@sylphx/sdk 0.3.4 → 0.3.5

package/dist/react/index.d.cts

@@ -694,14 +694,6 @@ interface TaskRunStatus {
     updatedAt: string;
 }
 
-/**
- * SDK Configuration
- *
- * Create a config object that can be passed to SDK functions.
- * This is the foundation for the function-based API.
- *
- * Uses appId or secretKey for authentication via x-app-secret header.
- */
 /**
  * SDK Configuration for Pure Functions
  *
@@ -725,27 +717,26 @@ interface TaskRunStatus {
  */
 interface SylphxConfig {
     /**
-     * Your app key — identifies the app and environment.
-     *
-     * Accepts either:
-     * - Secret key (sk_dev_, sk_stg_, sk_prod_) — full access, server-side only
-     * - Publishable key (app_dev_, app_stg_, app_prod_) — limited access, safe for client
-     *
-     * Get this from Platform Console → Apps → Your App → Environments
+     * Secret key (sk_*) — full access, server-side only.
+     * Embed project ref, env, and routing info (ADR-021).
+     * Get from Platform Console → Apps → Your App → Environments.
      */
     readonly secretKey?: string;
     /**
-     * Project ref — short 12-char lowercase alphanumeric string (e.g. "abc123def456").
-     *
+     * Publishable key (pk_*) — client-safe, read-only access.
+     * Embeds project ref, env, and routing info (ADR-021).
+     * Get from Platform Console → Apps → Your App → Environments.
+     */
+    readonly publicKey?: string;
+    /**
+     * Project ref — 12-char lowercase alphanumeric string.
+     * Extracted from the key automatically (ADR-021).
      * The SDK targets: https://{ref}.api.sylphx.com/v1
-     *
-     * Get this from Platform Console → Projects → Your Project → Overview.
      */
     readonly ref: string;
     /**
      * Pre-computed base URL: https://{ref}.api.sylphx.com/v1
-     *
-     * Used by buildApiUrl and callApi internally.
+     * Derived from the embedded ref in the key.
      */
     readonly baseUrl: string;
     /** Optional: Current access token for authenticated requests */
@@ -15399,18 +15390,20 @@ declare function sanitizeUrl$1(url: string): string | null;
  * 4. No silent fixes - Transparency over convenience (but warn + continue)
  * 5. Single Source of Truth - All key logic in one place
  *
- * Key Formats (OAuth 2.0 Standard):
- * - App ID: app_(dev|stg|prod)_[identifier] — Public identifier (like OAuth client_id)
- * - Secret Key: sk_(dev|stg|prod)_[identifier] — Server-side only (like OAuth client_secret)
+ * Key Formats (ADR-021):
+ * - Publishable key: pk_(dev|stg|prod)_{ref}_{32hex} — client-safe (new)
+ * - Secret Key:      sk_(dev|stg|prod)_{ref}_{64hex} — server-side only
  *
- * Identifier Types:
- * - Customer apps: 32 hex chars
- * - Platform apps: platform_{app-slug} (e.g., platform_sylphx-console)
+ * Legacy Key Formats (backward-compat):
+ * - App ID (old):    app_(dev|stg|prod)_[identifier] — Public identifier
+ *
+ * Special Internal Formats (NOT rotated):
+ * - Console bootstrap: app_prod_platform_{slug} / sk_prod_platform_{slug}
  */
 /** Environment type derived from key prefix */
 type EnvironmentType = 'development' | 'staging' | 'production';
-/** Key type - appId (public) or secret (server) */
-type KeyType = 'appId' | 'secret';
+/** Key type - publicKey (pk_*), appId (legacy app_*), or secret (sk_*) */
+type KeyType = 'publicKey' | 'appId' | 'secret';
 /** Validation result with clear error information */
 interface KeyValidationResult {
     /** Whether the key is valid (possibly after sanitization) */
@@ -15429,7 +15422,9 @@ interface KeyValidationResult {
     issues?: string[];
 }
 /**
- * Validate an App ID and return detailed results
+ * Validate a legacy App ID (app_*) and return detailed results.
+ *
+ * @deprecated Use validatePublicKey() for new pk_* keys (ADR-021).
  *
  * @example
  * ```typescript
@@ -15444,8 +15439,9 @@ interface KeyValidationResult {
  */
 declare function validateAppId(key: string | undefined | null): KeyValidationResult;
 /**
- * Validate and sanitize App ID, logging warnings
+ * Validate and sanitize App ID, logging warnings.
  *
+ * @deprecated Use validateAndSanitizePublicKey() for new pk_* keys (ADR-021).
  * @throws Error if the key is invalid and cannot be sanitized
  * @returns The sanitized App ID
  */
@@ -15504,17 +15500,19 @@ declare function isProductionKey(key: string): boolean;
  */
 declare function getCookieNamespace(secretKey: string): string;
 /**
- * Detect the type of key (App ID or Secret Key)
+ * Detect the type of key.
  *
- * @returns 'appId', 'secret', or null if unknown
+ * @returns 'publicKey' (pk_*), 'appId' (legacy app_*), 'secret' (sk_*), or null if unknown
  */
 declare function detectKeyType(key: string): KeyType | null;
 /**
- * Check if a key is an App ID
+ * Check if a key is an App ID (legacy app_* format)
+ *
+ * @deprecated Use isPublishableKey() to also accept new pk_* keys
  */
 declare function isAppId(key: string): boolean;
 /**
- * Check if a key is a secret key
+ * Check if a key is a secret key (sk_*)
  */
 declare function isSecretKey(key: string): boolean;
 /**

package/dist/react/index.d.ts

@@ -694,14 +694,6 @@ interface TaskRunStatus {
     updatedAt: string;
 }
 
-/**
- * SDK Configuration
- *
- * Create a config object that can be passed to SDK functions.
- * This is the foundation for the function-based API.
- *
- * Uses appId or secretKey for authentication via x-app-secret header.
- */
 /**
  * SDK Configuration for Pure Functions
  *
@@ -725,27 +717,26 @@ interface TaskRunStatus {
  */
 interface SylphxConfig {
     /**
-     * Your app key — identifies the app and environment.
-     *
-     * Accepts either:
-     * - Secret key (sk_dev_, sk_stg_, sk_prod_) — full access, server-side only
-     * - Publishable key (app_dev_, app_stg_, app_prod_) — limited access, safe for client
-     *
-     * Get this from Platform Console → Apps → Your App → Environments
+     * Secret key (sk_*) — full access, server-side only.
+     * Embed project ref, env, and routing info (ADR-021).
+     * Get from Platform Console → Apps → Your App → Environments.
      */
     readonly secretKey?: string;
     /**
-     * Project ref — short 12-char lowercase alphanumeric string (e.g. "abc123def456").
-     *
+     * Publishable key (pk_*) — client-safe, read-only access.
+     * Embeds project ref, env, and routing info (ADR-021).
+     * Get from Platform Console → Apps → Your App → Environments.
+     */
+    readonly publicKey?: string;
+    /**
+     * Project ref — 12-char lowercase alphanumeric string.
+     * Extracted from the key automatically (ADR-021).
      * The SDK targets: https://{ref}.api.sylphx.com/v1
-     *
-     * Get this from Platform Console → Projects → Your Project → Overview.
      */
     readonly ref: string;
     /**
      * Pre-computed base URL: https://{ref}.api.sylphx.com/v1
-     *
-     * Used by buildApiUrl and callApi internally.
+     * Derived from the embedded ref in the key.
      */
     readonly baseUrl: string;
     /** Optional: Current access token for authenticated requests */
@@ -15399,18 +15390,20 @@ declare function sanitizeUrl$1(url: string): string | null;
  * 4. No silent fixes - Transparency over convenience (but warn + continue)
  * 5. Single Source of Truth - All key logic in one place
  *
- * Key Formats (OAuth 2.0 Standard):
- * - App ID: app_(dev|stg|prod)_[identifier] — Public identifier (like OAuth client_id)
- * - Secret Key: sk_(dev|stg|prod)_[identifier] — Server-side only (like OAuth client_secret)
+ * Key Formats (ADR-021):
+ * - Publishable key: pk_(dev|stg|prod)_{ref}_{32hex} — client-safe (new)
+ * - Secret Key:      sk_(dev|stg|prod)_{ref}_{64hex} — server-side only
  *
- * Identifier Types:
- * - Customer apps: 32 hex chars
- * - Platform apps: platform_{app-slug} (e.g., platform_sylphx-console)
+ * Legacy Key Formats (backward-compat):
+ * - App ID (old):    app_(dev|stg|prod)_[identifier] — Public identifier
+ *
+ * Special Internal Formats (NOT rotated):
+ * - Console bootstrap: app_prod_platform_{slug} / sk_prod_platform_{slug}
  */
 /** Environment type derived from key prefix */
 type EnvironmentType = 'development' | 'staging' | 'production';
-/** Key type - appId (public) or secret (server) */
-type KeyType = 'appId' | 'secret';
+/** Key type - publicKey (pk_*), appId (legacy app_*), or secret (sk_*) */
+type KeyType = 'publicKey' | 'appId' | 'secret';
 /** Validation result with clear error information */
 interface KeyValidationResult {
     /** Whether the key is valid (possibly after sanitization) */
@@ -15429,7 +15422,9 @@ interface KeyValidationResult {
     issues?: string[];
 }
 /**
- * Validate an App ID and return detailed results
+ * Validate a legacy App ID (app_*) and return detailed results.
+ *
+ * @deprecated Use validatePublicKey() for new pk_* keys (ADR-021).
  *
  * @example
  * ```typescript
@@ -15444,8 +15439,9 @@ interface KeyValidationResult {
  */
 declare function validateAppId(key: string | undefined | null): KeyValidationResult;
 /**
- * Validate and sanitize App ID, logging warnings
+ * Validate and sanitize App ID, logging warnings.
  *
+ * @deprecated Use validateAndSanitizePublicKey() for new pk_* keys (ADR-021).
  * @throws Error if the key is invalid and cannot be sanitized
  * @returns The sanitized App ID
  */
@@ -15504,17 +15500,19 @@ declare function isProductionKey(key: string): boolean;
  */
 declare function getCookieNamespace(secretKey: string): string;
 /**
- * Detect the type of key (App ID or Secret Key)
+ * Detect the type of key.
  *
- * @returns 'appId', 'secret', or null if unknown
+ * @returns 'publicKey' (pk_*), 'appId' (legacy app_*), 'secret' (sk_*), or null if unknown
  */
 declare function detectKeyType(key: string): KeyType | null;
 /**
- * Check if a key is an App ID
+ * Check if a key is an App ID (legacy app_* format)
+ *
+ * @deprecated Use isPublishableKey() to also accept new pk_* keys
  */
 declare function isAppId(key: string): boolean;
 /**
- * Check if a key is a secret key
+ * Check if a key is a secret key (sk_*)
  */
 declare function isSecretKey(key: string): boolean;
 /**

package/dist/react/index.js

@@ -43292,6 +43292,7 @@ var PlatformContext = (0, import_react72.createContext)(null);
 init_constants();
 
 // src/key-validation.ts
+var PUBLIC_KEY_PATTERN = /^pk_(dev|stg|prod)_[a-z0-9]{12}_[a-f0-9]{32}$/;
 var APP_ID_PATTERN = /^app_(dev|stg|prod)_[a-z0-9_-]+$/;
 var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod)_[a-z0-9_-]+$/;
 var ENV_PREFIX_MAP = {
@@ -43382,6 +43383,9 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
     issues: [...issues, "invalid-format"]
   };
 }
+function validatePublicKey(key) {
+  return validateKeyForType(key, "publicKey", PUBLIC_KEY_PATTERN, "NEXT_PUBLIC_SYLPHX_KEY");
+}
 function validateAppId(key) {
   return validateKeyForType(key, "appId", APP_ID_PATTERN, "NEXT_PUBLIC_SYLPHX_APP_ID");
 }
@@ -43410,22 +43414,23 @@ function validateAndSanitizeSecretKey(key) {
 }
 function detectEnvironment(key) {
   const sanitized = key.trim().toLowerCase();
+  if (sanitized.startsWith("pk_")) {
+    const result = validatePublicKey(sanitized);
+    if (!result.valid) throw new Error(result.error);
+    return result.environment;
+  }
   if (sanitized.startsWith("sk_")) {
     const result = validateSecretKey(sanitized);
-    if (!result.valid) {
-      throw new Error(result.error);
-    }
+    if (!result.valid) throw new Error(result.error);
     return result.environment;
   }
   if (sanitized.startsWith("app_")) {
     const result = validateAppId(sanitized);
-    if (!result.valid) {
-      throw new Error(result.error);
-    }
+    if (!result.valid) throw new Error(result.error);
     return result.environment;
   }
   throw new Error(
-    `[Sylphx] Invalid key format. Key must start with 'sk_' (secret) or 'app_' (App ID).`
+    `[Sylphx] Invalid key format. Key must start with 'pk_' (publishable), 'sk_' (secret), or 'app_' (legacy App ID).`
   );
 }
 function isDevelopmentKey(key) {
@@ -43441,6 +43446,7 @@ function getCookieNamespace(secretKey) {
 }
 function detectKeyType(key) {
   const sanitized = key.trim().toLowerCase();
+  if (sanitized.startsWith("pk_")) return "publicKey";
   if (sanitized.startsWith("app_")) return "appId";
   if (sanitized.startsWith("sk_")) return "secret";
   return null;
@@ -43453,6 +43459,9 @@ function isSecretKey(key) {
 }
 function validateKey(key) {
   const keyType = key ? detectKeyType(key) : null;
+  if (keyType === "publicKey") {
+    return validatePublicKey(key);
+  }
   if (keyType === "appId") {
     return validateAppId(key);
   }
@@ -43462,7 +43471,7 @@ function validateKey(key) {
   return {
     valid: false,
     sanitizedKey: "",
-    error: key ? `Invalid key format. Keys must start with 'app_' (App ID) or 'sk_' (Secret Key), followed by environment (dev/stg/prod) and identifier. Got: ${key.slice(0, 20)}...` : "API key is required but was not provided.",
+    error: key ? `Invalid key format. Keys must start with 'pk_' (publishable), 'app_' (legacy), or 'sk_' (secret), followed by environment (dev/stg/prod). Got: ${key.slice(0, 20)}...` : "API key is required but was not provided.",
     issues: key ? ["invalid_format"] : ["missing"]
   };
 }
@@ -43487,6 +43496,57 @@ function isDevelopmentRuntime() {
 }
 
 // src/config.ts
+function parseKey(key) {
+  const sanitized = key.trim().toLowerCase();
+  if (sanitized.startsWith("app_")) {
+    throw new SylphxError(
+      "[Sylphx] API key format has changed (ADR-021). Keys now embed the project ref.\n\nOld format: app_prod_xxx\nNew format: pk_prod_{ref}_xxx\n\nPlease regenerate your API keys from the Sylphx Console \u2192 Your App \u2192 Environments.\nOr contact support@sylphx.com for assistance.",
+      { code: "BAD_REQUEST" }
+    );
+  }
+  const prefix = sanitized.startsWith("pk_") ? "pk" : sanitized.startsWith("sk_") ? "sk" : null;
+  if (!prefix) {
+    throw new SylphxError(
+      `[Sylphx] Invalid key format. Keys must start with 'pk_' (publishable) or 'sk_' (secret). Got: "${sanitized.slice(0, 15)}..."`,
+      { code: "BAD_REQUEST" }
+    );
+  }
+  const parts = sanitized.split("_");
+  if (parts.length !== 4) {
+    throw new SylphxError(
+      `[Sylphx] Invalid key structure. Expected format: ${prefix}_{env}_{ref}_{token} (4 segments separated by '_'). Got ${parts.length} segment(s).`,
+      { code: "BAD_REQUEST" }
+    );
+  }
+  const [, env, ref, token] = parts;
+  if (env !== "prod" && env !== "dev" && env !== "stg") {
+    throw new SylphxError(
+      `[Sylphx] Invalid key environment "${env}". Must be 'prod', 'dev', or 'stg'.`,
+      { code: "BAD_REQUEST" }
+    );
+  }
+  if (!/^[a-z0-9]{12}$/.test(ref)) {
+    throw new SylphxError(
+      `[Sylphx] Invalid project ref in key: "${ref}". Must be a 12-character lowercase alphanumeric string.`,
+      { code: "BAD_REQUEST" }
+    );
+  }
+  const expectedTokenLen = prefix === "pk" ? 32 : 64;
+  if (token.length !== expectedTokenLen || !/^[a-f0-9]+$/.test(token)) {
+    throw new SylphxError(
+      `[Sylphx] Invalid key token. ${prefix === "pk" ? "Publishable" : "Secret"} keys must have a ${expectedTokenLen}-char hex token.`,
+      { code: "BAD_REQUEST" }
+    );
+  }
+  return {
+    type: prefix,
+    env,
+    ref,
+    token,
+    isPublic: prefix === "pk",
+    baseUrl: `https://${ref}.${DEFAULT_SDK_API_HOST}${SDK_API_PATH}`
+  };
+}
 function httpStatusToErrorCode(status) {
   switch (status) {
     case 400:
@@ -43521,31 +43581,58 @@ function httpStatusToErrorCode(status) {
 }
 var REF_PATTERN = /^[a-z0-9]{12}$/;
 function createConfig(input) {
+  const keyForParsing = input.secretKey || input.publicKey;
+  if (!keyForParsing) {
+    if (input.ref) {
+      const trimmedRef = input.ref.trim();
+      if (!REF_PATTERN.test(trimmedRef)) {
+        throw new SylphxError(
+          `[Sylphx] Invalid project ref format: "${input.ref}". Expected a 12-character lowercase alphanumeric string (e.g. "abc123def456"). Get your ref from Platform Console \u2192 Projects \u2192 Your Project \u2192 Overview.`,
+          { code: "BAD_REQUEST" }
+        );
+      }
+      const baseUrl2 = `https://${trimmedRef}.${DEFAULT_SDK_API_HOST}${SDK_API_PATH}`;
+      console.warn(
+        "[Sylphx] Providing only ref without a key is deprecated. Provide secretKey or publicKey \u2014 the ref is now embedded in keys (ADR-021)."
+      );
+      return Object.freeze({ ref: trimmedRef, baseUrl: baseUrl2, accessToken: input.accessToken });
+    }
+    throw new SylphxError(
+      "[Sylphx] Either publicKey or secretKey must be provided to createConfig().",
+      { code: "BAD_REQUEST" }
+    );
+  }
+  const parsed = parseKey(keyForParsing);
+  const ref = parsed.ref;
+  const baseUrl = parsed.baseUrl;
   let secretKey;
   if (input.secretKey) {
     const result = validateKey(input.secretKey);
     if (!result.valid) {
-      throw new SylphxError(result.error || "Invalid API key", {
+      throw new SylphxError(result.error || "Invalid secret key", {
         code: "BAD_REQUEST",
         data: { issues: result.issues }
       });
     }
-    if (result.warning) {
-      console.warn(`[Sylphx] ${result.warning}`);
-    }
+    if (result.warning) console.warn(`[Sylphx] ${result.warning}`);
     secretKey = result.sanitizedKey;
   }
-  const trimmedRef = input.ref.trim();
-  if (!REF_PATTERN.test(trimmedRef)) {
-    throw new SylphxError(
-      `[Sylphx] Invalid project ref format: "${input.ref}". Expected a 12-character lowercase alphanumeric string (e.g. "abc123def456"). Get your ref from Platform Console \u2192 Projects \u2192 Your Project \u2192 Overview.`,
-      { code: "BAD_REQUEST" }
-    );
+  let publicKey;
+  if (input.publicKey) {
+    const result = validateKey(input.publicKey);
+    if (!result.valid) {
+      throw new SylphxError(result.error || "Invalid public key", {
+        code: "BAD_REQUEST",
+        data: { issues: result.issues }
+      });
+    }
+    if (result.warning) console.warn(`[Sylphx] ${result.warning}`);
+    publicKey = result.sanitizedKey;
   }
-  const baseUrl = `https://${trimmedRef}.${DEFAULT_SDK_API_HOST}${SDK_API_PATH}`;
   return Object.freeze({
     secretKey,
-    ref: trimmedRef,
+    publicKey,
+    ref,
     baseUrl,
     accessToken: input.accessToken
   });
@@ -43556,6 +43643,8 @@ function buildHeaders(config2) {
   };
   if (config2.secretKey) {
     headers["x-app-secret"] = config2.secretKey;
+  } else if (config2.publicKey) {
+    headers["x-app-secret"] = config2.publicKey;
   }
   if (config2.accessToken) {
     headers.Authorization = `Bearer ${config2.accessToken}`;