@terminal3/t3n-sdk 0.7.0 → 0.10.0

package/dist/src/client/config.d.ts

@@ -2,7 +2,7 @@
  * Configuration types for T3n Client
  */
 import { WasmComponent } from "../wasm";
-import { SessionId, GuestToHostHandlers } from "../types";
+import { SessionId } from "../types";
 import { Logger, LogLevel } from "../utils/logger";
 import { Transport } from "./transport";
 /**
@@ -11,7 +11,7 @@ import { Transport } from "./transport";
 export interface T3nClientConfig {
     /** Base URL of the T3n node (used if transport not provided) */
     baseUrl?: string;
-    /** WASM component instance for cryptographic operations */
+    /** WASM component instance (async direct-call — `tee:session@1.0.0`). */
     wasmComponent: WasmComponent;
     /** Optional transport layer - if not provided, uses HttpTransport with baseUrl */
     transport?: Transport;
@@ -21,15 +21,35 @@ export interface T3nClientConfig {
     timeout?: number;
     /** Optional custom headers to include in requests */
     headers?: Record<string, string>;
-    /**
-     * Log level for this client instance.
-     * Defaults to global log level (LogLevel.ERROR) if not specified.
-     * Use LogLevel.DEBUG for verbose logging, LogLevel.INFO for informational messages,
-     * LogLevel.WARN for warnings, or LogLevel.ERROR for errors only.
-     */
+    /** Log level for this client instance. */
     logLevel?: LogLevel;
     /** Optional custom logger - if provided, overrides logLevel */
     logger?: Logger;
-    /** Optional guest-to-host request handlers - provides custom behavior for WASM requests */
-    handlers?: GuestToHostHandlers;
+    /**
+     * Optional signer bridge used by `authenticate()` for the ETH
+     * (SIWE) flow. Given the SIWE message bytes, the callback must
+     * produce a 65-byte `(r || s || v)` signature over the EIP-191
+     * personal-sign digest — matching `cryptography::ecdsa::eth`
+     * recovery on the node. A convenience wrapper for raw-private-key
+     * signing is planned for the follow-up commit that lands full
+     * ETH auth support.
+     */
+    ethSign?: (message: Uint8Array) => Promise<Uint8Array>;
+    /**
+     * Ethereum address (0x-prefixed, 20 bytes hex) of the user
+     * authenticating. Required by `authenticate()` for the ETH flow —
+     * the server recovers the signer from the SIWE message and
+     * compares to this address.
+     */
+    ethAddress?: string;
+    /**
+     * SIWE domain / URI / chain-id used in the message the SDK builds.
+     * Matches `SiwePolicy` on the server — the server's allowlist
+     * policy (if configured in NodeConfig) only accepts matching
+     * values. Defaults: domain `"localhost"`, URL `"https://trinity.io"`,
+     * chain ID `1` (Ethereum mainnet).
+     */
+    siweDomain?: string;
+    siweUrl?: string;
+    siweChainId?: number;
 }

package/dist/src/client/index.d.ts

@@ -4,7 +4,3 @@
 export * from "./config";
 export * from "./transport";
 export * from "./t3n-client";
-export * from "./handlers";
-export * from "./encryption";
-export * from "./actions";
-export * from "./request-parser";

package/dist/src/client/t3n-client.d.ts

@@ -1,88 +1,51 @@
 /**
- * T3n Client - Main SDK class
+ * T3n Client — thin host-function provider + WASM sequencer.
  *
- * Provides a simple interface for establishing secure sessions with T3n nodes.
- * All cryptographic complexity is handled in WASM components.
+ * The SDK communicates with the session contract strictly through
+ * WIT:
+ *   - Calls `clientHandshake.run(sid)` — contract handles ML-KEM
+ *     encapsulation, HKDF, POSTs via `host.transport.postRpc`,
+ *     derives session keys, returns them.
+ *   - Calls `clientAuth.runEth(keys, address, ...)` — contract
+ *     builds the SIWE message, signs via `host.eth-signer.ethSign`,
+ *     POSTs + parses the Finish response, returns the DID.
+ *   - For `execute()`, the SDK just encrypts the JSON-RPC payload
+ *     via `sessionCrypto.encrypt` and POSTs it through its transport.
+ *
+ * No SIWE building, no HKDF, no hex/base64 shuffling, no wire
+ * envelopes outside the contract. The contract is the single source
+ * of protocol truth.
  */
 import { T3nClientConfig } from "./config";
 import { SessionId, Did, SessionStatus, AuthInput, HandshakeResult } from "../types";
-/**
- * Main T3n SDK Client
- */
 export declare class T3nClient {
     private readonly config;
     private readonly transport;
     private readonly sessionId;
     private readonly logger;
-    private readonly encryption;
     private status;
-    private wasmState;
+    private sessionKeys;
     private did;
-    private handshakeResult;
     constructor(config: T3nClientConfig);
-    /**
-     * Start the handshake process with the T3n node
-     */
     handshake(): Promise<HandshakeResult>;
-    /**
-     * Authenticate with the T3n node.
-     *
-     * For OIDC, this runs a two-step nonce-bound flow:
-     * 1. Sends `InitOidcAuth` to server → receives session-binding nonce.
-     * 2. Calls `getIdToken(nonce)` callback so the app can include the
-     *    nonce in the Google authorization URL.
-     * 3. Sends `SubmitIdToken` with the nonce-bearing token → receives DID.
-     */
     authenticate(authInput: AuthInput): Promise<Did>;
-    /**
-     * OIDC two-step authentication with session-binding nonce.
-     *
-     * Bypasses the WASM client state machine and makes two encrypted
-     * RPC calls directly:
-     * 1. `InitOidcAuth { provider }` → server generates nonce → returns
-     *    `ProvideNonce { nonce }`.
-     * 2. App calls `getIdToken(nonce)` to obtain a nonce-bound `id_token`.
-     * 3. `SubmitIdToken { id_token }` → server verifies token + nonce →
-     *    returns `Finish { did }`.
-     */
-    private authenticateOidc;
-    /**
-     * Execute an action on the T3n node
-     */
     execute(payload: unknown): Promise<string>;
     getSessionId(): SessionId;
     getStatus(): SessionStatus;
     getDid(): Did | null;
+    isAuthenticated(): boolean;
     getLastSetCookie(): string | null;
     getLastResponseHeaders(): Record<string, string>;
-    isAuthenticated(): boolean;
-    /**
-     * Run a WASM state machine flow to completion
-     */
-    private runFlow;
-    /**
-     * Try to finalize the current flow
-     */
-    private tryFinalize;
-    /**
-     * Handle a WASM request based on its type
-     */
-    private handleWasmRequest;
     /**
-     * Handle a send-remote request by calling the RPC endpoint
-     */
-    private handleSendRemote;
-    private captureHandshakeResult;
-    /**
-     * Handle a guest-to-host request using configured handlers
-     */
-    private handleGuestToHost;
-    /**
-     * Send an RPC request with automatic encryption/decryption
-     */
-    private sendRpcRequest;
-    /**
-     * Get the current session state for encryption
+     * Build the `host.transport.postRpc` callback the contract uses for
+     * all its HTTP round-trips. Must be passed into `loadWasmComponent`
+     * at instantiation time so the contract can POST during handshake
+     * and auth.
+     *
+     * `params` from the contract is the opaque JSON-RPC params (already
+     * encrypted where encryption is needed). The SDK wraps in the
+     * JSON-RPC envelope and injects the Session-Id header.
      */
-    private getSessionState;
+    buildPostRpcHostImport(): (method: string, _sessionIdFromGuest: string, params: string) => Promise<string>;
+    private sendRpcRaw;
 }

package/dist/src/config/index.d.ts

@@ -12,6 +12,18 @@ import type { SdkConfig, Environment } from "./types";
  * or by passing `baseUrl` to `T3nClient`.
  */
 export declare const NODE_URLS: Record<Environment, string>;
+/** DKG attestation bundle from the cluster. */
+export interface DkgAttestation {
+    /** Sorted base58 peer IDs that participated in DKG. */
+    peer_ids: string[];
+    /** Per-node TDX quotes keyed by base58 peer ID (base64-encoded). */
+    quotes: Record<string, string>;
+    /**
+     * Base64-encoded raw attestation message: `encaps_key || sorted_peer_ids`.
+     * Each quote's `report_data` is `keccak512(attestation_msg)`.
+     */
+    attestation_msg: string;
+}
 /**
  * Set the active environment. Clears any previous URL override and the key
  * cache so the next fetch uses the new environment's default URL.
@@ -32,10 +44,30 @@ export declare function setNodeUrl(url: string | null): void;
 /** Resolve the active node URL: explicit `baseUrl` > override > env default. */
 export declare function getNodeUrl(baseUrl?: string): string;
 /**
- * Fetch the ML-KEM root public key from `${nodeUrl}/status`. Cached per URL.
- * The node must be in the `Ready` phase and expose `encaps_key`.
+ * Fetch the ML-KEM root public key from `${nodeUrl}/status`. Cached
+ * per URL because the key is stable for the cluster's lifetime (a
+ * new DKG means a full redeploy; callers clear the cache via
+ * `clearKeyCache()` or `setNodeUrl()` in that case).
+ *
+ * Returns only the base64-encoded key. For the DKG attestation
+ * bundle (which changes over time as peer quotes replicate via
+ * Raft), call `fetchDkgAttestation()` \u2014 that path is
+ * intentionally uncached.
  */
 export declare function fetchMlKemPublicKey(baseUrl?: string): Promise<string>;
+/**
+ * Fetch the DKG attestation bundle from `${nodeUrl}/status`. Never
+ * cached \u2014 peer quotes are written to consensus KV asynchronously
+ * during cluster bootstrap, so early reads may see a subset of the
+ * expected quotes. Caching would pin an incomplete bundle and cause
+ * spurious `valid_count < expected_count` failures in
+ * `verifyDkgAttestation()` for the whole process lifetime.
+ *
+ * Returns `undefined` when the node has not yet published an
+ * attestation (e.g. still bootstrapping, or running with a mock
+ * signer where attestation is skipped by design).
+ */
+export declare function fetchDkgAttestation(baseUrl?: string): Promise<DkgAttestation | undefined>;
 /** Clear the cached ML-KEM public keys. Useful in tests. */
 export declare function clearKeyCache(): void;
 /**
@@ -44,5 +76,7 @@ export declare function clearKeyCache(): void;
  * `fetchMlKemPublicKey()`.
  */
 export declare function loadConfig(baseUrl?: string): SdkConfig;
+export { verifyTdxQuote, verifyDkgAttestation } from "../wasm/quote-verifier-loader";
+export type { QuoteVerifyResult, DkgVerifyResult, PeerQuoteResult, } from "../wasm/quote-verifier-loader";
 export type { SdkConfig, Environment, ConfigValidationResult } from "./types";
 export { validateConfig } from "./loader";

package/dist/src/index.d.ts

@@ -1,9 +1,11 @@
 /**
  * T3n TypeScript SDK
  *
- * A minimal TypeScript SDK that mirrors the server's RPC handler approach,
- * keeping all state machine logic hidden in WASM and providing a clean,
- * agnostic wrapper that doesn't expose authentication methods or internal states.
+ * A thin host-function provider over the `tee:session` WASM
+ * contract. The SDK supplies host imports (transport, wallet, OIDC
+ * popup, KEM pubkey, RNG, time, cookie sink) at jco instantiation
+ * time and calls the contract's typed exports for handshake, auth,
+ * and session crypto. The contract owns every protocol detail.
  */
 export { T3nClient } from "./client";
 export type { T3nClientConfig } from "./client";
@@ -12,12 +14,11 @@ export type { Logger } from "./utils/logger";
 export { LogLevel, createLogger, getLogger, setGlobalLogLevel, getGlobalLogLevel, } from "./utils/logger";
 export type { Transport, JsonRpcRequest, JsonRpcResponse } from "./client";
 export { HttpTransport, MockTransport } from "./client";
-export type { SessionId, Did, OidcCredentials, AuthInput, EthAuthInput, OidcAuthInput, GuestToHostHandler, GuestToHostHandlers, } from "./types";
+export type { SessionId, Did, OidcCredentials, AuthInput, EthAuthInput, OidcAuthInput, } from "./types";
 export { SessionStatus, AuthMethod, createEthAuthInput, createOidcAuthInput, } from "./types";
-export { metamask_sign, metamask_get_address, eth_get_address, createDefaultHandlers, createMlKemPublicKeyHandler, createRandomHandler, } from "./client/handlers";
-export type { WasmComponent, ClientHandshake, ClientAuth, SessionCrypto, WasmNextResult, } from "./wasm";
+export type { WasmComponent, ClientHandshake, ClientAuth, ServerHandshake, SessionCrypto, CookieIface, ClientSessionKeys, ServerSessionKeys, HandshakeOutcome, AuthOutcome, ServerOutcome, Validation, SessionHostImports, } from "./wasm";
 export { loadWasmComponent } from "./wasm";
 export { generateRandomString, generateUUID, getScriptVersion, stringToBytes, bytesToString, redactSecrets, redactSecretsFromJson, } from "./utils";
 export { T3nError, SessionStateError, AuthenticationError, HandshakeError, RpcError, WasmError, decodeWasmErrorMessage, extractWasmError, } from "./utils/errors";
-export type { SdkConfig, Environment, ConfigValidationResult } from "./config";
-export { loadConfig, fetchMlKemPublicKey, clearKeyCache, getEnvironmentName, getEnvironment, setEnvironment, setNodeUrl, getNodeUrl, NODE_URLS, validateConfig, } from "./config";
+export type { SdkConfig, Environment, ConfigValidationResult, DkgAttestation, QuoteVerifyResult, DkgVerifyResult, PeerQuoteResult, } from "./config";
+export { loadConfig, fetchMlKemPublicKey, fetchDkgAttestation, verifyTdxQuote, verifyDkgAttestation, clearKeyCache, getEnvironmentName, getEnvironment, setEnvironment, setNodeUrl, getNodeUrl, NODE_URLS, validateConfig, } from "./config";

package/dist/src/types/auth.d.ts

@@ -18,14 +18,15 @@ export interface EthereumSigner {
 /**
  * OIDC credentials interface.
  *
- * The TEE generates a session-binding nonce that must be included in
- * the Google authorization URL (`&nonce=…`). The `getIdToken` callback
- * receives this nonce and must return the `id_token` JWT obtained
- * from the OIDC provider with the nonce baked into its claims.
+ * The TEE generates a session-binding nonce; the user-interaction
+ * step is wired at WASM load time via `hostImports.getIdToken`
+ * (see `loadWasmComponent`), mirroring how `hostImports.ethSign`
+ * supplies wallet access. The contract calls `getIdToken(provider,
+ * nonce)` from inside `runOidc` and feeds the returned `id_token`
+ * to the server.
  */
 export interface OidcCredentials {
     provider: string;
-    getIdToken: (nonce: string) => Promise<string>;
 }
 /**
  * Base authentication input with method discriminator

package/dist/src/types/index.d.ts

@@ -1,42 +1,18 @@
 /**
- * Public types export for T3n SDK
- */
-/**
- * Guest-to-Host request handler function type
+ * Public types export for T3n SDK.
  *
- * Handles requests from WASM guest that need host (SDK) to perform side
- * effects. The exact shape of `requestData` depends on the specific
- * handler — see `GuestToHostHandlers` below for the per-handler shapes.
- * The wrapper layer in `T3nClient.handleGuestToHost` parses the JSON
- * envelope and calls the matching handler with the parsed data, so
- * each handler's implementation should narrow `requestData` to its
- * own expected shape.
- */
-export type GuestToHostHandler = (requestData: Record<string, unknown>) => Promise<Uint8Array>;
-/**
- * Map of guest-to-host request handlers
- * Keys match the guest_to_host tag values from the WASM
+ * The legacy `GuestToHostHandler` / `GuestToHostHandlers` types are
+ * gone — the SDK is now strictly a thin host-function provider. The
+ * `tee:session` contract owns every protocol detail (SIWE message
+ * build, HKDF, AES-GCM, wire-envelope wrapping); the SDK supplies a
+ * small set of host imports (`mlKemPublicKey`, `random`, `ethSign`,
+ * `getIdToken`, `nowMs`, `setCookie`, `postRpc`) at jco instantiation
+ * time and calls the contract's typed WIT exports
+ * (`clientHandshake.run`, `clientAuth.runEth` / `runOidc`,
+ * `sessionCrypto.encrypt` / `decrypt`).
+ *
+ * See `src/wasm/loader.ts` for the host-import surface and
+ * `src/client/t3n-client.ts` for the consumer-facing API.
  */
-export interface GuestToHostHandlers {
-    /**
-     * Handle Ethereum signature requests
-     * requestData: { guest_to_host: "EthSign", challenge: string (base64) }
-     * Returns: JSON bytes of { host_to_guest: "EthSign", challenge: string, signature: string }
-     */
-    EthSign?: GuestToHostHandler;
-    /**
-     * Handle MlKem public key requests
-     * requestData: { guest_to_host: "MlKemPublicKey" }
-     * Returns: JSON bytes of { host_to_guest: "MlKemPublicKey", key: string }
-     */
-    MlKemPublicKey?: GuestToHostHandler;
-    /**
-     * Handle random bytes requests
-     * requestData: { guest_to_host: "Random", len?: number }
-     * Returns: JSON bytes of { host_to_guest: "Random", bytes: string (base64) }
-     */
-    Random?: GuestToHostHandler;
-    [key: string]: GuestToHostHandler | undefined;
-}
 export * from "./session";
 export * from "./auth";

package/dist/src/utils/hkdf.d.ts

@@ -0,0 +1,36 @@
+/**
+ * HKDF-SHA256 key derivation that mirrors `session::session::derive_keys`
+ * in the node (`node/session/src/session.rs`).
+ *
+ * The server derives two directional keys from the raw ML-KEM shared
+ * secret using HKDF-Extract-then-Expand with:
+ *   - salt  = b"" (empty)
+ *   - ikm   = the 32-byte raw KEM shared secret
+ *   - info  = b"t3-session-v1-c2s" | b"t3-session-v1-s2c"
+ *   - L     = 32 bytes each
+ *
+ * The client must derive the same pair so that c2s / s2c line up on
+ * both sides. WebCrypto's `subtle.deriveBits` with `HKDF` does
+ * Extract+Expand in one call, so the TS implementation collapses to a
+ * few lines per direction.
+ */
+/**
+ * Derive directional session keys from the raw ML-KEM shared secret.
+ *
+ * @param rawSecret 32 bytes from `handshakeAsync.clientRun` (the
+ *                  `ClientPending.secret` field).
+ * @returns `{ c2s, s2c }` — each 32 bytes, suitable for AES-256-GCM.
+ */
+export declare function deriveDirectionalKeys(rawSecret: Uint8Array): Promise<{
+    c2s: Uint8Array;
+    s2c: Uint8Array;
+}>;
+/**
+ * Pack directional keys for the client-side session-crypto WASM calls.
+ *
+ * The contract's `session-crypto.encrypt`/`decrypt` interprets its
+ * `keys` argument as `encrypt_key || decrypt_key`. The client
+ * encrypts with c2s and decrypts with s2c, so the client packs
+ * `c2s || s2c`.
+ */
+export declare function packClientSessionKeys(c2s: Uint8Array, s2c: Uint8Array): Uint8Array;

package/dist/src/utils/index.d.ts

@@ -4,6 +4,7 @@
 export * from "./crypto";
 export * from "./contract-version";
 export * from "./errors";
+export * from "./hkdf";
 export * from "./logger";
 export * from "./redaction";
 export * from "./session";

package/dist/src/wasm/interface.d.ts

@@ -1,104 +1,69 @@
 /**
- * WASM Component Interface - Mirrors the WIT specification exactly
+ * WASM Component Interface — async direct-call.
  *
- * This interface works with completely opaque byte arrays, just like the WIT interface.
- * The TypeScript SDK doesn't know about internal state machine phases or details.
+ * Mirrors `tee:session@1.0.0` WIT world. The SDK talks to the WASM
+ * only through these exports (plus host imports supplied at
+ * instantiation); all protocol glue lives inside the contract.
  */
-/**
- * Result type for WASM next() operations
- */
-export interface WasmNextResult {
-    state: Uint8Array;
-    request: Uint8Array;
+export interface ClientSessionKeys {
+    /** `encrypt_key || decrypt_key`, 64 bytes. */
+    blob: Uint8Array;
+    sid: Uint8Array;
+}
+export interface HandshakeOutcome {
+    keys: ClientSessionKeys;
+    authenticated: boolean;
+    did?: string;
+    expirySec: bigint;
 }
-/**
- * Client handshake operations - completely opaque byte arrays only
- */
 export interface ClientHandshake {
-    /**
-     * Process next step in handshake
-     * @param state - Current handshake state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize handshake
-     * @param state - Current handshake state
-     * @returns Promise with session bytes if successful
-     * @throws Error if handshake not ready to finalize
-     */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+    run(sid: Uint8Array, cookie: string | undefined): HandshakeOutcome;
+}
+export interface AuthOutcome {
+    did: string;
+    cookie?: string;
 }
-/**
- * Client authentication operations - completely opaque byte arrays only
- */
 export interface ClientAuth {
+    runEth(sessionKeys: Uint8Array, ethAddress: string, siweDomain: string | undefined, siweUrl: string | undefined, siweChainId: bigint | undefined): AuthOutcome;
     /**
-     * Process next step in authentication
-     * @param state - Current auth state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize authentication
-     * @param state - Current auth state
-     * @returns Promise with DID bytes if successful
-     * @throws Error if authentication not ready to finalize
+     * Run the full OIDC flow in one call. The contract drives both
+     * server round-trips and invokes the SDK's `getIdToken(provider,
+     * nonce)` host import in between to obtain the IdP-signed token.
      */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+    runOidc(sessionKeys: Uint8Array, provider: string): AuthOutcome;
 }
-/**
- * Client authentication operations - completely opaque byte arrays only
- */
-export interface ClientExecute {
-    /**
-     * Process next step in authentication
-     * @param state - Current auth state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize authentication
-     * @param state - Current auth state
-     * @returns Promise with DID bytes if successful
-     * @throws Error if authentication not ready to finalize
-     */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+export interface ServerSessionKeys {
+    c2s: Uint8Array;
+    s2c: Uint8Array;
+    sid: Uint8Array;
+}
+export interface ServerOutcome {
+    keys: ServerSessionKeys;
+    authenticated: boolean;
+    did?: string;
+    expirySec: bigint;
+    refreshedCookie?: string;
+}
+export interface ServerHandshake {
+    run(sid: Uint8Array, ciphertext: Uint8Array, cookieValue: string | undefined): ServerOutcome;
 }
-/**
- * Session encryption/decryption operations - completely opaque byte arrays only
- */
 export interface SessionCrypto {
-    /**
-     * Encrypt plaintext using session
-     * @param session - Session state (opaque bytes)
-     * @param plaintext - Data to encrypt
-     * @returns Promise with encrypted bytes
-     */
-    encrypt(session: Uint8Array, plaintext: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Decrypt ciphertext using session
-     * @param session - Session state (opaque bytes)
-     * @param ciphertext - Data to decrypt
-     * @returns Promise with decrypted bytes
-     */
-    decrypt(session: Uint8Array, ciphertext: Uint8Array): Promise<Uint8Array>;
+    encrypt(keys: Uint8Array, plaintext: Uint8Array): Uint8Array;
+    decrypt(keys: Uint8Array, ciphertext: Uint8Array): Uint8Array;
 }
-/**
- * Main WASM Component interface - mirrors the WIT interface exactly
- *
- * This is completely opaque to the TypeScript layer. All state machine logic,
- * authentication flows, and cryptographic operations are handled in WASM.
- */
+export interface Validation {
+    authenticated: boolean;
+    did?: string;
+    exp: bigint;
+}
+export interface CookieIface {
+    validate(cookieValue: string, teeAddress: Uint8Array, nowSec: bigint): Validation;
+}
+/** Fully instantiated session component. */
 export interface WasmComponent {
-    /** Client handshake operations */
-    flow: {
-        handshake: ClientHandshake;
-        auth: ClientAuth;
-        execute: ClientExecute;
-    };
-    session: SessionCrypto;
+    clientHandshake: ClientHandshake;
+    clientAuth: ClientAuth;
+    serverHandshake: ServerHandshake;
+    sessionCrypto: SessionCrypto;
+    cookie: CookieIface;
 }