@neus/sdk 1.0.7 → 1.0.8

package/README.md CHANGED
@@ -10,29 +10,6 @@
10
10
  npm install @neus/sdk
11
11
  ```
12
12
 
13
- ## One-command onboarding
14
-
15
- ```bash
16
- npx -y -p @neus/sdk neus init
17
- ```
18
-
19
- Configures supported MCP clients automatically. By default the command installs NEUS into user-level Claude Code, Cursor, and VS Code MCP config when those clients are detected.
20
-
21
- ## CLI
22
-
23
- ```bash
24
- # Autopilot setup for detected clients
25
- npx -y -p @neus/sdk neus init
26
-
27
- # Enable personal account tools such as neus_me and private reads
28
- npx -y -p @neus/sdk neus auth --access-key <npk_...>
29
-
30
- # Inspect current NEUS MCP setup
31
- npx -y -p @neus/sdk neus status --json
32
- ```
33
-
34
- Use `neus init --project` when you want shared repo config instead of personal user-scope setup. Access keys stay user-scope only so secrets do not land in checked-in config. Use `--client claude`, `--client cursor`, or `--client vscode` when you want to target one editor directly.
35
-
36
13
  ## Minimal working example
37
14
 
38
15
  ```javascript
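Review bot: The removed README lines 13-35 include the only sentence in this diff stating that access keys stay user-scope so secrets do not land in checked-in config, and nothing visible here replaces it. If the `neus` CLI still ships in 1.0.8, keep that guidance somewhere (SECURITY.md would be a natural home) and consider documenting a way to supply the key other than the `--access-key <npk_...>` argument, since a key passed on the command line ends up in shell history. If the CLI was removed, the release notes should say so and tell users how to find and remove the entries that `neus init` wrote into their user-level Claude Code, Cursor, and VS Code MCP config.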
package/SECURITY.md CHANGED
@@ -1,38 +1,38 @@
1
- # NEUS SDK security notes
2
-
3
- Treat **wallet signatures** and **API keys** as secrets. Do not log them, expose them to clients, or store them in analytics.
4
-
5
- ## Authentication model
6
-
7
- - **Verification requests** are authenticated with a wallet signature over the **CAIP-380 Portable Proof** six-line signing string. Never roll your own message format in production—use the SDK or the hosted preparation step documented for HTTP integrations.
8
- - **Proof lookups by `proofId`** are safe for public proofs. Private proofs return a minimal payload unless the caller proves ownership (authenticated owner or signed request).
9
- - **Owner-only reads** of private proof payloads require an extra owner-signed request. The SDK attaches the required signed headers for you.
10
-
11
- ## Do not
12
-
13
- - Do not treat proof signatures as bearer tokens (they are request-bound).
14
- - Do not embed API keys in browser apps. Keep API keys server-side only.
15
- - Do not log or persist proof signatures, API keys, or third-party auth credentials (if your integration uses them).
16
-
17
- ## Privacy defaults
18
-
19
- **`client.verify()`** defaults to **private**.
20
-
21
- **`VerifyGate`** create mode also defaults to **private**.
22
-
23
- Use public visibility only when you intentionally need proof reuse without owner-authenticated access:
24
-
25
- - unlisted public: `privacyLevel: 'public'`, `publicDisplay: false`
26
- - listed public: `privacyLevel: 'public'`, `publicDisplay: true`
27
-
28
- Do not treat unlisted public proofs as secret.
29
-
30
- `storeOriginalContent` is an advanced storage control. Most integrations should leave the default as-is.
31
-
32
- Controls:
33
-
34
- - `privacyLevel` - private by default; switch to public only for intentional public reuse
35
- - `publicDisplay` - discovery vs unlisted
36
- - `storeOriginalContent` - advanced content-storage control
37
-
38
- Discoverable listings require **`privacyLevel: 'public'`** and **`publicDisplay: true`**.
1
+ # NEUS SDK security notes
2
+
3
+ Treat **wallet signatures** and **API keys** as secrets. Do not log them, expose them to clients, or store them in analytics.
4
+
5
+ ## Authentication model
6
+
7
+ - **Verification requests** are authenticated with a wallet signature over the **CAIP-380 Portable Proof** six-line signing string. Never roll your own message format in production—use the SDK or the hosted preparation step documented for HTTP integrations.
8
+ - **Proof lookups by `proofId`** are safe for public proofs. Private proofs return a minimal payload unless the caller proves ownership (authenticated owner or signed request).
9
+ - **Owner-only reads** of private proof payloads require an extra owner-signed request. The SDK attaches the required signed headers for you.
10
+
11
+ ## Do not
12
+
13
+ - Do not treat proof signatures as bearer tokens (they are request-bound).
14
+ - Do not embed API keys in browser apps. Keep API keys server-side only.
15
+ - Do not log or persist proof signatures, API keys, or third-party auth credentials (if your integration uses them).
16
+
17
+ ## Privacy defaults
18
+
19
+ **`client.verify()`** defaults to **private**.
20
+
21
+ **`VerifyGate`** create mode also defaults to **private**.
22
+
23
+ Use public visibility only when you intentionally need proof reuse without owner-authenticated access:
24
+
25
+ - unlisted public: `privacyLevel: 'public'`, `publicDisplay: false`
26
+ - listed public: `privacyLevel: 'public'`, `publicDisplay: true`
27
+
28
+ Do not treat unlisted public proofs as secret.
29
+
30
+ `storeOriginalContent` is an advanced storage control. Most integrations should leave the default as-is.
31
+
32
+ Controls:
33
+
34
+ - `privacyLevel` - private by default; switch to public only for intentional public reuse
35
+ - `publicDisplay` - discovery vs unlisted
36
+ - `storeOriginalContent` - advanced content-storage control
37
+
38
+ Discoverable listings require **`privacyLevel: 'public'`** and **`publicDisplay: true`**.
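Review bot: All 38 lines of SECURITY.md are removed and re-added with text that reads identical on both sides, so this hunk looks like a line-ending or whitespace-only rewrite rather than a content change. Please confirm that and normalise line endings in the published package, because a whole-file rewrite makes it hard for anyone auditing the release to spot a real edit to the security guidance. If a wording change was intended (for example in the "Do not" or "Privacy defaults" sections), it does not show in these lines and should be called out in the changelog.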