@qlever-llc/trellis-svelte 0.7.0-rc.5 → 0.7.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qlever-llc/trellis-svelte",
-  "version": "0.7.0-rc.5",
+  "version": "0.7.0",
   "type": "module",
   "description": "Svelte components and state helpers for Trellis browser applications.",
   "license": "Apache-2.0",
@@ -28,7 +28,7 @@
   },
   "dependencies": {
     "@nats-io/nats-core": "^3.3.1",
-    "@qlever-llc/trellis": "^0.7.0-rc.5",
+    "@qlever-llc/trellis": "^0.7.0",
     "typebox": "^1.0.15"
   },
   "peerDependencies": {

package/src/components/TrellisProvider.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
   import type { NatsConnection } from "@nats-io/nats-core";
   import { AsyncResult } from "@qlever-llc/result";
-  import type { Trellis, TrellisAPI } from "@qlever-llc/trellis";
+  import type { Trellis, TrellisAPI } from "../../../trellis/trellis.ts";
   import { onDestroy } from "svelte";
   import type { Snippet } from "svelte";
   import {
@@ -14,7 +14,7 @@
   import {
     type TrellisClientContract,
   } from "../state/trellis.svelte.ts";
-  import { TrellisClient } from "@qlever-llc/trellis";
+  import { TrellisClient } from "../../../trellis/client_connect.ts";
 
   type Props = {
     children: Snippet;

package/src/context.svelte.ts

@@ -1,5 +1,5 @@
 import type { NatsConnection } from "@nats-io/nats-core";
-import type { TrellisAPI } from "@qlever-llc/trellis";
+import type { TrellisAPI } from "../../trellis/contracts.ts";
 import { createContext } from "svelte";
 import type { AuthState } from "./state/auth.svelte.ts";
 import type { NatsState } from "./state/nats.svelte.ts";

package/src/portal_flow.svelte.ts

@@ -2,10 +2,10 @@ import {
   fetchPortalFlowState,
   portalFlowIdFromUrl,
   portalProviderLoginUrl,
-  type PortalFlowState,
+  type BrowserPortalFlowState as PortalFlowState,
   submitPortalApproval,
   type AuthConfig,
-} from "@qlever-llc/trellis/auth";
+} from "@qlever-llc/trellis/auth/browser";
 
 export type CreatePortalFlowConfig = AuthConfig & {
   getUrl?: () => URL;

package/src/state/auth.svelte.ts

@@ -1,19 +1,18 @@
 import {
-  type BindResponse,
-  type BindSuccessResponse,
+  type AuthStartResponse,
   bindFlow,
+  type BindResponse,
   bindSession,
+  type BindSuccessResponse,
   clearSessionKey,
   getOrCreateSessionKey,
   getPublicSessionKey,
+  startAuthRequest as browserStartAuthRequest,
   type SentinelCreds,
   type SessionKeyHandle,
-} from "@qlever-llc/trellis/auth";
-import { canonicalizeJsonValue } from "../../../auth/utils.ts";
-import { oauthInitSig } from "../../../auth/browser/session.ts";
+} from "@qlever-llc/trellis/auth/browser";
 import { Result } from "@qlever-llc/result";
 import { SvelteDate } from "svelte/reactivity";
-import type { TrellisContractV1 } from "@qlever-llc/trellis";
 import { Type } from "typebox";
 import { Value } from "typebox/value";
 import type { TrellisClientContract } from "./trellis.svelte.ts";
@@ -62,7 +61,10 @@ function loadPersistedAuth(): PersistedAuth | null {
   const result = Result.try(() => {
     const stored = localStorage.getItem(STORAGE_KEY);
     if (!stored) return null;
-    const parsed = Value.Parse(PersistedAuthSchema, JSON.parse(stored)) as PersistedAuth;
+    const parsed = Value.Parse(
+      PersistedAuthSchema,
+      JSON.parse(stored),
+    ) as PersistedAuth;
     if (new Date(parsed.expires) < new Date()) {
       localStorage.removeItem(STORAGE_KEY);
       return null;
@@ -84,12 +86,12 @@ function persistAuth(state: {
   localStorage.setItem(
     STORAGE_KEY,
     JSON.stringify({
-        bindingToken: state.bindingToken,
-        inboxPrefix: state.inboxPrefix,
-        expires: state.expires.toISOString(),
-        sentinel: state.sentinel,
-        natsServers: state.natsServers,
-      }),
+      bindingToken: state.bindingToken,
+      inboxPrefix: state.inboxPrefix,
+      expires: state.expires.toISOString(),
+      sentinel: state.sentinel,
+      natsServers: state.natsServers,
+    }),
   );
 }
 
@@ -115,34 +117,10 @@ function normalizeAuthUrl(authUrl: string): string {
   return new URL(authUrl).toString().replace(/\/$/, "");
 }
 
-function encodeJsonForQuery(value: unknown): string {
-  const json = canonicalizeJsonValue(value);
-  const bytes = new TextEncoder().encode(json);
-  let binary = "";
-  for (const byte of bytes) binary += String.fromCharCode(byte);
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-
-async function buildLoginUrl(options: {
-  authUrl: string;
-  redirectTo: string;
-  handle: SessionKeyHandle;
-  contract: Record<string, unknown>;
-  context?: unknown;
-}): Promise<string> {
-  const sessionKey = getPublicSessionKey(options.handle);
-  const sig = await oauthInitSig(options.handle, options.redirectTo, options.context);
-  const url = new URL(`${options.authUrl}/auth/login`);
-
-  url.searchParams.set("redirectTo", options.redirectTo);
-  url.searchParams.set("sessionKey", sessionKey);
-  url.searchParams.set("sig", sig);
-  url.searchParams.set("contract", encodeJsonForQuery(options.contract));
-  if (options.context !== undefined) {
-    url.searchParams.set("context", encodeJsonForQuery(options.context));
-  }
-
-  return url.href;
+function websocketTransportServers(response: {
+  transports?: { websocket?: { natsServers: string[] } };
+}): string[] | undefined {
+  return response.transports?.websocket?.natsServers;
 }
 
 function loadPersistedAuthUrl(): string | null {
@@ -228,6 +206,14 @@ export class AuthState {
     return authUrl;
   }
 
+  #requireContract(): TrellisClientContract {
+    const contract = this.#config.contract;
+    if (!contract) {
+      throw new Error("Auth contract is not configured");
+    }
+    return contract;
+  }
+
   setAuthUrl(authUrl: string): string {
     const normalized = persistAuthUrl(authUrl);
     this.#config.authUrl = normalized;
@@ -246,6 +232,9 @@ export class AuthState {
   get contract(): TrellisClientContract | undefined {
     return this.#config.contract;
   }
+  get contractDigest(): string {
+    return this.#requireContract().CONTRACT_DIGEST;
+  }
   get sessionKey(): string | null {
     return this.#state.handle ? getPublicSessionKey(this.#state.handle) : null;
   }
@@ -256,7 +245,9 @@ export class AuthState {
     return this.#state.inboxPrefix;
   }
   get expires(): Date | null {
-    return this.#state.expiresMs === null ? null : new SvelteDate(this.#state.expiresMs);
+    return this.#state.expiresMs === null
+      ? null
+      : new SvelteDate(this.#state.expiresMs);
   }
   get sentinel(): SentinelCreds | null {
     return this.#state.sentinel;
@@ -299,21 +290,42 @@ export class AuthState {
    * This method does not return - it redirects the browser.
    */
   async signIn(options: SignInOptions = {}): Promise<never> {
-    const authUrl = options.authUrl ? this.setAuthUrl(options.authUrl) : this.#requireAuthUrl();
+    const currentUrl = new URL(window.location.href);
+    const redirectTo = resolveRedirectTo(options, currentUrl);
+    const response = await this.startAuthRequest({
+      ...options,
+      redirectTo,
+    });
+    window.location.href = response.status === "bound"
+      ? redirectTo
+      : response.loginUrl;
+    throw new Error("Redirecting to auth for provider selection");
+  }
+
+  async startAuthRequest(options: SignInOptions = {}): Promise<AuthStartResponse> {
+    const authUrl = options.authUrl
+      ? this.setAuthUrl(options.authUrl)
+      : this.#requireAuthUrl();
     const handle = await this.init();
     const currentUrl = new URL(window.location.href);
-    const url = await buildLoginUrl({
+    const response = await browserStartAuthRequest({
       authUrl,
       redirectTo: resolveRedirectTo(options, currentUrl),
       handle,
-      contract: this.#config.contract?.CONTRACT ?? {},
+      contract: this.#requireContract().CONTRACT,
       context: options.context,
     });
-    window.location.href = url;
-    throw new Error("Redirecting to auth for provider selection");
+
+    if (response.status === "bound") {
+      this.setBindingToken(response);
+    }
+
+    return response;
   }
 
-  async handleCallback(url: string = window.location.href): Promise<BindResult | null> {
+  async handleCallback(
+    url: string = window.location.href,
+  ): Promise<BindResult | null> {
     if (this.#bindingInProgress) return this.#bindingInProgress;
 
     const flowId = new URL(url).searchParams.get("flowId");
@@ -330,13 +342,18 @@ export class AuthState {
   async #resolveCallback(flowId: string): Promise<BindResult> {
     try {
       const response = await this.bindFlow(flowId);
-      return response.status === "bound"
-        ? { status: "bound" }
-        : { status: "insufficient_capabilities", missingCapabilities: response.missingCapabilities };
+      return response.status === "bound" ? { status: "bound" } : {
+        status: "insufficient_capabilities",
+        missingCapabilities: response.missingCapabilities,
+      };
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("approval_denied")) return { status: "approval_denied" };
-      if (message.includes("approval_required")) return { status: "approval_required" };
+      if (message.includes("approval_denied")) {
+        return { status: "approval_denied" };
+      }
+      if (message.includes("approval_required")) {
+        return { status: "approval_required" };
+      }
       return { status: "error", message };
     }
   }
@@ -346,7 +363,9 @@ export class AuthState {
    */
   cleanupCallbackUrl(url: string = window.location.href): string | null {
     const parsed = new URL(url);
-    if (parsed.searchParams.has("flowId") || parsed.searchParams.has("authError")) {
+    if (
+      parsed.searchParams.has("flowId") || parsed.searchParams.has("authError")
+    ) {
       parsed.searchParams.delete("flowId");
       parsed.searchParams.delete("authError");
       return `${parsed.pathname}${parsed.search}${parsed.hash}`;
@@ -394,10 +413,14 @@ export class AuthState {
   }
 
   setBindingToken(
-    response: Pick<BindSuccessResponse, "bindingToken" | "inboxPrefix" | "expires"> & {
-      sentinel?: SentinelCreds;
-      natsServers?: string[];
-    },
+    response:
+      & Pick<BindSuccessResponse, "bindingToken" | "inboxPrefix" | "expires">
+      & {
+        sentinel?: SentinelCreds;
+        transports?: {
+          websocket?: { natsServers: string[] };
+        };
+      },
   ): void {
     this.#state.bindingToken = response.bindingToken;
     this.#state.inboxPrefix = response.inboxPrefix;
@@ -406,8 +429,9 @@ export class AuthState {
     if (response.sentinel) {
       this.#state.sentinel = response.sentinel;
     }
-    if (response.natsServers) {
-      this.#state.natsServers = response.natsServers;
+    const websocketServers = websocketTransportServers(response);
+    if (websocketServers) {
+      this.#state.natsServers = websocketServers;
     }
 
     // Only persist if we have sentinel credentials
@@ -439,7 +463,9 @@ export class AuthState {
    * Sign out by clearing all credentials and redirecting to login.
    * This method does not return - it redirects the browser.
    */
-  async signOut(remoteLogout?: () => Promise<unknown> | unknown): Promise<never> {
+  async signOut(
+    remoteLogout?: () => Promise<unknown> | unknown,
+  ): Promise<never> {
     if (remoteLogout) {
       try {
         await remoteLogout();

package/src/state/nats.svelte.ts

@@ -3,20 +3,20 @@ import {
   type NatsConnection,
   wsconnect,
 } from "@nats-io/nats-core";
-import type { Trellis } from "@qlever-llc/trellis";
+import type { Trellis } from "../../../trellis/trellis.ts";
 import {
   getPublicSessionKey,
   natsConnectSigForBindingToken,
   type SentinelCreds,
   type SessionKeyHandle,
   signBytes,
-} from "@qlever-llc/trellis/auth";
+} from "@qlever-llc/trellis/auth/browser";
 import { AsyncResult, UnexpectedError } from "@qlever-llc/result";
 import {
   API as AUTH_API,
   type AuthRenewBindingTokenInput,
   type AuthRenewBindingTokenOutput,
-} from "@qlever-llc/trellis/sdk/auth";
+} from "@qlever-llc/trellis-sdk/auth";
 import type { AuthState } from "./auth.svelte.ts";
 import { createClient } from "../../../trellis/client.ts";
 
@@ -258,13 +258,17 @@ export class NatsState {
           context: { message: "Not authenticated: binding token expired" },
         });
       }
-      const { handle, bindingToken } = requireBrowserAuth(this.#authState);
+      const { handle, bindingToken, sentinel } = requireBrowserAuth(
+        this.#authState,
+      );
+      this.#servers = resolveServers(this.#authState, this.#config);
+      this.#sentinel = sentinel;
       const inboxPrefix = this.#authState.inboxPrefix ?? undefined;
       this.#tokenRef.value = await buildNatsAuthToken(handle, bindingToken);
 
       const authenticator = jwtAuthenticator(
-        this.#sentinel.jwt,
-        new TextEncoder().encode(this.#sentinel.seed),
+        sentinel.jwt,
+        new TextEncoder().encode(sentinel.seed),
       );
 
       this.nc = await wsconnect({
@@ -315,13 +319,34 @@ export class NatsState {
       ) => Promise<unknown>;
       const binding = await requestOrThrow(
         "Auth.RenewBindingToken",
-        {} satisfies AuthRenewBindingTokenInput,
+        {
+          contractDigest: this.#authState.contractDigest,
+        } satisfies AuthRenewBindingTokenInput,
       ) as AuthRenewBindingTokenOutput;
-      this.#authState.setBindingToken(binding);
-      this.#tokenRef.value = await buildNatsAuthToken(
-        this.#handle,
-        binding.bindingToken,
-      );
+      if (binding.status === "bound") {
+        this.#authState.setBindingToken(binding);
+        this.#sentinel = this.#authState.sentinel ?? this.#sentinel;
+        this.#tokenRef.value = await buildNatsAuthToken(
+          this.#handle,
+          binding.bindingToken,
+        );
+        return;
+      }
+
+      if (binding.status !== "contract_changed") {
+        return;
+      }
+
+      const authStart = await this.#authState.startAuthRequest({
+        redirectTo: window.location.href,
+      });
+      if (authStart.status === "bound") {
+        this.#authState.setBindingToken(authStart);
+        await this.reconnect();
+        return;
+      }
+
+      window.location.href = authStart.loginUrl;
     };
 
     await AsyncResult.try(renew);

package/src/state/trellis.svelte.ts

@@ -1,12 +1,9 @@
-import {
-  defineContract,
-  type Trellis,
-  type TrellisAPI,
-  type TrellisContractV1,
-} from "@qlever-llc/trellis";
+import { defineAppContract } from "../../../trellis/contract.ts";
+import type { TrellisAPI, TrellisContractV1 } from "../../../trellis/contracts.ts";
+import type { Trellis } from "../../../trellis/trellis.ts";
 import { TrellisClient } from "../../../trellis/client_connect.ts";
 import { createClient } from "../../../trellis/client.ts";
-import { getPublicSessionKey, signBytes } from "@qlever-llc/trellis/auth";
+import { getPublicSessionKey, signBytes } from "@qlever-llc/trellis/auth/browser";
 import type { AuthState } from "./auth.svelte.ts";
 import type { NatsState } from "./nats.svelte.ts";
 
@@ -22,12 +19,13 @@ export type TrellisStateConfig<TApi extends TrellisAPI = TrellisAPI> = {
   contract?: TrellisClientContract<TApi>;
 };
 
-const DEFAULT_TRELLIS_CONTRACT = defineContract({
-  id: "trellis.svelte.browser@v1",
-  displayName: "Trellis Svelte Browser Client",
-  description: "Represent a browser client that only uses its locally declared Trellis APIs.",
-  kind: "app",
-}) satisfies TrellisClientContract<TrellisAPI>;
+const DEFAULT_TRELLIS_CONTRACT = defineAppContract(
+  () => ({
+    id: "trellis.svelte.browser@v1",
+    displayName: "Trellis Svelte Browser Client",
+    description: "Represent a browser client that only uses its locally declared Trellis APIs.",
+  }),
+) satisfies TrellisClientContract<TrellisAPI>;
 
 /**
  * Svelte 5 wrapper for Trellis client.