@parity/product-deploy 0.8.3-rc.1 → 0.8.3-rc.12

package/README.md

@@ -1,5 +1,56 @@
 # bulletin-deploy
 
-Early alpha code, stay tuned.
+CLI tool for deploying web apps to the [Polkadot Bulletin Chain](https://github.com/paritytech/polkadot-bulletin-chain) via [DotNS](https://github.com/paritytech/dotns).
 
-Full documentation and contributing guide: [docs-internal/README.dev.md](docs-internal/README.dev.md)
+## Install
+
+```sh
+npm install -g bulletin-deploy
+```
+
+## Quick start
+
+```sh
+# Build your app, then deploy:
+bulletin-deploy ./dist my-app.dot
+```
+
+## Session-based signing (mobile wallet)
+
+Sign in once with your mobile Polkadot wallet — no mnemonic on disk:
+
+```sh
+bulletin-deploy login    # Scan QR code with your Polkadot wallet app
+bulletin-deploy whoami   # Show the currently signed-in address
+bulletin-deploy logout   # Sign out and clear the session
+```
+
+After `login`, subsequent deploys will use the session signer automatically.
+
+## Options
+
+Run `bulletin-deploy --help` for the full option reference.
+
+Key options:
+
+| Option | Description |
+|--------|-------------|
+| `--env <id>` | Target environment (default: `paseo-next-v2`). Run `--list-environments` to see available IDs. |
+| `--mnemonic "..."` | DotNS owner mnemonic (or set `MNEMONIC` env var). Alternative to session signing. |
+| `--js-merkle` | Use pure-JS merkleization (no IPFS Kubo binary required). |
+| `--publish` | List the domain in the on-chain Publisher registry after deploy. |
+| `--config <path>` | Explicit path to `bulletin-deploy.config.ts` for product deploys. |
+| `--tag "..."` | Label the deploy in telemetry. |
+| `--version` | Print the installed version and exit. |
+
+## Environments
+
+bulletin-deploy ships with built-in environment presets (RPC endpoints, contract addresses). Use `--list-environments` to print the table. Override individual fields with `--environment-file <path>` or `--contract KEY=0x...`.
+
+## Telemetry
+
+Anonymous deploy telemetry is sent to Sentry by default. Set `BULLETIN_DEPLOY_UPDATE_CHECK=0` to disable the version check. The DSN is baked into the published package; source builds are silent.
+
+## Contributing
+
+See [docs-internal/](docs-internal/) for design notes and investigation logs (internal; not published to npm).

package/bin/bulletin-deploy

@@ -8,6 +8,16 @@ import { loadRunState, writeRunState, shouldSkipStaleWarning, shouldShowOomHint,
 import { loadEnvironments, listEnvironments, formatEnvironmentTable, DEFAULT_ENV_ID } from "../dist/environments.js";
 import * as fs from "fs";
 
+// Suppress "@parity/product-sdk-logger" localStorage warning in Node.js v22+.
+// The logger tries to read log-level config from localStorage which doesn't exist
+// in Node.js — it emits a NoSuchNativeMethod warning we cannot fix upstream.
+const _origEmitWarning = process.emitWarning.bind(process);
+process.emitWarning = (warning, ...rest) => {
+  const msg = typeof warning === "string" ? warning : warning?.message ?? String(warning);
+  if (msg.includes("localStorage") || msg.includes("local storage")) return;
+  _origEmitWarning(warning, ...rest);
+};
+
 // Install early so anything printed during flag parsing / preflight is
 // available to the bug-report log tail.
 installLogCapture();
@@ -58,6 +68,7 @@ for (let i = 0; i < args.length; i++) {
   else if (args[i] === "--publish") { flags.publish = true; }
   else if (args[i] === "--unpublish") { flags.unpublish = true; }
   else if (args[i] === "--fail-on-publish-error") { flags.failOnPublishError = true; }
+  else if (args[i] === "--suri") { flags.suri = args[++i]; }
   else if (args[i] === "--version" || args[i] === "-V") { flags.version = true; }
   else if (args[i] === "--help" || args[i] === "-h") { flags.help = true; }
   else { positional.push(args[i]); }
@@ -123,6 +134,36 @@ if (flags.unpublish) {
   }
 }
 
+// Sign-in subcommands: login / logout / whoami.
+// Lazy-imported from dist so the SSO deps never load in headless/deploy mode.
+{
+  const sub = positional[0];
+  if (sub === "login" || sub === "logout" || sub === "whoami") {
+    const envId = flags.env ?? DEFAULT_ENV_ID;
+    // The SSO adapter's polkadot-api client fires a benign `DestroyedError:
+    // Client destroyed` on orphaned pending-response promises during WS teardown,
+    // AFTER the command has done its work (e.g. logout already disconnected). The
+    // deploy path's handlers (below) aren't installed yet here, so guard the
+    // command path: swallow that + connection-teardown noise, surface anything else.
+    const benignTeardown = (e) => {
+      const s = e instanceof Error ? `${e.name ?? ""} ${e.message ?? ""}` : String(e);
+      return isConnectionError(e) || /DestroyedError|Client destroyed/.test(s);
+    };
+    process.on("unhandledRejection", (e) => { if (!benignTeardown(e)) { console.error(e); process.exit(1); } });
+    process.on("uncaughtException", (e) => { if (!benignTeardown(e)) { console.error(e); process.exit(1); } });
+    try {
+      const capSub = sub.charAt(0).toUpperCase() + sub.slice(1);
+      const mod = await import(`../dist/commands/${sub}.js`);
+      await mod[`run${capSub}`](envId, { suri: flags.suri });
+    } catch (err) {
+      console.error(`Error: ${err?.message ?? err}`);
+      process.exit(1);
+    }
+    await closeTelemetry();
+    process.exit(0);
+  }
+}
+
 // `product` subcommand. Only `validate` is wired today. `publish` and `resolve` arrive in later phases.
 if (positional[0] === "product") {
   const verb = positional[1];
@@ -171,6 +212,9 @@ if (flags.help || positional.length === 0) {
 
 Usage:
   bulletin-deploy <build-dir> <domain.dot>  Deploy an app
+  bulletin-deploy login                     Sign in with your Polkadot wallet (mobile)
+  bulletin-deploy logout                    Sign out and clear the session
+  bulletin-deploy whoami                    Show the currently signed-in address
 
 Options:
   --env <id>               Target environment from environments.json (default: paseo-next-v2).
@@ -259,7 +303,14 @@ if (!flags.help && !flags.version) {
       console.error("");
       markRelaunchOomHintShown();
     } else if (prev.status === "crashed" && prev.reason) {
-      console.error(`   Previous deploy exited via ${prev.reason}. Continuing.`);
+      const reasonMap = {
+        "unhandled": "crashed unexpectedly",
+        "uncaught": "crashed unexpectedly",
+        "SIGINT": "was interrupted (Ctrl-C)",
+        "SIGTERM": "was stopped",
+      };
+      const friendly = reasonMap[prev.reason] ?? "did not exit cleanly";
+      console.error(`   Previous deploy ${friendly}. Continuing.`);
     } else if (prev.status === "running") {
       console.error(`   Previous deploy did not exit cleanly. Continuing.`);
     }
@@ -378,6 +429,7 @@ try {
   const result = await deploy(buildDir, domain, {
     mnemonic: flags.mnemonic,
     derivationPath: flags.derivationPath,
+    suri: flags.suri,
     rpc: flags.rpc,
     env: flags.env,
     poolSize: flags.poolSize,
@@ -435,13 +487,7 @@ try {
         ? `--config ${flags.config}`
         : `bulletin-deploy.config.{ts,js,mjs} via walking up from ${buildDirAbs}`;
       console.log("");
-      console.log(`⚠  No bulletin-deploy.config.ts found (${where}).`);
-      console.log(`   ${domain} was published as legacy contenthash only.`);
-      console.log("   Add a bulletin-deploy.config.ts to enable the product manifest:");
-      console.log("     • product icon, displayName, description on the base name");
-      console.log("     • per-modality subnames (app.<id>.dot, widget.<id>.dot, worker.<id>.dot)");
-      console.log("     • each modality’s archive CID on its subname contenthash");
-      console.log("   See: https://github.com/paritytech/triangle-js-sdks (Product Manifest RFC)");
+      console.log(`⚠  No bulletin-deploy.config.ts — ${domain} published as legacy contenthash only. Add config to enable product manifest: https://github.com/paritytech/triangle-js-sdks`);
     }
   }
 

package/dist/allocations-B65Is4Md.d.ts

@@ -0,0 +1,97 @@
+import { UserSession } from '@parity/product-sdk-terminal';
+
+/**
+ * Thin wrapper over the RFC-0010 `host_request_resource_allocation` call.
+ * Lifted from playground-cli `src/utils/allowances/host.ts` (issue #411).
+ *
+ * `@parity/product-sdk-terminal` does not yet re-export this API at its
+ * package root, but the underlying `UserSession` (from `@novasamatech/host-papp`)
+ * exposes `requestResourceAllocation()`. We call it directly here and gate the
+ * shape locally so consumers stay decoupled from the deep import path. Replace
+ * this whole module with a `product-sdk-terminal` re-export once the SDK
+ * surfaces the same call.
+ *
+ * Wire format (SCALE-derived, mirrors host-papp's
+ * `dist/sso/sessionManager/scale/resourceAllocation.d.ts`):
+ *   request  → { callingProductId, resources: AllocatableResource[], onExisting }
+ *   response → AllocationOutcome[] (one per resource, in order)
+ *
+ * The mobile app handles `hostRequestResourceAllocation` in
+ * `AllowanceHostCalls.kt` and routes the user through an approval UI.
+ */
+
+/**
+ * Structural mirror of host-papp's `ApAllocatableResource` codec type. We
+ * declare it locally because host-papp's package root doesn't re-export the
+ * codec types yet — when it does (and product-sdk-terminal threads them
+ * through) this can be replaced with a direct import.
+ *
+ *   StatementStoreAllowance — write to the SSS (host_chat, allowance ring).
+ *   BulletInAllowance       — write to Bulletin (TransactionStorage.store).
+ *   SmartContractAllowance  — PGAS sponsoring for Revive contract calls.
+ *                             The `value` is the derivation index of the
+ *                             product account (0 for the default account).
+ *   AutoSigning             — surrender the product-account signing key to
+ *                             the host so it can sign on the user's behalf
+ *                             without per-call prompts. Not used today.
+ */
+type AllocatableResource = {
+    tag: "StatementStoreAllowance";
+    value: undefined;
+} | {
+    tag: "BulletInAllowance";
+    value: undefined;
+} | {
+    tag: "SmartContractAllowance";
+    value: number;
+} | {
+    tag: "AutoSigning";
+    value: undefined;
+};
+/**
+ * Outcome of one allocation. We don't read the inner `Allocated` payload
+ * (allowance slot keys, derivation secrets) — the host stores them and uses
+ * them transparently on subsequent calls. We just need the tag to know
+ * whether the allocation succeeded.
+ */
+type AllocationOutcome = {
+    tag: "Allocated";
+    value: unknown;
+} | {
+    tag: "Rejected";
+    value: undefined;
+} | {
+    tag: "NotAvailable";
+    value: undefined;
+};
+/** Tag-only view, handy for downstream code that doesn't care about payloads. */
+type ResourceTag = AllocatableResource["tag"];
+type OnExistingAllowancePolicy = "Ignore" | "Increase";
+/**
+ * Default mobile-granted resource set for a CLI product account: write access
+ * to the statement store + Bulletin, plus PGAS sponsoring for the default
+ * (index 0) product account.
+ */
+declare const DEFAULT_RESOURCES: AllocatableResource[];
+/**
+ * Send a `host_request_resource_allocation` request over the user's active
+ * session. The host (mobile wallet) prompts the user to approve and returns
+ * one outcome per requested resource in order.
+ *
+ * Throws on transport-level failures (Statement Store unreachable, encryption
+ * error, etc.). Per-resource refusals are reported as `Rejected`/`NotAvailable`
+ * outcomes — callers inspect the array to decide whether to proceed.
+ */
+declare function requestResourceAllocation(session: UserSession, productId: string, resources?: AllocatableResource[], onExisting?: OnExistingAllowancePolicy): Promise<AllocationOutcome[]>;
+interface AllocationSummary {
+    granted: AllocatableResource[];
+    rejected: AllocatableResource[];
+    unavailable: AllocatableResource[];
+}
+/**
+ * Bucket allocation outcomes by tag. Order-sensitive: `outcomes[i]` maps to
+ * `resources[i]`. Outcomes without a matching resource are silently dropped.
+ */
+declare function summarizeOutcomes(outcomes: AllocationOutcome[], resources: AllocatableResource[]): AllocationSummary;
+
+export { type AllocatableResource as A, DEFAULT_RESOURCES as D, type OnExistingAllowancePolicy as O, type ResourceTag as R, type AllocationOutcome as a, type AllocationSummary as b, requestResourceAllocation as r, summarizeOutcomes as s };

package/dist/auth/index.d.ts

@@ -0,0 +1,7 @@
+export { A as AuthClient, a as AuthConfig, C as ConnectResult, L as LoginHandle, b as LoginStatus, c as LogoutHandle, d as LogoutStatus, S as SessionAddresses, e as SessionHandle, f as createAuthClient } from '../auth-DkRZBK-T.js';
+export { renderQrCode } from '@parity/product-sdk-terminal';
+export { R as ResolvedSigner, S as SignerNotAvailableError, r as resolveSigner } from '../signer-CriGqahj.js';
+export { A as AllocatableResource, a as AllocationOutcome, b as AllocationSummary, D as DEFAULT_RESOURCES, r as requestResourceAllocation, s as summarizeOutcomes } from '../allocations-B65Is4Md.js';
+export { renderLoginStatus, renderLogoutStatus } from './vendor/ui/index.js';
+import 'polkadot-api';
+import '@parity/product-sdk-tx';

package/dist/auth/index.js

@@ -0,0 +1,26 @@
+import "../chunk-JQKKMUCT.js";
+import {
+  DEFAULT_RESOURCES,
+  SignerNotAvailableError,
+  createAuthClient,
+  requestResourceAllocation,
+  resolveSigner,
+  summarizeOutcomes
+} from "../chunk-2OZVKA3D.js";
+import {
+  renderLoginStatus,
+  renderLogoutStatus,
+  renderQrCode
+} from "../chunk-RIRDBSBG.js";
+import "../chunk-ZOC4GITL.js";
+export {
+  DEFAULT_RESOURCES,
+  SignerNotAvailableError,
+  createAuthClient,
+  renderLoginStatus,
+  renderLogoutStatus,
+  renderQrCode,
+  requestResourceAllocation,
+  resolveSigner,
+  summarizeOutcomes
+};

package/dist/auth/vendor/index.d.ts

@@ -0,0 +1,32 @@
+export { A as AuthClient, a as AuthConfig, C as ConnectResult, L as LoginHandle, b as LoginStatus, c as LogoutHandle, d as LogoutStatus, S as SessionAddresses, e as SessionHandle, f as createAuthClient } from '../../auth-DkRZBK-T.js';
+import { UserSession } from '@parity/product-sdk-terminal';
+import { PolkadotSigner } from 'polkadot-api';
+export { R as ResolvedSigner, S as SignerNotAvailableError, a as SignerOptions, b as SignerSource, p as parseDevAccountName, r as resolveSigner } from '../../signer-CriGqahj.js';
+export { A as AllocatableResource, a as AllocationOutcome, b as AllocationSummary, D as DEFAULT_RESOURCES, O as OnExistingAllowancePolicy, R as ResourceTag, r as requestResourceAllocation, s as summarizeOutcomes } from '../../allocations-B65Is4Md.js';
+import '@parity/product-sdk-tx';
+
+interface ProductAccountRef {
+    productId: string;
+    derivationIndex: number;
+}
+declare const INCOMPLETE_SESSION_MESSAGE = "Stored login session is missing the root account public key. Run \"logout\" and then \"login\" to pair again.";
+declare function sessionRootPublicKey(session: UserSession): Uint8Array;
+/**
+ * Soft-derive the product account public key off a wallet root.
+ *
+ * This is the single source of truth for product-account math. Both
+ * `createSessionSigner` (which builds the signer used to actually sign
+ * on-chain) and `deriveSessionAddresses` (which builds the display triple)
+ * go through here so a future change to derivation params can't silently
+ * desync the signer from what we print.
+ *
+ * sr25519 soft derivation is composable on public keys alone, so deriving
+ * from `rootAccountId` locally produces the SAME public key the mobile
+ * derives privately via `mnemonic + "/product/...{idx}"`. Algorithm parity
+ * with mobile/desktop is locked by the frozen vectors in
+ * `@parity/product-sdk-keys`'s `product-account.test.ts`.
+ */
+declare function deriveProductPublicKey(rootAccountId: Uint8Array, ref: ProductAccountRef): Uint8Array;
+declare function createSessionSigner(session: UserSession, ref: ProductAccountRef): PolkadotSigner;
+
+export { INCOMPLETE_SESSION_MESSAGE, type ProductAccountRef, createSessionSigner, deriveProductPublicKey, sessionRootPublicKey };

package/dist/auth/vendor/index.js

@@ -0,0 +1,27 @@
+import {
+  DEFAULT_RESOURCES,
+  INCOMPLETE_SESSION_MESSAGE,
+  SignerNotAvailableError,
+  createAuthClient,
+  createSessionSigner,
+  deriveProductPublicKey,
+  parseDevAccountName,
+  requestResourceAllocation,
+  resolveSigner,
+  sessionRootPublicKey,
+  summarizeOutcomes
+} from "../../chunk-2OZVKA3D.js";
+import "../../chunk-ZOC4GITL.js";
+export {
+  DEFAULT_RESOURCES,
+  INCOMPLETE_SESSION_MESSAGE,
+  SignerNotAvailableError,
+  createAuthClient,
+  createSessionSigner,
+  deriveProductPublicKey,
+  parseDevAccountName,
+  requestResourceAllocation,
+  resolveSigner,
+  sessionRootPublicKey,
+  summarizeOutcomes
+};

package/dist/auth/vendor/ui/index.d.ts

@@ -0,0 +1,15 @@
+export { renderQrCode } from '@parity/product-sdk-terminal';
+import { b as LoginStatus, d as LogoutStatus } from '../../../auth-DkRZBK-T.js';
+import 'polkadot-api';
+import '../../../allocations-B65Is4Md.js';
+
+/**
+ * Pure formatters that map the `LoginStatus` / `LogoutStatus` streams to
+ * one-line terminal messages. No I/O, no terminal deps — `import type` only,
+ * so this module stays unit-testable without the SSO stack.
+ */
+
+declare function renderLoginStatus(status: LoginStatus): string;
+declare function renderLogoutStatus(status: LogoutStatus): string;
+
+export { renderLoginStatus, renderLogoutStatus };

package/dist/auth/vendor/ui/index.js

@@ -0,0 +1,10 @@
+import {
+  renderLoginStatus,
+  renderLogoutStatus,
+  renderQrCode
+} from "../../../chunk-RIRDBSBG.js";
+export {
+  renderLoginStatus,
+  renderLogoutStatus,
+  renderQrCode
+};

package/dist/auth-DkRZBK-T.d.ts

@@ -0,0 +1,122 @@
+import { TerminalAdapter, UserSession } from '@parity/product-sdk-terminal';
+import { PolkadotSigner } from 'polkadot-api';
+import { A as AllocatableResource, O as OnExistingAllowancePolicy, a as AllocationOutcome } from './allocations-B65Is4Md.js';
+
+/**
+ * Per-product configuration injected into `createAuthClient`. Lifting the
+ * sign-in glue out of playground-cli (issue #411) means the env-specific
+ * constants playground hard-coded in its `config.ts` (DAPP_ID, product id,
+ * metadata URL, People-chain endpoints) become consumer-supplied so the same
+ * package serves `playground` and `dot` (and future products) unchanged.
+ */
+interface AuthConfig {
+    /** The dApp identity string. Scopes the on-disk session namespace
+     *  (`~/.polkadot-apps/${dappId}_*`) and the SSO pairing — each product
+     *  gets its own, independently-revocable session. */
+    dappId: string;
+    /** Product id used to derive the product account (`/product/{productId}/{index}`). */
+    productId: string;
+    /** Derivation index of the product account (0 = default). */
+    derivationIndex: number;
+    /** Hosted app-metadata doc (name/icon) the mobile wallet reads at pairing. */
+    metadataUrl: string;
+    /** People-parachain RPC endpoints the terminal adapter connects to. */
+    peopleEndpoints: string[];
+}
+
+/**
+ * The three addresses we surface from a paired session.
+ *
+ * - `rootAddress` — SS58 of `session.rootAccountId`, the `rootUserAccountId`
+ *   the mobile app sent over the SSO handshake (bare-mnemonic sr25519 root on
+ *   current mobile builds). Keyed by `Resources.Consumers` on the People
+ *   parachain, so it's the right input for `lookupUsername`.
+ * - `productAddress` — SS58 of the product account derived via
+ *   `product/{productId}/{index}` from `rootAccountId`. This is what actually
+ *   signs on-chain transactions from the CLI.
+ * - `productH160` — the same product pubkey as a 20-byte EVM address (Revive /
+ *   contracts view). Derived from the SAME pubkey as `productAddress`.
+ */
+interface SessionAddresses {
+    rootAddress: string;
+    productAddress: string;
+    productH160: `0x${string}`;
+}
+type ConnectResult = {
+    kind: "existing";
+    address: string;
+    addresses: SessionAddresses;
+} | {
+    kind: "qr";
+    qrCode: string;
+    login: LoginHandle;
+};
+type LoginStatus = {
+    step: "waiting";
+} | {
+    step: "paired";
+} | {
+    step: "pending";
+    stage: string;
+} | {
+    step: "success";
+    address: string;
+    addresses: SessionAddresses;
+} | {
+    step: "error";
+    message: string;
+};
+interface LoginHandle {
+    adapter: TerminalAdapter;
+    /** The authenticate() promise — already running since connect(). */
+    authPromise: ReturnType<TerminalAdapter["sso"]["authenticate"]>;
+}
+/**
+ * A session signer bundle — the signer plus an explicit `destroy()` that tears
+ * down the long-lived adapter the signer depends on. Callers MUST invoke
+ * `destroy()` once done — the WebSocket keeps the event loop alive.
+ */
+interface SessionHandle {
+    address: string;
+    addresses: SessionAddresses;
+    signer: PolkadotSigner;
+    userSession: UserSession;
+    destroy(): void;
+}
+type LogoutStatus = {
+    step: "disconnecting";
+    address: string;
+} | {
+    step: "success";
+    address: string;
+} | {
+    step: "partial";
+    address: string;
+    reason: string;
+} | {
+    step: "error";
+    message: string;
+};
+interface LogoutHandle {
+    adapter: TerminalAdapter;
+    address: string;
+    session: UserSession;
+}
+/** The product-bound auth surface returned by `createAuthClient`. */
+interface AuthClient {
+    connect(): Promise<ConnectResult>;
+    waitForLogin(handle: LoginHandle, onStatus: (status: LoginStatus) => void): Promise<string | null>;
+    getSessionSigner(): Promise<SessionHandle | null>;
+    findSession(): Promise<LogoutHandle | null>;
+    waitForLogout(handle: LogoutHandle, onStatus: (status: LogoutStatus) => void): Promise<void>;
+    requestAllocation(session: UserSession, resources?: AllocatableResource[], onExisting?: OnExistingAllowancePolicy): Promise<AllocationOutcome[]>;
+    clearLocalAppStorage(dir?: string): Promise<void>;
+}
+/**
+ * Build an auth client bound to a product's `AuthConfig`. All adapter creation,
+ * address derivation, and session-storage scoping read from `config`, so the
+ * same code serves any product.
+ */
+declare function createAuthClient(config: AuthConfig): AuthClient;
+
+export { type AuthClient as A, type ConnectResult as C, type LoginHandle as L, type SessionAddresses as S, type AuthConfig as a, type LoginStatus as b, type LogoutHandle as c, type LogoutStatus as d, type SessionHandle as e, createAuthClient as f };

package/dist/auth-config.d.ts

@@ -0,0 +1,39 @@
+import { a as AuthConfig, A as AuthClient } from './auth-DkRZBK-T.js';
+import { EnvironmentsDoc } from './environments.js';
+import '@parity/product-sdk-terminal';
+import 'polkadot-api';
+import './allocations-B65Is4Md.js';
+
+/** dApp identity that scopes the SSO session namespace on disk. Currently reuses
+ *  playground's identity for dev; swap to e.g. "dot-deploy" when dot has its own
+ *  hosted metadata document. */
+declare const DOT_DAPP_ID = "dot-cli";
+/** Product id used for product-account derivation (`/product/{productId}/{index}`).
+ *  Reuses playground's product id so dev sessions are shared. */
+declare const DOT_PRODUCT_ID = "playground.dot";
+/** Derivation index (0 = default product account). */
+declare const DOT_DERIVATION_INDEX = 0;
+/** Metadata document URL the mobile wallet fetches at pairing to display the app name/icon.
+ *  Reuses playground's hosted gist for dev — swap once dot has its own hosted doc. */
+declare const DOT_TERMINAL_METADATA_URL = "https://gist.githubusercontent.com/ReinhardHatko/1967dd3f4afe78683cc0ba14d6ec8744/raw/c1625eb7ed7671b7e09a3fa2a25998dde33c70b8/metadata.json";
+/**
+ * Returns true if there is a persisted SSO session file on disk.
+ * Does NOT load the SSO stack — uses only node fs/os/path.
+ * Safe to call from headless/pool paths.
+ */
+declare function hasPersistedSession(): boolean;
+/**
+ * Build an `AuthConfig` from the bundled environments document.
+ *
+ * Reads the People-parachain endpoint for `envId` and assembles the config that
+ * `createAuthClient` needs. Throws with a clear message if the people chain or
+ * its endpoint for `envId` is absent.
+ */
+declare function buildAuthConfig(doc: EnvironmentsDoc, envId: string): AuthConfig;
+/**
+ * Lazily create an auth client for the given environment. Imports the facade
+ * only when called so the SSO deps don't load in headless/mnemonic paths.
+ */
+declare function getAuthClient(envId: string): Promise<AuthClient>;
+
+export { DOT_DAPP_ID, DOT_DERIVATION_INDEX, DOT_PRODUCT_ID, DOT_TERMINAL_METADATA_URL, buildAuthConfig, getAuthClient, hasPersistedSession };

package/dist/auth-config.js

@@ -0,0 +1,20 @@
+import {
+  DOT_DAPP_ID,
+  DOT_DERIVATION_INDEX,
+  DOT_PRODUCT_ID,
+  DOT_TERMINAL_METADATA_URL,
+  buildAuthConfig,
+  getAuthClient,
+  hasPersistedSession
+} from "./chunk-YUSHBZBX.js";
+import "./chunk-5K3RI5C2.js";
+import "./chunk-ZOC4GITL.js";
+export {
+  DOT_DAPP_ID,
+  DOT_DERIVATION_INDEX,
+  DOT_PRODUCT_ID,
+  DOT_TERMINAL_METADATA_URL,
+  buildAuthConfig,
+  getAuthClient,
+  hasPersistedSession
+};

package/dist/bug-report.js

@@ -9,10 +9,10 @@ import {
   offerBugReport,
   scrubSecrets,
   setDeployContext
-} from "./chunk-C4GH5ARB.js";
-import "./chunk-BDS2LLCJ.js";
-import "./chunk-P53IIXZ7.js";
-import "./chunk-UNWYTYYZ.js";
+} from "./chunk-SNP5ZKLS.js";
+import "./chunk-CBLBVAGQ.js";
+import "./chunk-6RKWBRCK.js";
+import "./chunk-NYPXRYSY.js";
 export {
   buildCliFlagsSummary,
   buildLabels,