@terminal3/t3n-sdk 0.8.0 → 0.10.0

package/dist/src/client/config.d.ts

@@ -2,7 +2,7 @@
  * Configuration types for T3n Client
  */
 import { WasmComponent } from "../wasm";
-import { SessionId, GuestToHostHandlers } from "../types";
+import { SessionId } from "../types";
 import { Logger, LogLevel } from "../utils/logger";
 import { Transport } from "./transport";
 /**
@@ -11,7 +11,7 @@ import { Transport } from "./transport";
 export interface T3nClientConfig {
     /** Base URL of the T3n node (used if transport not provided) */
     baseUrl?: string;
-    /** WASM component instance for cryptographic operations */
+    /** WASM component instance (async direct-call — `tee:session@1.0.0`). */
     wasmComponent: WasmComponent;
     /** Optional transport layer - if not provided, uses HttpTransport with baseUrl */
     transport?: Transport;
@@ -21,15 +21,35 @@ export interface T3nClientConfig {
     timeout?: number;
     /** Optional custom headers to include in requests */
     headers?: Record<string, string>;
-    /**
-     * Log level for this client instance.
-     * Defaults to global log level (LogLevel.ERROR) if not specified.
-     * Use LogLevel.DEBUG for verbose logging, LogLevel.INFO for informational messages,
-     * LogLevel.WARN for warnings, or LogLevel.ERROR for errors only.
-     */
+    /** Log level for this client instance. */
     logLevel?: LogLevel;
     /** Optional custom logger - if provided, overrides logLevel */
     logger?: Logger;
-    /** Optional guest-to-host request handlers - provides custom behavior for WASM requests */
-    handlers?: GuestToHostHandlers;
+    /**
+     * Optional signer bridge used by `authenticate()` for the ETH
+     * (SIWE) flow. Given the SIWE message bytes, the callback must
+     * produce a 65-byte `(r || s || v)` signature over the EIP-191
+     * personal-sign digest — matching `cryptography::ecdsa::eth`
+     * recovery on the node. A convenience wrapper for raw-private-key
+     * signing is planned for the follow-up commit that lands full
+     * ETH auth support.
+     */
+    ethSign?: (message: Uint8Array) => Promise<Uint8Array>;
+    /**
+     * Ethereum address (0x-prefixed, 20 bytes hex) of the user
+     * authenticating. Required by `authenticate()` for the ETH flow —
+     * the server recovers the signer from the SIWE message and
+     * compares to this address.
+     */
+    ethAddress?: string;
+    /**
+     * SIWE domain / URI / chain-id used in the message the SDK builds.
+     * Matches `SiwePolicy` on the server — the server's allowlist
+     * policy (if configured in NodeConfig) only accepts matching
+     * values. Defaults: domain `"localhost"`, URL `"https://trinity.io"`,
+     * chain ID `1` (Ethereum mainnet).
+     */
+    siweDomain?: string;
+    siweUrl?: string;
+    siweChainId?: number;
 }

package/dist/src/client/index.d.ts

@@ -4,7 +4,3 @@
 export * from "./config";
 export * from "./transport";
 export * from "./t3n-client";
-export * from "./handlers";
-export * from "./encryption";
-export * from "./actions";
-export * from "./request-parser";

package/dist/src/client/t3n-client.d.ts

@@ -1,88 +1,51 @@
 /**
- * T3n Client - Main SDK class
+ * T3n Client — thin host-function provider + WASM sequencer.
  *
- * Provides a simple interface for establishing secure sessions with T3n nodes.
- * All cryptographic complexity is handled in WASM components.
+ * The SDK communicates with the session contract strictly through
+ * WIT:
+ *   - Calls `clientHandshake.run(sid)` — contract handles ML-KEM
+ *     encapsulation, HKDF, POSTs via `host.transport.postRpc`,
+ *     derives session keys, returns them.
+ *   - Calls `clientAuth.runEth(keys, address, ...)` — contract
+ *     builds the SIWE message, signs via `host.eth-signer.ethSign`,
+ *     POSTs + parses the Finish response, returns the DID.
+ *   - For `execute()`, the SDK just encrypts the JSON-RPC payload
+ *     via `sessionCrypto.encrypt` and POSTs it through its transport.
+ *
+ * No SIWE building, no HKDF, no hex/base64 shuffling, no wire
+ * envelopes outside the contract. The contract is the single source
+ * of protocol truth.
  */
 import { T3nClientConfig } from "./config";
 import { SessionId, Did, SessionStatus, AuthInput, HandshakeResult } from "../types";
-/**
- * Main T3n SDK Client
- */
 export declare class T3nClient {
     private readonly config;
     private readonly transport;
     private readonly sessionId;
     private readonly logger;
-    private readonly encryption;
     private status;
-    private wasmState;
+    private sessionKeys;
     private did;
-    private handshakeResult;
     constructor(config: T3nClientConfig);
-    /**
-     * Start the handshake process with the T3n node
-     */
     handshake(): Promise<HandshakeResult>;
-    /**
-     * Authenticate with the T3n node.
-     *
-     * For OIDC, this runs a two-step nonce-bound flow:
-     * 1. Sends `InitOidcAuth` to server → receives session-binding nonce.
-     * 2. Calls `getIdToken(nonce)` callback so the app can include the
-     *    nonce in the Google authorization URL.
-     * 3. Sends `SubmitIdToken` with the nonce-bearing token → receives DID.
-     */
     authenticate(authInput: AuthInput): Promise<Did>;
-    /**
-     * OIDC two-step authentication with session-binding nonce.
-     *
-     * Bypasses the WASM client state machine and makes two encrypted
-     * RPC calls directly:
-     * 1. `InitOidcAuth { provider }` → server generates nonce → returns
-     *    `ProvideNonce { nonce }`.
-     * 2. App calls `getIdToken(nonce)` to obtain a nonce-bound `id_token`.
-     * 3. `SubmitIdToken { id_token }` → server verifies token + nonce →
-     *    returns `Finish { did }`.
-     */
-    private authenticateOidc;
-    /**
-     * Execute an action on the T3n node
-     */
     execute(payload: unknown): Promise<string>;
     getSessionId(): SessionId;
     getStatus(): SessionStatus;
     getDid(): Did | null;
+    isAuthenticated(): boolean;
     getLastSetCookie(): string | null;
     getLastResponseHeaders(): Record<string, string>;
-    isAuthenticated(): boolean;
-    /**
-     * Run a WASM state machine flow to completion
-     */
-    private runFlow;
-    /**
-     * Try to finalize the current flow
-     */
-    private tryFinalize;
-    /**
-     * Handle a WASM request based on its type
-     */
-    private handleWasmRequest;
     /**
-     * Handle a send-remote request by calling the RPC endpoint
-     */
-    private handleSendRemote;
-    private captureHandshakeResult;
-    /**
-     * Handle a guest-to-host request using configured handlers
-     */
-    private handleGuestToHost;
-    /**
-     * Send an RPC request with automatic encryption/decryption
-     */
-    private sendRpcRequest;
-    /**
-     * Get the current session state for encryption
+     * Build the `host.transport.postRpc` callback the contract uses for
+     * all its HTTP round-trips. Must be passed into `loadWasmComponent`
+     * at instantiation time so the contract can POST during handshake
+     * and auth.
+     *
+     * `params` from the contract is the opaque JSON-RPC params (already
+     * encrypted where encryption is needed). The SDK wraps in the
+     * JSON-RPC envelope and injects the Session-Id header.
      */
-    private getSessionState;
+    buildPostRpcHostImport(): (method: string, _sessionIdFromGuest: string, params: string) => Promise<string>;
+    private sendRpcRaw;
 }

package/dist/src/index.d.ts

@@ -1,9 +1,11 @@
 /**
  * T3n TypeScript SDK
  *
- * A minimal TypeScript SDK that mirrors the server's RPC handler approach,
- * keeping all state machine logic hidden in WASM and providing a clean,
- * agnostic wrapper that doesn't expose authentication methods or internal states.
+ * A thin host-function provider over the `tee:session` WASM
+ * contract. The SDK supplies host imports (transport, wallet, OIDC
+ * popup, KEM pubkey, RNG, time, cookie sink) at jco instantiation
+ * time and calls the contract's typed exports for handshake, auth,
+ * and session crypto. The contract owns every protocol detail.
  */
 export { T3nClient } from "./client";
 export type { T3nClientConfig } from "./client";
@@ -12,10 +14,9 @@ export type { Logger } from "./utils/logger";
 export { LogLevel, createLogger, getLogger, setGlobalLogLevel, getGlobalLogLevel, } from "./utils/logger";
 export type { Transport, JsonRpcRequest, JsonRpcResponse } from "./client";
 export { HttpTransport, MockTransport } from "./client";
-export type { SessionId, Did, OidcCredentials, AuthInput, EthAuthInput, OidcAuthInput, GuestToHostHandler, GuestToHostHandlers, } from "./types";
+export type { SessionId, Did, OidcCredentials, AuthInput, EthAuthInput, OidcAuthInput, } from "./types";
 export { SessionStatus, AuthMethod, createEthAuthInput, createOidcAuthInput, } from "./types";
-export { metamask_sign, metamask_get_address, eth_get_address, createDefaultHandlers, createMlKemPublicKeyHandler, createRandomHandler, } from "./client/handlers";
-export type { WasmComponent, ClientHandshake, ClientAuth, SessionCrypto, WasmNextResult, } from "./wasm";
+export type { WasmComponent, ClientHandshake, ClientAuth, ServerHandshake, SessionCrypto, CookieIface, ClientSessionKeys, ServerSessionKeys, HandshakeOutcome, AuthOutcome, ServerOutcome, Validation, SessionHostImports, } from "./wasm";
 export { loadWasmComponent } from "./wasm";
 export { generateRandomString, generateUUID, getScriptVersion, stringToBytes, bytesToString, redactSecrets, redactSecretsFromJson, } from "./utils";
 export { T3nError, SessionStateError, AuthenticationError, HandshakeError, RpcError, WasmError, decodeWasmErrorMessage, extractWasmError, } from "./utils/errors";

package/dist/src/types/auth.d.ts

@@ -18,14 +18,15 @@ export interface EthereumSigner {
 /**
  * OIDC credentials interface.
  *
- * The TEE generates a session-binding nonce that must be included in
- * the Google authorization URL (`&nonce=…`). The `getIdToken` callback
- * receives this nonce and must return the `id_token` JWT obtained
- * from the OIDC provider with the nonce baked into its claims.
+ * The TEE generates a session-binding nonce; the user-interaction
+ * step is wired at WASM load time via `hostImports.getIdToken`
+ * (see `loadWasmComponent`), mirroring how `hostImports.ethSign`
+ * supplies wallet access. The contract calls `getIdToken(provider,
+ * nonce)` from inside `runOidc` and feeds the returned `id_token`
+ * to the server.
  */
 export interface OidcCredentials {
     provider: string;
-    getIdToken: (nonce: string) => Promise<string>;
 }
 /**
  * Base authentication input with method discriminator

package/dist/src/types/index.d.ts

@@ -1,42 +1,18 @@
 /**
- * Public types export for T3n SDK
- */
-/**
- * Guest-to-Host request handler function type
+ * Public types export for T3n SDK.
  *
- * Handles requests from WASM guest that need host (SDK) to perform side
- * effects. The exact shape of `requestData` depends on the specific
- * handler — see `GuestToHostHandlers` below for the per-handler shapes.
- * The wrapper layer in `T3nClient.handleGuestToHost` parses the JSON
- * envelope and calls the matching handler with the parsed data, so
- * each handler's implementation should narrow `requestData` to its
- * own expected shape.
- */
-export type GuestToHostHandler = (requestData: Record<string, unknown>) => Promise<Uint8Array>;
-/**
- * Map of guest-to-host request handlers
- * Keys match the guest_to_host tag values from the WASM
+ * The legacy `GuestToHostHandler` / `GuestToHostHandlers` types are
+ * gone — the SDK is now strictly a thin host-function provider. The
+ * `tee:session` contract owns every protocol detail (SIWE message
+ * build, HKDF, AES-GCM, wire-envelope wrapping); the SDK supplies a
+ * small set of host imports (`mlKemPublicKey`, `random`, `ethSign`,
+ * `getIdToken`, `nowMs`, `setCookie`, `postRpc`) at jco instantiation
+ * time and calls the contract's typed WIT exports
+ * (`clientHandshake.run`, `clientAuth.runEth` / `runOidc`,
+ * `sessionCrypto.encrypt` / `decrypt`).
+ *
+ * See `src/wasm/loader.ts` for the host-import surface and
+ * `src/client/t3n-client.ts` for the consumer-facing API.
  */
-export interface GuestToHostHandlers {
-    /**
-     * Handle Ethereum signature requests
-     * requestData: { guest_to_host: "EthSign", challenge: string (base64) }
-     * Returns: JSON bytes of { host_to_guest: "EthSign", challenge: string, signature: string }
-     */
-    EthSign?: GuestToHostHandler;
-    /**
-     * Handle MlKem public key requests
-     * requestData: { guest_to_host: "MlKemPublicKey" }
-     * Returns: JSON bytes of { host_to_guest: "MlKemPublicKey", key: string }
-     */
-    MlKemPublicKey?: GuestToHostHandler;
-    /**
-     * Handle random bytes requests
-     * requestData: { guest_to_host: "Random", len?: number }
-     * Returns: JSON bytes of { host_to_guest: "Random", bytes: string (base64) }
-     */
-    Random?: GuestToHostHandler;
-    [key: string]: GuestToHostHandler | undefined;
-}
 export * from "./session";
 export * from "./auth";

package/dist/src/utils/hkdf.d.ts

@@ -0,0 +1,36 @@
+/**
+ * HKDF-SHA256 key derivation that mirrors `session::session::derive_keys`
+ * in the node (`node/session/src/session.rs`).
+ *
+ * The server derives two directional keys from the raw ML-KEM shared
+ * secret using HKDF-Extract-then-Expand with:
+ *   - salt  = b"" (empty)
+ *   - ikm   = the 32-byte raw KEM shared secret
+ *   - info  = b"t3-session-v1-c2s" | b"t3-session-v1-s2c"
+ *   - L     = 32 bytes each
+ *
+ * The client must derive the same pair so that c2s / s2c line up on
+ * both sides. WebCrypto's `subtle.deriveBits` with `HKDF` does
+ * Extract+Expand in one call, so the TS implementation collapses to a
+ * few lines per direction.
+ */
+/**
+ * Derive directional session keys from the raw ML-KEM shared secret.
+ *
+ * @param rawSecret 32 bytes from `handshakeAsync.clientRun` (the
+ *                  `ClientPending.secret` field).
+ * @returns `{ c2s, s2c }` — each 32 bytes, suitable for AES-256-GCM.
+ */
+export declare function deriveDirectionalKeys(rawSecret: Uint8Array): Promise<{
+    c2s: Uint8Array;
+    s2c: Uint8Array;
+}>;
+/**
+ * Pack directional keys for the client-side session-crypto WASM calls.
+ *
+ * The contract's `session-crypto.encrypt`/`decrypt` interprets its
+ * `keys` argument as `encrypt_key || decrypt_key`. The client
+ * encrypts with c2s and decrypts with s2c, so the client packs
+ * `c2s || s2c`.
+ */
+export declare function packClientSessionKeys(c2s: Uint8Array, s2c: Uint8Array): Uint8Array;

package/dist/src/utils/index.d.ts

@@ -4,6 +4,7 @@
 export * from "./crypto";
 export * from "./contract-version";
 export * from "./errors";
+export * from "./hkdf";
 export * from "./logger";
 export * from "./redaction";
 export * from "./session";

package/dist/src/wasm/interface.d.ts

@@ -1,104 +1,69 @@
 /**
- * WASM Component Interface - Mirrors the WIT specification exactly
+ * WASM Component Interface — async direct-call.
  *
- * This interface works with completely opaque byte arrays, just like the WIT interface.
- * The TypeScript SDK doesn't know about internal state machine phases or details.
+ * Mirrors `tee:session@1.0.0` WIT world. The SDK talks to the WASM
+ * only through these exports (plus host imports supplied at
+ * instantiation); all protocol glue lives inside the contract.
  */
-/**
- * Result type for WASM next() operations
- */
-export interface WasmNextResult {
-    state: Uint8Array;
-    request: Uint8Array;
+export interface ClientSessionKeys {
+    /** `encrypt_key || decrypt_key`, 64 bytes. */
+    blob: Uint8Array;
+    sid: Uint8Array;
+}
+export interface HandshakeOutcome {
+    keys: ClientSessionKeys;
+    authenticated: boolean;
+    did?: string;
+    expirySec: bigint;
 }
-/**
- * Client handshake operations - completely opaque byte arrays only
- */
 export interface ClientHandshake {
-    /**
-     * Process next step in handshake
-     * @param state - Current handshake state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize handshake
-     * @param state - Current handshake state
-     * @returns Promise with session bytes if successful
-     * @throws Error if handshake not ready to finalize
-     */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+    run(sid: Uint8Array, cookie: string | undefined): HandshakeOutcome;
+}
+export interface AuthOutcome {
+    did: string;
+    cookie?: string;
 }
-/**
- * Client authentication operations - completely opaque byte arrays only
- */
 export interface ClientAuth {
+    runEth(sessionKeys: Uint8Array, ethAddress: string, siweDomain: string | undefined, siweUrl: string | undefined, siweChainId: bigint | undefined): AuthOutcome;
     /**
-     * Process next step in authentication
-     * @param state - Current auth state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize authentication
-     * @param state - Current auth state
-     * @returns Promise with DID bytes if successful
-     * @throws Error if authentication not ready to finalize
+     * Run the full OIDC flow in one call. The contract drives both
+     * server round-trips and invokes the SDK's `getIdToken(provider,
+     * nonce)` host import in between to obtain the IdP-signed token.
      */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+    runOidc(sessionKeys: Uint8Array, provider: string): AuthOutcome;
 }
-/**
- * Client authentication operations - completely opaque byte arrays only
- */
-export interface ClientExecute {
-    /**
-     * Process next step in authentication
-     * @param state - Current auth state (null for initial call)
-     * @param action - Action to process (opaque bytes)
-     * @returns Promise with new state and request to send
-     */
-    next(state: Uint8Array | null, action: Uint8Array): Promise<WasmNextResult>;
-    /**
-     * Attempt to finalize authentication
-     * @param state - Current auth state
-     * @returns Promise with DID bytes if successful
-     * @throws Error if authentication not ready to finalize
-     */
-    finish(state: Uint8Array): Promise<Uint8Array>;
+export interface ServerSessionKeys {
+    c2s: Uint8Array;
+    s2c: Uint8Array;
+    sid: Uint8Array;
+}
+export interface ServerOutcome {
+    keys: ServerSessionKeys;
+    authenticated: boolean;
+    did?: string;
+    expirySec: bigint;
+    refreshedCookie?: string;
+}
+export interface ServerHandshake {
+    run(sid: Uint8Array, ciphertext: Uint8Array, cookieValue: string | undefined): ServerOutcome;
 }
-/**
- * Session encryption/decryption operations - completely opaque byte arrays only
- */
 export interface SessionCrypto {
-    /**
-     * Encrypt plaintext using session
-     * @param session - Session state (opaque bytes)
-     * @param plaintext - Data to encrypt
-     * @returns Promise with encrypted bytes
-     */
-    encrypt(session: Uint8Array, plaintext: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Decrypt ciphertext using session
-     * @param session - Session state (opaque bytes)
-     * @param ciphertext - Data to decrypt
-     * @returns Promise with decrypted bytes
-     */
-    decrypt(session: Uint8Array, ciphertext: Uint8Array): Promise<Uint8Array>;
+    encrypt(keys: Uint8Array, plaintext: Uint8Array): Uint8Array;
+    decrypt(keys: Uint8Array, ciphertext: Uint8Array): Uint8Array;
 }
-/**
- * Main WASM Component interface - mirrors the WIT interface exactly
- *
- * This is completely opaque to the TypeScript layer. All state machine logic,
- * authentication flows, and cryptographic operations are handled in WASM.
- */
+export interface Validation {
+    authenticated: boolean;
+    did?: string;
+    exp: bigint;
+}
+export interface CookieIface {
+    validate(cookieValue: string, teeAddress: Uint8Array, nowSec: bigint): Validation;
+}
+/** Fully instantiated session component. */
 export interface WasmComponent {
-    /** Client handshake operations */
-    flow: {
-        handshake: ClientHandshake;
-        auth: ClientAuth;
-        execute: ClientExecute;
-    };
-    session: SessionCrypto;
+    clientHandshake: ClientHandshake;
+    clientAuth: ClientAuth;
+    serverHandshake: ServerHandshake;
+    sessionCrypto: SessionCrypto;
+    cookie: CookieIface;
 }

package/dist/src/wasm/loader.d.ts

@@ -1,43 +1,73 @@
 /**
- * WASM Component Loader
+ * WASM Component Loader — async direct-call shape.
  *
- * This module provides utilities for loading and initializing the WASM component.
- * The actual WASM loading implementation will depend on the build system and
- * deployment environment.
+ * Loads the `tee:session@1.0.0` jco-transpiled component. Host
+ * imports (`host:session-interfaces/*`) are supplied at
+ * instantiation; the caller can override any of them via
+ * `WasmLoadConfig.hostImports` to plug a custom KEM public-key
+ * source, ETH signer, etc. Defaults cover the common case for the
+ * browser SDK:
+ *
+ *   - `entropy.random`:        WebCrypto `getRandomValues`
+ *   - `kem.mlKemPublicKey`:    HTTP fetch of /pubkey (caller sets URL)
+ *   - `kem.decapsulate`:       server-only; client-side stub returns error
+ *   - `eth-signer.eth-sign`:   injected wallet (window.ethereum) if present
+ *   - `session-ops.now-ms`:    Date.now()
+ *   - `session-ops.tee-address`, `set-cookie`: caller-supplied or stubs
  */
 import { WasmComponent } from "./interface";
 import { Logger } from "../utils/logger";
+/**
+ * Host imports supplied at WASM instantiation. Any subset may be
+ * overridden by the caller; unset ones fall back to a safe default
+ * (or an error stub for server-only methods like `decapsulate`).
+ */
+export interface SessionHostImports {
+    /** Fetch the server's ML-KEM public key (client-side). */
+    mlKemPublicKey?: () => Uint8Array | Promise<Uint8Array>;
+    /** CSPRNG. Defaults to WebCrypto `getRandomValues`. */
+    random?: (len: number) => Uint8Array;
+    /** EIP-191 / SIWE signer. Defaults to error (caller must supply). */
+    ethSign?: (message: Uint8Array) => Uint8Array | Promise<Uint8Array>;
+    /**
+     * OIDC user-interaction callback. The contract supplies the
+     * server-bound `nonce`; the SDK consumer runs whatever popup /
+     * redirect flow is appropriate for `provider` and returns the
+     * IdP-signed `id_token`. Defaults to error (caller must supply
+     * when using OIDC auth).
+     */
+    getIdToken?: (provider: string, nonce: string) => string | Promise<string>;
+    /** Current time in ms. Defaults to Date.now() (as bigint). */
+    nowMs?: () => bigint;
+    /** TEE address — server-only; client stub returns 20 zero bytes. */
+    teeAddress?: () => Uint8Array;
+    /** Called when the guest emits a refreshed cookie. */
+    setCookie?: (value: string) => void;
+    /**
+     * HTTP transport the contract uses to POST JSON-RPC requests. The
+     * SDK wires this to its `Transport` under the hood — the contract
+     * supplies the method name and params bytes; the SDK layers on the
+     * Session-Id header, JSON-RPC envelope, and returns the raw result
+     * bytes.
+     */
+    postRpc?: (method: string, sessionId: string, params: string) => string | Promise<string>;
+}
 /**
  * Configuration for WASM component loading
  */
 export interface WasmLoadConfig {
     /** Path or URL to the WASM module */
     wasmPath?: string;
-    /** Custom fetch function for loading WASM */
-    fetchFn?: typeof fetch;
-    /** Additional initialization options */
-    initOptions?: Record<string, unknown>;
     /** Optional logger instance - if not provided, uses global default */
     logger?: Logger;
+    /** Overrides for the host-import functions. */
+    hostImports?: SessionHostImports;
 }
 /**
- * Load and initialize the T3n WASM component
+ * Load and initialize the T3n WASM component (async direct-call).
  *
- * @param config - Optional configuration for loading the WASM component
- * @returns Promise that resolves to the initialized WASM component
- *
- * @example
- * ```typescript
- * const wasmComponent = await loadWasmComponent({
- *   wasmPath: '/path/to/t3n.wasm'
- * });
- * ```
+ * The caller normally only needs to override `mlKemPublicKey` (to
+ * point at the node URL) and `ethSign` (to bridge to the browser
+ * wallet). All other imports have sensible defaults.
  */
 export declare function loadWasmComponent(config?: WasmLoadConfig): Promise<WasmComponent>;
-/**
- * Load the real T3n WASM component
- *
- * @param logger - Logger instance for WASM operations
- * @returns Promise that resolves to the initialized WASM component
- */
-export declare function loadRealWasmComponent(logger: Logger): Promise<WasmComponent>;

package/dist/wasm/generated/interfaces/host-session-interfaces-contract-dispatch.d.ts

@@ -0,0 +1,2 @@
+/** @module Interface host:session-interfaces/contract-dispatch@1.0.0 **/
+export function executeAction(contract: string, version: string, functionName: string, did: string, payload: Uint8Array): Uint8Array;

package/dist/wasm/generated/interfaces/host-session-interfaces-entropy.d.ts

@@ -0,0 +1,2 @@
+/** @module Interface host:session-interfaces/entropy@1.0.0 **/
+export function random(len: number): Uint8Array;

package/dist/wasm/generated/interfaces/host-session-interfaces-eth-signer.d.ts

@@ -0,0 +1,2 @@
+/** @module Interface host:session-interfaces/eth-signer@1.0.0 **/
+export function ethSign(message: Uint8Array): Uint8Array;

package/dist/wasm/generated/interfaces/host-session-interfaces-kem.d.ts

@@ -0,0 +1,3 @@
+/** @module Interface host:session-interfaces/kem@1.0.0 **/
+export function mlKemPublicKey(): Uint8Array;
+export function decapsulate(ciphertext: Uint8Array): Uint8Array;

package/dist/wasm/generated/interfaces/host-session-interfaces-oidc-client.d.ts

@@ -0,0 +1,2 @@
+/** @module Interface host:session-interfaces/oidc-client@1.0.0 **/
+export function getIdToken(provider: string, nonce: string): string;

package/dist/wasm/generated/interfaces/host-session-interfaces-oidc.d.ts

@@ -0,0 +1,3 @@
+/** @module Interface host:session-interfaces/oidc@1.0.0 **/
+export function fetchJwks(jwksUri: string): Uint8Array;
+export function fetchClientId(providerName: string): string;

package/dist/wasm/generated/interfaces/host-session-interfaces-session-ops.d.ts

@@ -0,0 +1,9 @@
+/** @module Interface host:session-interfaces/session-ops@1.0.0 **/
+export function nowMs(): bigint;
+export function teeAddress(): Uint8Array;
+export function fetchOrCreateDid(authenticatorHashes: Array<Uint8Array>, did: string | undefined): string;
+export function fetchProviderConfig(providerId: string): Uint8Array;
+export function setCookie(cookieValue: string): void;
+export function registerScript(name: string, version: string, wasmBytes: Uint8Array, sourceHash: string | undefined): boolean;
+export function syncUserAuths(): Uint8Array;
+export function updateMeasurements(measurementsBase64: string): boolean;

package/dist/wasm/generated/interfaces/host-session-interfaces-transport.d.ts

@@ -0,0 +1,2 @@
+/** @module Interface host:session-interfaces/transport@1.0.0 **/
+export function postRpc(method: string, sessionId: string, params: string): string;