npm - @terminal3/t3n-sdk - Versions diffs - 0.6.0 → 0.8.0 - Mend

@terminal3/t3n-sdk 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.d.ts +121 -7
package/dist/index.esm.js +1 -1
package/dist/index.js +1 -1
package/dist/src/client/actions.d.ts +5 -0
package/dist/src/client/t3n-client.d.ts +19 -1
package/dist/src/config/index.d.ts +36 -2
package/dist/src/index.d.ts +2 -2
package/dist/src/types/auth.d.ts +7 -2
package/dist/src/wasm/quote-verifier/quote_verifier_bytes.d.ts +1 -0
package/dist/src/wasm/quote-verifier-loader.d.ts +58 -0
package/dist/wasm/generated/interfaces/component-session-server-auth.d.ts +2 -1
package/dist/wasm/generated/session.core.wasm +0 -0
package/dist/wasm/generated/session.js +4119 -794
package/package.json +1 -1

package/dist/src/client/actions.d.ts CHANGED Viewed

@@ -15,3 +15,8 @@ export declare function createHandshakeAction(): Uint8Array;
  * @param authInput - The authentication input (Ethereum or OIDC)
  */
 export declare function createAuthAction(authInput: AuthInput): Uint8Array;
+/**
+ * Create the OIDC SubmitToken action for the second step of nonce-bound auth.
+ * @param idToken - The id_token JWT obtained from the OIDC provider with the nonce
+ */
+export declare function createOidcSubmitTokenAction(idToken: string): Uint8Array;

package/dist/src/client/t3n-client.d.ts CHANGED Viewed

@@ -25,9 +25,27 @@ export declare class T3nClient {
      */
     handshake(): Promise<HandshakeResult>;
     /**
-     * Authenticate with the T3n node
+     * Authenticate with the T3n node.
+     *
+     * For OIDC, this runs a two-step nonce-bound flow:
+     * 1. Sends `InitOidcAuth` to server → receives session-binding nonce.
+     * 2. Calls `getIdToken(nonce)` callback so the app can include the
+     *    nonce in the Google authorization URL.
+     * 3. Sends `SubmitIdToken` with the nonce-bearing token → receives DID.
      */
     authenticate(authInput: AuthInput): Promise<Did>;
+    /**
+     * OIDC two-step authentication with session-binding nonce.
+     *
+     * Bypasses the WASM client state machine and makes two encrypted
+     * RPC calls directly:
+     * 1. `InitOidcAuth { provider }` → server generates nonce → returns
+     *    `ProvideNonce { nonce }`.
+     * 2. App calls `getIdToken(nonce)` to obtain a nonce-bound `id_token`.
+     * 3. `SubmitIdToken { id_token }` → server verifies token + nonce →
+     *    returns `Finish { did }`.
+     */
+    private authenticateOidc;
     /**
      * Execute an action on the T3n node
      */

package/dist/src/config/index.d.ts CHANGED Viewed

@@ -12,6 +12,18 @@ import type { SdkConfig, Environment } from "./types";
  * or by passing `baseUrl` to `T3nClient`.
  */
 export declare const NODE_URLS: Record<Environment, string>;
+/** DKG attestation bundle from the cluster. */
+export interface DkgAttestation {
+    /** Sorted base58 peer IDs that participated in DKG. */
+    peer_ids: string[];
+    /** Per-node TDX quotes keyed by base58 peer ID (base64-encoded). */
+    quotes: Record<string, string>;
+    /**
+     * Base64-encoded raw attestation message: `encaps_key || sorted_peer_ids`.
+     * Each quote's `report_data` is `keccak512(attestation_msg)`.
+     */
+    attestation_msg: string;
+}
 /**
  * Set the active environment. Clears any previous URL override and the key
  * cache so the next fetch uses the new environment's default URL.
@@ -32,10 +44,30 @@ export declare function setNodeUrl(url: string | null): void;
 /** Resolve the active node URL: explicit `baseUrl` > override > env default. */
 export declare function getNodeUrl(baseUrl?: string): string;
 /**
- * Fetch the ML-KEM root public key from `${nodeUrl}/status`. Cached per URL.
- * The node must be in the `Ready` phase and expose `encaps_key`.
+ * Fetch the ML-KEM root public key from `${nodeUrl}/status`. Cached
+ * per URL because the key is stable for the cluster's lifetime (a
+ * new DKG means a full redeploy; callers clear the cache via
+ * `clearKeyCache()` or `setNodeUrl()` in that case).
+ *
+ * Returns only the base64-encoded key. For the DKG attestation
+ * bundle (which changes over time as peer quotes replicate via
+ * Raft), call `fetchDkgAttestation()` \u2014 that path is
+ * intentionally uncached.
  */
 export declare function fetchMlKemPublicKey(baseUrl?: string): Promise<string>;
+/**
+ * Fetch the DKG attestation bundle from `${nodeUrl}/status`. Never
+ * cached \u2014 peer quotes are written to consensus KV asynchronously
+ * during cluster bootstrap, so early reads may see a subset of the
+ * expected quotes. Caching would pin an incomplete bundle and cause
+ * spurious `valid_count < expected_count` failures in
+ * `verifyDkgAttestation()` for the whole process lifetime.
+ *
+ * Returns `undefined` when the node has not yet published an
+ * attestation (e.g. still bootstrapping, or running with a mock
+ * signer where attestation is skipped by design).
+ */
+export declare function fetchDkgAttestation(baseUrl?: string): Promise<DkgAttestation | undefined>;
 /** Clear the cached ML-KEM public keys. Useful in tests. */
 export declare function clearKeyCache(): void;
 /**
@@ -44,5 +76,7 @@ export declare function clearKeyCache(): void;
  * `fetchMlKemPublicKey()`.
  */
 export declare function loadConfig(baseUrl?: string): SdkConfig;
+export { verifyTdxQuote, verifyDkgAttestation } from "../wasm/quote-verifier-loader";
+export type { QuoteVerifyResult, DkgVerifyResult, PeerQuoteResult, } from "../wasm/quote-verifier-loader";
 export type { SdkConfig, Environment, ConfigValidationResult } from "./types";
 export { validateConfig } from "./loader";

package/dist/src/index.d.ts CHANGED Viewed

@@ -19,5 +19,5 @@ export type { WasmComponent, ClientHandshake, ClientAuth, SessionCrypto, WasmNex
 export { loadWasmComponent } from "./wasm";
 export { generateRandomString, generateUUID, getScriptVersion, stringToBytes, bytesToString, redactSecrets, redactSecretsFromJson, } from "./utils";
 export { T3nError, SessionStateError, AuthenticationError, HandshakeError, RpcError, WasmError, decodeWasmErrorMessage, extractWasmError, } from "./utils/errors";
-export type { SdkConfig, Environment, ConfigValidationResult } from "./config";
-export { loadConfig, fetchMlKemPublicKey, clearKeyCache, getEnvironmentName, getEnvironment, setEnvironment, setNodeUrl, getNodeUrl, NODE_URLS, validateConfig, } from "./config";
+export type { SdkConfig, Environment, ConfigValidationResult, DkgAttestation, QuoteVerifyResult, DkgVerifyResult, PeerQuoteResult, } from "./config";
+export { loadConfig, fetchMlKemPublicKey, fetchDkgAttestation, verifyTdxQuote, verifyDkgAttestation, clearKeyCache, getEnvironmentName, getEnvironment, setEnvironment, setNodeUrl, getNodeUrl, NODE_URLS, validateConfig, } from "./config";

package/dist/src/types/auth.d.ts CHANGED Viewed

@@ -16,11 +16,16 @@ export interface EthereumSigner {
     signMessage(message: Uint8Array): Promise<Uint8Array>;
 }
 /**
- * OIDC credentials interface
+ * OIDC credentials interface.
+ *
+ * The TEE generates a session-binding nonce that must be included in
+ * the Google authorization URL (`&nonce=…`). The `getIdToken` callback
+ * receives this nonce and must return the `id_token` JWT obtained
+ * from the OIDC provider with the nonce baked into its claims.
  */
 export interface OidcCredentials {
     provider: string;
-    idToken: string;
+    getIdToken: (nonce: string) => Promise<string>;
 }
 /**
  * Base authentication input with method discriminator