@qlever-llc/trellis 0.8.3 → 0.9.0-rc.2

package/README.md

@@ -16,7 +16,7 @@ const client = await TrellisClient.connect({
   trellisUrl: "https://trellis.example.com",
   contract: app,
 });
-const meResult = await client.request("Auth.Me", {});
+const meResult = await client.request("Auth.Sessions.Me", {});
 const me = meResult.orThrow();
 ```
 

package/bin/trellis-generate.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+const { createHash } = require("node:crypto");
+const fs = require("node:fs");
+const https = require("node:https");
+const os = require("node:os");
+const path = require("node:path");
+const { spawnSync } = require("node:child_process");
+
+const REPO_OWNER = "qlever-llc";
+const REPO_NAME = "trellis";
+const BIN_NAME = "trellis-generate";
+const SUPPORTED_TARGETS = new Set([
+  "x86_64-unknown-linux-gnu",
+  "aarch64-unknown-linux-gnu",
+  "x86_64-apple-darwin",
+  "aarch64-apple-darwin",
+]);
+
+main().catch((error) => {
+  console.error(error);
+  process.exit(1);
+});
+
+async function main() {
+  const packageVersion = readPackageVersion();
+  const binary = (process.env.TRELLIS_GENERATE_BIN || "").trim() ||
+    await ensureCachedReleaseBinary(packageVersion);
+  verifyBinaryVersion(binary, packageVersion);
+  const status = spawnSync(binary, process.argv.slice(2), { stdio: "inherit" });
+  if (status.error) throw status.error;
+  process.exit(status.status ?? 1);
+}
+
+function readPackageVersion() {
+  const manifestPath = path.resolve(__dirname, "../package.json");
+  const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+  if (typeof manifest.version !== "string" || !manifest.version.trim()) {
+    throw new Error("@qlever-llc/trellis package manifest does not declare a version");
+  }
+  return manifest.version.trim();
+}
+
+async function ensureCachedReleaseBinary(version) {
+  const target = releaseTarget();
+  const cacheDir = path.join(cacheRoot(), version, target);
+  const binary = path.join(cacheDir, BIN_NAME);
+  if (fs.existsSync(binary)) return binary;
+
+  fs.mkdirSync(cacheDir, { recursive: true });
+  const tag = "v" + version;
+  const archiveName = BIN_NAME + "-" + tag + "-" + target + ".tar.gz";
+  const checksumName = "checksum-" + tag + "-" + target + "-" + BIN_NAME + ".sha256";
+  const releaseBase = "https://github.com/" + REPO_OWNER + "/" + REPO_NAME + "/releases/download/" + tag;
+  const [archive, checksumText] = await Promise.all([
+    downloadBytes(releaseBase + "/" + archiveName),
+    downloadText(releaseBase + "/" + checksumName),
+  ]);
+  verifyChecksum(archive, checksumText, archiveName);
+
+  const archivePath = path.join(cacheDir, archiveName);
+  fs.writeFileSync(archivePath, archive);
+  const extract = spawnSync("tar", ["-xzf", archivePath, "-C", cacheDir], { stdio: "inherit" });
+  if (extract.error) throw extract.error;
+  if (extract.status !== 0) throw new Error("tar failed with exit code " + extract.status);
+  fs.chmodSync(binary, 0o755);
+  return binary;
+}
+
+function releaseTarget() {
+  const arch = os.arch() === "x64" ? "x86_64" : os.arch() === "arm64" ? "aarch64" : os.arch();
+  const platform = os.platform() === "darwin" ? "apple-darwin" : os.platform() === "linux" ? "unknown-linux-gnu" : undefined;
+  const target = platform ? arch + "-" + platform : undefined;
+  if (target && SUPPORTED_TARGETS.has(target)) return target;
+  throw new Error("no " + BIN_NAME + " release binary is available for " + os.platform() + " " + os.arch());
+}
+
+function cacheRoot() {
+  if ((process.env.TRELLIS_GENERATE_CACHE || "").trim()) return process.env.TRELLIS_GENERATE_CACHE.trim();
+  if ((process.env.XDG_CACHE_HOME || "").trim()) return path.join(process.env.XDG_CACHE_HOME.trim(), "trellis", BIN_NAME);
+  if ((process.env.LOCALAPPDATA || "").trim()) return path.join(process.env.LOCALAPPDATA.trim(), "trellis", BIN_NAME);
+  if ((process.env.HOME || "").trim()) return path.join(process.env.HOME.trim(), ".cache", "trellis", BIN_NAME);
+  throw new Error("HOME, LOCALAPPDATA, or TRELLIS_GENERATE_CACHE must be set to cache trellis-generate");
+}
+
+function downloadBytes(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, (response) => {
+      if (response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        resolve(downloadBytes(response.headers.location));
+        return;
+      }
+      if (response.statusCode !== 200) {
+        reject(new Error("failed to download " + url + ": HTTP " + response.statusCode));
+        response.resume();
+        return;
+      }
+      const chunks = [];
+      response.on("data", (chunk) => chunks.push(chunk));
+      response.on("end", () => resolve(Buffer.concat(chunks)));
+    }).on("error", reject);
+  });
+}
+
+async function downloadText(url) {
+  return (await downloadBytes(url)).toString("utf8");
+}
+
+function verifyChecksum(bytes, checksumText, label) {
+  const expected = checksumText.trim().split(/\s+/)[0]?.toLowerCase();
+  if (!expected || !/^[0-9a-f]{64}$/.test(expected)) {
+    throw new Error("release checksum asset did not contain a SHA-256 digest");
+  }
+  const actual = createHash("sha256").update(bytes).digest("hex");
+  if (actual !== expected) {
+    throw new Error("checksum mismatch for " + label + ": expected " + expected + ", got " + actual);
+  }
+}
+
+function verifyBinaryVersion(binary, expectedVersion) {
+  const output = spawnSync(binary, ["--version"], { encoding: "utf8" });
+  if (output.error) throw output.error;
+  if (output.status !== 0) throw new Error("failed to run " + binary + " --version");
+  const text = (output.stdout || "").trim();
+  const actualVersion = text.split(/\s+/).find((part) => /^v?\d+\.\d+\.\d+/.test(part));
+  if (!actualVersion || normalizeVersion(actualVersion) !== normalizeVersion(expectedVersion)) {
+    throw new Error(binary + " is " + (text || "unknown version") + "; expected " + BIN_NAME + " " + expectedVersion);
+  }
+}
+
+function normalizeVersion(version) {
+  return version.trim().replace(/^v/, "").split("+")[0];
+}

package/esm/auth/browser/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../../auth/browser/login.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,KAAK,iBAAiB,EAEtB,KAAK,YAAY,EAEjB,KAAK,mBAAmB,EAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD,YAAY,EACV,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC;AAEvB,MAAM,MAAM,UAAU,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AA2BF,wBAAsB,aAAa,CACjC,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AA0CnB,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAgC7B;AAwCD,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,YAAY,GACrB,QAAQ,IAAI,mBAAmB,CAEjC;AAED,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAwBvB"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../../../auth/browser/login.ts"],"names":[],"mappings":"AAKA,OAAO,EAGL,KAAK,iBAAiB,EAEtB,KAAK,YAAY,EAEjB,KAAK,mBAAmB,EAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGrD,YAAY,EACV,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,gBAAgB,EAChB,aAAa,GACd,MAAM,eAAe,CAAC;AAEvB,MAAM,MAAM,UAAU,GAAG;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AA2BF,wBAAsB,aAAa,CACjC,MAAM,EAAE,UAAU,EAClB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AACnB,wBAAsB,aAAa,CACjC,IAAI,EAAE;IACJ,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;AA0CnB,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqD7B;AA0ED,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,YAAY,GACrB,QAAQ,IAAI,mBAAmB,CAEjC;AAED,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAwBvB"}

package/esm/auth/browser/login.js

@@ -1,4 +1,5 @@
 import { Value } from "typebox/value";
+import { digestContractManifest, } from "../../contract_support/mod.js";
 import { AuthStartRequestSchema, AuthStartResponseSchema, BindResponseSchema, } from "../schemas.js";
 import { bindFlowSig, getPublicSessionKey, oauthInitSig } from "./session.js";
 function contextRecord(value) {
@@ -35,26 +36,61 @@ export async function buildLoginUrl(argsOrConfig, provider, redirectTo, handle,
 }
 export async function startAuthRequest(args) {
     const context = contextRecord(args.context);
-    const sig = await oauthInitSig(args.handle, args.redirectTo, context, args.provider, args.contract);
+    const contractDigest = isTrellisContractV1(args.contract)
+        ? digestContractManifest(args.contract)
+        : undefined;
+    const sig = await oauthInitSig(args.handle, args.redirectTo, context, args.provider, contractDigest ?? args.contract);
     const request = Value.Parse(AuthStartRequestSchema, {
         redirectTo: args.redirectTo,
         sessionKey: getPublicSessionKey(args.handle),
         sig,
-        contract: args.contract,
+        ...(contractDigest ? { contractDigest } : { contract: args.contract }),
         ...(args.provider ? { provider: args.provider } : {}),
         ...(context ? { context } : {}),
     });
-    const response = await fetch(`${args.authUrl}/auth/requests`, {
+    let response = await fetch(`${args.authUrl}/auth/requests`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(request),
     });
+    if (await authStartNeedsManifest(response)) {
+        const fullSig = await oauthInitSig(args.handle, args.redirectTo, context, args.provider, args.contract);
+        response = await fetch(`${args.authUrl}/auth/requests`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                ...request,
+                sig: fullSig,
+                contract: args.contract,
+            }),
+        });
+    }
     if (!response.ok) {
         const text = await response.text();
         throw new Error(`Auth request failed: ${response.status} ${text}`);
     }
     return Value.Parse(AuthStartResponseSchema, await response.json());
 }
+async function authStartNeedsManifest(response) {
+    if (response.ok || response.status !== 409)
+        return false;
+    const clone = response.clone();
+    let payload;
+    try {
+        payload = await clone.json();
+    }
+    catch {
+        payload = undefined;
+    }
+    if (payload && typeof payload === "object") {
+        const record = payload;
+        return record.reason === "manifest_required" ||
+            record.code === "manifest_required" ||
+            record.error === "manifest_required" ||
+            record.message === "manifest_required";
+    }
+    return (await response.clone().text()).includes("manifest_required");
+}
 function buildLoginUrlArgsFromPositional(config, provider, redirectTo, handle, contract, context) {
     if (redirectTo === undefined || handle === undefined || contract === undefined) {
         throw new TypeError("buildLoginUrl requires redirectTo, handle, and contract");
@@ -68,6 +104,13 @@ function buildLoginUrlArgsFromPositional(config, provider, redirectTo, handle, c
         context,
     };
 }
+function isTrellisContractV1(contract) {
+    return contract.format === "trellis.contract.v1" &&
+        typeof contract.id === "string" &&
+        typeof contract.displayName === "string" &&
+        typeof contract.description === "string" &&
+        typeof contract.kind === "string";
+}
 function isNestedBuildLoginUrlArgs(value) {
     return "config" in value;
 }

package/esm/auth/browser/portal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../../auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAY1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAKR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAkB1B;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,eAAe,GAAG,IAAI,GAC5B,MAAM,GAAG,IAAI,CAEf"}
+{"version":3,"file":"portal.d.ts","sourceRoot":"","sources":["../../../../auth/browser/portal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,eAAe,EAAyB,MAAM,gBAAgB,CAAC;AAC7E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAG7C,YAAY,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAMtD,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,GAAG,IAAI,CAE3D;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CAY1B;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,MAAM,CAKR;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,eAAe,CAAC,CAkB1B;AAED,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,eAAe,GAAG,IAAI,GAC5B,MAAM,GAAG,IAAI,CAIf"}

package/esm/auth/browser/portal.js

@@ -29,5 +29,9 @@ export async function submitPortalApproval(config, flowId, decision) {
     return Value.Parse(PortalFlowStateSchema, await response.json());
 }
 export function portalRedirectLocation(state) {
-    return state?.status === "redirect" ? state.location : null;
+    if (state?.status === "redirect")
+        return state.location;
+    if (state?.status === "approval_denied")
+        return state.returnLocation ?? null;
+    return null;
 }

package/esm/auth/browser/session.d.ts

@@ -3,16 +3,27 @@ export type SessionKeyHandle = {
     publicKey: CryptoKey;
     publicKeyRaw: Uint8Array;
     sessionKey: string;
+    persistence?: SessionKeyPersistenceMode;
+    expiresAt?: number;
 };
-export declare function generateSessionKey(): Promise<SessionKeyHandle>;
-export declare function loadSessionKey(): Promise<SessionKeyHandle | null>;
-export declare function getOrCreateSessionKey(): Promise<SessionKeyHandle>;
+export type SessionKeyPersistenceMode = "temporary" | "remembered";
+export type SessionKeyOptions = {
+    /** Defaults to remembered IndexedDB storage. */
+    persistence?: SessionKeyPersistenceMode;
+    /** Expiry for remembered keys, as epoch milliseconds or a Date. */
+    expiresAt?: number | Date;
+    /** Relative expiry for remembered keys. Ignored when expiresAt is set. */
+    ttlMs?: number;
+};
+export declare function generateSessionKey(options?: SessionKeyOptions): Promise<SessionKeyHandle>;
+export declare function loadSessionKey(options?: Pick<SessionKeyOptions, "persistence">): Promise<SessionKeyHandle | null>;
+export declare function getOrCreateSessionKey(options?: SessionKeyOptions): Promise<SessionKeyHandle>;
 export declare function signBytes(handle: SessionKeyHandle, data: Uint8Array): Promise<Uint8Array>;
 export declare function getPublicSessionKey(handle: SessionKeyHandle): string;
-export declare function oauthInitSig(handle: SessionKeyHandle, redirectTo: string, context?: unknown, provider?: string, contract?: Record<string, unknown>): Promise<string>;
+export declare function oauthInitSig(handle: SessionKeyHandle, redirectTo: string, context?: unknown, provider?: string, contract?: Record<string, unknown> | string): Promise<string>;
 export declare function bindFlowSig(handle: SessionKeyHandle, flowId: string): Promise<string>;
 export declare function natsConnectSigForIat(handle: SessionKeyHandle, iat: number, contractDigest: string): Promise<string>;
-export declare function createRpcProof(handle: SessionKeyHandle, subject: string, payload: Uint8Array): Promise<string>;
-export declare function clearSessionKey(): Promise<void>;
-export declare function hasSessionKey(): Promise<boolean>;
+export declare function createRpcProof(handle: SessionKeyHandle, subject: string, payload: Uint8Array, requestId: string, iat: number): Promise<string>;
+export declare function clearSessionKey(options?: Pick<SessionKeyOptions, "persistence">): Promise<void>;
+export declare function hasSessionKey(options?: Pick<SessionKeyOptions, "persistence">): Promise<boolean>;
 //# sourceMappingURL=session.d.ts.map

package/esm/auth/browser/session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../../auth/browser/session.ts"],"names":[],"mappings":"AAgBA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAoBpE;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CASvE;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAIvE;AAED,wBAAsB,SAAS,CAC7B,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAOrB;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAEpE;AAED,wBAAsB,YAAY,CAChC,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,OAAO,EACjB,QAAQ,CAAC,EAAE,MAAM,EACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACjC,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACX,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAErD;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAEtD"}
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../../auth/browser/session.ts"],"names":[],"mappings":"AAgBA,MAAM,MAAM,gBAAgB,GAAG;IAC7B,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,yBAAyB,CAAC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG,WAAW,GAAG,YAAY,CAAC;AAEnE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,gDAAgD;IAChD,WAAW,CAAC,EAAE,yBAAyB,CAAC;IACxC,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,0EAA0E;IAC1E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAWF,wBAAsB,kBAAkB,CACtC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CA8B3B;AAED,wBAAsB,cAAc,CAClC,OAAO,GAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAM,GACnD,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAalC;AAED,wBAAsB,qBAAqB,CACzC,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAI3B;AAED,wBAAsB,SAAS,CAC7B,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE,UAAU,GACf,OAAO,CAAC,UAAU,CAAC,CAOrB;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAEpE;AAED,wBAAsB,YAAY,CAChC,MAAM,EAAE,gBAAgB,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,OAAO,EACjB,QAAQ,CAAC,EAAE,MAAM,EACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAC1C,OAAO,CAAC,MAAM,CAAC,CAUjB;AAED,wBAAsB,WAAW,CAC/B,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAIjB;AAED,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACX,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED,wBAAsB,cAAc,CAClC,MAAM,EAAE,gBAAgB,EACxB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,CAAC,CASjB;AAED,wBAAsB,eAAe,CACnC,OAAO,GAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAM,GACnD,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,aAAa,CACjC,OAAO,GAAE,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAM,GACnD,OAAO,CAAC,OAAO,CAAC,CAIlB"}

package/esm/auth/browser/session.js

@@ -2,19 +2,42 @@ import { base64urlEncode, canonicalizeJsonValue, sha256, toArrayBuffer, utf8, }
 import { createProof } from "../proof.js";
 import { buildNatsConnectSignaturePayload } from "../session_auth.js";
 import { deleteKeyPair, hasKeyPair, loadKeyPair, storeKeyPair, } from "./storage.js";
-export async function generateSessionKey() {
+let temporarySessionKey = null;
+function resolveExpiresAt(options) {
+    if (options.expiresAt instanceof Date)
+        return options.expiresAt.getTime();
+    if (typeof options.expiresAt === "number")
+        return options.expiresAt;
+    if (typeof options.ttlMs === "number")
+        return Date.now() + options.ttlMs;
+    return undefined;
+}
+export async function generateSessionKey(options = {}) {
+    const persistence = options.persistence ?? "remembered";
+    const expiresAt = resolveExpiresAt(options);
     const keyPair = await crypto.subtle.generateKey({ name: "Ed25519" }, false, ["sign", "verify"]);
     const publicKeyRaw = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
     const sessionKey = base64urlEncode(publicKeyRaw);
-    await storeKeyPair(keyPair, publicKeyRaw);
-    return {
+    const handle = {
         privateKey: keyPair.privateKey,
         publicKey: keyPair.publicKey,
         publicKeyRaw,
         sessionKey,
+        persistence,
+        ...(expiresAt === undefined ? {} : { expiresAt }),
     };
+    if (persistence === "temporary") {
+        temporarySessionKey = handle;
+    }
+    else {
+        await storeKeyPair(keyPair, publicKeyRaw, { expiresAt });
+    }
+    return handle;
 }
-export async function loadSessionKey() {
+export async function loadSessionKey(options = {}) {
+    const persistence = options.persistence ?? "remembered";
+    if (persistence === "temporary")
+        return temporarySessionKey;
     const stored = await loadKeyPair();
     if (!stored)
         return null;
@@ -23,13 +46,15 @@ export async function loadSessionKey() {
         publicKey: stored.publicKey,
         publicKeyRaw: stored.publicKeyRaw,
         sessionKey: base64urlEncode(stored.publicKeyRaw),
+        persistence: "remembered",
+        ...(stored.expiresAt === undefined ? {} : { expiresAt: stored.expiresAt }),
     };
 }
-export async function getOrCreateSessionKey() {
-    const existing = await loadSessionKey();
+export async function getOrCreateSessionKey(options = {}) {
+    const existing = await loadSessionKey(options);
     if (existing)
         return existing;
-    return await generateSessionKey();
+    return await generateSessionKey(options);
 }
 export async function signBytes(handle, data) {
     const sig = await crypto.subtle.sign({ name: "Ed25519" }, handle.privateKey, toArrayBuffer(data));
@@ -57,17 +82,28 @@ export async function natsConnectSigForIat(handle, iat, contractDigest) {
     const sig = await signBytes(handle, digest);
     return base64urlEncode(sig);
 }
-export async function createRpcProof(handle, subject, payload) {
+export async function createRpcProof(handle, subject, payload, requestId, iat) {
     const payloadHash = await sha256(payload);
     return await createProof(handle.privateKey, {
         sessionKey: handle.sessionKey,
         subject,
         payloadHash,
+        iat,
+        requestId,
     });
 }
-export async function clearSessionKey() {
-    await deleteKeyPair();
+export async function clearSessionKey(options = {}) {
+    const persistence = options.persistence;
+    if (persistence === undefined || persistence === "temporary") {
+        temporarySessionKey = null;
+    }
+    if (persistence === undefined || persistence === "remembered") {
+        await deleteKeyPair();
+    }
 }
-export async function hasSessionKey() {
+export async function hasSessionKey(options = {}) {
+    const persistence = options.persistence ?? "remembered";
+    if (persistence === "temporary")
+        return temporarySessionKey !== null;
     return await hasKeyPair();
 }

package/esm/auth/browser/storage.d.ts

@@ -4,8 +4,13 @@ export type StoredKeyPair = {
     publicKey: CryptoKey;
     publicKeyRaw: Uint8Array;
     createdAt: number;
+    persistence?: "remembered";
+    expiresAt?: number;
 };
-export declare function storeKeyPair(keyPair: CryptoKeyPair, publicKeyRaw: Uint8Array): Promise<void>;
+export type StoredKeyPairOptions = {
+    expiresAt?: number;
+};
+export declare function storeKeyPair(keyPair: CryptoKeyPair, publicKeyRaw: Uint8Array, options?: StoredKeyPairOptions): Promise<void>;
 export declare function loadKeyPair(): Promise<StoredKeyPair | null>;
 export declare function deleteKeyPair(): Promise<void>;
 export declare function hasKeyPair(): Promise<boolean>;

package/esm/auth/browser/storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../../auth/browser/storage.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,wBAAsB,YAAY,CAChC,OAAO,EAAE,aAAa,EACtB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,wBAAsB,WAAW,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAYjE;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAYnD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,CAGnD"}
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../../auth/browser/storage.ts"],"names":[],"mappings":"AAqBA,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,SAAS,CAAC;IACtB,SAAS,EAAE,SAAS,CAAC;IACrB,YAAY,EAAE,UAAU,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,YAAY,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,wBAAsB,YAAY,CAChC,OAAO,EAAE,aAAa,EACtB,YAAY,EAAE,UAAU,EACxB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,IAAI,CAAC,CAwBf;AAED,wBAAsB,WAAW,IAAI,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAoBjE;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAYnD;AAED,wBAAsB,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,CAGnD"}

package/esm/auth/browser/storage.js

@@ -15,7 +15,7 @@ function openDB() {
         };
     });
 }
-export async function storeKeyPair(keyPair, publicKeyRaw) {
+export async function storeKeyPair(keyPair, publicKeyRaw, options = {}) {
     const db = await openDB();
     return new Promise((resolve, reject) => {
         const tx = db.transaction(STORE_NAME, "readwrite");
@@ -26,6 +26,10 @@ export async function storeKeyPair(keyPair, publicKeyRaw) {
             publicKey: keyPair.publicKey,
             publicKeyRaw,
             createdAt: Date.now(),
+            persistence: "remembered",
+            ...(options.expiresAt === undefined
+                ? {}
+                : { expiresAt: options.expiresAt }),
         };
         const request = store.put(record);
         request.onerror = () => reject(request.error);
@@ -36,11 +40,19 @@ export async function storeKeyPair(keyPair, publicKeyRaw) {
 export async function loadKeyPair() {
     const db = await openDB();
     return new Promise((resolve, reject) => {
-        const tx = db.transaction(STORE_NAME, "readonly");
+        const tx = db.transaction(STORE_NAME, "readwrite");
         const store = tx.objectStore(STORE_NAME);
         const request = store.get(KEY_ID);
         request.onerror = () => reject(request.error);
-        request.onsuccess = () => resolve(request.result ?? null);
+        request.onsuccess = () => {
+            const result = request.result;
+            if (result?.expiresAt !== undefined && result.expiresAt <= Date.now()) {
+                store.delete(KEY_ID);
+                resolve(null);
+                return;
+            }
+            resolve(result ?? null);
+        };
         tx.oncomplete = () => db.close();
     });
 }

package/esm/auth/browser.d.ts

@@ -5,9 +5,9 @@
  */
 export { type AuthConfig, type AuthStartFlowResponse, type AuthStartRequest, type AuthStartResponse, bindFlow, type BindResponse, type BindSuccessResponse, buildLoginUrl, isBindSuccessResponse, type SentinelCreds, startAuthRequest, } from "./browser/login.ts";
 export { type ApprovalDecision, fetchPortalFlowState, portalFlowIdFromUrl, type PortalFlowState, type PortalFlowState as BrowserPortalFlowState, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, } from "./browser/portal.ts";
-export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForIat, type SessionKeyHandle, signBytes, } from "./browser/session.ts";
+export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForIat, type SessionKeyHandle, type SessionKeyOptions, type SessionKeyPersistenceMode, signBytes, } from "./browser/session.ts";
 export { deleteKeyPair, hasKeyPair } from "./browser/storage.ts";
-export { type ApprovalDecision as ApprovalDecisionData, ApprovalDecisionSchema, type AuthStartFlowResponse as AuthStartFlowResponseData, AuthStartFlowResponseSchema, type AuthStartRequest as AuthStartRequestData, AuthStartRequestSchema, type AuthStartResponse as AuthStartResponseData, AuthStartResponseSchema, type BindResponse as BindResponseData, BindResponseSchema, type BindSuccessResponse as BindSuccessResponseData, BindSuccessResponseSchema, type ClientTransportEndpoints as ClientTransportEndpointsData, ClientTransportEndpointsSchema, type ClientTransports as ClientTransportsData, ClientTransportsSchema, type ContractApproval as ContractApprovalData, ContractApprovalSchema, type NatsAuthTokenV1 as NatsAuthTokenV1Data, NatsAuthTokenV1Schema, type SentinelCreds as SentinelCredsData, SentinelCredsSchema, } from "./schemas.ts";
+export { approvalCapabilityKeys, type ApprovalDecision as ApprovalDecisionData, ApprovalDecisionSchema, type AuthStartFlowResponse as AuthStartFlowResponseData, AuthStartFlowResponseSchema, type AuthStartRequest as AuthStartRequestData, AuthStartRequestSchema, type AuthStartResponse as AuthStartResponseData, AuthStartResponseSchema, type BindResponse as BindResponseData, BindResponseSchema, type BindSuccessResponse as BindSuccessResponseData, BindSuccessResponseSchema, type ClientTransportEndpoints as ClientTransportEndpointsData, ClientTransportEndpointsSchema, type ClientTransports as ClientTransportsData, ClientTransportsSchema, type ContractApproval as ContractApprovalData, type ContractApprovalCapability as ContractApprovalCapabilityData, ContractApprovalSchema, type NatsAuthTokenV1 as NatsAuthTokenV1Data, NatsAuthTokenV1Schema, type SentinelCreds as SentinelCredsData, SentinelCredsSchema, } from "./schemas.ts";
 export type { NatsAuthTokenV1 } from "./types.ts";
 export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.ts";
 //# sourceMappingURL=browser.d.ts.map

package/esm/auth/browser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,IAAI,sBAAsB,EAC9C,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,qBAAqB,IAAI,yBAAyB,EACvD,2BAA2B,EAC3B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,iBAAiB,IAAI,qBAAqB,EAC/C,uBAAuB,EACvB,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,wBAAwB,IAAI,4BAA4B,EAC7D,8BAA8B,EAC9B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../auth/browser.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,aAAa,EACb,qBAAqB,EACrB,KAAK,aAAa,EAClB,gBAAgB,GACjB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,eAAe,EACpB,KAAK,eAAe,IAAI,sBAAsB,EAC9C,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,WAAW,EACX,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,KAAK,gBAAgB,EACrB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,EAC9B,SAAS,GACV,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EACL,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,qBAAqB,IAAI,yBAAyB,EACvD,2BAA2B,EAC3B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,iBAAiB,IAAI,qBAAqB,EAC/C,uBAAuB,EACvB,KAAK,YAAY,IAAI,gBAAgB,EACrC,kBAAkB,EAClB,KAAK,mBAAmB,IAAI,uBAAuB,EACnD,yBAAyB,EACzB,KAAK,wBAAwB,IAAI,4BAA4B,EAC7D,8BAA8B,EAC9B,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,sBAAsB,EACtB,KAAK,gBAAgB,IAAI,oBAAoB,EAC7C,KAAK,0BAA0B,IAAI,8BAA8B,EACjE,sBAAsB,EACtB,KAAK,eAAe,IAAI,mBAAmB,EAC3C,qBAAqB,EACrB,KAAK,aAAa,IAAI,iBAAiB,EACvC,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EACL,eAAe,EACf,eAAe,EACf,MAAM,EACN,aAAa,EACb,IAAI,GACL,MAAM,YAAY,CAAC"}

package/esm/auth/browser.js

@@ -7,5 +7,5 @@ export { bindFlow, buildLoginUrl, isBindSuccessResponse, startAuthRequest, } fro
 export { fetchPortalFlowState, portalFlowIdFromUrl, portalProviderLoginUrl, portalRedirectLocation, submitPortalApproval, } from "./browser/portal.js";
 export { bindFlowSig, clearSessionKey, createRpcProof, generateSessionKey, getOrCreateSessionKey, getPublicSessionKey, hasSessionKey, loadSessionKey, natsConnectSigForIat, signBytes, } from "./browser/session.js";
 export { deleteKeyPair, hasKeyPair } from "./browser/storage.js";
-export { ApprovalDecisionSchema, AuthStartFlowResponseSchema, AuthStartRequestSchema, AuthStartResponseSchema, BindResponseSchema, BindSuccessResponseSchema, ClientTransportEndpointsSchema, ClientTransportsSchema, ContractApprovalSchema, NatsAuthTokenV1Schema, SentinelCredsSchema, } from "./schemas.js";
+export { approvalCapabilityKeys, ApprovalDecisionSchema, AuthStartFlowResponseSchema, AuthStartRequestSchema, AuthStartResponseSchema, BindResponseSchema, BindSuccessResponseSchema, ClientTransportEndpointsSchema, ClientTransportsSchema, ContractApprovalSchema, NatsAuthTokenV1Schema, SentinelCredsSchema, } from "./schemas.js";
 export { base64urlDecode, base64urlEncode, sha256, toArrayBuffer, utf8, } from "./utils.js";

package/esm/auth/device_activation.d.ts

@@ -4,7 +4,7 @@ import type { BaseError } from "@qlever-llc/result";
 import { AsyncResult } from "@qlever-llc/result";
 import type { OperationRef } from "../operations.ts";
 import type { NatsAuthTokenV1 } from "./schemas.ts";
-import { AuthActivateDeviceProgressSchema, AuthActivateDeviceResponseSchema, AuthActivateDeviceSchema, AuthGetDeviceConnectInfoResponseSchema, AuthGetDeviceConnectInfoSchema, AuthListDeviceActivationsResponseSchema, AuthListDeviceActivationsSchema, AuthRevokeDeviceActivationResponseSchema, AuthRevokeDeviceActivationSchema, WaitForDeviceActivationResponseSchema } from "./protocol.ts";
+import { AuthDevicesConnectInfoGetResponseSchema, AuthDevicesConnectInfoGetSchema, AuthDeviceUserAuthoritiesListResponseSchema, AuthDeviceUserAuthoritiesListSchema, AuthDeviceUserAuthoritiesRevokeResponseSchema, AuthDeviceUserAuthoritiesRevokeSchema, AuthResolveDeviceUserAuthoritiesProgressSchema, AuthResolveDeviceUserAuthoritiesResponseSchema, AuthResolveDeviceUserAuthoritiesSchema, WaitForDeviceActivationResponseSchema } from "./protocol.ts";
 export declare const DeviceActivationPayloadSchema: Type.TObject<{
     v: Type.TLiteral<1>;
     publicIdentityKey: Type.TString;
@@ -12,24 +12,25 @@ export declare const DeviceActivationPayloadSchema: Type.TObject<{
     qrMac: Type.TString;
 }>;
 export declare const DeviceActivationWaitRequestSchema: Type.TObject<{
+    flowId: Type.TString;
     publicIdentityKey: Type.TString;
     nonce: Type.TString;
-    contractDigest: Type.TOptional<Type.TString>;
+    contractDigest: Type.TString;
     iat: Type.TNumber;
     sig: Type.TString;
 }>;
 export type DeviceActivationPayload = StaticDecode<typeof DeviceActivationPayloadSchema>;
 export type DeviceActivationWaitRequest = StaticDecode<typeof DeviceActivationWaitRequestSchema>;
 export type WaitForDeviceActivationResponse = StaticDecode<typeof WaitForDeviceActivationResponseSchema>;
-export type AuthActivateDeviceInput = StaticDecode<typeof AuthActivateDeviceSchema>;
-export type AuthActivateDeviceProgress = StaticDecode<typeof AuthActivateDeviceProgressSchema>;
-export type AuthActivateDeviceOutput = StaticDecode<typeof AuthActivateDeviceResponseSchema>;
-export type AuthListDeviceActivationsInput = StaticDecode<typeof AuthListDeviceActivationsSchema>;
-export type AuthListDeviceActivationsOutput = StaticDecode<typeof AuthListDeviceActivationsResponseSchema>;
-export type AuthRevokeDeviceActivationInput = StaticDecode<typeof AuthRevokeDeviceActivationSchema>;
-export type AuthRevokeDeviceActivationResponse = StaticDecode<typeof AuthRevokeDeviceActivationResponseSchema>;
-export type GetDeviceConnectInfoInput = StaticDecode<typeof AuthGetDeviceConnectInfoSchema>;
-export type GetDeviceConnectInfoOutput = StaticDecode<typeof AuthGetDeviceConnectInfoResponseSchema>;
+export type AuthResolveDeviceUserAuthoritiesInput = StaticDecode<typeof AuthResolveDeviceUserAuthoritiesSchema>;
+export type AuthResolveDeviceUserAuthoritiesProgress = StaticDecode<typeof AuthResolveDeviceUserAuthoritiesProgressSchema>;
+export type AuthResolveDeviceUserAuthoritiesOutput = StaticDecode<typeof AuthResolveDeviceUserAuthoritiesResponseSchema>;
+export type AuthDeviceUserAuthoritiesListInput = StaticDecode<typeof AuthDeviceUserAuthoritiesListSchema>;
+export type AuthDeviceUserAuthoritiesListOutput = StaticDecode<typeof AuthDeviceUserAuthoritiesListResponseSchema>;
+export type AuthDeviceUserAuthoritiesRevokeInput = StaticDecode<typeof AuthDeviceUserAuthoritiesRevokeSchema>;
+export type AuthDeviceUserAuthoritiesRevokeResponse = StaticDecode<typeof AuthDeviceUserAuthoritiesRevokeResponseSchema>;
+export type GetDeviceConnectInfoInput = StaticDecode<typeof AuthDevicesConnectInfoGetSchema>;
+export type GetDeviceConnectInfoOutput = StaticDecode<typeof AuthDevicesConnectInfoGetResponseSchema>;
 export type DeviceIdentity = {
     identitySeed: Uint8Array;
     identitySeedBase64url: string;
@@ -37,35 +38,35 @@ export type DeviceIdentity = {
     activationKey: Uint8Array;
     activationKeyBase64url: string;
 };
-type DeviceActivationRpcMethod = "Auth.ListDeviceActivations" | "Auth.RevokeDeviceActivation" | "Auth.GetDeviceConnectInfo";
-type AuthActivateDeviceOperationShape = {
+type DeviceActivationRpcMethod = "Auth.DeviceUserAuthorities.List" | "Auth.DeviceUserAuthorities.Revoke" | "Auth.Devices.ConnectInfo.Get";
+type AuthResolveDeviceUserAuthoritiesOperationShape = {
     subject: string;
-    input: typeof AuthActivateDeviceSchema;
-    progress: typeof AuthActivateDeviceProgressSchema;
-    output: typeof AuthActivateDeviceResponseSchema;
+    input: typeof AuthResolveDeviceUserAuthoritiesSchema;
+    progress: typeof AuthResolveDeviceUserAuthoritiesProgressSchema;
+    output: typeof AuthResolveDeviceUserAuthoritiesResponseSchema;
 };
-export type AuthActivateDeviceOperation = OperationRef<AuthActivateDeviceOperationShape, AuthActivateDeviceProgress, AuthActivateDeviceOutput>;
+export type AuthResolveDeviceUserAuthoritiesOperation = OperationRef<AuthResolveDeviceUserAuthoritiesOperationShape, AuthResolveDeviceUserAuthoritiesProgress, AuthResolveDeviceUserAuthoritiesOutput>;
 type DeviceActivationRpcInputMap = {
-    "Auth.ListDeviceActivations": AuthListDeviceActivationsInput;
-    "Auth.RevokeDeviceActivation": AuthRevokeDeviceActivationInput;
-    "Auth.GetDeviceConnectInfo": GetDeviceConnectInfoInput;
+    "Auth.DeviceUserAuthorities.List": AuthDeviceUserAuthoritiesListInput;
+    "Auth.DeviceUserAuthorities.Revoke": AuthDeviceUserAuthoritiesRevokeInput;
+    "Auth.Devices.ConnectInfo.Get": GetDeviceConnectInfoInput;
 };
 type DeviceActivationRpcOutputMap = {
-    "Auth.ListDeviceActivations": AuthListDeviceActivationsOutput;
-    "Auth.RevokeDeviceActivation": AuthRevokeDeviceActivationResponse;
-    "Auth.GetDeviceConnectInfo": GetDeviceConnectInfoOutput;
+    "Auth.DeviceUserAuthorities.List": AuthDeviceUserAuthoritiesListOutput;
+    "Auth.DeviceUserAuthorities.Revoke": AuthDeviceUserAuthoritiesRevokeResponse;
+    "Auth.Devices.ConnectInfo.Get": GetDeviceConnectInfoOutput;
 };
 type RequestClient = {
     request<M extends DeviceActivationRpcMethod>(method: M, input: DeviceActivationRpcInputMap[M], opts?: unknown): AsyncResult<DeviceActivationRpcOutputMap[M], BaseError>;
 };
-type ActivateDeviceOperationClient = {
-    operation(method: "Auth.ActivateDevice"): {
-        input(input: AuthActivateDeviceInput): {
-            start(): AsyncResult<AuthActivateDeviceOperation, BaseError>;
+type ResolveDeviceUserAuthoritiesOperationClient = {
+    operation(method: "Auth.DeviceUserAuthorities.Resolve"): {
+        input(input: AuthResolveDeviceUserAuthoritiesInput): {
+            start(): AsyncResult<AuthResolveDeviceUserAuthoritiesOperation, BaseError>;
         };
     };
 };
-export type DeviceActivationTransport = RequestClient & ActivateDeviceOperationClient;
+export type DeviceActivationTransport = RequestClient & ResolveDeviceUserAuthoritiesOperationClient;
 export declare function deriveDeviceIdentity(deviceRootSecret: Uint8Array): Promise<DeviceIdentity>;
 export declare function deriveDeviceQrMac(input: {
     activationKey: Uint8Array | string;
@@ -99,12 +100,13 @@ export declare function verifyDeviceConfirmationCode(input: {
     nonce: string;
     confirmationCode: string;
 }): Promise<boolean>;
-export declare function buildDeviceWaitProofInput(publicIdentityKey: string, nonce: string, iat: number, contractDigest?: string): Uint8Array;
+export declare function buildDeviceWaitProofInput(flowId: string, publicIdentityKey: string, nonce: string, iat: number, contractDigest: string): Uint8Array;
 export declare function signDeviceWaitRequest(args: {
+    flowId: string;
     publicIdentityKey: string;
     nonce: string;
     identitySeed: Uint8Array | string;
-    contractDigest?: string;
+    contractDigest: string;
     iat?: number;
 }): Promise<DeviceActivationWaitRequest>;
 export declare function createDeviceNatsAuthToken(args: {
@@ -117,6 +119,7 @@ export declare function createDeviceNatsAuthToken(args: {
 }>;
 export declare function waitForDeviceActivation(args: {
     trellisUrl: string;
+    flowId: string;
     publicIdentityKey: string;
     nonce: string;
     identitySeed: Uint8Array | string;
@@ -134,9 +137,9 @@ export declare function getDeviceConnectInfo(args: {
     iat?: number;
 }): Promise<GetDeviceConnectInfoOutput>;
 export declare function createDeviceActivationClient(client: DeviceActivationTransport): {
-    activateDevice(input: AuthActivateDeviceInput): any;
-    listDeviceActivations(input?: AuthListDeviceActivationsInput): any;
-    revokeDeviceActivation(input: AuthRevokeDeviceActivationInput): any;
+    resolveDeviceUserAuthorities(input: AuthResolveDeviceUserAuthoritiesInput): any;
+    listDeviceActivations(input: AuthDeviceUserAuthoritiesListInput): any;
+    revokeDeviceActivation(input: AuthDeviceUserAuthoritiesRevokeInput): any;
     getDeviceConnectInfo(input: GetDeviceConnectInfoInput): any;
 };
 export declare function verifyDeviceWaitSignature(input: DeviceActivationWaitRequest): Promise<boolean>;