@synonymdev/pubky 0.6.0-rc.2 → 0.6.0-rc.7

package/README.md

@@ -17,7 +17,7 @@ Module system + TS types: ESM and CommonJS both supported; TypeScript typings ge
 ## Getting Started
 
 ```js
-import { Pubky, PublicKey, Keypair } from "@synonymdev/pubky";
+import { Pubky, PublicKey, Keypair, AuthFlowKind } from "@synonymdev/pubky";
 
 // Initiate a Pubky SDK facade wired for default mainnet Pkarr relays.
 const pubky = new Pubky(); // or: const pubky = Pubky.testnet(); for localhost testnet.
@@ -35,22 +35,31 @@ const session = await signer.signup(homeserver, signupToken);
 
 // 3) Write a public JSON file (session-scoped storage uses cookies automatically)
 const path = "/pub/example.com/hello.json";
-await session.storage().putJson(path, { hello: "world" });
+await session.storage.putJson(path, { hello: "world" });
 
 // 4) Read it publicly (no auth needed)
-const userPk = session.info().publicKey();
-const addr = `${userPk.z32()}/pub/example.com/hello.json`;
-const json = await pubky.publicStorage().getJson(addr); // -> { hello: "world" }
+const userPk = session.info.publicKey.z32();
+const addr = `pubky${userPk}/pub/example.com/hello.json`;
+const json = await pubky.publicStorage.getJson(addr); // -> { hello: "world" }
+
+// 5) Authenticate on a 3rd-party app
+const authFlow = pubky.startAuthFlow("/pub/my-cool-app/:rw", AuthFlowKind::signin()); // require permissions to read and write into `my.app`
+renderQr(authFlow.authorizationUrl); // show to user
+const session = await authFlow.awaitApproval();
 ```
 
 Find here [**ready-to-run examples**](https://github.com/pubky/pubky-core/tree/main/examples).
 
+### Initialization & events
+
+The npm package bundles the WebAssembly module and **initializes it before exposing any APIs**. This avoids the common wasm-pack pitfall where events fire before the module finishes instantiating. Long-polling flows such as `authFlow.awaitApproval()` or `authFlow.tryPollOnce()` only start their relay calls after the underlying module is ready, so you won't miss approvals while the bundle is loading.
+
 ## API Overview
 
 Use `new Pubky()` to quickly get any flow started:
 
 ```js
-import { Pubky, Keypair } from "@synonymdev/pubky";
+import { Pubky, Keypair, AuthFlowKind } from "@synonymdev/pubky";
 
 // Mainnet (default relays)
 const pubky = new Pubky();
@@ -62,25 +71,29 @@ const pubkyLocal = Pubky.testnet("localhost");
 // Signer (bind your keypair to a new Signer actor)
 const signer = pubky.signer(Keypair.random());
 
+// Pubky Auth flow (with capabilities)
+const authFlow = pubky.startAuthFlow("/pub/my-cool-app/:rw", AuthFlowKind::signin());
+
 // Public storage (read-only)
-const publicStorage = pubky.publicStorage();
+const publicStorage = pubky.publicStorage;
 
-// PKDNS resolver (read-only)
-const pkdns = pubky.pkdns();
+// Pkdns resolver
+const pkdns = pubky.getHomeserverOf(publicKey);
 
 // Optional: raw HTTP client for advanced use
-const client = pubky.client();
+const client = pubky.client;
 ```
 
 ### Client (HTTP bridge)
 
 ```js
-import { Client } from "@synonymdev/pubky";
+import { Client, resolvePubky } from "@synonymdev/pubky";
 
-const client = new Client(); // or: pubky.client(); instead of constructing a client manually
+const client = new Client(); // or: pubky.client.fetch(); instead of constructing a client manually
 
-// Works with both pubky:// and http(s)://
-const res = await client.fetch("pubky://<pubky>/pub/example.com/file.txt");
+// Convert the identifier into a transport URL before fetching.
+const url = resolvePubky("pubky<pubky>/pub/example.com/file.txt");
+const res = await client.fetch(url);
 ```
 
 ---
@@ -91,7 +104,7 @@ const res = await client.fetch("pubky://<pubky>/pub/example.com/file.txt");
 import { Keypair, PublicKey } from "@synonymdev/pubky";
 
 const keypair = Keypair.random();
-const pubkey = keypair.publicKey();
+const pubkey = keypair.publicKey;
 
 // z-base-32 roundtrip
 const parsed = PublicKey.from(pubkey.z32());
@@ -138,13 +151,26 @@ await session.signout(); // invalidates server session
 **Session details**
 
 ```js
-const info = session.info();
-const userPk = info.publicKey(); // -> PublicKey
-const caps = info.capabilities(); // -> string[]
+const userPk = session.info.publicKey.z32(); // -> PublicKey as z32 string
+const caps = session.info.capabilities; // -> string[] permissions and paths
+
+const storage = session.storage; // -> This User's storage API (absolute paths)
+```
+
+**Persist a session across tab refreshes (browser)**
+
+```js
+// Save the session snapshot (no secrets inside; relies on the HTTP-only cookie).
+const snapshot = session.export();
+localStorage.setItem("pubky-session", snapshot);
 
-const storage = session.storage(); // -> SessionStorage (absolute paths)
+// Later (after a reload), rehydrate using the browser's stored cookie.
+const restored = await pubky.restoreSession(localStorage.getItem("pubky-session")!);
 ```
 
+> The exported string contains only public session metadata. The browser must keep the
+> HTTP-only cookie alive for the restored session to remain authenticated.
+
 **Approve a pubkyauth request URL**
 
 ```js
@@ -158,24 +184,57 @@ await signer.approveAuthRequest("pubkyauth:///?caps=...&secret=...&relay=...");
 End-to-end auth (3rd-party app asks a user to approve via QR/deeplink, E.g. Pubky Ring).
 
 ```js
-import { Pubky } from "@synonymdev/pubky";
+import { Pubky, AuthFlowKind } from "@synonymdev/pubky";
 const pubky = new Pubky();
 
 // Comma-separated capabilities string
-const caps = "/pub/my.app/:rw,/pub/another.app/folder/:w";
+const caps = "/pub/my-cool-app/:rw,/pub/another-app/folder/:w";
 
 // Optional relay; defaults to Synonym-hosted relay if omitted
 const relay = "https://httprelay.pubky.app/link/"; // optional (defaults to this)
 
 // Start the auth polling
-const flow = pubky.startAuthFlow(caps, relay);
+const flow = pubky.startAuthFlow(caps, AuthFlowKind::signin(), relay);
 
-renderQr(flow.authorizationUrl()); // show to user
+renderQr(flow.authorizationUrl); // show to user
 
 // Blocks until the signer approves; returns a ready Session
 const session = await flow.awaitApproval();
 ```
 
+#### Validate and normalize capabilities
+
+If you accept capability strings from user input (forms, CLI arguments, etc.),
+use `validateCapabilities` before calling `startAuthFlow`. The helper returns a
+normalized string (ordering actions like `:rw`) and throws a structured error
+when the input is malformed.
+
+```js
+import { Pubky, validateCapabilities, AuthFlowKind } from "@synonymdev/pubky";
+
+const pubky = new Pubky();
+
+const rawCaps = formData.get("caps");
+
+try {
+  const caps = validateCapabilities(rawCaps ?? "");
+  const flow = pubky.startAuthFlow(caps, AuthFlowKind::signin());
+  renderQr(flow.authorizationUrl);
+  const session = await flow.awaitApproval();
+  // ...
+} catch (error) {
+  if (error.name === "InvalidInput") {
+    surfaceValidationError(error.message);
+    return;
+  }
+  throw error;
+}
+```
+
+On invalid input, `validateCapabilities` throws a `PubkyError` with
+`{ name: "InvalidInput", message: "Invalid capability entries: …" }`, so you can
+surface precise feedback to the user.
+
 #### Http Relay & reliability
 
 - If you don’t specify a relay, `PubkyAuthFlow` defaults to a Synonym-hosted relay. If that relay is down, logins won’t complete.
@@ -189,26 +248,37 @@ const session = await flow.awaitApproval();
 #### PublicStorage (read-only)
 
 ```js
-const pub = pubky.publicStorage();
+const pub = pubky.publicStorage;
 
 // Reads
-await pub.getJson(`${userPk.z32()}/pub/example.com/data.json`);
-await pub.getText(`${userPk.z32()}/pub/example.com/readme.txt`);
-await pub.getBytes(`${userPk.z32()}/pub/example.com/icon.png`); // Uint8Array
+const response = await pub.get(
+  `pubky${userPk.z32()}/pub/example.com/data.json`
+); // -> Response (stream it)
+await pub.getJson(`pubky${userPk.z32()}/pub/example.com/data.json`);
+await pub.getText(`pubky${userPk.z32()}/pub/example.com/readme.txt`);
+await pub.getBytes(`pubky${userPk.z32()}/pub/example.com/icon.png`); // Uint8Array
 
 // Metadata
-await pub.exists(`${userPk.z32()}/pub/example.com/foo`); // boolean
-await pub.stats(`${userPk.z32()}/pub/example.com/foo`); // { content_length, content_type, etag, last_modified } | null
+await pub.exists(`pubky${userPk.z32()}/pub/example.com/foo`); // boolean
+await pub.stats(`pubky${userPk.z32()}/pub/example.com/foo`); // { content_length, content_type, etag, last_modified } | null
 
 // List directory (addressed path "<pubky>/pub/.../") must include trailing `/`.
 // list(addr, cursor=null|suffix|fullUrl, reverse=false, limit?, shallow=false)
-await pub.list(`${userPk.z32()}/pub/example.com/`, null, false, 100, false);
+await pub.list(
+  `pubky${userPk.z32()}/pub/example.com/`,
+  null,
+  false,
+  100,
+  false
+);
 ```
 
+Use `get()` when you need the raw `Response` for streaming or custom parsing.
+
 #### SessionStorage (read/write; uses cookies)
 
 ```js
-const s = session.storage();
+const s = session.storage;
 
 // Writes
 await s.putJson("/pub/example.com/data.json", { ok: true });
@@ -216,6 +286,7 @@ await s.putText("/pub/example.com/note.txt", "hello");
 await s.putBytes("/pub/example.com/img.bin", new Uint8Array([1, 2, 3]));
 
 // Reads
+const response = await s.get("/pub/example.com/data.json"); // -> Response (stream it)
 await s.getJson("/pub/example.com/data.json");
 await s.getText("/pub/example.com/note.txt");
 await s.getBytes("/pub/example.com/img.bin");
@@ -231,12 +302,14 @@ await s.list("/pub/example.com/", null, false, 100, false);
 await s.delete("/pub/example.com/data.json");
 ```
 
+`get()` exposes the underlying `Response`, which is handy for streaming bodies or inspecting headers before consuming content.
+
 Path rules:
 
 - Session storage uses **absolute** paths like `"/pub/app/file.txt"`.
-- Public storage uses **addressed** form `<user>/pub/app/file.txt` (or `pubky://<user>/...`).
+- Public storage uses **addressed** form `pubky<user>/pub/app/file.txt` (preferred) or `pubky://<user>/...`.
 
-**Convention:** put your app’s public data under a domain-like folder in `/pub`, e.g. `/pub/mycoolnew.app/`.
+**Convention:** put your app’s public data under a domain-like folder in `/pub`, e.g. `/pub/my-new-app/`.
 
 ---
 
@@ -250,26 +323,60 @@ import { Pubky, PublicKey, Keypair } from "@synonymdev/pubky";
 const pubky = new Pubky();
 
 // Read-only resolver
-const resolver = pubky.pkdns();
-const homeserver = await resolver.getHomeserverOf(PublicKey.from("<user-z32>")); // string | undefined
+const homeserver = await pubky.getHomeserverOf(PublicKey.from("<user-z32>")); // string | undefined
 
 // With keys (signer-bound)
 const signer = pubky.signer(Keypair.random());
 
 // Republish if missing or stale (reuses current host unless overridden)
-await signer.pkdns().publishHomeserverIfStale();
+await signer.pkdns.publishHomeserverIfStale();
 // Or force an override now:
-await signer.pkdns().publishHomeserverForce(/* optional override homeserver*/);
+await signer.pkdns.publishHomeserverForce(/* optional override homeserver*/);
+// Resolve your own homeserver:
+await signer.pkdns.getHomeserver();
+```
+
+## Logging
+
+The SDK ships with a WASM logger that bridges Rust `log` output into the browser or Node console. Call `setLogLevel` **once at application start**, before constructing `Pubky` or other SDK actors, to choose how verbose the logs should be.
+
+```js
+import { setLogLevel } from "@synonymdev/pubky";
+
+setLogLevel("debug"); // "error" | "warn" | "info" | "debug" | "trace"
+```
+
+If the logger is already initialized, calling `setLogLevel` again will throw. Pick the most verbose level (`"debug"` or `"trace"`) while developing to see pkarr resolution, network requests and storage operations in the console.
+
+#### Resolve `pubky` identifiers into transport URLs
+
+Use `resolvePubky()` when you need to feed an addressed resource into a raw HTTP client:
+
+```js
+import { resolvePubky } from "@synonymdev/pubky";
+
+const identifier =
+  "pubkyoperrr8wsbpr3ue9d4qj41ge1kcc6r7fdiy6o3ugjrrhi4y77rdo/pub/pubky.app/posts/0033X02JAN0SG";
+const url = resolvePubky(identifier);
+// -> "https://_pubky.operrr8wsbpr3ue9d4qj41ge1kcc6r7fdiy6o3ugjrrhi4y77rdo/pub/pubky.app/posts/0033X02JAN0SG"
 ```
 
+Both `pubky<pk>/…` (preferred) and `pubky://<pk>/…` resolve to the same HTTPS endpoint.
+
+---
+
+## WASM memory (`free()` helpers)
+
+`wasm-bindgen` generates `free()` methods on exported classes (for example `Pubky`, `AuthFlow` `PublicKey`). JavaScript's GC eventually releases the underlying Rust structs on its own, but calling `free()` lets you drop them **immediately** if you are creating many short-lived instances (e.g. in a long-running worker). It is safe to skip manual frees in typical browser or Node apps.
+
 ---
 
 ## Errors
 
-All async methods throw a structured `PubkyJsError`:
+All async methods throw a structured `PubkyError`:
 
 ```ts
-type PubkyJsError = {
+interface PubkyError extends Error {
   name:
     | "RequestError" // network/server/validation/JSON
     | "InvalidInput"
@@ -277,8 +384,8 @@ type PubkyJsError = {
     | "PkarrError"
     | "InternalError";
   message: string;
-  statusCode?: number; // present for HTTP server errors (4xx/5xx)
-};
+  data?: unknown; // structured context when available (e.g. { statusCode: number })
+}
 ```
 
 Example:
@@ -287,28 +394,43 @@ Example:
 try {
   await publicStorage.getJson(`${pk}/pub/example.com/missing.json`);
 } catch (e) {
-  if (e.name === "RequestError" && e.statusCode === 404) {
+  const error = e as PubkyError;
+  if (
+    error.name === "RequestError" &&
+    typeof error.data === "object" &&
+    error.data !== null &&
+    "statusCode" in error.data &&
+    typeof (error.data as { statusCode?: number }).statusCode === "number" &&
+    (error.data as { statusCode?: number }).statusCode === 404
+  ) {
     // handle not found
   }
 }
 ```
 
+## Browser environment notes
+
+- Keep the Pubky client UI and the homeserver on the **same origin family** (both local or both remote). Browsers partition cookies by scheme/host, and cross-site requests (e.g., http://localhost calling https://staging…​) can silently drop or cache `SameSite`/`Secure` session cookies.
+- If you must mix environments, use a reverse proxy so the browser always talks to one consistent origin (or disable caching via devtools and clear cookies between switches).
+- When troubleshooting auth/session caching: open a fresh incognito window, clear site data for the target origin, and verify the request includes credentials.
+
 ---
 
 ## Local Test & Development
 
 For test and development, you can run a local homeserver in a test network.
 
-1. Install Rust (for wasm builds):
+1. Install Rust (for wasm and testnet builds):
 
 ```bash
 curl https://sh.rustup.rs -sSf | sh
 ```
 
-2. Run the local testnet:
+2. Install and run the local testnet:
 
 ```bash
-npm run testnet
+cargo install pubky-testnet
+pubky-testnet
 ```
 
 3. Point the SDK at testnet: