@tenxyte/core 0.9.0 → 0.9.3

package/src/client.ts

@@ -1,50 +0,0 @@
-import { TenxyteHttpClient, HttpClientOptions } from './http/client';
-import { AuthModule } from './modules/auth';
-import { SecurityModule } from './modules/security';
-import { RbacModule } from './modules/rbac';
-import { UserModule } from './modules/user';
-import { B2bModule } from './modules/b2b';
-import { AiModule } from './modules/ai';
-
-/**
- * The primary entry point for the Tenxyte SDK.
- * Groups together logic for authentication, security, organization switching, and AI control.
- */
-export class TenxyteClient {
-    /** The core HTTP wrapper handling network interception and parsing */
-    public http: TenxyteHttpClient;
-    /** Authentication module (Login, Signup, Magic link, session handling) */
-    public auth: AuthModule;
-    /** Security module (2FA, WebAuthn, Passwords, OTPs) */
-    public security: SecurityModule;
-    /** Role-Based Access Control and permission checking module */
-    public rbac: RbacModule;
-    /** Connected user's profile and management module */
-    public user: UserModule;
-    /** Business-to-Business organizations module (multi-tenant environments) */
-    public b2b: B2bModule;
-    /** AIRS - AI Responsibility & Security module (Agent tokens, Circuit breakers, HITL) */
-    public ai: AiModule;
-
-    /**
-     * Initializes the SDK with connection details for your Tenxyte-powered API.
-     * @param options Configuration options including `baseUrl` and custom headers like `X-Access-Key`
-     * 
-     * @example
-     * ```typescript
-     * const tx = new TenxyteClient({ 
-     *     baseUrl: 'https://api.my-service.com',
-     *     headers: { 'X-Access-Key': 'pkg_abc123' }
-     * });
-     * ```
-     */
-    constructor(options: HttpClientOptions) {
-        this.http = new TenxyteHttpClient(options);
-        this.auth = new AuthModule(this.http);
-        this.security = new SecurityModule(this.http);
-        this.rbac = new RbacModule(this.http);
-        this.user = new UserModule(this.http);
-        this.b2b = new B2bModule(this.http);
-        this.ai = new AiModule(this.http);
-    }
-}

package/src/http/client.ts

@@ -1,162 +0,0 @@
-import type { TenxyteError } from '../types';
-
-export interface HttpClientOptions {
-    baseUrl: string;
-    timeoutMs?: number;
-    headers?: Record<string, string>;
-}
-
-export type RequestConfig = Omit<RequestInit, 'body' | 'headers'> & {
-    body?: unknown;
-    headers?: Record<string, string>;
-    params?: Record<string, string | number | boolean>;
-};
-
-/**
- * Core HTTP Client underlying the SDK.
- * Handles JSON parsing, standard headers, simple request processing,
- * and normalizing errors into TenxyteError format.
- */
-export class TenxyteHttpClient {
-    private baseUrl: string;
-    private defaultHeaders: Record<string, string>;
-
-    // Interceptors
-    private requestInterceptors: Array<(config: RequestConfig & { url: string }) => Promise<RequestConfig & { url: string }> | (RequestConfig & { url: string })> = [];
-    private responseInterceptors: Array<(response: Response, request: { url: string; config: RequestConfig }) => Promise<Response> | Response> = [];
-
-    constructor(options: HttpClientOptions) {
-        this.baseUrl = options.baseUrl.replace(/\/$/, ''); // Remove trailing slash
-        this.defaultHeaders = {
-            'Content-Type': 'application/json',
-            Accept: 'application/json',
-            ...options.headers,
-        };
-    }
-
-    // Interceptor Registration
-    addRequestInterceptor(interceptor: typeof this.requestInterceptors[0]) {
-        this.requestInterceptors.push(interceptor);
-    }
-
-    addResponseInterceptor(interceptor: typeof this.responseInterceptors[0]) {
-        this.responseInterceptors.push(interceptor);
-    }
-
-    /**
-     * Main request method wrapping fetch
-     */
-    async request<T>(endpoint: string, config: RequestConfig = {}): Promise<T> {
-        const urlStr = endpoint.startsWith('http')
-            ? endpoint
-            : `${this.baseUrl}${endpoint.startsWith('/') ? '' : '/'}${endpoint}`;
-
-        let urlObj = new URL(urlStr);
-
-        if (config.params) {
-            Object.entries(config.params).forEach(([key, value]) => {
-                if (value !== undefined && value !== null) {
-                    urlObj.searchParams.append(key, String(value));
-                }
-            });
-        }
-
-        let requestContext: any = {
-            url: urlObj.toString(),
-            ...config,
-            headers: { ...this.defaultHeaders, ...(config.headers || {}) } as Record<string, string>,
-        };
-
-        // Handle FormData implicitly for multipart requests
-        if (typeof FormData !== 'undefined' && requestContext.body instanceof FormData) {
-            const headers = requestContext.headers as Record<string, string>;
-            // Explicitly remove Content-Type so fetch can auto-assign the multipart boundary
-            delete headers['Content-Type'];
-            delete headers['content-type'];
-        } else if (requestContext.body && typeof requestContext.body === 'object') {
-            const contentType = (requestContext.headers as Record<string, string>)['Content-Type'] || '';
-            if (contentType.toLowerCase().includes('application/json')) {
-                requestContext.body = JSON.stringify(requestContext.body);
-            }
-        }
-
-        // Run Request Interceptors
-        for (const interceptor of this.requestInterceptors) {
-            requestContext = await interceptor(requestContext);
-        }
-
-        const { url, ...fetchConfig } = requestContext as any;
-
-        try {
-            let response = await fetch(url, fetchConfig as RequestInit);
-
-            // Run Response Interceptors (e.g., token refresh logic)
-            for (const interceptor of this.responseInterceptors) {
-                response = await interceptor(response, { url, config: fetchConfig as RequestConfig });
-            }
-
-            if (!response.ok) {
-                throw await this.normalizeError(response);
-            }
-
-            // Handle NoContent
-            if (response.status === 204) {
-                return {} as T;
-            }
-
-            const contentType = response.headers.get('content-type');
-            if (contentType && contentType.includes('application/json')) {
-                return (await response.json()) as T;
-            }
-
-            return (await response.text()) as unknown as T;
-        } catch (error: any) {
-            if (error && error.code) {
-                throw error; // Already normalized
-            }
-            throw {
-                error: error.message || 'Network request failed',
-                code: 'NETWORK_ERROR' as unknown as import('../types').TenxyteErrorCode,
-                details: String(error)
-            } as TenxyteError;
-        }
-    }
-
-    private async normalizeError(response: Response): Promise<TenxyteError> {
-        try {
-            const body = await response.json();
-            return {
-                error: body.error || body.detail || 'API request failed',
-                code: body.code || `HTTP_${response.status}`,
-                details: body.details || body,
-                retry_after: response.headers.has('Retry-After') ? parseInt(response.headers.get('Retry-After')!, 10) : undefined,
-            } as TenxyteError;
-        } catch (e) {
-            return {
-                error: `HTTP Error ${response.status}: ${response.statusText}`,
-                code: `HTTP_${response.status}` as unknown as import('../types').TenxyteErrorCode,
-            } as TenxyteError;
-        }
-    }
-
-    // Convenience methods
-    get<T>(endpoint: string, config?: Omit<RequestConfig, 'method' | 'body'>) {
-        return this.request<T>(endpoint, { ...config, method: 'GET' });
-    }
-
-    post<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>) {
-        return this.request<T>(endpoint, { ...config, method: 'POST', body: data });
-    }
-
-    put<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>) {
-        return this.request<T>(endpoint, { ...config, method: 'PUT', body: data });
-    }
-
-    patch<T>(endpoint: string, data?: unknown, config?: Omit<RequestConfig, 'method' | 'body'>) {
-        return this.request<T>(endpoint, { ...config, method: 'PATCH', body: data });
-    }
-
-    delete<T>(endpoint: string, config?: Omit<RequestConfig, 'method' | 'body'>) {
-        return this.request<T>(endpoint, { ...config, method: 'DELETE' });
-    }
-}

package/src/http/index.ts

@@ -1 +0,0 @@
-export * from './client';

package/src/http/interceptors.ts

@@ -1,117 +0,0 @@
-import type { TenxyteStorage } from '../storage';
-import type { RequestConfig, TenxyteHttpClient } from './client';
-
-export interface TenxyteContext {
-    activeOrgSlug: string | null;
-    agentTraceId: string | null;
-}
-
-export function createAuthInterceptor(storage: TenxyteStorage, context: TenxyteContext) {
-    return async (request: RequestConfig & { url: string }) => {
-        // Inject Authorization if present
-        const token = await storage.getItem('tx_access');
-        const headers = { ...(request.headers as Record<string, string>) || {} };
-
-        if (token && !headers['Authorization']) {
-            headers['Authorization'] = `Bearer ${token}`;
-        }
-
-        // Inject Contextual Headers based on SDK state
-        if (context.activeOrgSlug && !headers['X-Org-Slug']) {
-            headers['X-Org-Slug'] = context.activeOrgSlug;
-        }
-
-        if (context.agentTraceId && !headers['X-Prompt-Trace-ID']) {
-            headers['X-Prompt-Trace-ID'] = context.agentTraceId;
-        }
-
-        return { ...request, headers };
-    };
-}
-
-export function createRefreshInterceptor(
-    client: TenxyteHttpClient,
-    storage: TenxyteStorage,
-    onSessionExpired: () => void
-) {
-    let isRefreshing = false;
-    let refreshQueue: Array<(token: string | null) => void> = [];
-
-    const processQueue = (error: Error | null, token: string | null = null) => {
-        refreshQueue.forEach(prom => prom(token));
-        refreshQueue = [];
-    };
-
-    return async (response: Response, request: { url: string; config: RequestConfig }): Promise<Response> => {
-        // Only intercept 401s when not attempting to login/refresh itself
-        if (response.status === 401 && !request.url.includes('/auth/refresh') && !request.url.includes('/auth/login')) {
-            const refreshToken = await storage.getItem('tx_refresh');
-
-            if (!refreshToken) {
-                onSessionExpired();
-                return response; // Pass through 401 if we cannot refresh
-            }
-
-            if (isRefreshing) {
-                // Wait in queue for the refresh to complete
-                return new Promise<Response>((resolve) => {
-                    refreshQueue.push((newToken: string | null) => {
-                        if (newToken) {
-                            const retryHeaders = { ...(request.config.headers as Record<string, string>), Authorization: `Bearer ${newToken}` };
-                            resolve(fetch(request.url, { ...request.config, headers: retryHeaders } as RequestInit));
-                        } else {
-                            resolve(response);
-                        }
-                    });
-                });
-            }
-
-            // We are the first one, initiate refresh
-            isRefreshing = true;
-
-            try {
-                const refreshResponse = await fetch(`${client['baseUrl']}/auth/refresh/`, {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({ refresh_token: refreshToken })
-                });
-
-                if (!refreshResponse.ok) {
-                    throw new Error('Refresh failed');
-                }
-
-                const data = await refreshResponse.json();
-
-                await storage.setItem('tx_access', data.access);
-                if (data.refresh) {
-                    await storage.setItem('tx_refresh', data.refresh);
-                }
-
-                isRefreshing = false;
-                processQueue(null, data.access);
-
-                // Retry original request seamlessly for the caller that initiated this
-                const retryHeaders = { ...(request.config.headers as Record<string, string>), Authorization: `Bearer ${data.access}` };
-                // We use fetch directly to return a true Response object back to the chain,
-                // rather than using client.request which resolves the JSON.
-                // Wait, the interceptor must return a Promise<Response>!
-                const r = await fetch(request.url, { ...request.config, headers: retryHeaders } as RequestInit);
-                return r;
-
-            } catch (err) {
-                // Refresh failed (invalid token, expired, network error)
-                isRefreshing = false;
-                await storage.removeItem('tx_access');
-                await storage.removeItem('tx_refresh');
-
-                processQueue(err as Error, null);
-                onSessionExpired();
-
-                // Pass original 401 back
-                return response;
-            }
-        }
-
-        return response;
-    };
-}

package/src/index.ts

@@ -1,7 +0,0 @@
-export * from './client';
-export * from './http/client';
-export * from './modules/auth';
-export * from './modules/security';
-export * from './modules/rbac';
-export * from './modules/user';
-export * from './types';

package/src/modules/ai.ts

@@ -1,178 +0,0 @@
-import { TenxyteHttpClient } from '../http/client';
-import { AgentTokenSummary, AgentPendingAction } from '../types';
-
-export class AiModule {
-    private agentToken: string | null = null;
-    private traceId: string | null = null;
-
-    constructor(private client: TenxyteHttpClient) {
-        // Register an interceptor to auto-inject AgentBearer and Trace ID
-        this.client.addRequestInterceptor((config) => {
-            const headers: Record<string, string> = { ...config.headers };
-
-            if (this.agentToken) {
-                // Determine if we should replace the standard Authorization
-                // By Tenxyte specification, AgentToken uses "AgentBearer"
-                headers['Authorization'] = `AgentBearer ${this.agentToken}`;
-            }
-
-            if (this.traceId) {
-                headers['X-Prompt-Trace-ID'] = this.traceId;
-            }
-
-            return { ...config, headers };
-        });
-
-        // Intercept 202 Accepted and specific 403 errors (Circuit Breaker)
-        // Usually, these should be emitted via the main TenxyteClient EventEmitter.
-        // For now, we add a response interceptor to handle the HTTP side.
-        this.client.addResponseInterceptor(async (response, request) => {
-            // Note: Since response streams can only be read once, full integration
-            // with EventEmitter for deep inspection (like 202s body) requires cloning.
-            if (response.status === 202) {
-                // HTTP 202 Accepted indicates HITL awaiting confirmation
-                const cloned = response.clone();
-                try {
-                    const data = await cloned.json();
-                    // Assuming TenxyteClient will fire 'agent:awaiting_approval' based on this later
-                    console.debug('[Tenxyte AI] Received 202 Awaiting Approval:', data);
-                } catch {
-                    // Ignore parsing errors
-                }
-            } else if (response.status === 403) {
-                const cloned = response.clone();
-                try {
-                    const data = await cloned.json();
-                    if (data.code === 'BUDGET_EXCEEDED') {
-                        console.warn('[Tenxyte AI] Network responded with Budget Exceeded for Agent.');
-                    } else if (data.status === 'suspended') {
-                        console.warn('[Tenxyte AI] Circuit breaker open for Agent.');
-                    }
-                } catch {
-                    // Ignore parsing errors
-                }
-            }
-            return response;
-        });
-    }
-
-    // ─── AgentToken Lifecycle ───
-
-    /**
-     * Create an AgentToken granting specific deterministic limits to an AI Agent.
-     */
-    async createAgentToken(data: {
-        agent_id: string;
-        permissions?: string[];
-        expires_in?: number;
-        organization?: string;
-        budget_limit_usd?: number;
-        circuit_breaker?: {
-            max_requests?: number;
-            window_seconds?: number;
-        };
-        dead_mans_switch?: {
-            heartbeat_required_every?: number;
-        };
-    }): Promise<{
-        id: number;
-        token: string;
-        agent_id: string;
-        status: string;
-        expires_at: string;
-    }> {
-        return this.client.post('/api/v1/auth/ai/tokens/', data);
-    }
-
-    /**
-     * Set the SDK to operate on behalf of an Agent using the generated Agent Token payload.
-     * Overrides standard `Authorization` headers with `AgentBearer`.
-     */
-    setAgentToken(token: string): void {
-        this.agentToken = token;
-    }
-
-    /** Disables the active Agent override and reverts to standard User session requests. */
-    clearAgentToken(): void {
-        this.agentToken = null;
-    }
-
-    /** Check if the SDK is currently mocking requests as an AI Agent. */
-    isAgentMode(): boolean {
-        return this.agentToken !== null;
-    }
-
-    /** List previously provisioned active Agent tokens. */
-    async listAgentTokens(): Promise<AgentTokenSummary[]> {
-        return this.client.get('/api/v1/auth/ai/tokens/');
-    }
-
-    /** Fetch the status and configuration of a specific AgentToken. */
-    async getAgentToken(tokenId: number): Promise<AgentTokenSummary> {
-        return this.client.get(`/api/v1/auth/ai/tokens/${tokenId}/`);
-    }
-
-    /** Irreversibly revoke a targeted AgentToken from acting upon the Tenant. */
-    async revokeAgentToken(tokenId: number): Promise<{ status: 'revoked' }> {
-        return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/revoke/`);
-    }
-
-    /** Temporarily freeze an AgentToken by forcibly closing its Circuit Breaker. */
-    async suspendAgentToken(tokenId: number): Promise<{ status: 'suspended' }> {
-        return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/suspend/`);
-    }
-
-    /** Emergency kill-switch to wipe all operational Agent Tokens. */
-    async revokeAllAgentTokens(): Promise<{ status: 'revoked'; count: number }> {
-        return this.client.post('/api/v1/auth/ai/tokens/revoke-all/');
-    }
-
-    // ─── Circuit Breaker ───
-
-    /** Satisfy an Agent's Dead-Man's switch heartbeat requirement to prevent suspension. */
-    async sendHeartbeat(tokenId: number): Promise<{ status: 'ok' }> {
-        return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/heartbeat/`);
-    }
-
-    // ─── Human in the Loop (HITL) ───
-
-    /** List intercepted HTTP 202 actions waiting for Human interaction / approval. */
-    async listPendingActions(): Promise<AgentPendingAction[]> {
-        return this.client.get('/api/v1/auth/ai/pending-actions/');
-    }
-
-    /** Complete a pending HITL authorization to finally flush the Agent action to backend systems. */
-    async confirmPendingAction(confirmationToken: string): Promise<{ status: 'confirmed' }> {
-        return this.client.post('/api/v1/auth/ai/pending-actions/confirm/', { token: confirmationToken });
-    }
-
-    /** Block an Agent action permanently. */
-    async denyPendingAction(confirmationToken: string): Promise<{ status: 'denied' }> {
-        return this.client.post('/api/v1/auth/ai/pending-actions/deny/', { token: confirmationToken });
-    }
-
-    // ─── Traceability and Budget ───
-
-    /** Start piping the `X-Prompt-Trace-ID` custom header outwards for tracing logs against LLM inputs. */
-    setTraceId(traceId: string): void {
-        this.traceId = traceId;
-    }
-
-    /** Disable trace forwarding context. */
-    clearTraceId(): void {
-        this.traceId = null;
-    }
-
-    /** 
-     * Report consumption costs associated with a backend invocation back to Tenxyte for strict circuit budgeting.
-     * @param tokenId - AgentToken evaluating ID.
-     * @param usage - Sunk token costs or explicit USD derivations.
-     */
-    async reportUsage(tokenId: number, usage: {
-        cost_usd: number;
-        prompt_tokens: number;
-        completion_tokens: number;
-    }): Promise<{ status: 'ok' } | { error: 'Budget exceeded'; status: 'suspended' }> {
-        return this.client.post(`/api/v1/auth/ai/tokens/${tokenId}/report-usage/`, usage);
-    }
-}

package/src/modules/auth.ts

@@ -1,116 +0,0 @@
-import { TenxyteHttpClient } from '../http/client';
-import { TokenPair, GeneratedSchema } from '../types';
-
-export interface LoginEmailOptions {
-    totp_code?: string;
-}
-
-export interface LoginPhoneOptions {
-    totp_code?: string;
-}
-
-export type RegisterRequest = any;
-
-export interface MagicLinkRequest {
-    email: string;
-}
-
-export interface SocialLoginRequest {
-    access_token?: string;
-    authorization_code?: string;
-    id_token?: string;
-}
-
-export class AuthModule {
-    constructor(private client: TenxyteHttpClient) { }
-
-    /**
-     * Authenticate a user with their email and password.
-     * @param data - The login credentials and optional TOTP code if 2FA is required.
-     * @returns A pair of Access and Refresh tokens upon successful authentication.
-     * @throws {TenxyteError} If credentials are invalid, or if `2FA_REQUIRED` without a valid `totp_code`.
-     */
-    async loginWithEmail(
-        data: GeneratedSchema['LoginEmail'],
-    ): Promise<TokenPair> {
-        return this.client.post<TokenPair>('/api/v1/auth/login/email/', data);
-    }
-
-    /**
-     * Authenticate a user with an international phone number and password.
-     * @param data - The login credentials and optional TOTP code if 2FA is required.
-     * @returns A pair of Access and Refresh tokens.
-     */
-    async loginWithPhone(
-        data: GeneratedSchema['LoginPhone'],
-    ): Promise<TokenPair> {
-        return this.client.post<TokenPair>('/api/v1/auth/login/phone/', data);
-    }
-
-    /**
-     * Registers a new user account.
-     * @param data - The registration details (email, password, etc.).
-     * @returns The registered user data or a confirmation message.
-     */
-    async register(data: RegisterRequest): Promise<any> {
-        return this.client.post<any>('/api/v1/auth/register/', data);
-    }
-
-    /**
-     * Logout from the current session.
-     * Informs the backend to immediately revoke the specified refresh token.
-     * @param refreshToken - The refresh token to revoke.
-     */
-    async logout(refreshToken: string): Promise<void> {
-        return this.client.post<void>('/api/v1/auth/logout/', { refresh_token: refreshToken });
-    }
-
-    /**
-     * Logout from all sessions across all devices.
-     * Revokes all refresh tokens currently assigned to the user.
-     */
-    async logoutAll(): Promise<void> {
-        return this.client.post<void>('/api/v1/auth/logout/all/');
-    }
-
-    /**
-     * Request a Magic Link for passwordless sign-in.
-     * @param data - The email to send the logic link to.
-     */
-    async requestMagicLink(data: MagicLinkRequest): Promise<void> {
-        return this.client.post<void>('/api/v1/auth/magic-link/request/', data);
-    }
-
-    /**
-     * Verifies a magic link token extracted from the URL.
-     * @param token - The cryptographic token received via email.
-     * @returns A session token pair if the token is valid and unexpired.
-     */
-    async verifyMagicLink(token: string): Promise<TokenPair> {
-        return this.client.get<TokenPair>(`/api/v1/auth/magic-link/verify/`, { params: { token } });
-    }
-
-    /**
-     * Submits OAuth2 Social Authentication payloads to the backend.
-     * Can be used with native mobile SDK tokens (like Apple Sign-In JWTs).
-     * @param provider - The OAuth provider ('google', 'github', etc.)
-     * @param data - The OAuth tokens (access_token, id_token, etc.)
-     * @returns An active session token pair.
-     */
-    async loginWithSocial(provider: 'google' | 'github' | 'microsoft' | 'facebook', data: SocialLoginRequest): Promise<TokenPair> {
-        return this.client.post<TokenPair>(`/api/v1/auth/social/${provider}/`, data);
-    }
-
-    /**
-     * Handle Social Auth Callbacks (Authorization Code flow).
-     * @param provider - The OAuth provider ('google', 'github', etc.)
-     * @param code - The authorization code retrieved from the query string parameters.
-     * @param redirectUri - The original redirect URI that was requested.
-     * @returns An active session token pair after successful code exchange.
-     */
-    async handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string): Promise<TokenPair> {
-        return this.client.get<TokenPair>(`/api/v1/auth/social/${provider}/callback/`, {
-            params: { code, redirect_uri: redirectUri },
-        });
-    }
-}