@qlever-llc/trellis 0.6.1 → 0.7.0-rc.2

package/esm/trellis/client_connect.js

@@ -0,0 +1,300 @@
+import * as dntShim from "../_dnt.shims.js";
+import { jwtAuthenticator } from "@nats-io/nats-core";
+import { BindResponseSchema, buildLoginUrl, getOrCreateSessionKey, } from "./auth.js";
+import { createAuth } from "./auth.js";
+import { canonicalizeJsonValue, sha256, utf8 } from "./auth.js";
+import { loadDefaultRuntimeTransport, } from "./runtime_transport.js";
+import { Trellis } from "./trellis.js";
+import { Type } from "typebox";
+import { Value } from "typebox/value";
+import { bindFlowSig, getPublicSessionKey, oauthInitSig, signBytes, } from "../auth/browser/session.js";
+const ClientBootstrapReadySchema = Type.Object({
+    status: Type.Literal("ready"),
+    connectInfo: Type.Object({
+        sessionKey: Type.String({ minLength: 1 }),
+        contractId: Type.String({ minLength: 1 }),
+        contractDigest: Type.String({ minLength: 1 }),
+        transport: Type.Object({
+            natsServers: Type.Array(Type.String({ minLength: 1 }), { minItems: 1 }),
+            inboxPrefix: Type.String({ minLength: 1 }),
+            sentinel: Type.Object({
+                jwt: Type.String({ minLength: 1 }),
+                seed: Type.String({ minLength: 1 }),
+            }, { additionalProperties: false }),
+        }, { additionalProperties: false }),
+        auth: Type.Object({
+            mode: Type.Literal("binding_token"),
+            bindingToken: Type.String({ minLength: 1 }),
+            expiresAt: Type.String({ format: "date-time" }),
+        }, { additionalProperties: false }),
+    }, { additionalProperties: false }),
+}, { additionalProperties: true });
+const ClientBootstrapAuthRequiredSchema = Type.Object({
+    status: Type.Literal("auth_required"),
+}, { additionalProperties: true });
+const ClientBootstrapNotReadySchema = Type.Object({
+    status: Type.Literal("not_ready"),
+    reason: Type.String({ minLength: 1 }),
+}, { additionalProperties: true });
+function isBrowserRuntime() {
+    return typeof dntShim.dntGlobalThis !== "undefined" && typeof document !== "undefined";
+}
+const defaultDeps = {
+    loadTransport: loadDefaultRuntimeTransport,
+    now: () => Date.now(),
+};
+function normalizeTrellisUrl(trellisUrl) {
+    return new URL(trellisUrl).toString().replace(/\/$/, "");
+}
+function resolveCurrentUrl(auth) {
+    if (auth?.currentUrl instanceof URL)
+        return auth.currentUrl;
+    if (typeof auth?.currentUrl === "string")
+        return new URL(auth.currentUrl);
+    if (isBrowserRuntime())
+        return new URL(globalThis.location.href);
+    return null;
+}
+function resolveRedirectTo(auth, currentUrl) {
+    if (auth.redirectTo) {
+        return new URL(auth.redirectTo, currentUrl.origin).toString();
+    }
+    const queryRedirect = currentUrl.searchParams.get("redirectTo");
+    if (queryRedirect) {
+        return new URL(queryRedirect, currentUrl.origin).toString();
+    }
+    if (auth.landingPath) {
+        return new URL(auth.landingPath, currentUrl.origin).toString();
+    }
+    return currentUrl.toString();
+}
+function encodeJsonForQuery(value) {
+    const json = canonicalizeJsonValue(value);
+    const bytes = new TextEncoder().encode(json);
+    let binary = "";
+    for (const byte of bytes)
+        binary += String.fromCharCode(byte);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+async function signDomainValue(sign, prefix, value) {
+    const digest = await sha256(utf8(`${prefix}:${value}`));
+    const signature = await sign(digest);
+    const binary = String.fromCharCode(...signature);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+async function resolveClientIdentity(auth) {
+    if (auth?.mode === "session_key") {
+        const sessionAuth = await createAuth({ sessionKeySeed: auth.sessionKeySeed });
+        return {
+            mode: "session_key",
+            sessionKey: sessionAuth.sessionKey,
+            sign: sessionAuth.sign,
+            oauthInitSig: sessionAuth.oauthInitSig,
+            bindingTokenSig: sessionAuth.natsConnectSigForBindingToken,
+            bootstrapSig: (iat) => signDomainValue(sessionAuth.sign, "bootstrap-client", String(iat)),
+            bindFlowSig: (flowId) => signDomainValue(sessionAuth.sign, "bind-flow", flowId),
+        };
+    }
+    const handle = auth?.handle ?? await getOrCreateSessionKey();
+    return {
+        mode: "browser",
+        sessionKey: getPublicSessionKey(handle),
+        sign: (data) => signBytes(handle, data),
+        oauthInitSig: (redirectTo, context) => oauthInitSig(handle, redirectTo, context),
+        bindingTokenSig: (bindingToken) => signDomainValue((data) => signBytes(handle, data), "nats-connect", bindingToken),
+        bootstrapSig: (iat) => signDomainValue((data) => signBytes(handle, data), "bootstrap-client", String(iat)),
+        bindFlowSig: (flowId) => bindFlowSig(handle, flowId),
+    };
+}
+async function bindClientFlow(args) {
+    const response = await fetch(`${args.trellisUrl}/auth/flow/${encodeURIComponent(args.flowId)}/bind`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ sessionKey: args.sessionKey, sig: args.sig }),
+    });
+    if (!response.ok) {
+        throw new Error(`Client bind failed: ${response.status} ${await response.text()}`);
+    }
+    const payload = await response.json();
+    const parsed = Value.Parse(BindResponseSchema, payload);
+    if (parsed.status !== "bound") {
+        throw new Error(`Client bind did not complete: ${parsed.status}`);
+    }
+}
+async function fetchClientBootstrap(args) {
+    const response = await fetch(new URL("/bootstrap/client", args.trellisUrl), {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            sessionKey: args.sessionKey,
+            iat: args.iat,
+            sig: args.bootstrapSig,
+        }),
+    });
+    const payload = await response.json();
+    if (!response.ok) {
+        const reason = typeof payload?.reason === "string"
+            ? payload.reason
+            : `http_${response.status}`;
+        throw new Error(`Client bootstrap failed: ${reason}`);
+    }
+    if (Value.Check(ClientBootstrapReadySchema, payload)) {
+        return payload;
+    }
+    if (Value.Check(ClientBootstrapAuthRequiredSchema, payload)) {
+        return payload;
+    }
+    if (Value.Check(ClientBootstrapNotReadySchema, payload)) {
+        return payload;
+    }
+    throw new Error("Client bootstrap returned an invalid response");
+}
+function cleanupBrowserCallbackUrl(currentUrl) {
+    if (!isBrowserRuntime())
+        return;
+    if (!currentUrl.searchParams.has("flowId") && !currentUrl.searchParams.has("authError")) {
+        return;
+    }
+    currentUrl.searchParams.delete("flowId");
+    currentUrl.searchParams.delete("authError");
+    globalThis.history.replaceState({}, "", currentUrl.pathname + currentUrl.search);
+}
+async function buildSessionKeyLoginUrl(args) {
+    const url = new URL(`${args.trellisUrl}/auth/login`);
+    url.searchParams.set("redirectTo", args.redirectTo);
+    url.searchParams.set("sessionKey", args.sessionKey);
+    url.searchParams.set("sig", args.oauthInitSig);
+    url.searchParams.set("contract", encodeJsonForQuery(args.contract));
+    if (args.provider) {
+        url.searchParams.set("provider", args.provider);
+    }
+    if (args.context !== undefined) {
+        url.searchParams.set("context", encodeJsonForQuery(args.context));
+    }
+    return url.toString();
+}
+export async function connectClientWithDeps(args, deps) {
+    const trellisUrl = normalizeTrellisUrl(args.trellisUrl);
+    const identity = await resolveClientIdentity(args.auth);
+    const currentUrl = args.auth?.mode === "session_key" ? null : resolveCurrentUrl(args.auth);
+    const callbackFlowId = args.auth?.mode === "session_key"
+        ? args.auth.flowId
+        : currentUrl?.searchParams.get("flowId") ?? undefined;
+    if (callbackFlowId) {
+        await bindClientFlow({
+            trellisUrl,
+            sessionKey: identity.sessionKey,
+            flowId: callbackFlowId,
+            sig: await identity.bindFlowSig(callbackFlowId),
+        });
+        if (currentUrl)
+            cleanupBrowserCallbackUrl(currentUrl);
+    }
+    const bootstrapIat = Math.floor(deps.now() / 1_000);
+    const initialBootstrap = await fetchClientBootstrap({
+        trellisUrl,
+        sessionKey: identity.sessionKey,
+        iat: bootstrapIat,
+        bootstrapSig: await identity.bootstrapSig(bootstrapIat),
+    });
+    const bootstrap = initialBootstrap.status === "auth_required"
+        ? await resolveAuthRequired(args, identity, currentUrl, deps)
+        : initialBootstrap;
+    if (bootstrap.status !== "ready") {
+        if (bootstrap.status === "not_ready") {
+            throw new Error(`Client bootstrap is not ready: ${bootstrap.reason}`);
+        }
+        throw new Error("Client bootstrap still requires authentication");
+    }
+    const transport = await deps.loadTransport();
+    const token = JSON.stringify({
+        v: 1,
+        sessionKey: identity.sessionKey,
+        bindingToken: bootstrap.connectInfo.auth.bindingToken,
+        sig: await identity.bindingTokenSig(bootstrap.connectInfo.auth.bindingToken),
+    });
+    const nc = await transport.connect({
+        servers: bootstrap.connectInfo.transport.natsServers,
+        token,
+        inboxPrefix: bootstrap.connectInfo.transport.inboxPrefix,
+        authenticator: jwtAuthenticator(bootstrap.connectInfo.transport.sentinel.jwt, new TextEncoder().encode(bootstrap.connectInfo.transport.sentinel.seed)),
+    });
+    const clientOpts = {
+        ...(typeof args.name === "string" ? { name: args.name } : {}),
+        ...(args.log ? { log: args.log } : {}),
+        ...(typeof args.timeout === "number" ? { timeout: args.timeout } : {}),
+        ...(typeof args.stream === "string" ? { stream: args.stream } : {}),
+        ...(args.noResponderRetry ? { noResponderRetry: args.noResponderRetry } : {}),
+    };
+    return new Trellis(clientOpts.name ?? "client", nc, {
+        sessionKey: identity.sessionKey,
+        sign: identity.sign,
+    }, {
+        log: clientOpts.log,
+        timeout: clientOpts.timeout,
+        stream: clientOpts.stream,
+        noResponderRetry: clientOpts.noResponderRetry,
+        api: args.contract.API.trellis,
+    });
+}
+async function resolveAuthRequired(args, identity, currentUrl, deps) {
+    const browserAuth = args.auth?.mode === "session_key"
+        ? {}
+        : args.auth ?? {};
+    const redirectTo = args.auth?.mode === "session_key"
+        ? args.auth.redirectTo
+        : currentUrl
+            ? resolveRedirectTo(browserAuth, currentUrl)
+            : undefined;
+    if (!redirectTo) {
+        throw new Error("Client authentication requires a redirectTo URL");
+    }
+    const loginUrl = args.auth?.mode === "session_key"
+        ? await buildSessionKeyLoginUrl({
+            trellisUrl: normalizeTrellisUrl(args.trellisUrl),
+            redirectTo,
+            sessionKey: identity.sessionKey,
+            contract: args.contract.CONTRACT,
+            provider: args.auth.provider,
+            context: args.auth.context,
+            oauthInitSig: await identity.oauthInitSig(redirectTo, args.auth.context),
+        })
+        : await buildLoginUrl({
+            authUrl: normalizeTrellisUrl(args.trellisUrl),
+            redirectTo,
+            handle: browserAuth.handle ?? await getOrCreateSessionKey(),
+            provider: browserAuth.provider,
+            contract: args.contract.CONTRACT,
+            context: browserAuth.context,
+        });
+    const continuation = await args.onAuthRequired?.({
+        loginUrl,
+        sessionKey: identity.sessionKey,
+        mode: identity.mode,
+    });
+    if (continuation && typeof continuation === "object" && "flowId" in continuation) {
+        await bindClientFlow({
+            trellisUrl: normalizeTrellisUrl(args.trellisUrl),
+            sessionKey: identity.sessionKey,
+            flowId: continuation.flowId,
+            sig: await identity.bindFlowSig(continuation.flowId),
+        });
+        const bootstrapIat = Math.floor(deps.now() / 1_000);
+        return await fetchClientBootstrap({
+            trellisUrl: normalizeTrellisUrl(args.trellisUrl),
+            sessionKey: identity.sessionKey,
+            iat: bootstrapIat,
+            bootstrapSig: await identity.bootstrapSig(bootstrapIat),
+        });
+    }
+    if (isBrowserRuntime()) {
+        globalThis.location.href = loginUrl;
+        throw new Error("Redirecting to Trellis login");
+    }
+    throw new Error("Client authentication required and no auth continuation was provided");
+}
+export class TrellisClient {
+    static connect(args) {
+        return connectClientWithDeps(args, defaultDeps);
+    }
+}

package/esm/trellis/contract.d.ts

@@ -1,11 +1,5 @@
-import type { NatsConnection } from "@nats-io/nats-core";
 import { type DefinedContract as BaseDefinedContract, type ContractApiViews, type ContractDependencyUse, type ContractModule, type ContractUseFn, type DefineContractInput, type EmptyApi, type MergeApis, type OwnedApiFromSource, type SdkContractModule, type TrellisApiLike, type TrellisContractV1, type UsedApiFromUses, type UseSpec } from "../contracts/mod.js";
-import type { ClientOpts } from "./client.js";
-import type { Trellis, TrellisAuth } from "./trellis.js";
-type RuntimeContractMethods<TOwnedApi extends TrellisApiLike, TTrellisApi extends TrellisApiLike> = {
-    createClient(nats: NatsConnection, auth: TrellisAuth, opts?: ClientOpts): Trellis<TTrellisApi>;
-};
-export type DefinedContract<TOwnedApi extends TrellisApiLike, TUsedApi extends TrellisApiLike, TTrellisApi extends TrellisApiLike, TContractId extends string = string> = BaseDefinedContract<TOwnedApi, TUsedApi, TTrellisApi, TContractId> & RuntimeContractMethods<TOwnedApi, TTrellisApi>;
+export type DefinedContract<TOwnedApi extends TrellisApiLike, TUsedApi extends TrellisApiLike, TTrellisApi extends TrellisApiLike, TContractId extends string = string> = BaseDefinedContract<TOwnedApi, TUsedApi, TTrellisApi, TContractId>;
 export declare function defineContract<const T extends DefineContractInput<any, any, any, any, any, any>>(source: T): DefinedContract<OwnedApiFromSource<T> & TrellisApiLike, UsedApiFromUses<T["uses"]> & TrellisApiLike, MergeApis<OwnedApiFromSource<T>, UsedApiFromUses<T["uses"]>> & TrellisApiLike, T["id"]>;
 export type { ContractApiViews, ContractDependencyUse, ContractModule, ContractUseFn, DefineContractInput, EmptyApi, SdkContractModule, TrellisApiLike, TrellisContractV1, UseSpec, };
 //# sourceMappingURL=contract.d.ts.map

package/esm/trellis/contract.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contract.d.ts","sourceRoot":"","sources":["../../src/trellis/contract.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEzD,OAAO,EACL,KAAK,eAAe,IAAI,mBAAmB,EAC3C,KAAK,gBAAgB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EAExB,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,OAAO,EACb,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AASzD,KAAK,sBAAsB,CACzB,SAAS,SAAS,cAAc,EAChC,WAAW,SAAS,cAAc,IAChC;IACF,YAAY,CACV,IAAI,EAAE,cAAc,EACpB,IAAI,EAAE,WAAW,EACjB,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC,WAAW,CAAC,CAAC;CACzB,CAAC;AAOF,MAAM,MAAM,eAAe,CACzB,SAAS,SAAS,cAAc,EAChC,QAAQ,SAAS,cAAc,EAC/B,WAAW,SAAS,cAAc,EAClC,WAAW,SAAS,MAAM,GAAG,MAAM,IACjC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,GAAG,sBAAsB,CAC7F,SAAS,EACT,WAAW,CACZ,CAAC;AAwBF,wBAAgB,cAAc,CAAC,KAAK,CAAC,CAAC,SAAS,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAC9F,MAAM,EAAE,CAAC,GACR,eAAe,CAChB,kBAAkB,CAAC,CAAC,CAAC,GAAG,cAAc,EACtC,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,cAAc,EAC3C,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,cAAc,EAC7E,CAAC,CAAC,IAAI,CAAC,CACR,CAWA;AAED,YAAY,EACV,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,QAAQ,EACR,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,OAAO,GACR,CAAC"}
+{"version":3,"file":"contract.d.ts","sourceRoot":"","sources":["../../src/trellis/contract.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,eAAe,IAAI,mBAAmB,EAC3C,KAAK,gBAAgB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EAExB,KAAK,QAAQ,EACb,KAAK,SAAS,EACd,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,OAAO,EACb,MAAM,qBAAqB,CAAC;AAS7B,MAAM,MAAM,eAAe,CACzB,SAAS,SAAS,cAAc,EAChC,QAAQ,SAAS,cAAc,EAC/B,WAAW,SAAS,cAAc,EAClC,WAAW,SAAS,MAAM,GAAG,MAAM,IACjC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAEvE,wBAAgB,cAAc,CAAC,KAAK,CAAC,CAAC,SAAS,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAC9F,MAAM,EAAE,CAAC,GACR,eAAe,CAChB,kBAAkB,CAAC,CAAC,CAAC,GAAG,cAAc,EACtC,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,cAAc,EAC3C,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,cAAc,EAC7E,CAAC,CAAC,IAAI,CAAC,CACR,CAOA;AAED,YAAY,EACV,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,QAAQ,EACR,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,OAAO,GACR,CAAC"}

package/esm/trellis/contract.js

@@ -1,15 +1,4 @@
 import { defineContract as defineContractBase, } from "../contracts/mod.js";
-import { createClient } from "./client.js";
-function withRuntimeHelpers(contract) {
-    const runtimeContract = contract;
-    const createRuntimeClient = createClient;
-    runtimeContract.createClient = (nats, auth, opts) => createRuntimeClient(runtimeContract, nats, auth, opts);
-    return runtimeContract;
-}
 export function defineContract(source) {
-    const contract = defineContractBase(source);
-    // TypeScript's recursion limit trips over this cast in Svelte/tsserver, but
-    // the runtime helper augmentation preserves the underlying contract shape.
-    // @ts-ignore TS2589
-    return withRuntimeHelpers(contract);
+    return defineContractBase(source);
 }

package/esm/trellis/device.d.ts

@@ -0,0 +1,41 @@
+import { type NatsConnection } from "@nats-io/nats-core";
+import type { TrellisAPI } from "./contracts.js";
+import { Trellis } from "./trellis.js";
+type DeviceContract<TApi extends TrellisAPI = TrellisAPI> = {
+    CONTRACT_ID: string;
+    CONTRACT_DIGEST: string;
+    API: {
+        trellis: TApi;
+    };
+};
+type DeviceConnectTransport = {
+    connect(options: {
+        servers: string | string[];
+        token?: string;
+        authenticator?: unknown;
+        inboxPrefix?: string;
+    }): Promise<NatsConnection>;
+};
+type DeviceConnectDeps = {
+    loadTransport(): Promise<DeviceConnectTransport>;
+    now(): number;
+};
+export type DeviceActivationController = {
+    url: string;
+    waitForOnlineApproval(opts?: {
+        signal?: AbortSignal;
+    }): Promise<void>;
+    acceptConfirmationCode(code: string): Promise<void>;
+};
+export type TrellisDeviceConnectArgs<TApi extends TrellisAPI = TrellisAPI> = {
+    trellisUrl: string;
+    contract: DeviceContract<TApi>;
+    rootSecret: Uint8Array | string;
+    onActivationRequired?(activation: DeviceActivationController): Promise<void>;
+};
+export declare function connectDeviceWithDeps<TApi extends TrellisAPI>(args: TrellisDeviceConnectArgs<TApi>, deps: DeviceConnectDeps): Promise<Trellis<TApi>>;
+export declare const TrellisDevice: {
+    connect<TApi extends TrellisAPI>(args: TrellisDeviceConnectArgs<TApi>): Promise<Trellis<TApi>>;
+};
+export {};
+//# sourceMappingURL=device.d.ts.map

package/esm/trellis/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../../src/trellis/device.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoB,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAa3E,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAIvC,KAAK,cAAc,CAAC,IAAI,SAAS,UAAU,GAAG,UAAU,IAAI;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,GAAG,EAAE;QACH,OAAO,EAAE,IAAI,CAAC;KACf,CAAC;CACH,CAAC;AAEF,KAAK,sBAAsB,GAAG;IAC5B,OAAO,CAAC,OAAO,EAAE;QACf,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;CAC7B,CAAC;AAEF,KAAK,iBAAiB,GAAG;IACvB,aAAa,IAAI,OAAO,CAAC,sBAAsB,CAAC,CAAC;IACjD,GAAG,IAAI,MAAM,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,qBAAqB,CAAC,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD,CAAC;AAEF,MAAM,MAAM,wBAAwB,CAAC,IAAI,SAAS,UAAU,GAAG,UAAU,IAAI;IAC3E,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC;IAC/B,UAAU,EAAE,UAAU,GAAG,MAAM,CAAC;IAChC,oBAAoB,CAAC,CAAC,UAAU,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9E,CAAC;AA0GF,wBAAsB,qBAAqB,CAAC,IAAI,SAAS,UAAU,EACjE,IAAI,EAAE,wBAAwB,CAAC,IAAI,CAAC,EACpC,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CA2HxB;AAED,eAAO,MAAM,aAAa;YAChB,IAAI,SAAS,UAAU,QACvB,wBAAwB,CAAC,IAAI,CAAC,GACnC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;CAG1B,CAAC"}

package/esm/trellis/device.js

@@ -0,0 +1,209 @@
+import { jwtAuthenticator } from "@nats-io/nats-core";
+import { buildDeviceActivationPayload, buildDeviceActivationUrl, createDeviceNatsAuthToken, deriveDeviceIdentity, signDeviceWaitRequest, verifyDeviceConfirmationCode, waitForDeviceActivation, } from "../auth/device_activation.js";
+import { importEd25519PrivateKeyFromSeedBase64url } from "../auth/keys.js";
+import { base64urlDecode, base64urlEncode, toArrayBuffer } from "../auth/utils.js";
+import { loadDefaultRuntimeTransport } from "./runtime_transport.js";
+import { Trellis } from "./trellis.js";
+import { Type } from "typebox";
+import { Value } from "typebox/value";
+const DeviceBootstrapReadySchema = Type.Object({
+    status: Type.Literal("ready"),
+    connectInfo: Type.Object({
+        instanceId: Type.String({ minLength: 1 }),
+        profileId: Type.String({ minLength: 1 }),
+        contractId: Type.String({ minLength: 1 }),
+        contractDigest: Type.String({ minLength: 1 }),
+        transport: Type.Object({
+            natsServers: Type.Array(Type.String({ minLength: 1 }), { minItems: 1 }),
+            sentinel: Type.Object({
+                jwt: Type.String({ minLength: 1 }),
+                seed: Type.String({ minLength: 1 }),
+            }, { additionalProperties: false }),
+        }, { additionalProperties: false }),
+        auth: Type.Object({
+            mode: Type.Literal("device_identity"),
+            iatSkewSeconds: Type.Integer({ minimum: 1 }),
+        }, { additionalProperties: false }),
+    }, { additionalProperties: false }),
+}, { additionalProperties: false });
+const DeviceBootstrapActivationRequiredSchema = Type.Object({
+    status: Type.Literal("activation_required"),
+}, { additionalProperties: false });
+const DeviceBootstrapNotReadySchema = Type.Object({
+    status: Type.Literal("not_ready"),
+    reason: Type.String({ minLength: 1 }),
+}, { additionalProperties: false });
+function normalizeRootSecret(rootSecret) {
+    if (typeof rootSecret === "string") {
+        const decoded = base64urlDecode(rootSecret.trim());
+        if (decoded.length === 0)
+            throw new Error("rootSecret must not be empty");
+        return decoded;
+    }
+    if (rootSecret.length === 0)
+        throw new Error("rootSecret must not be empty");
+    return rootSecret;
+}
+async function signIdentityBytes(identitySeed, data) {
+    const privateKey = await importEd25519PrivateKeyFromSeedBase64url(base64urlEncode(identitySeed));
+    return new Uint8Array(await crypto.subtle.sign("Ed25519", privateKey, toArrayBuffer(data)));
+}
+const defaultDeps = {
+    loadTransport: loadDefaultRuntimeTransport,
+    now: () => Date.now(),
+};
+function activationRequiredError() {
+    return new Error("Device activation required but no activation handler was provided");
+}
+function isConnectInfoUnavailable(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return message.includes("404") || message.includes("unknown_device") || message.includes("activation_required");
+}
+async function fetchDeviceBootstrap(args) {
+    const request = await signDeviceWaitRequest({
+        publicIdentityKey: args.publicIdentityKey,
+        nonce: "connect-info",
+        identitySeed: args.identitySeed,
+        contractDigest: args.contractDigest,
+        iat: args.iat,
+    });
+    const bootstrapRequest = {
+        publicIdentityKey: request.publicIdentityKey,
+        contractDigest: request.contractDigest,
+        iat: request.iat,
+        sig: request.sig,
+    };
+    const response = await fetch(new URL("/bootstrap/device", args.trellisUrl), {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(bootstrapRequest),
+    });
+    if (!response.ok) {
+        throw new Error(`Device bootstrap failed: ${response.status} ${await response.text()}`);
+    }
+    const payload = await response.json();
+    if (Value.Check(DeviceBootstrapReadySchema, payload))
+        return payload;
+    if (Value.Check(DeviceBootstrapActivationRequiredSchema, payload))
+        return payload;
+    if (Value.Check(DeviceBootstrapNotReadySchema, payload))
+        return payload;
+    throw new Error("Device bootstrap returned an invalid response");
+}
+export async function connectDeviceWithDeps(args, deps) {
+    const rootSecret = normalizeRootSecret(args.rootSecret);
+    const identity = await deriveDeviceIdentity(rootSecret);
+    const contractDigest = args.contract.CONTRACT_DIGEST;
+    let connectInfo = null;
+    try {
+        const bootstrap = await fetchDeviceBootstrap({
+            trellisUrl: args.trellisUrl,
+            publicIdentityKey: identity.publicIdentityKey,
+            identitySeed: identity.identitySeed,
+            contractDigest,
+        });
+        if (bootstrap.status === "ready") {
+            connectInfo = bootstrap.connectInfo;
+        }
+        else if (bootstrap.status === "not_ready") {
+            throw new Error(bootstrap.reason);
+        }
+    }
+    catch (error) {
+        if (!isConnectInfoUnavailable(error))
+            throw error;
+    }
+    if (!connectInfo) {
+        if (!args.onActivationRequired)
+            throw activationRequiredError();
+        const nonce = crypto.randomUUID();
+        const payload = await buildDeviceActivationPayload({
+            activationKey: identity.activationKey,
+            publicIdentityKey: identity.publicIdentityKey,
+            nonce,
+        });
+        const activationUrl = buildDeviceActivationUrl({
+            trellisUrl: args.trellisUrl,
+            payload,
+        });
+        let activationCompleted = false;
+        let onlineConnectInfo = null;
+        await args.onActivationRequired({
+            url: activationUrl,
+            waitForOnlineApproval: async (opts) => {
+                if (activationCompleted)
+                    return;
+                const activation = await waitForDeviceActivation({
+                    trellisUrl: args.trellisUrl,
+                    publicIdentityKey: identity.publicIdentityKey,
+                    nonce,
+                    identitySeed: identity.identitySeed,
+                    contractDigest,
+                    signal: opts?.signal,
+                });
+                onlineConnectInfo = activation.connectInfo;
+                activationCompleted = true;
+            },
+            acceptConfirmationCode: async (code) => {
+                if (activationCompleted)
+                    return;
+                const ok = await verifyDeviceConfirmationCode({
+                    activationKey: identity.activationKey,
+                    publicIdentityKey: identity.publicIdentityKey,
+                    nonce,
+                    confirmationCode: code,
+                });
+                if (!ok) {
+                    throw new Error("Invalid device confirmation code");
+                }
+                activationCompleted = true;
+            },
+        });
+        if (!activationCompleted) {
+            throw new Error("Device activation did not complete");
+        }
+        if (onlineConnectInfo) {
+            connectInfo = onlineConnectInfo;
+        }
+        else {
+            const bootstrap = await fetchDeviceBootstrap({
+                trellisUrl: args.trellisUrl,
+                publicIdentityKey: identity.publicIdentityKey,
+                identitySeed: identity.identitySeed,
+                contractDigest,
+            });
+            if (bootstrap.status !== "ready") {
+                throw new Error(`Device bootstrap is not ready: ${bootstrap.status}`);
+            }
+            connectInfo = bootstrap.connectInfo;
+        }
+    }
+    if (!connectInfo) {
+        throw new Error("Device bootstrap did not return runtime connect info");
+    }
+    const transport = await deps.loadTransport();
+    const iat = Math.floor(deps.now() / 1_000);
+    const authToken = await createDeviceNatsAuthToken({
+        publicIdentityKey: identity.publicIdentityKey,
+        identitySeed: identity.identitySeed,
+        contractDigest,
+        iat,
+    });
+    const nc = await transport.connect({
+        servers: connectInfo.transport.natsServers,
+        token: JSON.stringify(authToken),
+        inboxPrefix: `_INBOX.${identity.publicIdentityKey.slice(0, 16)}`,
+        authenticator: jwtAuthenticator(connectInfo.transport.sentinel.jwt, new TextEncoder().encode(connectInfo.transport.sentinel.seed)),
+    });
+    return new Trellis(args.contract.CONTRACT_ID, nc, {
+        sessionKey: identity.publicIdentityKey,
+        sign: (data) => signIdentityBytes(identity.identitySeed, data),
+    }, {
+        api: args.contract.API.trellis,
+    });
+}
+export const TrellisDevice = {
+    connect(args) {
+        return connectDeviceWithDeps(args, defaultDeps);
+    },
+};

package/esm/trellis/errors/AuthError.d.ts

@@ -4,7 +4,7 @@ export declare const AuthErrorDataSchema: Type.TObject<{
     id: Type.TString;
     type: Type.TLiteral<"AuthError">;
     message: Type.TString;
-    reason: Type.TUnion<[Type.TLiteral<"invalid_request">, Type.TLiteral<"missing_session_key">, Type.TLiteral<"missing_proof">, Type.TLiteral<"session_not_found">, Type.TLiteral<"session_expired">, Type.TLiteral<"invalid_signature">, Type.TLiteral<"user_not_found">, Type.TLiteral<"user_inactive">, Type.TLiteral<"unknown_workload">, Type.TLiteral<"workload_profile_not_found">, Type.TLiteral<"workload_profile_disabled">, Type.TLiteral<"workload_activation_revoked">, Type.TLiteral<"unknown_service">, Type.TLiteral<"service_disabled">, Type.TLiteral<"iat_out_of_range">, Type.TLiteral<"invalid_binding_token">, Type.TLiteral<"session_corrupted">, Type.TLiteral<"session_already_bound">, Type.TLiteral<"authtoken_already_used">, Type.TLiteral<"oauth_session_key_mismatch">, Type.TLiteral<"service_role_on_user">, Type.TLiteral<"reply_subject_mismatch">, Type.TLiteral<"insufficient_permissions">, Type.TLiteral<"forbidden">, Type.TLiteral<"missing_handoff_id">, Type.TLiteral<"missing_profile_id">, Type.TLiteral<"workload_activation_handoff_not_found">, Type.TLiteral<"workload_activation_handoff_expired">, Type.TLiteral<"workload_activation_rejected">, Type.TLiteral<"workload_identity_key_mismatch">, Type.TLiteral<"invalid_workload_qr_mac">]>;
+    reason: Type.TUnion<[Type.TLiteral<"invalid_request">, Type.TLiteral<"missing_session_key">, Type.TLiteral<"missing_proof">, Type.TLiteral<"session_not_found">, Type.TLiteral<"session_expired">, Type.TLiteral<"invalid_signature">, Type.TLiteral<"user_not_found">, Type.TLiteral<"user_inactive">, Type.TLiteral<"unknown_device">, Type.TLiteral<"device_profile_not_found">, Type.TLiteral<"device_profile_disabled">, Type.TLiteral<"device_activation_revoked">, Type.TLiteral<"unknown_service">, Type.TLiteral<"service_disabled">, Type.TLiteral<"iat_out_of_range">, Type.TLiteral<"invalid_binding_token">, Type.TLiteral<"session_corrupted">, Type.TLiteral<"session_already_bound">, Type.TLiteral<"authtoken_already_used">, Type.TLiteral<"oauth_session_key_mismatch">, Type.TLiteral<"service_role_on_user">, Type.TLiteral<"reply_subject_mismatch">, Type.TLiteral<"insufficient_permissions">, Type.TLiteral<"forbidden">, Type.TLiteral<"missing_handoff_id">, Type.TLiteral<"missing_profile_id">, Type.TLiteral<"device_activation_handoff_not_found">, Type.TLiteral<"device_activation_handoff_expired">, Type.TLiteral<"device_activation_rejected">, Type.TLiteral<"device_identity_key_mismatch">, Type.TLiteral<"invalid_device_qr_mac">]>;
     context: Type.TOptional<Type.TRecord<"^.*$", Type.TUnknown>>;
     traceId: Type.TOptional<Type.TString>;
 }>;

package/esm/trellis/errors/AuthError.js

@@ -13,10 +13,10 @@ export const AuthErrorDataSchema = Type.Object({
         Type.Literal("invalid_signature"),
         Type.Literal("user_not_found"),
         Type.Literal("user_inactive"),
-        Type.Literal("unknown_workload"),
-        Type.Literal("workload_profile_not_found"),
-        Type.Literal("workload_profile_disabled"),
-        Type.Literal("workload_activation_revoked"),
+        Type.Literal("unknown_device"),
+        Type.Literal("device_profile_not_found"),
+        Type.Literal("device_profile_disabled"),
+        Type.Literal("device_activation_revoked"),
         Type.Literal("unknown_service"),
         Type.Literal("service_disabled"),
         Type.Literal("iat_out_of_range"),
@@ -31,11 +31,11 @@ export const AuthErrorDataSchema = Type.Object({
         Type.Literal("forbidden"),
         Type.Literal("missing_handoff_id"),
         Type.Literal("missing_profile_id"),
-        Type.Literal("workload_activation_handoff_not_found"),
-        Type.Literal("workload_activation_handoff_expired"),
-        Type.Literal("workload_activation_rejected"),
-        Type.Literal("workload_identity_key_mismatch"),
-        Type.Literal("invalid_workload_qr_mac"),
+        Type.Literal("device_activation_handoff_not_found"),
+        Type.Literal("device_activation_handoff_expired"),
+        Type.Literal("device_activation_rejected"),
+        Type.Literal("device_identity_key_mismatch"),
+        Type.Literal("invalid_device_qr_mac"),
     ]),
     context: Type.Optional(Type.Record(Type.String(), Type.Unknown())),
     traceId: Type.Optional(Type.String()),

package/esm/trellis/errors/StoreError.d.ts

@@ -0,0 +1,22 @@
+import Type, { type Static } from "typebox";
+import { TrellisError } from "./TrellisError.js";
+export declare const StoreErrorDataSchema: Type.TObject<{
+    id: Type.TString;
+    type: Type.TLiteral<"StoreError">;
+    message: Type.TString;
+    operation: Type.TOptional<Type.TString>;
+    context: Type.TOptional<Type.TRecord<"^.*$", Type.TUnknown>>;
+    traceId: Type.TOptional<Type.TString>;
+}>;
+export type StoreErrorData = Static<typeof StoreErrorDataSchema>;
+export declare class StoreError extends TrellisError<StoreErrorData> {
+    readonly name: "StoreError";
+    readonly operation?: string;
+    constructor(options: ErrorOptions & {
+        operation?: string;
+        context?: Record<string, unknown>;
+        id?: string;
+    });
+    toSerializable(): StoreErrorData;
+}
+//# sourceMappingURL=StoreError.d.ts.map