@flowsta/auth 2.0.0 → 2.1.1

package/dist/chunk-FOKPJDDJ.mjs

@@ -0,0 +1,267 @@
+// src/index.ts
+async function generatePKCEPair() {
+  const verifier = generateRandomString(128);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomString(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var FlowstaAuth = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.user = null;
+    this.config = {
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes || ["openid", "email", "display_name"],
+      loginUrl: config.loginUrl || "https://login.flowsta.com",
+      apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
+    };
+    this.restoreSession();
+  }
+  /**
+   * Redirect user to Flowsta login page
+   * User will be redirected back to redirectUri after authentication
+   */
+  async login() {
+    const { verifier, challenge } = await generatePKCEPair();
+    const state = generateRandomString(32);
+    sessionStorage.setItem("flowsta_code_verifier", verifier);
+    sessionStorage.setItem("flowsta_state", state);
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes.join(" "),
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    window.location.href = `${this.config.loginUrl}/login?${params.toString()}`;
+  }
+  /**
+   * Handle OAuth callback after user authentication
+   * Call this on your redirect URI page
+   * @returns The authenticated user
+   */
+  async handleCallback() {
+    const params = new URLSearchParams(window.location.search);
+    const error = params.get("error");
+    if (error) {
+      const description = params.get("error_description") || error;
+      throw new Error(description);
+    }
+    const code = params.get("code");
+    if (!code) {
+      throw new Error("No authorization code received");
+    }
+    const state = params.get("state");
+    const storedState = sessionStorage.getItem("flowsta_state");
+    if (!state || state !== storedState) {
+      throw new Error("Invalid state parameter - possible CSRF attack");
+    }
+    const codeVerifier = sessionStorage.getItem("flowsta_code_verifier");
+    if (!codeVerifier) {
+      throw new Error("Missing PKCE code verifier");
+    }
+    const tokenResponse = await fetch(`${this.config.apiUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri,
+        client_id: this.config.clientId,
+        code_verifier: codeVerifier
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorData = await tokenResponse.json();
+      throw new Error(errorData.error_description || "Token exchange failed");
+    }
+    const { access_token, refresh_token } = await tokenResponse.json();
+    sessionStorage.removeItem("flowsta_code_verifier");
+    sessionStorage.removeItem("flowsta_state");
+    const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
+      headers: { Authorization: `Bearer ${access_token}` }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch user info");
+    }
+    const userData = await userResponse.json();
+    const vault = await this.detectVault();
+    this.accessToken = access_token;
+    this.user = {
+      id: userData.sub || userData.id,
+      email: userData.email,
+      username: userData.preferred_username,
+      displayName: userData.display_name || userData.name,
+      profilePicture: userData.picture || userData.profile_picture,
+      agentPubKey: userData.agent_pub_key,
+      did: userData.did,
+      signingMode: vault.running ? "ipc" : "remote"
+    };
+    localStorage.setItem("flowsta_access_token", access_token);
+    localStorage.setItem("flowsta_user", JSON.stringify(this.user));
+    if (refresh_token) {
+      localStorage.setItem("flowsta_refresh_token", refresh_token);
+    }
+    return this.user;
+  }
+  /**
+   * Log out the current user
+   */
+  logout() {
+    this.accessToken = null;
+    this.user = null;
+    localStorage.removeItem("flowsta_access_token");
+    localStorage.removeItem("flowsta_user");
+    localStorage.removeItem("flowsta_refresh_token");
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.accessToken && !!this.user;
+  }
+  /**
+   * Get the current user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Get the current access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Get current auth state
+   */
+  getState() {
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      user: this.user,
+      accessToken: this.accessToken,
+      isLoading: false,
+      error: null
+    };
+  }
+  // ── Vault Detection ──────────────────────────────────────────────
+  /**
+   * Detect whether Flowsta Vault (desktop app) is running.
+   *
+   * Probes the IPC server at localhost:27777. If running and unlocked,
+   * signing can be done locally instead of via the API.
+   *
+   * @returns Detection result with running status and agent info
+   */
+  async detectVault() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2e3);
+      const response = await fetch("http://127.0.0.1:27777/status", {
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (!response.ok) {
+        return { running: false };
+      }
+      const data = await response.json();
+      return {
+        running: true,
+        agentPubKey: data.agent_pub_key || data.agentPubKey,
+        did: data.did
+      };
+    } catch {
+      return { running: false };
+    }
+  }
+  // ── Agent Linking ────────────────────────────────────────────────
+  /**
+   * Get agents linked to a specific agent (or the current user's agent).
+   *
+   * Queries the API which reads from the DHT (IsSamePersonEntry).
+   *
+   * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+   * @returns List of linked agent public keys
+   */
+  async getLinkedAgents(agentPubKey) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/linked-agents`);
+    if (agentPubKey) {
+      url.searchParams.set("agent_pub_key", agentPubKey);
+    }
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      const data2 = await response.json().catch(() => ({}));
+      throw new Error(data2.error || "Failed to get linked agents");
+    }
+    const data = await response.json();
+    return data.linked_agents || [];
+  }
+  /**
+   * Check if two agents are linked (verified on the DHT).
+   *
+   * @param agentA First agent's public key
+   * @param agentB Second agent's public key
+   * @returns true if the agents are linked via an IsSamePersonEntry
+   */
+  async areAgentsLinked(agentA, agentB) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/are-agents-linked`);
+    url.searchParams.set("agent_a", agentA);
+    url.searchParams.set("agent_b", agentB);
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      return false;
+    }
+    const data = await response.json();
+    return data.linked === true;
+  }
+  restoreSession() {
+    if (typeof localStorage === "undefined") return;
+    const token = localStorage.getItem("flowsta_access_token");
+    const userJson = localStorage.getItem("flowsta_user");
+    if (token && userJson) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userJson);
+      } catch {
+        this.logout();
+      }
+    }
+  }
+};
+var index_default = FlowstaAuth;
+
+export {
+  FlowstaAuth,
+  index_default
+};

package/dist/chunk-HXNYC5IQ.mjs

@@ -0,0 +1,267 @@
+// src/index.ts
+async function generatePKCEPair() {
+  const verifier = generateRandomString(128);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomString(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => chars[byte % chars.length]).join("");
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var FlowstaAuth = class {
+  constructor(config) {
+    this.accessToken = null;
+    this.user = null;
+    this.config = {
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes || ["profile", "email"],
+      loginUrl: config.loginUrl || "https://login.flowsta.com",
+      apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
+    };
+    this.restoreSession();
+  }
+  /**
+   * Redirect user to Flowsta login page
+   * User will be redirected back to redirectUri after authentication
+   */
+  async login() {
+    const { verifier, challenge } = await generatePKCEPair();
+    const state = generateRandomString(32);
+    sessionStorage.setItem("flowsta_code_verifier", verifier);
+    sessionStorage.setItem("flowsta_state", state);
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: this.config.scopes.join(" "),
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    window.location.href = `${this.config.loginUrl}/login?${params.toString()}`;
+  }
+  /**
+   * Handle OAuth callback after user authentication
+   * Call this on your redirect URI page
+   * @returns The authenticated user
+   */
+  async handleCallback() {
+    const params = new URLSearchParams(window.location.search);
+    const error = params.get("error");
+    if (error) {
+      const description = params.get("error_description") || error;
+      throw new Error(description);
+    }
+    const code = params.get("code");
+    if (!code) {
+      throw new Error("No authorization code received");
+    }
+    const state = params.get("state");
+    const storedState = sessionStorage.getItem("flowsta_state");
+    if (!state || state !== storedState) {
+      throw new Error("Invalid state parameter - possible CSRF attack");
+    }
+    const codeVerifier = sessionStorage.getItem("flowsta_code_verifier");
+    if (!codeVerifier) {
+      throw new Error("Missing PKCE code verifier");
+    }
+    const tokenResponse = await fetch(`${this.config.apiUrl}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.config.redirectUri,
+        client_id: this.config.clientId,
+        code_verifier: codeVerifier
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorData = await tokenResponse.json();
+      throw new Error(errorData.error_description || "Token exchange failed");
+    }
+    const { access_token, refresh_token } = await tokenResponse.json();
+    sessionStorage.removeItem("flowsta_code_verifier");
+    sessionStorage.removeItem("flowsta_state");
+    const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
+      headers: { Authorization: `Bearer ${access_token}` }
+    });
+    if (!userResponse.ok) {
+      throw new Error("Failed to fetch user info");
+    }
+    const userData = await userResponse.json();
+    const vault = await this.detectVault();
+    this.accessToken = access_token;
+    this.user = {
+      id: userData.sub || userData.id,
+      email: userData.email,
+      username: userData.preferred_username,
+      displayName: userData.display_name || userData.name,
+      profilePicture: userData.picture || userData.profile_picture,
+      agentPubKey: userData.agent_pub_key,
+      did: userData.did,
+      signingMode: vault.running ? "ipc" : "remote"
+    };
+    localStorage.setItem("flowsta_access_token", access_token);
+    localStorage.setItem("flowsta_user", JSON.stringify(this.user));
+    if (refresh_token) {
+      localStorage.setItem("flowsta_refresh_token", refresh_token);
+    }
+    return this.user;
+  }
+  /**
+   * Log out the current user
+   */
+  logout() {
+    this.accessToken = null;
+    this.user = null;
+    localStorage.removeItem("flowsta_access_token");
+    localStorage.removeItem("flowsta_user");
+    localStorage.removeItem("flowsta_refresh_token");
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.accessToken && !!this.user;
+  }
+  /**
+   * Get the current user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Get the current access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Get current auth state
+   */
+  getState() {
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      user: this.user,
+      accessToken: this.accessToken,
+      isLoading: false,
+      error: null
+    };
+  }
+  // ── Vault Detection ──────────────────────────────────────────────
+  /**
+   * Detect whether Flowsta Vault (desktop app) is running.
+   *
+   * Probes the IPC server at localhost:27777. If running and unlocked,
+   * signing can be done locally instead of via the API.
+   *
+   * @returns Detection result with running status and agent info
+   */
+  async detectVault() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2e3);
+      const response = await fetch("http://127.0.0.1:27777/status", {
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (!response.ok) {
+        return { running: false };
+      }
+      const data = await response.json();
+      return {
+        running: true,
+        agentPubKey: data.agent_pub_key || data.agentPubKey,
+        did: data.did
+      };
+    } catch {
+      return { running: false };
+    }
+  }
+  // ── Agent Linking ────────────────────────────────────────────────
+  /**
+   * Get agents linked to a specific agent (or the current user's agent).
+   *
+   * Queries the API which reads from the DHT (IsSamePersonEntry).
+   *
+   * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+   * @returns List of linked agent public keys
+   */
+  async getLinkedAgents(agentPubKey) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/linked-agents`);
+    if (agentPubKey) {
+      url.searchParams.set("agent_pub_key", agentPubKey);
+    }
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      const data2 = await response.json().catch(() => ({}));
+      throw new Error(data2.error || "Failed to get linked agents");
+    }
+    const data = await response.json();
+    return data.linked_agents || [];
+  }
+  /**
+   * Check if two agents are linked (verified on the DHT).
+   *
+   * @param agentA First agent's public key
+   * @param agentB Second agent's public key
+   * @returns true if the agents are linked via an IsSamePersonEntry
+   */
+  async areAgentsLinked(agentA, agentB) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/are-agents-linked`);
+    url.searchParams.set("agent_a", agentA);
+    url.searchParams.set("agent_b", agentB);
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      return false;
+    }
+    const data = await response.json();
+    return data.linked === true;
+  }
+  restoreSession() {
+    if (typeof localStorage === "undefined") return;
+    const token = localStorage.getItem("flowsta_access_token");
+    const userJson = localStorage.getItem("flowsta_user");
+    if (token && userJson) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userJson);
+      } catch {
+        this.logout();
+      }
+    }
+  }
+};
+var index_default = FlowstaAuth;
+
+export {
+  FlowstaAuth,
+  index_default
+};

package/dist/index.d.mts

@@ -9,13 +9,15 @@
  * - Zero-knowledge architecture
  * - No client secrets needed (PKCE provides security)
  * - Simple "Sign in with Flowsta" integration
+ * - Flowsta Vault detection (desktop app IPC)
+ * - Agent linking queries (DHT-verified identity proofs)
  */
 interface FlowstaAuthConfig {
     /** Your Flowsta application client ID (from dev.flowsta.com) */
     clientId: string;
     /** The URI to redirect back to after authentication */
     redirectUri: string;
-    /** OAuth scopes to request. Default: ['profile', 'email'] */
+    /** OAuth scopes to request. Default: ['openid', 'email', 'display_name'] */
     scopes?: string[];
     /** The Flowsta login URL. Default: 'https://login.flowsta.com' */
     loginUrl?: string;
@@ -37,6 +39,28 @@ interface FlowstaUser {
     agentPubKey?: string;
     /** User's DID (Decentralized Identifier) */
     did?: string;
+    /** Agents linked to this user (from DHT IsSamePersonEntry) */
+    linkedAgents?: LinkedAgent[];
+    /** Current signing mode ('remote' = API, 'ipc' = Flowsta Vault) */
+    signingMode?: 'remote' | 'ipc';
+}
+/** A linked agent (verified on the DHT via IsSamePersonEntry) */
+interface LinkedAgent {
+    /** The linked agent's public key */
+    agentPubKey: string;
+    /** When the link was created */
+    linkedAt?: string;
+    /** Whether the link has been revoked */
+    isRevoked: boolean;
+}
+/** Flowsta Vault desktop app status */
+interface VaultDetectionResult {
+    /** Whether Flowsta Vault is running and reachable on localhost */
+    running: boolean;
+    /** The vault agent's public key (if unlocked) */
+    agentPubKey?: string;
+    /** The vault agent's DID (if unlocked) */
+    did?: string;
 }
 interface AuthState {
     /** Whether the user is authenticated */
@@ -106,7 +130,33 @@ declare class FlowstaAuth {
      * Get current auth state
      */
     getState(): AuthState;
+    /**
+     * Detect whether Flowsta Vault (desktop app) is running.
+     *
+     * Probes the IPC server at localhost:27777. If running and unlocked,
+     * signing can be done locally instead of via the API.
+     *
+     * @returns Detection result with running status and agent info
+     */
+    detectVault(): Promise<VaultDetectionResult>;
+    /**
+     * Get agents linked to a specific agent (or the current user's agent).
+     *
+     * Queries the API which reads from the DHT (IsSamePersonEntry).
+     *
+     * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+     * @returns List of linked agent public keys
+     */
+    getLinkedAgents(agentPubKey?: string): Promise<string[]>;
+    /**
+     * Check if two agents are linked (verified on the DHT).
+     *
+     * @param agentA First agent's public key
+     * @param agentB Second agent's public key
+     * @returns true if the agents are linked via an IsSamePersonEntry
+     */
+    areAgentsLinked(agentA: string, agentB: string): Promise<boolean>;
     private restoreSession;
 }
 
-export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, FlowstaAuth as default };
+export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, type LinkedAgent, type VaultDetectionResult, FlowstaAuth as default };

package/dist/index.d.ts

@@ -9,13 +9,15 @@
  * - Zero-knowledge architecture
  * - No client secrets needed (PKCE provides security)
  * - Simple "Sign in with Flowsta" integration
+ * - Flowsta Vault detection (desktop app IPC)
+ * - Agent linking queries (DHT-verified identity proofs)
  */
 interface FlowstaAuthConfig {
     /** Your Flowsta application client ID (from dev.flowsta.com) */
     clientId: string;
     /** The URI to redirect back to after authentication */
     redirectUri: string;
-    /** OAuth scopes to request. Default: ['profile', 'email'] */
+    /** OAuth scopes to request. Default: ['openid', 'email', 'display_name'] */
     scopes?: string[];
     /** The Flowsta login URL. Default: 'https://login.flowsta.com' */
     loginUrl?: string;
@@ -37,6 +39,28 @@ interface FlowstaUser {
     agentPubKey?: string;
     /** User's DID (Decentralized Identifier) */
     did?: string;
+    /** Agents linked to this user (from DHT IsSamePersonEntry) */
+    linkedAgents?: LinkedAgent[];
+    /** Current signing mode ('remote' = API, 'ipc' = Flowsta Vault) */
+    signingMode?: 'remote' | 'ipc';
+}
+/** A linked agent (verified on the DHT via IsSamePersonEntry) */
+interface LinkedAgent {
+    /** The linked agent's public key */
+    agentPubKey: string;
+    /** When the link was created */
+    linkedAt?: string;
+    /** Whether the link has been revoked */
+    isRevoked: boolean;
+}
+/** Flowsta Vault desktop app status */
+interface VaultDetectionResult {
+    /** Whether Flowsta Vault is running and reachable on localhost */
+    running: boolean;
+    /** The vault agent's public key (if unlocked) */
+    agentPubKey?: string;
+    /** The vault agent's DID (if unlocked) */
+    did?: string;
 }
 interface AuthState {
     /** Whether the user is authenticated */
@@ -106,7 +130,33 @@ declare class FlowstaAuth {
      * Get current auth state
      */
     getState(): AuthState;
+    /**
+     * Detect whether Flowsta Vault (desktop app) is running.
+     *
+     * Probes the IPC server at localhost:27777. If running and unlocked,
+     * signing can be done locally instead of via the API.
+     *
+     * @returns Detection result with running status and agent info
+     */
+    detectVault(): Promise<VaultDetectionResult>;
+    /**
+     * Get agents linked to a specific agent (or the current user's agent).
+     *
+     * Queries the API which reads from the DHT (IsSamePersonEntry).
+     *
+     * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+     * @returns List of linked agent public keys
+     */
+    getLinkedAgents(agentPubKey?: string): Promise<string[]>;
+    /**
+     * Check if two agents are linked (verified on the DHT).
+     *
+     * @param agentA First agent's public key
+     * @param agentB Second agent's public key
+     * @returns true if the agents are linked via an IsSamePersonEntry
+     */
+    areAgentsLinked(agentA: string, agentB: string): Promise<boolean>;
     private restoreSession;
 }
 
-export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, FlowstaAuth as default };
+export { type AuthState, FlowstaAuth, type FlowstaAuthConfig, type FlowstaUser, type LinkedAgent, type VaultDetectionResult, FlowstaAuth as default };

package/dist/index.js

@@ -53,7 +53,7 @@ var FlowstaAuth = class {
     this.config = {
       clientId: config.clientId,
       redirectUri: config.redirectUri,
-      scopes: config.scopes || ["profile", "email"],
+      scopes: config.scopes || ["openid", "email", "display_name"],
       loginUrl: config.loginUrl || "https://login.flowsta.com",
       apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
     };
@@ -123,12 +123,13 @@ var FlowstaAuth = class {
     sessionStorage.removeItem("flowsta_code_verifier");
     sessionStorage.removeItem("flowsta_state");
     const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
-      headers: { "Authorization": `Bearer ${access_token}` }
+      headers: { Authorization: `Bearer ${access_token}` }
     });
     if (!userResponse.ok) {
       throw new Error("Failed to fetch user info");
     }
     const userData = await userResponse.json();
+    const vault = await this.detectVault();
     this.accessToken = access_token;
     this.user = {
       id: userData.sub || userData.id,
@@ -137,7 +138,8 @@ var FlowstaAuth = class {
       displayName: userData.display_name || userData.name,
       profilePicture: userData.picture || userData.profile_picture,
       agentPubKey: userData.agent_pub_key,
-      did: userData.did
+      did: userData.did,
+      signingMode: vault.running ? "ipc" : "remote"
     };
     localStorage.setItem("flowsta_access_token", access_token);
     localStorage.setItem("flowsta_user", JSON.stringify(this.user));
@@ -186,6 +188,88 @@ var FlowstaAuth = class {
       error: null
     };
   }
+  // ── Vault Detection ──────────────────────────────────────────────
+  /**
+   * Detect whether Flowsta Vault (desktop app) is running.
+   *
+   * Probes the IPC server at localhost:27777. If running and unlocked,
+   * signing can be done locally instead of via the API.
+   *
+   * @returns Detection result with running status and agent info
+   */
+  async detectVault() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2e3);
+      const response = await fetch("http://127.0.0.1:27777/status", {
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (!response.ok) {
+        return { running: false };
+      }
+      const data = await response.json();
+      return {
+        running: true,
+        agentPubKey: data.agent_pub_key || data.agentPubKey,
+        did: data.did
+      };
+    } catch {
+      return { running: false };
+    }
+  }
+  // ── Agent Linking ────────────────────────────────────────────────
+  /**
+   * Get agents linked to a specific agent (or the current user's agent).
+   *
+   * Queries the API which reads from the DHT (IsSamePersonEntry).
+   *
+   * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+   * @returns List of linked agent public keys
+   */
+  async getLinkedAgents(agentPubKey) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/linked-agents`);
+    if (agentPubKey) {
+      url.searchParams.set("agent_pub_key", agentPubKey);
+    }
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      const data2 = await response.json().catch(() => ({}));
+      throw new Error(data2.error || "Failed to get linked agents");
+    }
+    const data = await response.json();
+    return data.linked_agents || [];
+  }
+  /**
+   * Check if two agents are linked (verified on the DHT).
+   *
+   * @param agentA First agent's public key
+   * @param agentB Second agent's public key
+   * @returns true if the agents are linked via an IsSamePersonEntry
+   */
+  async areAgentsLinked(agentA, agentB) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/are-agents-linked`);
+    url.searchParams.set("agent_a", agentA);
+    url.searchParams.set("agent_b", agentB);
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      return false;
+    }
+    const data = await response.json();
+    return data.linked === true;
+  }
   restoreSession() {
     if (typeof localStorage === "undefined") return;
     const token = localStorage.getItem("flowsta_access_token");

package/dist/index.mjs

@@ -1,7 +1,7 @@
 import {
   FlowstaAuth,
   index_default
-} from "./chunk-NBWAVXMK.mjs";
+} from "./chunk-FOKPJDDJ.mjs";
 export {
   FlowstaAuth,
   index_default as default

package/dist/react.d.mts

@@ -1,7 +1,7 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode } from 'react';
 import { FlowstaAuthConfig, AuthState, FlowstaUser } from './index.mjs';
-export { default as FlowstaAuth } from './index.mjs';
+export { FlowstaAuth } from './index.mjs';
 
 interface FlowstaAuthContextValue extends AuthState {
     /** Redirect to Flowsta login */

package/dist/react.d.ts

@@ -1,7 +1,7 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode } from 'react';
 import { FlowstaAuthConfig, AuthState, FlowstaUser } from './index.js';
-export { default as FlowstaAuth } from './index.js';
+export { FlowstaAuth } from './index.js';
 
 interface FlowstaAuthContextValue extends AuthState {
     /** Redirect to Flowsta login */

package/dist/react.js

@@ -59,7 +59,7 @@ var FlowstaAuth = class {
     this.config = {
       clientId: config.clientId,
       redirectUri: config.redirectUri,
-      scopes: config.scopes || ["profile", "email"],
+      scopes: config.scopes || ["openid", "email", "display_name"],
       loginUrl: config.loginUrl || "https://login.flowsta.com",
       apiUrl: config.apiUrl || "https://auth-api.flowsta.com"
     };
@@ -129,12 +129,13 @@ var FlowstaAuth = class {
     sessionStorage.removeItem("flowsta_code_verifier");
     sessionStorage.removeItem("flowsta_state");
     const userResponse = await fetch(`${this.config.apiUrl}/oauth/userinfo`, {
-      headers: { "Authorization": `Bearer ${access_token}` }
+      headers: { Authorization: `Bearer ${access_token}` }
     });
     if (!userResponse.ok) {
       throw new Error("Failed to fetch user info");
     }
     const userData = await userResponse.json();
+    const vault = await this.detectVault();
     this.accessToken = access_token;
     this.user = {
       id: userData.sub || userData.id,
@@ -143,7 +144,8 @@ var FlowstaAuth = class {
       displayName: userData.display_name || userData.name,
       profilePicture: userData.picture || userData.profile_picture,
       agentPubKey: userData.agent_pub_key,
-      did: userData.did
+      did: userData.did,
+      signingMode: vault.running ? "ipc" : "remote"
     };
     localStorage.setItem("flowsta_access_token", access_token);
     localStorage.setItem("flowsta_user", JSON.stringify(this.user));
@@ -192,6 +194,88 @@ var FlowstaAuth = class {
       error: null
     };
   }
+  // ── Vault Detection ──────────────────────────────────────────────
+  /**
+   * Detect whether Flowsta Vault (desktop app) is running.
+   *
+   * Probes the IPC server at localhost:27777. If running and unlocked,
+   * signing can be done locally instead of via the API.
+   *
+   * @returns Detection result with running status and agent info
+   */
+  async detectVault() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2e3);
+      const response = await fetch("http://127.0.0.1:27777/status", {
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (!response.ok) {
+        return { running: false };
+      }
+      const data = await response.json();
+      return {
+        running: true,
+        agentPubKey: data.agent_pub_key || data.agentPubKey,
+        did: data.did
+      };
+    } catch {
+      return { running: false };
+    }
+  }
+  // ── Agent Linking ────────────────────────────────────────────────
+  /**
+   * Get agents linked to a specific agent (or the current user's agent).
+   *
+   * Queries the API which reads from the DHT (IsSamePersonEntry).
+   *
+   * @param agentPubKey Optional specific agent to query. Defaults to current user's agent.
+   * @returns List of linked agent public keys
+   */
+  async getLinkedAgents(agentPubKey) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/linked-agents`);
+    if (agentPubKey) {
+      url.searchParams.set("agent_pub_key", agentPubKey);
+    }
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      const data2 = await response.json().catch(() => ({}));
+      throw new Error(data2.error || "Failed to get linked agents");
+    }
+    const data = await response.json();
+    return data.linked_agents || [];
+  }
+  /**
+   * Check if two agents are linked (verified on the DHT).
+   *
+   * @param agentA First agent's public key
+   * @param agentB Second agent's public key
+   * @returns true if the agents are linked via an IsSamePersonEntry
+   */
+  async areAgentsLinked(agentA, agentB) {
+    const token = this.accessToken;
+    if (!token) {
+      throw new Error("Not authenticated");
+    }
+    const url = new URL(`${this.config.apiUrl}/auth/are-agents-linked`);
+    url.searchParams.set("agent_a", agentA);
+    url.searchParams.set("agent_b", agentB);
+    const response = await fetch(url.toString(), {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!response.ok) {
+      return false;
+    }
+    const data = await response.json();
+    return data.linked === true;
+  }
   restoreSession() {
     if (typeof localStorage === "undefined") return;
     const token = localStorage.getItem("flowsta_access_token");

package/dist/react.mjs

@@ -1,6 +1,6 @@
 import {
   FlowstaAuth
-} from "./chunk-NBWAVXMK.mjs";
+} from "./chunk-FOKPJDDJ.mjs";
 
 // src/react.tsx
 import {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@flowsta/auth",
-  "version": "2.0.0",
-  "description": "Flowsta Auth SDK 2.0 - OAuth-only authentication for web applications",
+  "version": "2.1.1",
+  "description": "Flowsta Auth SDK - OAuth authentication with Vault detection and agent linking",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.ts",
@@ -51,10 +51,11 @@
     }
   },
   "devDependencies": {
+    "@types/react": "^18.2.0",
+    "happy-dom": "20.5.0",
     "tsup": "^8.0.0",
     "typescript": "^5.3.0",
-    "vitest": "^1.0.0",
-    "@types/react": "^18.2.0"
+    "vite": "7.3.1",
+    "vitest": "^4.0.18"
   }
 }
-