@learncard/types 5.12.2 → 5.13.0

package/dist/auth.d.ts

@@ -0,0 +1,328 @@
+/**
+ * Provider-agnostic interfaces for authentication and key derivation.
+ *
+ * Both @learncard/sss-key-manager and learn-card-base import from here,
+ * ensuring a single canonical source for abstract interfaces without
+ * coupling consumers to any specific implementation.
+ */
+/**
+ * Typed error for auth session issues.
+ * Auth providers should throw this (instead of generic Error) when the
+ * session is expired, revoked, or missing so the coordinator can
+ * distinguish "not logged in" from "unexpected failure".
+ */
+export declare class AuthSessionError extends Error {
+    readonly reason: 'expired' | 'no_session' | 'revoked' | 'network';
+    constructor(message: string, reason: 'expired' | 'no_session' | 'revoked' | 'network');
+}
+/**
+ * Auth provider identifier. Known values: 'firebase', 'supertokens', 'keycloak', 'oidc'.
+ * Use any string to support custom auth providers without modifying this type.
+ */
+export type AuthProviderType = string;
+export interface AuthUser {
+    id: string;
+    email?: string;
+    phone?: string;
+    displayName?: string;
+    photoUrl?: string;
+    providerType: AuthProviderType;
+    /** Account creation timestamp (when available from the auth provider) */
+    createdAt?: Date;
+}
+/**
+ * Abstract auth provider interface.
+ * Implementations wrap a specific auth SDK (Firebase, Supertokens, etc.)
+ * and expose a uniform API to the coordinator.
+ */
+export interface AuthProvider {
+    getIdToken(forceRefresh?: boolean): Promise<string>;
+    getCurrentUser(): Promise<AuthUser | null>;
+    getProviderType(): AuthProviderType;
+    signOut(): Promise<void>;
+    /**
+     * Attempt to silently refresh the auth session (e.g., force-refresh
+     * the JWT using the underlying refresh token).
+     *
+     * Returns `true` if the session was successfully refreshed.
+     * Returns `false` if a full re-authentication is required.
+     *
+     * Optional — providers that don't implement this will require full
+     * re-auth whenever the session expires.
+     */
+    refreshSession?(): Promise<boolean>;
+    /**
+     * Re-authenticate with a server-issued token (e.g., a Firebase custom
+     * token returned after a server-side account change that invalidates
+     * the current session).
+     *
+     * Returns the refreshed AuthUser read directly from the auth SDK
+     * (not from the app store, which may be stale).
+     *
+     * Optional — only needed by providers whose server-side account
+     * mutations invalidate the client session.
+     */
+    reauthenticateWithToken?(token: string): Promise<AuthUser | null>;
+}
+/**
+ * Opaque handle returned by `sendPhoneOtp()`.
+ * On web this wraps a ConfirmationResult; on native it carries a verificationId.
+ * Consumers pass this back to `confirmPhoneOtp()` — never inspect internals.
+ */
+export interface PhoneVerificationHandle {
+    verificationId: string;
+    /** Platform-specific confirmation object (e.g. Firebase ConfirmationResult) */
+    _internal?: unknown;
+}
+/**
+ * Abstract sign-in adapter interface.
+ *
+ * Encapsulates **all** provider-specific sign-in logic (Firebase, Supertokens,
+ * Keycloak, …).  Apps register a concrete adapter at startup via
+ * `registerSignInAdapterFactory()` and resolve it through the provider registry.
+ *
+ * The `subscribe()` method is the **single source of truth** for auth state:
+ * `SignInAdapterProvider` calls it once and writes every state change to
+ * `authUserStore`, replacing the Phase 1 bridge.
+ *
+ * Individual sign-in methods return `Promise<AuthUser>` on success and throw
+ * on failure — the app-level hook (`useFirebase` / `useAuth`) handles UI
+ * feedback (toasts, modals, analytics).
+ */
+export interface SignInAdapter {
+    readonly providerType: AuthProviderType;
+    /**
+     * Subscribe to auth-state changes.  The callback fires immediately with
+     * the current state and again on every sign-in / sign-out.
+     *
+     * Returns an unsubscribe function.
+     */
+    subscribe(onUser: (user: AuthUser | null) => void): () => void;
+    /** Synchronous snapshot of the last user emitted by `subscribe()`. */
+    getCurrentUser(): AuthUser | null;
+    sendEmailLink(email: string, redirectUrl?: string): Promise<void>;
+    verifyEmailLink(email: string, link: string): Promise<AuthUser>;
+    isEmailLink(link: string): boolean;
+    /**
+     * Send an SMS OTP to the given number.
+     * On web this sets up a RecaptchaVerifier transparently.
+     */
+    sendPhoneOtp(phoneNumber: string): Promise<PhoneVerificationHandle>;
+    /**
+     * Confirm a phone OTP using the handle returned by `sendPhoneOtp()`.
+     */
+    confirmPhoneOtp(handle: PhoneVerificationHandle, code: string | number): Promise<AuthUser>;
+    /**
+     * Confirm a phone OTP using a native verificationId (Capacitor auto-verify
+     * path).  Falls back to `confirmPhoneOtp` when not implemented.
+     */
+    confirmNativePhoneOtp?(verificationId: string, code: string | number): Promise<AuthUser>;
+    signInWithGoogle(): Promise<AuthUser>;
+    signInWithApple(): Promise<AuthUser>;
+    /** Check for a pending OAuth redirect result (e.g. Apple on web). */
+    checkRedirectResult?(): Promise<AuthUser | null>;
+    signInWithCustomToken(token: string): Promise<AuthUser>;
+    /** Sign in with an OIDC credential (e.g. Keycloak World Scouts SSO). */
+    signInWithOidcCredential?(providerId: string, idToken: string): Promise<AuthUser>;
+    deleteAccount(): Promise<void>;
+    signOut(): Promise<void>;
+    /** Tear down any DOM elements created by the adapter (e.g. RecaptchaVerifier). */
+    cleanup?(): void;
+}
+/**
+ * Recovery method metadata returned by the server.
+ * The `type` is a string so strategies can define their own method types
+ * without modifying this interface.
+ */
+export interface RecoveryMethodInfo {
+    type: string;
+    createdAt: Date;
+    credentialId?: string;
+}
+/**
+ * Generic result of a successful recovery execution.
+ * All strategies must produce a private key + DID.
+ */
+export interface RecoveryResult {
+    privateKey: string;
+    did: string;
+}
+/**
+ * Server key status returned by the strategy's fetchServerKeyStatus.
+ * The strategy owns the server shape — different strategies may
+ * have fundamentally different server payloads.
+ */
+export interface ServerKeyStatus {
+    exists: boolean;
+    needsMigration: boolean;
+    primaryDid: string | null;
+    recoveryMethods: RecoveryMethodInfo[];
+    authShare: string | null;
+    shareVersion: number | null;
+    maskedRecoveryEmail?: string | null;
+}
+/**
+ * Declarative capability flags for a key derivation strategy.
+ *
+ * UI components read these to decide which features to show.
+ * Each strategy declares its own capabilities — no strategy-specific
+ * checks needed in the UI layer.
+ *
+ * All flags default to `false` when absent.
+ *
+ * @example
+ * ```ts
+ * // SSS declares full capabilities:
+ * capabilities: { recovery: true, deviceLinking: true, localKeyPersistence: true }
+ *
+ * // Web3Auth derives keys on-demand, nothing local to manage:
+ * capabilities: { recovery: false, deviceLinking: false, localKeyPersistence: false }
+ * ```
+ */
+export interface KeyDerivationCapabilities {
+    /** Strategy supports user-facing recovery methods (setup + execution) */
+    recovery: boolean;
+    /** Strategy supports cross-device key transfer (e.g., QR-based device linking) */
+    deviceLinking: boolean;
+    /**
+     * Strategy persists key material locally (e.g., device share in IndexedDB).
+     * When true, "public computer" / "forget device" features are relevant.
+     */
+    localKeyPersistence: boolean;
+    /**
+     * Strategy supports upgrading the user's contact method (e.g., phone → email).
+     * When true, the `upgradeContactMethod` method is available and the
+     * email-linking gate can be shown for phone-only users.
+     */
+    contactMethodUpgrade: boolean;
+}
+/**
+ * Key Derivation Strategy
+ *
+ * Abstract interface for different key derivation implementations.
+ * Used by AuthCoordinator to delegate key operations.
+ *
+ * The strategy owns:
+ * - Local key storage
+ * - Key splitting and reconstruction
+ * - Server communication for remote key components
+ * - Recovery method execution and setup
+ * - Storage cleanup knowledge
+ *
+ * Type parameters allow each strategy to define its own recovery shapes:
+ * - TRecoveryInput: what the user provides to recover (e.g., password, passkey)
+ * - TRecoverySetupInput: what the user provides to set up a recovery method
+ * - TRecoverySetupResult: what setup returns (e.g., generated phrase, credential ID)
+ *
+ * @example
+ * // SSS strategy with specific recovery types:
+ * type SSSStrategy = KeyDerivationStrategy<SSSRecoveryInput, SSSRecoverySetupInput, SSSRecoverySetupResult>;
+ *
+ * // Simple strategy with no recovery:
+ * type SimpleStrategy = KeyDerivationStrategy<never, never, never>;
+ */
+export interface KeyDerivationStrategy<TRecoveryInput = unknown, TRecoverySetupInput = unknown, TRecoverySetupResult = unknown> {
+    readonly name: string;
+    /** Declarative feature flags — UI reads these to gate features */
+    readonly capabilities: KeyDerivationCapabilities;
+    /** Check if there's a local key component (e.g., device share) */
+    hasLocalKey(): Promise<boolean>;
+    /** Get the local key component */
+    getLocalKey(): Promise<string | null>;
+    /** Store a local key component */
+    storeLocalKey(key: string): Promise<void>;
+    /** Clear all local key data */
+    clearLocalKeys(): Promise<void>;
+    /** Split a private key into shares/components */
+    splitKey(privateKey: string): Promise<{
+        localKey: string;
+        remoteKey: string;
+    }>;
+    /** Reconstruct private key from components */
+    reconstructKey(localKey: string, remoteKey: string): Promise<string>;
+    /** Verify that stored keys can reconstruct the expected DID */
+    verifyKeys?(localKey: string, remoteKey: string, expectedDid: string, didFromPrivateKey: (pk: string) => Promise<string>): Promise<boolean>;
+    /** Fetch the server-side key status for the authenticated user */
+    fetchServerKeyStatus(token: string, providerType: AuthProviderType): Promise<ServerKeyStatus>;
+    /** Store the remote key component on the server */
+    storeAuthShare(token: string, providerType: AuthProviderType, remoteKey: string, did: string, didAuthVp?: string): Promise<void>;
+    /** Mark migration complete on the server (optional — only needed for migration-capable strategies) */
+    markMigrated?(token: string, providerType: AuthProviderType, didAuthVp?: string): Promise<void>;
+    /** Execute a recovery flow and return the recovered private key + DID */
+    executeRecovery(params: {
+        token: string;
+        providerType: AuthProviderType;
+        input: TRecoveryInput;
+        /** Optional: validate the reconstructed key's DID before rotating shares */
+        didFromPrivateKey?: (privateKey: string) => Promise<string>;
+    }): Promise<RecoveryResult>;
+    /** Set up a new recovery method */
+    setupRecoveryMethod?(params: {
+        token: string;
+        providerType: AuthProviderType;
+        privateKey: string;
+        input: TRecoverySetupInput;
+        authUser?: AuthUser;
+        /** Optional: sign a DID-Auth VP JWT for server write operations */
+        signDidAuthVp?: (privateKey: string) => Promise<string>;
+    }): Promise<TRecoverySetupResult>;
+    /** Get configured recovery methods for the authenticated user */
+    getAvailableRecoveryMethods?(token: string, providerType: AuthProviderType): Promise<RecoveryMethodInfo[]>;
+    /**
+     * Verify email ownership and upgrade the user's contact method on the
+     * server (e.g., phone → email). The server verifies the OTP code, links
+     * the email to the auth account (passwordless), and atomically updates
+     * the UserKey contact method.
+     *
+     * Strategies that don't manage server-side contact methods can omit this.
+     *
+     * @param token - Auth token for the current session
+     * @param providerType - Auth provider type
+     * @param previousPhone - The phone number being replaced
+     * @param email - The new email address (already OTP-verified client-side)
+     * @param code - The 6-digit verification code
+     */
+    upgradeContactMethod?(token: string, providerType: AuthProviderType, previousPhone: string, email: string, code: string): Promise<{
+        customToken?: string;
+    } | void>;
+    /**
+     * Send a backup share to the user's email for fail-safe recovery.
+     * Called by the coordinator after key setup or migration.
+     * Implementation should be fire-and-forget (non-fatal on failure).
+     *
+     * @param token - Auth token for server communication
+     * @param providerType - Auth provider type
+     * @param privateKey - The private key to derive the email share from
+     * @param email - Destination email address
+     */
+    sendEmailBackupShare?(token: string, providerType: AuthProviderType, privateKey: string, email: string): Promise<void>;
+    /**
+     * Get the share version associated with the local device share.
+     * Used to request the matching auth share from the server and to
+     * include in QR cross-device transfers.
+     *
+     * Returns null for legacy shares with no stored version.
+     */
+    getLocalShareVersion?(): Promise<number | null>;
+    /**
+     * Store the share version for the local device share.
+     * Called after receiving a device share + version via QR transfer.
+     */
+    storeLocalShareVersion?(version: number): Promise<void>;
+    /**
+     * Inform the strategy which user is active so it can scope local storage
+     * (e.g., device shares) per-user. Called by the coordinator after
+     * authentication, before any local-key operations.
+     *
+     * Strategies that don't need per-user scoping can omit this method.
+     *
+     * @param userId - Stable, unique identifier for the authenticated user
+     *                 (e.g., Firebase UID). Must NOT change across sessions.
+     */
+    setActiveUser?(userId: string): void;
+    /** Return storage keys (e.g., IndexedDB database names) that should be preserved during logout */
+    getPreservedStorageKeys(): string[];
+    /** Strategy-specific cleanup beyond clearLocalKeys (optional) */
+    cleanup?(): Promise<void>;
+}
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;aAGnB,MAAM,EAAE,SAAS,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS;gBADxE,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,SAAS,GAAG,YAAY,GAAG,SAAS,GAAG,SAAS;CAK/E;AAMD;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEtC,MAAM,WAAW,QAAQ;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,gBAAgB,CAAC;IAE/B,yEAAyE;IACzE,SAAS,CAAC,EAAE,IAAI,CAAC;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IACzB,UAAU,CAAC,YAAY,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,cAAc,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC3C,eAAe,IAAI,gBAAgB,CAAC;IACpC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzB;;;;;;;;;OASG;IACH,cAAc,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEpC;;;;;;;;;;OAUG;IACH,uBAAuB,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;CACrE;AAMD;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACpC,cAAc,EAAE,MAAM,CAAC;IAEvB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,aAAa;IAC1B,QAAQ,CAAC,YAAY,EAAE,gBAAgB,CAAC;IAIxC;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,QAAQ,GAAG,IAAI,KAAK,IAAI,GAAG,MAAM,IAAI,CAAC;IAE/D,sEAAsE;IACtE,cAAc,IAAI,QAAQ,GAAG,IAAI,CAAC;IAIlC,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IAInC;;;OAGG;IACH,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAEpE;;OAEG;IACH,eAAe,CAAC,MAAM,EAAE,uBAAuB,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE3F;;;OAGG;IACH,qBAAqB,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAIzF,gBAAgB,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEtC,eAAe,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErC,qEAAqE;IACrE,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAIjD,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAExD,wEAAwE;IACxE,wBAAwB,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAIlF,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAIzB,kFAAkF;IAClF,OAAO,CAAC,IAAI,IAAI,CAAC;CACpB;AAMD;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,IAAI,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;CACf;AAMD;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC5B,MAAM,EAAE,OAAO,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,eAAe,EAAE,kBAAkB,EAAE,CAAC;IACtC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvC;AAMD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,yBAAyB;IACtC,yEAAyE;IACzE,QAAQ,EAAE,OAAO,CAAC;IAElB,kFAAkF;IAClF,aAAa,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,mBAAmB,EAAE,OAAO,CAAC;IAE7B;;;;OAIG;IACH,oBAAoB,EAAE,OAAO,CAAC;CACjC;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,qBAAqB,CAClC,cAAc,GAAG,OAAO,EACxB,mBAAmB,GAAG,OAAO,EAC7B,oBAAoB,GAAG,OAAO;IAE9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,kEAAkE;IAClE,QAAQ,CAAC,YAAY,EAAE,yBAAyB,CAAC;IAIjD,kEAAkE;IAClE,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC,kCAAkC;IAClC,WAAW,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEtC,kCAAkC;IAClC,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1C,+BAA+B;IAC/B,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC,iDAAiD;IACjD,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAE/E,8CAA8C;IAC9C,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAErE,+DAA+D;IAC/D,UAAU,CAAC,CACP,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,iBAAiB,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GACnD,OAAO,CAAC,OAAO,CAAC,CAAC;IAIpB,kEAAkE;IAClE,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAE9F,mDAAmD;IACnD,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjI,sGAAsG;IACtG,YAAY,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAIhG,yEAAyE;IACzE,eAAe,CAAC,MAAM,EAAE;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,gBAAgB,CAAC;QAC/B,KAAK,EAAE,cAAc,CAAC;QACtB,4EAA4E;QAC5E,iBAAiB,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;KAC/D,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAE5B,mCAAmC;IACnC,mBAAmB,CAAC,CAAC,MAAM,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,gBAAgB,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,mBAAmB,CAAC;QAC3B,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,mEAAmE;QACnE,aAAa,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;KAC3D,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAElC,iEAAiE;IACjE,2BAA2B,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,gBAAgB,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAI3G;;;;;;;;;;;;;OAaG;IACH,oBAAoB,CAAC,CACjB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,gBAAgB,EAC9B,aAAa,EAAE,MAAM,EACrB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAI5C;;;;;;;;;OASG;IACH,oBAAoB,CAAC,CACjB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,gBAAgB,EAC9B,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAAC;IAIjB;;;;;;OAMG;IACH,oBAAoB,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEhD;;;OAGG;IACH,sBAAsB,CAAC,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAIxD;;;;;;;;;OASG;IACH,aAAa,CAAC,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAIrC,kGAAkG;IAClG,uBAAuB,IAAI,MAAM,EAAE,CAAC;IAEpC,iEAAiE;IACjE,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B"}

package/dist/index.d.ts

@@ -9,4 +9,5 @@ export * from './mongo';
 export * from './wasm';
 export * from './helpers';
 export * from './queries';
+export * from './auth';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,MAAM,CAAC;AACrB,cAAc,OAAO,CAAC;AACtB,cAAc,QAAQ,CAAC;AACvB,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,OAAO,CAAC;AACtB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,MAAM,CAAC;AACrB,cAAc,OAAO,CAAC;AACtB,cAAc,QAAQ,CAAC;AACvB,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,OAAO,CAAC;AACtB,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,QAAQ,CAAC;AACvB,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC"}

package/dist/lcn.d.ts

@@ -3022,6 +3022,7 @@ export declare const LCNNotificationTypeEnumValidator: z.ZodEnum<{
     APP_LISTING_SUBMITTED: "APP_LISTING_SUBMITTED";
     APP_LISTING_APPROVED: "APP_LISTING_APPROVED";
     APP_LISTING_REJECTED: "APP_LISTING_REJECTED";
+    DEVICE_LINK_REQUEST: "DEVICE_LINK_REQUEST";
 }>;
 export type LCNNotificationTypeEnum = z.infer<typeof LCNNotificationTypeEnumValidator>;
 export declare const LCNNotificationMessageValidator: z.ZodObject<{
@@ -3141,6 +3142,7 @@ export declare const LCNNotificationValidator: z.ZodObject<{
         APP_LISTING_SUBMITTED: "APP_LISTING_SUBMITTED";
         APP_LISTING_APPROVED: "APP_LISTING_APPROVED";
         APP_LISTING_REJECTED: "APP_LISTING_REJECTED";
+        DEVICE_LINK_REQUEST: "DEVICE_LINK_REQUEST";
     }>;
     to: z.ZodIntersection<z.ZodObject<{
         profileId: z.ZodOptional<z.ZodString>;
@@ -3431,6 +3433,7 @@ export declare const InboxCredentialValidator: z.ZodObject<{
     webhookUrl: z.ZodOptional<z.ZodString>;
     boostUri: z.ZodOptional<z.ZodString>;
     activityId: z.ZodOptional<z.ZodString>;
+    integrationId: z.ZodOptional<z.ZodString>;
     signingAuthority: z.ZodOptional<z.ZodObject<{
         endpoint: z.ZodOptional<z.ZodString>;
         name: z.ZodOptional<z.ZodString>;
@@ -3457,6 +3460,7 @@ export declare const PaginatedInboxCredentialsValidator: z.ZodObject<{
         webhookUrl: z.ZodOptional<z.ZodString>;
         boostUri: z.ZodOptional<z.ZodString>;
         activityId: z.ZodOptional<z.ZodString>;
+        integrationId: z.ZodOptional<z.ZodString>;
         signingAuthority: z.ZodOptional<z.ZodObject<{
             endpoint: z.ZodOptional<z.ZodString>;
             name: z.ZodOptional<z.ZodString>;
@@ -4153,8 +4157,12 @@ export declare const IssueInboxCredentialResponseValidator: z.ZodObject<{
     recipientDid: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 export type IssueInboxCredentialResponseType = z.infer<typeof IssueInboxCredentialResponseValidator>;
+/** A simple name reference that the server resolves to a boost template */
+export declare const CredentialNameRefValidator: z.ZodObject<{
+    name: z.ZodString;
+}, z.core.$loose>;
 export declare const ClaimInboxCredentialValidator: z.ZodObject<{
-    credential: z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
+    credential: z.ZodUnion<[z.ZodUnion<[z.ZodUnion<[z.ZodObject<{
         '@context': z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodRecord<z.ZodString, z.ZodAny>]>>;
         id: z.ZodOptional<z.ZodString>;
         type: z.ZodArray<z.ZodString>;
@@ -4760,7 +4768,9 @@ export declare const ClaimInboxCredentialValidator: z.ZodObject<{
             genre: z.ZodOptional<z.ZodString>;
             audience: z.ZodOptional<z.ZodString>;
         }, z.core.$catchall<z.ZodAny>>>]>>;
-    }, z.core.$catchall<z.ZodAny>>]>;
+    }, z.core.$catchall<z.ZodAny>>]>, z.ZodObject<{
+        name: z.ZodString;
+    }, z.core.$loose>]>;
     configuration: z.ZodOptional<z.ZodObject<{
         publishableKey: z.ZodString;
         signingAuthorityName: z.ZodOptional<z.ZodString>;
@@ -5419,6 +5429,13 @@ export declare const PromotionLevelValidator: z.ZodEnum<{
     DEMOTED: "DEMOTED";
 }>;
 export type PromotionLevel = z.infer<typeof PromotionLevelValidator>;
+export declare const AgeRatingValidator: z.ZodEnum<{
+    "4+": "4+";
+    "9+": "9+";
+    "12+": "12+";
+    "17+": "17+";
+}>;
+export type AgeRating = z.infer<typeof AgeRatingValidator>;
 export declare const AppStoreListingValidator: z.ZodObject<{
     listing_id: z.ZodString;
     slug: z.ZodOptional<z.ZodString>;
@@ -5456,6 +5473,13 @@ export declare const AppStoreListingValidator: z.ZodObject<{
     highlights: z.ZodOptional<z.ZodArray<z.ZodString>>;
     screenshots: z.ZodOptional<z.ZodArray<z.ZodString>>;
     hero_background_color: z.ZodOptional<z.ZodString>;
+    min_age: z.ZodOptional<z.ZodNumber>;
+    age_rating: z.ZodOptional<z.ZodEnum<{
+        "4+": "4+";
+        "9+": "9+";
+        "12+": "12+";
+        "17+": "17+";
+    }>>;
 }, z.core.$strip>;
 export type AppStoreListing = z.infer<typeof AppStoreListingValidator>;
 export declare const AppStoreListingCreateValidator: z.ZodObject<{
@@ -5482,6 +5506,13 @@ export declare const AppStoreListingCreateValidator: z.ZodObject<{
     highlights: z.ZodOptional<z.ZodArray<z.ZodString>>;
     screenshots: z.ZodOptional<z.ZodArray<z.ZodString>>;
     hero_background_color: z.ZodOptional<z.ZodString>;
+    min_age: z.ZodOptional<z.ZodNumber>;
+    age_rating: z.ZodOptional<z.ZodEnum<{
+        "4+": "4+";
+        "9+": "9+";
+        "12+": "12+";
+        "17+": "17+";
+    }>>;
 }, z.core.$strip>;
 export type AppStoreListingCreateType = z.infer<typeof AppStoreListingCreateValidator>;
 export declare const AppStoreListingUpdateValidator: z.ZodObject<{
@@ -5508,6 +5539,13 @@ export declare const AppStoreListingUpdateValidator: z.ZodObject<{
     highlights: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
     screenshots: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
     hero_background_color: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    min_age: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
+    age_rating: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
+        "4+": "4+";
+        "9+": "9+";
+        "12+": "12+";
+        "17+": "17+";
+    }>>>;
 }, z.core.$strip>;
 export type AppStoreListingUpdateType = z.infer<typeof AppStoreListingUpdateValidator>;
 export declare const InstalledAppValidator: z.ZodObject<{
@@ -5547,6 +5585,13 @@ export declare const InstalledAppValidator: z.ZodObject<{
     highlights: z.ZodOptional<z.ZodArray<z.ZodString>>;
     screenshots: z.ZodOptional<z.ZodArray<z.ZodString>>;
     hero_background_color: z.ZodOptional<z.ZodString>;
+    min_age: z.ZodOptional<z.ZodNumber>;
+    age_rating: z.ZodOptional<z.ZodEnum<{
+        "4+": "4+";
+        "9+": "9+";
+        "12+": "12+";
+        "17+": "17+";
+    }>>;
     installed_at: z.ZodString;
 }, z.core.$strip>;
 export type InstalledApp = z.infer<typeof InstalledAppValidator>;
@@ -5590,6 +5635,13 @@ export declare const PaginatedAppStoreListingsValidator: z.ZodObject<{
         highlights: z.ZodOptional<z.ZodArray<z.ZodString>>;
         screenshots: z.ZodOptional<z.ZodArray<z.ZodString>>;
         hero_background_color: z.ZodOptional<z.ZodString>;
+        min_age: z.ZodOptional<z.ZodNumber>;
+        age_rating: z.ZodOptional<z.ZodEnum<{
+            "4+": "4+";
+            "9+": "9+";
+            "12+": "12+";
+            "17+": "17+";
+        }>>;
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type PaginatedAppStoreListings = z.infer<typeof PaginatedAppStoreListingsValidator>;
@@ -5633,6 +5685,13 @@ export declare const PaginatedInstalledAppsValidator: z.ZodObject<{
         highlights: z.ZodOptional<z.ZodArray<z.ZodString>>;
         screenshots: z.ZodOptional<z.ZodArray<z.ZodString>>;
         hero_background_color: z.ZodOptional<z.ZodString>;
+        min_age: z.ZodOptional<z.ZodNumber>;
+        age_rating: z.ZodOptional<z.ZodEnum<{
+            "4+": "4+";
+            "9+": "9+";
+            "12+": "12+";
+            "17+": "17+";
+        }>>;
         installed_at: z.ZodString;
     }, z.core.$strip>>;
 }, z.core.$strip>;
@@ -5646,12 +5705,50 @@ export declare const SendCredentialEventValidator: z.ZodObject<{
     type: z.ZodLiteral<"send-credential">;
     templateAlias: z.ZodString;
     templateData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    preventDuplicateClaim: z.ZodOptional<z.ZodBoolean>;
 }, z.core.$strip>;
 export type SendCredentialEvent = z.infer<typeof SendCredentialEventValidator>;
+export declare const CheckCredentialEventValidator: z.ZodObject<{
+    type: z.ZodLiteral<"check-credential">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CheckCredentialEvent = z.infer<typeof CheckCredentialEventValidator>;
+export declare const CheckIssuanceStatusEventValidator: z.ZodObject<{
+    type: z.ZodLiteral<"check-issuance-status">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+    recipient: z.ZodString;
+}, z.core.$strip>;
+export type CheckIssuanceStatusEvent = z.infer<typeof CheckIssuanceStatusEventValidator>;
+export declare const GetTemplateRecipientsEventValidator: z.ZodObject<{
+    type: z.ZodLiteral<"get-template-recipients">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+    limit: z.ZodOptional<z.ZodNumber>;
+    cursor: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type GetTemplateRecipientsEvent = z.infer<typeof GetTemplateRecipientsEventValidator>;
 export declare const AppEventValidator: z.ZodDiscriminatedUnion<[z.ZodObject<{
     type: z.ZodLiteral<"send-credential">;
     templateAlias: z.ZodString;
     templateData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    preventDuplicateClaim: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"check-credential">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"check-issuance-status">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+    recipient: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"get-template-recipients">;
+    templateAlias: z.ZodOptional<z.ZodString>;
+    boostUri: z.ZodOptional<z.ZodString>;
+    limit: z.ZodOptional<z.ZodNumber>;
+    cursor: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>], "type">;
 export type AppEvent = z.infer<typeof AppEventValidator>;
 export declare const AppEventInputValidator: z.ZodObject<{
@@ -5660,6 +5757,22 @@ export declare const AppEventInputValidator: z.ZodObject<{
         type: z.ZodLiteral<"send-credential">;
         templateAlias: z.ZodString;
         templateData: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        preventDuplicateClaim: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"check-credential">;
+        templateAlias: z.ZodOptional<z.ZodString>;
+        boostUri: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"check-issuance-status">;
+        templateAlias: z.ZodOptional<z.ZodString>;
+        boostUri: z.ZodOptional<z.ZodString>;
+        recipient: z.ZodString;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"get-template-recipients">;
+        templateAlias: z.ZodOptional<z.ZodString>;
+        boostUri: z.ZodOptional<z.ZodString>;
+        limit: z.ZodOptional<z.ZodNumber>;
+        cursor: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>], "type">;
 }, z.core.$strip>;
 export type AppEventInput = z.infer<typeof AppEventInputValidator>;