknown>,
+  });
+
+  if (!requestJwt) {
+    throw new Error('Unable to sign requestObject');
+  }
+  // Encrypt the request JWT with the symmetric key.
+  const requestObjectJwe = await EnboxConnectProtocol.encryptRequest({
+    jwt: requestJwt,
+    encryptionKey,
+  });
+
+  const pushedAuthorizationRequestEndpoint = EnboxConnectProtocol.buildConnectUrl({
+    baseURL  : connectServerUrl,
+    endpoint : 'pushedAuthorizationRequest',
+  });
+
+  const parResponse = await fetch(pushedAuthorizationRequestEndpoint, {
+    body    : JSON.stringify({ request: requestObjectJwe }),
+    method  : 'POST',
+    headers : {
+      'Content-Type': 'application/json',
+    },
+    signal: AbortSignal.timeout(30_000),
+  });
+
+  if (!parResponse.ok) {
+    throw new Error(`${parResponse.status}: ${parResponse.statusText}`);
+  }
+
+  const parData: ConnectPushedResponse = await parResponse.json();
+
+  // a deeplink to a compatible wallet. if the wallet scans this link it should receive
+  // a route to its Connect provider flow and the params of where to fetch the auth request.
+  logger.log(`Wallet URI: ${walletUri}`);
+  const generatedWalletUri = new URL(walletUri);
+  generatedWalletUri.searchParams.set('request_uri', parData.request_uri);
+  generatedWalletUri.searchParams.set(
+    'encryption_key',
+    Convert.uint8Array(encryptionKey).toBase64Url()
+  );
+
+  // call user's callback so they can send the URI to the wallet as they see fit
+  onWalletUriReady(generatedWalletUri.toString());
+
+  const tokenUrl = EnboxConnectProtocol.buildConnectUrl({
+    baseURL    : connectServerUrl,
+    endpoint   : 'token',
+    tokenParam : request.state,
+  });
+
+  // subscribe to receiving a response from the wallet with default TTL. receive ciphertext of {@link EnboxConnectResponse}
+  const authResponse = await pollWithTtl(() => fetch(tokenUrl, { signal: AbortSignal.timeout(30_000) }));
+
+  if (authResponse) {
+    const jwe = await authResponse?.text();
+
+    // Get the PIN from the user and use it as AAD to decrypt.
+    const pin = await validatePin();
+    const jwt = await EnboxConnectProtocol.decryptResponse(clientDid, jwe, pin);
+    const verifiedResponse = (await EnboxConnectProtocol.verifyJwt({
+      jwt,
+    })) as unknown as EnboxConnectResponse;
+
+    return {
+      delegateGrants      : verifiedResponse.delegateGrants,
+      delegatePortableDid : verifiedResponse.delegatePortableDid,
+      connectedDid        : verifiedResponse.providerDid,
+    };
+  }
+}
+
+/**
+ * Creates a set of Dwn Permission Scopes to request for a given protocol.
+ *
+ * If no permissions are provided, the default is to request all relevant record permissions (write, read, delete, query, subscribe).
+ * 'configure' is not included by default, as this gives the application a lot of control over the protocol.
+ */
+function createPermissionRequestForProtocol({ definition, permissions }: ProtocolPermissionOptions): ConnectPermissionRequest {
+  const requests: DwnPermissionScope[] = [];
+
+  // Add the ability to query for the specific protocol
+  requests.push({
+    protocol  : definition.protocol,
+    interface : DwnInterfaceName.Protocols,
+    method    : DwnMethodName.Query,
+  });
+
+  // A Messages.Read grant is a unified scope that covers MessagesRead, MessagesSync, and MessagesSubscribe.
+  // This single grant enables sync and real-time subscriptions for the protocol.
+  requests.push({
+    protocol  : definition.protocol,
+    interface : DwnInterfaceName.Messages,
+    method    : DwnMethodName.Read,
+  });
+
+  // We also request any additional permissions the user has requested for this protocol
+  for (const permission of permissions) {
+    switch (permission) {
+      case 'write':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Records,
+          method    : DwnMethodName.Write,
+        });
+        break;
+      case 'read':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Records,
+          method    : DwnMethodName.Read,
+        });
+        break;
+      case 'delete':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Records,
+          method    : DwnMethodName.Delete,
+        });
+        break;
+      case 'query':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Records,
+          method    : DwnMethodName.Query,
+        });
+        break;
+      case 'subscribe':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Records,
+          method    : DwnMethodName.Subscribe,
+        });
+        break;
+      case 'configure':
+        requests.push({
+          protocol  : definition.protocol,
+          interface : DwnInterfaceName.Protocols,
+          method    : DwnMethodName.Configure,
+        });
+        break;
+    }
+  }
+
+  return {
+    protocolDefinition : definition,
+    permissionScopes   : requests,
+  };
+}
+
+export const WalletConnect = { initClient, createPermissionRequestForProtocol };

package/dist/esm/flows/dwn-discovery.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"dwn-discovery.js","sourceRoot":"","sources":["../../../src/flows/dwn-discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;;;;;;;;;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,MAAM,cAAc,CAAC;AAGxH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C;;;;;;;;;;GAUG;AACH,MAAM,UAAU,8BAA8B;IAC5C,IAAI,OAAO,UAAU,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC/C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,8BAA8B,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACzE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,kEAAkE;IAClE,qDAAqD;IACrD,IAAI,OAAO,UAAU,CAAC,OAAO,KAAK,WAAW,IAAI,UAAU,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACjF,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,UAAU,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,OAAO,CAAC,QAAQ,CAAC;AAC1B,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;GASG;AACH,SAAe,0BAA0B,CAAC,QAAgB;;QACxD,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;YACvD,IAAI,UAAU,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBAC7C,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAAC,WAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CAAA;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAgB,gBAAgB,CACpC,OAAuB;;QAEvB,yDAAyD;QACzD,MAAM,aAAa,GAAG,8BAA8B,EAAE,CAAC;QACvD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAAC,aAAa,CAAC,CAAC;YAClE,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,uBAAuB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;gBAClD,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,uEAAuE;QACzE,CAAC;QAED,yDAAyD;QACzD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;QAClE,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,SAAS,GAAG,MAAM,0BAA0B,CAAC,MAAM,CAAC,CAAC;YAC3D,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,oCAAoC;YACpC,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CAAA;AAED,mEAAmE;AAEnE;;;;;GAKG;AACH,MAAM,UAAgB,uBAAuB,CAC3C,OAAuB,EACvB,QAAgB;;QAEhB,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;CAAA;AAED;;;;;;;GAOG;AACH,MAAM,UAAgB,qBAAqB,CACzC,OAAuB;;QAEvB,MAAM,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACxD,CAAC;CAAA;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAgB,uBAAuB,CAC3C,KAAqB,EACrB,OAAuB;;QAEvB,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;QACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QACrE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,4DAA4D;YAC5D,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CAAA;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAgB,sBAAsB,CAC1C,KAAqB,EACrB,OAAuB,EACvB,OAA0B;;QAE1B,kFAAkF;QAClF,MAAM,aAAa,GAAG,8BAA8B,EAAE,CAAC;QAEvD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,yBAAyB,CAAC,aAAa,CAAC,CAAC;YAC1E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;gBACtD,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,IAAI,CAAC,qBAAqB,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,yEAAyE;QAC3E,CAAC;QAED,sCAAsC;QACtC,MAAM,QAAQ,GAAG,MAAM,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAE/D,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YACpE,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,IAAI,CAAC,qBAAqB,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,IAAI,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CAAA;AAED,mEAAmE;AAEnE;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAoB;IAC3D,MAAM,gBAAgB,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,cAAc,EAAE,CAAC;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IAEzD,mEAAmE;IACnE,mEAAmE;IACnE,8BAA8B;IAC9B,IAAI,OAAO,UAAU,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC1C,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8DAA8D;IAC9D,IAAI,OAAO,UAAU,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC/C,UAAU,CAAC,QAAQ,CAAC,IAAI,GAAG,WAAW,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,mEAAmE;AAEnE,wEAAwE;AACxE,SAAS,cAAc;IACrB,IAAI,OAAO,UAAU,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QAC/C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC"}

package/dist/esm/flows/dwn-registration.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"dwn-registration.js","sourceRoot":"","sources":["../../../src/flows/dwn-registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;;;;;;;;;;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA6B3C;;;;;;;;;;;GAWG;AACH,MAAM,UAAgB,wBAAwB,CAC5C,GAAwB,EACxB,YAAiC;;;QAEjC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;QAEzE,wEAAwE;QACxE,8EAA8E;QAC9E,IAAI,UAAU,GAA0C,EAAE,CAAC;QAE3D,IAAI,YAAY,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;YAC1C,UAAU,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,UAAU,GAAG,MAAA,YAAY,CAAC,kBAAkB,mCAAI,EAAE,CAAC;QACrD,CAAC;QAED,MAAM,aAAa,qBAA+C,UAAU,CAAE,CAAC;QAE/E,IAAI,CAAC;YACH,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;gBAElE,IAAI,UAAU,CAAC,wBAAwB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACrD,SAAS;gBACX,CAAC;gBAED,gCAAgC;gBAChC,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC;qBAC5C,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAiB,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;gBAElE,MAAM,eAAe,GACnB,UAAU,CAAC,wBAAwB,CAAC,QAAQ,CAAC,kBAAkB,CAAC;uBAC7D,UAAU,CAAC,YAAY,KAAK,SAAS,CAAC;gBAE3C,IAAI,eAAe,IAAI,YAAY,CAAC,sBAAsB,EAAE,CAAC;oBAC3D,6BAA6B;oBAC7B,IAAI,SAAS,GAAG,aAAa,CAAC,WAAW,CAAsC,CAAC;oBAEhF,0BAA0B;oBAC1B,IAAI,CAAA,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,SAAS,MAAK,SAAS,IAAI,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;wBAC3E,IAAI,SAAS,CAAC,UAAU,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;4BACnD,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAC3D,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,YAAY,CAC7C,CAAC;4BACF,SAAS,GAAG;gCACV,iBAAiB,EAAG,SAAS,CAAC,iBAAiB;gCAC/C,YAAY,EAAQ,SAAS,CAAC,YAAY;gCAC1C,SAAS,EAAW,SAAS,CAAC,SAAS,KAAK,SAAS;oCACnD,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gCACzD,QAAQ,EAAK,SAAS,CAAC,QAAQ;gCAC/B,UAAU,EAAG,SAAS,CAAC,UAAU;6BAClC,CAAC;4BACF,aAAa,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC;wBACzC,CAAC;6BAAM,CAAC;4BACN,SAAS,GAAG,SAAS,CAAC;wBACxB,CAAC;oBACH,CAAC;oBAED,8CAA8C;oBAC9C,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;wBAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;wBAClC,MAAM,YAAY,GAAG,UAAU,CAAC,YAAa,CAAC;wBAC9C,MAAM,SAAS,GAAG,YAAY,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;wBACtE,MAAM,YAAY,GAAG,GAAG,YAAY,CAAC,YAAY,GAAG,SAAS,EAAE;8BAC3D,gBAAgB,kBAAkB,CAAC,WAAW,CAAC,EAAE;8BACjD,UAAU,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;wBAE1C,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;4BAC3D,YAAY;4BACZ,WAAW;4BACX,KAAK;yBACN,CAAC,CAAC;wBAEH,IAAI,UAAU,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;4BAC/B,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;wBAC/E,CAAC;wBAED,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,gBAAgB,CACvD,YAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,EAAE,WAAW,CACpD,CAAC;wBAEF,SAAS,GAAG;4BACV,iBAAiB,EAAG,aAAa,CAAC,iBAAiB;4BACnD,YAAY,EAAQ,aAAa,CAAC,YAAY;4BAC9C,SAAS,EAAW,aAAa,CAAC,SAAS,KAAK,SAAS;gCACvD,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;4BAC7D,QAAQ,EAAK,YAAY,CAAC,QAAQ;4BAClC,UAAU,EAAG,YAAY,CAAC,UAAU;yBACrC,CAAC;wBACF,aAAa,CAAC,WAAW,CAAC,GAAG,SAAS,CAAC;oBACzC,CAAC;oBAED,mDAAmD;oBACnD,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;wBACjC,MAAM,YAAY,CAAC,uBAAuB,CACxC,WAAW,EAAE,GAAG,EAAE,SAAS,CAAC,iBAAiB,CAC9C,CAAC;oBACJ,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,oDAAoD;oBACpD,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;wBACjC,MAAM,YAAY,CAAC,cAAc,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,IAAI,YAAY,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;gBAC1C,MAAM,mBAAmB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YACpD,CAAC;YAED,oEAAoE;YACpE,IAAI,YAAY,CAAC,oBAAoB,EAAE,CAAC;gBACtC,YAAY,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAC;YACnD,CAAC;YAED,YAAY,CAAC,SAAS,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;CAAA;AAED,qEAAqE;AAErE;;;;;;;GAOG;AACH,MAAM,UAAgB,qBAAqB,CACzC,OAAuB;;QAEvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC;YAChE,IAAI,CAAC,GAAG,EAAE,CAAC;gBAAC,OAAO,EAAE,CAAC;YAAC,CAAC;YACxB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0C,CAAC;QAClE,CAAC;QAAC,WAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CAAA;AAED;;;GAGG;AACH,MAAM,UAAgB,mBAAmB,CACvC,OAAuB,EACvB,MAA6C;;QAE7C,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,mBAAmB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9E,CAAC;CAAA"}

package/dist/esm/flows/import-identity.js

@@ -1,177 +0,0 @@
-/**
- * Identity import flows.
- *
- * - Import from BIP-39 recovery phrase (re-derive vault + identity).
- * - Import from PortableIdentity JSON.
- * @module
- */
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-import { AuthSession } from '../identity-session.js';
-import { registerWithDwnEndpoints } from './dwn-registration.js';
-import { STORAGE_KEYS } from '../types.js';
-/**
- * Import (or recover) an identity from a BIP-39 recovery phrase.
- *
- * This re-initializes the vault with the given phrase and password,
- * recovering the agent DID and all derived keys.
- */
-export function importFromPhrase(ctx, options) {
-    return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c;
-        const { userAgent, emitter, storage } = ctx;
-        const { recoveryPhrase, password } = options;
-        const sync = (_a = options.sync) !== null && _a !== void 0 ? _a : ctx.defaultSync;
-        const dwnEndpoints = (_c = (_b = options.dwnEndpoints) !== null && _b !== void 0 ? _b : ctx.defaultDwnEndpoints) !== null && _c !== void 0 ? _c : ['https://enbox-dwn.fly.dev'];
-        // Initialize the vault with the recovery phrase.
-        // This re-derives the same agent DID and CEK from the mnemonic.
-        if (yield userAgent.firstLaunch()) {
-            yield userAgent.initialize({
-                password,
-                recoveryPhrase,
-                dwnEndpoints,
-            });
-        }
-        yield userAgent.start({ password });
-        emitter.emit('vault-unlocked', {});
-        // The recovery phrase re-derives the same agent DID,
-        // but the user identity might not exist yet — create one if needed.
-        const identities = yield userAgent.identity.list();
-        let identity = identities[0];
-        let isNewIdentity = false;
-        if (!identity) {
-            isNewIdentity = true;
-            identity = yield userAgent.identity.create({
-                didMethod: 'dht',
-                metadata: { name: 'Default' },
-                didOptions: {
-                    services: [
-                        {
-                            id: 'dwn',
-                            type: 'DecentralizedWebNode',
-                            serviceEndpoint: dwnEndpoints,
-                            enc: '#enc',
-                            sig: '#sig',
-                        }
-                    ],
-                    verificationMethods: [
-                        {
-                            algorithm: 'Ed25519',
-                            id: 'sig',
-                            purposes: ['assertionMethod', 'authentication'],
-                        },
-                        {
-                            algorithm: 'X25519',
-                            id: 'enc',
-                            purposes: ['keyAgreement'],
-                        },
-                    ],
-                },
-            });
-        }
-        const connectedDid = identity.did.uri;
-        // Register with DWN endpoints (if registration options are provided).
-        if (ctx.registration) {
-            yield registerWithDwnEndpoints({
-                userAgent: userAgent,
-                dwnEndpoints,
-                agentDid: userAgent.agentDid.uri,
-                connectedDid,
-                storage: storage,
-            }, ctx.registration);
-        }
-        // Register and start sync.
-        if (isNewIdentity && sync !== 'off') {
-            yield userAgent.sync.registerIdentity({ did: connectedDid, options: { protocols: [] } });
-        }
-        if (sync !== 'off') {
-            const syncMode = sync === undefined ? 'live' : 'poll';
-            const syncInterval = sync !== null && sync !== void 0 ? sync : (syncMode === 'live' ? '5m' : '2m');
-            userAgent.sync.startSync({ mode: syncMode, interval: syncInterval })
-                .catch((err) => console.error('[@enbox/auth] Sync failed:', err));
-        }
-        yield storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
-        yield storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
-        const identityInfo = {
-            didUri: connectedDid,
-            name: identity.metadata.name,
-        };
-        const session = new AuthSession({
-            agent: userAgent,
-            did: connectedDid,
-            identity: identityInfo,
-        });
-        emitter.emit('identity-added', { identity: identityInfo });
-        emitter.emit('session-start', {
-            session: { did: connectedDid, identity: identityInfo },
-        });
-        return session;
-    });
-}
-/**
- * Import an identity from a PortableIdentity JSON object.
- *
- * The portable identity contains the DID's private keys and metadata,
- * allowing it to be used on this device.
- */
-export function importFromPortable(ctx, options) {
-    return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c;
-        const { userAgent, emitter, storage } = ctx;
-        const sync = (_a = options.sync) !== null && _a !== void 0 ? _a : ctx.defaultSync;
-        const identity = yield userAgent.identity.import({
-            portableIdentity: options.portableIdentity,
-        });
-        const connectedDid = (_b = identity.metadata.connectedDid) !== null && _b !== void 0 ? _b : identity.did.uri;
-        const delegateDid = identity.metadata.connectedDid ? identity.did.uri : undefined;
-        // Register with DWN endpoints (if registration options are provided).
-        // For portable imports, extract endpoints from the DID document's DWN service.
-        if (ctx.registration) {
-            const dwnEndpoints = (_c = ctx.defaultDwnEndpoints) !== null && _c !== void 0 ? _c : ['https://enbox-dwn.fly.dev'];
-            yield registerWithDwnEndpoints({
-                userAgent: userAgent,
-                dwnEndpoints,
-                agentDid: userAgent.agentDid.uri,
-                connectedDid,
-                storage: storage,
-            }, ctx.registration);
-        }
-        // Register and start sync.
-        if (sync !== 'off') {
-            yield userAgent.sync.registerIdentity({
-                did: connectedDid,
-                options: { delegateDid, protocols: [] },
-            });
-            const syncMode = sync === undefined ? 'live' : 'poll';
-            const syncInterval = sync !== null && sync !== void 0 ? sync : (syncMode === 'live' ? '5m' : '2m');
-            userAgent.sync.startSync({ mode: syncMode, interval: syncInterval })
-                .catch((err) => console.error('[@enbox/auth] Sync failed:', err));
-        }
-        yield storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
-        yield storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
-        const identityInfo = {
-            didUri: connectedDid,
-            name: identity.metadata.name,
-            connectedDid: identity.metadata.connectedDid,
-        };
-        const session = new AuthSession({
-            agent: userAgent,
-            did: connectedDid,
-            delegateDid,
-            identity: identityInfo,
-        });
-        emitter.emit('identity-added', { identity: identityInfo });
-        emitter.emit('session-start', {
-            session: { did: connectedDid, delegateDid, identity: identityInfo },
-        });
-        return session;
-    });
-}
-//# sourceMappingURL=import-identity.js.map