@neetru/sdk 3.1.4 → 3.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/README.md +8 -4
  3. package/dist/auth.cjs +35 -9
  4. package/dist/auth.cjs.map +1 -1
  5. package/dist/auth.d.cts +1 -1
  6. package/dist/auth.d.ts +1 -1
  7. package/dist/auth.mjs +35 -9
  8. package/dist/auth.mjs.map +1 -1
  9. package/dist/catalog.d.cts +1 -1
  10. package/dist/catalog.d.ts +1 -1
  11. package/dist/checkout.d.cts +1 -1
  12. package/dist/checkout.d.ts +1 -1
  13. package/dist/db-react.d.cts +1 -1
  14. package/dist/db-react.d.ts +1 -1
  15. package/dist/db.d.cts +1 -1
  16. package/dist/db.d.ts +1 -1
  17. package/dist/entitlements.d.cts +1 -1
  18. package/dist/entitlements.d.ts +1 -1
  19. package/dist/firestore-compat.d.cts +1 -1
  20. package/dist/firestore-compat.d.ts +1 -1
  21. package/dist/index.cjs +36 -10
  22. package/dist/index.cjs.map +1 -1
  23. package/dist/index.d.cts +3 -3
  24. package/dist/index.d.ts +3 -3
  25. package/dist/index.mjs +36 -10
  26. package/dist/index.mjs.map +1 -1
  27. package/dist/mocks.cjs +26 -7
  28. package/dist/mocks.cjs.map +1 -1
  29. package/dist/mocks.d.cts +24 -7
  30. package/dist/mocks.d.ts +24 -7
  31. package/dist/mocks.mjs +26 -7
  32. package/dist/mocks.mjs.map +1 -1
  33. package/dist/notifications.d.cts +1 -1
  34. package/dist/notifications.d.ts +1 -1
  35. package/dist/react.d.cts +1 -1
  36. package/dist/react.d.ts +1 -1
  37. package/dist/support.d.cts +1 -1
  38. package/dist/support.d.ts +1 -1
  39. package/dist/telemetry.d.cts +1 -1
  40. package/dist/telemetry.d.ts +1 -1
  41. package/dist/{types-DvMdYbfV.d.cts → types-BXvGHppn.d.cts} +8 -0
  42. package/dist/{types-CRIIjqzC.d.ts → types-CQVak2a3.d.ts} +8 -0
  43. package/dist/usage.d.cts +1 -1
  44. package/dist/usage.d.ts +1 -1
  45. package/dist/webhooks.d.cts +1 -1
  46. package/dist/webhooks.d.ts +1 -1
  47. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,15 @@ All notable changes to `@neetru/sdk` will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [3.1.5] - 2026-06-18 — **fix: drift de versão + exemplos quebrados no README**
9
+
10
+ Release **patch**. Item I4 do Conselho de UI (version/reference drift).
11
+
12
+ ### Fixed
13
+
14
+ - **`VERSION` exportado** agora bate com o `package.json` (`3.1.5`). Estava pinado em `'3.1.3'` enquanto o pacote publicado já era `3.1.4` → consumers liam a versão errada via `import { VERSION } from '@neetru/sdk'`.
15
+ - **README** parou de mostrar `usage.track()` / `usage.getQuota()` como exemplos vivos — são métodos REMOVIDOS no 3.0 (o próprio README/CHANGELOG documenta a remoção). Trocados por `usage.report(resource, qty)` (devolve `{value, limit, remaining}` inline) e `usage.check(resource)`.
16
+
8
17
  ## [3.1.0] - 2026-06-05 — **feat: subpath `firestore-compat` + hooks de dados React (frente-B P0)**
9
18
 
10
19
  Release **minor** — só adições, nenhum export removido nem assinatura alterada (a suite de snapshot SDK-QW-5 confirma que a superfície pública 3.0 segue intacta). Upgrade direto de qualquer 3.0.x.
package/README.md CHANGED
@@ -194,10 +194,14 @@ const detailed = await neetru.entitlements.detailed('gestovendas', 'ai_recommend
194
194
  ### Usage tracking
195
195
 
196
196
  ```ts
197
- await neetru.usage.track('report_generated', { count: 42, format: 'pdf' });
198
-
199
- const quota = await neetru.usage.getQuota('reports_per_month');
200
- // → { used: 15, limit: 100, resetsAt: '...', plan: 'starter' }
197
+ // Reporta consumo (resource, qty) devolve {value, limit, remaining} inline,
198
+ // sem precisar de uma chamada de quota separada. Idempotency-Key automático.
199
+ const usage = await neetru.usage.report('reports_generated', 1);
200
+ // → { value: 16, limit: 100, remaining: 84, status: 'ok' }
201
+
202
+ // Verifica entitlement de um resource (sem incrementar o contador).
203
+ const ent = await neetru.usage.check('reports_per_month');
204
+ // → { allowed, limit?, remaining? }
201
205
  ```
202
206
 
203
207
  ### Support
package/dist/auth.cjs CHANGED
@@ -5469,9 +5469,19 @@ var DEV_FIXTURE_USER = Object.freeze({
5469
5469
  var MockAuth = class {
5470
5470
  _user;
5471
5471
  _listeners;
5472
- constructor(initialUser = null) {
5472
+ _allowUnsignedDecode;
5473
+ constructor(initialUser = null, options) {
5473
5474
  this._user = initialUser;
5474
5475
  this._listeners = /* @__PURE__ */ new Set();
5476
+ this._allowUnsignedDecode = options?.allowUnsignedDecode ?? false;
5477
+ if (this._allowUnsignedDecode) {
5478
+ const isTestEnv = typeof process !== "undefined" && (process.env?.NODE_ENV === "test" || process.env?.VITEST === "true" || process.env?.VITEST != null);
5479
+ if (!isTestEnv && typeof console !== "undefined") {
5480
+ console.warn(
5481
+ "[neetru-sdk] MockAuth.verifyToken est\xE1 em modo allowUnsignedDecode=true: tokens N\xC3O t\xEAm assinatura verificada. Este modo \xE9 exclusivo para testes \u2014 NUNCA use como security boundary em c\xF3digo deployado."
5482
+ );
5483
+ }
5484
+ }
5475
5485
  }
5476
5486
  async signIn(_options) {
5477
5487
  if (!this._user) this._user = { ...DEV_FIXTURE_USER };
@@ -5496,18 +5506,27 @@ var MockAuth = class {
5496
5506
  };
5497
5507
  }
5498
5508
  /**
5499
- * Mock de `verifyToken` — decodifica o JWT sem verificar assinatura (pra testes).
5500
- * Em dev, retorna o user atual do mock se já estiver logado. Aceita qualquer token
5501
- * não-vazio sem chamar rede.
5509
+ * Mock de `verifyToken` — por default lança `unauthorized` pra prevenir uso
5510
+ * acidental como security boundary em código deployado.
5511
+ *
5512
+ * Para decodificar JWTs sem verificar assinatura em testes, crie a instância
5513
+ * com `new MockAuth(user, { allowUnsignedDecode: true })`. Isso é um opt-in
5514
+ * explícito — nunca acontece silenciosamente.
5502
5515
  *
5503
- * Para simular falhas em testes, use `MockAuth.__mockVerifyToken(fn)`.
5516
+ * Para simular falhas ou resultados customizados, use `__mockVerifyToken(fn)`.
5504
5517
  */
5505
5518
  async verifyToken(token) {
5506
5519
  if (this._verifyTokenOverride) {
5507
5520
  return this._verifyTokenOverride(token);
5508
5521
  }
5509
5522
  if (!token) {
5510
- throw Object.assign(new Error("Token inv\xE1lido"), { code: "token_invalid_signature" });
5523
+ throw new NeetruError("token_invalid_signature", "Token inv\xE1lido: string vazia");
5524
+ }
5525
+ if (!this._allowUnsignedDecode) {
5526
+ throw new NeetruError(
5527
+ "unauthorized",
5528
+ "MockAuth.verifyToken n\xE3o verifica assinaturas JWT e N\xC3O deve ser usado como security boundary em c\xF3digo deployado. Em testes, use new MockAuth(user, { allowUnsignedDecode: true }) para habilitar decodifica\xE7\xE3o sem assinatura, ou __mockVerifyToken(fn) para injetar resultado customizado."
5529
+ );
5511
5530
  }
5512
5531
  try {
5513
5532
  const parts = token.split(".");
@@ -5534,7 +5553,7 @@ var MockAuth = class {
5534
5553
  } catch {
5535
5554
  }
5536
5555
  if (this._user) return this._user;
5537
- throw Object.assign(new Error("Nenhum user mock dispon\xEDvel"), { code: "token_invalid_signature" });
5556
+ throw new NeetruError("token_invalid_signature", "Nenhum user mock dispon\xEDvel e JWT sem sub v\xE1lido");
5538
5557
  }
5539
5558
  /**
5540
5559
  * Mock de `handleRedirectCallback` (Bug 2 / 3.1.3) — não há redirect real no
@@ -6094,13 +6113,20 @@ function createOidcAuthNamespace(config) {
6094
6113
  const issuer = idpOrigin;
6095
6114
  const jwksUrl = `${idpOrigin}/api/v1/oauth/.well-known/jwks.json`;
6096
6115
  const cacheTtlMs = options?.jwksCacheTtlMs ?? DEFAULT_JWKS_TTL_MS;
6116
+ const audienceFromOptions = options?.audience;
6097
6117
  const parsedKey = tryParseApiKey(config.apiKey);
6098
- const audience = parsedKey?.keyId;
6118
+ const audience = audienceFromOptions ?? parsedKey?.keyId;
6119
+ if (!audience) {
6120
+ throw new NeetruError(
6121
+ "invalid_config",
6122
+ "verifyToken requires an audience: provide apiKey on the client or pass options.audience. Calling jwtVerify without an audience allows tokens issued for other OIDC clients to pass."
6123
+ );
6124
+ }
6099
6125
  const jwks = _getJwks(jwksUrl, cacheTtlMs);
6100
6126
  try {
6101
6127
  const { payload } = await jose.jwtVerify(token, jwks, {
6102
6128
  issuer,
6103
- ...audience ? { audience } : {},
6129
+ audience,
6104
6130
  algorithms: ["RS256"]
6105
6131
  });
6106
6132
  return _jwtPayloadToUser(payload);