@terminal3/t3n-sdk 1.3.2 → 2.1.0

package/README.md

@@ -86,6 +86,88 @@ const oidcCredentials = {
 const did = await client.authenticate(createOidcAuthInput(oidcCredentials));
 ```
 
+## Migrating from 1.x
+
+`@terminal3/t3n-sdk@2.0.0` cuts over to `tee:user/contracts@2.0.0`
+(MAT-1374). The implicit-dispatch monolith `user-upsert` on the user
+contract was split into three explicit functions on the same
+contract:
+
+- `otp-request` — request + dispatch an OTP code.
+- `otp-verify` — redeem an OTP and bind the contact.
+- `user-upsert` (slim) — Level 1 user-input ingest only. Rejects
+  callers without a verified email with the typed
+  `UserUpsertError { kind: "EmailNotVerified" }` (wire form
+  `email_not_verified:<detail>`).
+
+If you used the typed `T3nClient` methods to wrap `executeAction`,
+the SDK now ships `client.otpRequest` / `client.otpVerify` /
+`client.submitUserInput` (plus a convenience
+`client.runOtpThenUserInput`) so you can migrate one call site at a
+time:
+
+| Pre-2.0.0 (`tee:user@1.5.0`)                                                             | 2.x (`tee:user@2.0.0`, contract ≥ 2.1.0 for discriminated OTP)         |
+| ---------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `executeAction({ function_name: "user-upsert", input: { profile: { email_address } } })` | `client.otpRequest({ emailChannel: { emailAddress } })`                |
+| `executeAction({ function_name: "user-upsert", input: { profile, otp_code } })`          | `client.otpVerify({ otpCode, request: { emailChannel: { emailAddress } } })` |
+| `executeAction({ function_name: "user-upsert", input: { profile, keys: { generic_api: { otp_channel: "sms" } } } })` | `client.otpRequest({ smsChannel: { phoneNumber } })` |
+| `executeAction({ function_name: "user-upsert", input: { profile } })` (post-OTP)         | `client.submitUserInput({ profile })`                                 |
+
+### Worked example: full email + L1 ingest
+
+```typescript
+import { T3nClient, UserUpsertError } from "@terminal3/t3n-sdk";
+
+// 1) Bind the user's email via OTP.
+const requested = await client.otpRequest({
+  emailChannel: { emailAddress: "alice@example.com" },
+});
+const code = await prompt(`Code sent to ${requested.contact}: `);
+await client.otpVerify({
+  otpCode: code,
+  request: { emailChannel: { emailAddress: "alice@example.com" } },
+});
+
+// 2) Slim user-upsert: Level 1 user-input ingest. Rejects with
+// UserUpsertError(kind: "EmailNotVerified") if step 1 was skipped.
+try {
+  const result = await client.submitUserInput({
+    profile: {
+      first_name: "Alice",
+      last_name: "Smith",
+      country_of_residence: "US",
+      // ...other Level-1 fields
+    },
+  });
+  console.log("tx:", result.txHash);
+} catch (err) {
+  if (err instanceof UserUpsertError && err.kind === "EmailNotVerified") {
+    // run otp-request + otp-verify, then retry.
+  }
+  throw err;
+}
+```
+
+For tests that "just want it to work", `runOtpThenUserInput` chains
+the three calls behind a single `getOtpCode` callback.
+
+### Hard-error fields
+
+Passing any of these to the wrong function returns the typed
+`UserUpsertError(kind: "LegacyField")` (wire form
+`legacy_field:<detail>`):
+
+- `otp_code` to anything other than `otp-verify`.
+- `keys.generic_api.otp_channel` to anything (channel is now a
+  top-level field).
+
+### Raw `executeAction` callers
+
+If you bypass the typed wrappers, see the migration table above:
+the function names (`otp-request` / `otp-verify` / `user-upsert`)
+and JSON input shapes line up 1:1 with the wrappers' camelCase
+fields converted to `snake_case`.
+
 ## Architecture
 
 The T3n SDK follows the same architectural principles as the server's `rpc.rs`:

package/dist/index.d.ts

@@ -325,6 +325,281 @@ type AuthInput = EthAuthInput | OidcAuthInput;
 declare function createEthAuthInput(address: string): EthAuthInput;
 declare function createOidcAuthInput(credentials: OidcCredentials): OidcAuthInput;
 
+/**
+ * Error classes for T3n SDK
+ */
+/**
+ * Base error class for T3n SDK errors
+ */
+declare class T3nError extends Error {
+    readonly code?: string | undefined;
+    constructor(message: string, code?: string | undefined);
+}
+/**
+ * Error thrown when session is in invalid state for operation
+ */
+declare class SessionStateError extends T3nError {
+    readonly currentState: string;
+    constructor(message: string, currentState: string);
+}
+/**
+ * Error thrown during authentication process
+ */
+declare class AuthenticationError extends T3nError {
+    readonly authMethod?: string | undefined;
+    constructor(message: string, authMethod?: string | undefined);
+}
+/**
+ * Error thrown during handshake process
+ */
+declare class HandshakeError extends T3nError {
+    constructor(message: string);
+}
+/**
+ * Error thrown during RPC communication.
+ *
+ * `message` is the human-readable error (preferring the server's
+ * `error.data.detail` when present, with the request id appended in
+ * `[<id>]` form so a UI that only surfaces `.message` still gives an
+ * operator something to grep). The structured fields below preserve
+ * the same info for callers that want to render or log them
+ * separately — e.g. a toast that shows `detail` but surfaces
+ * `requestId` in a "copy for support" affordance.
+ */
+declare class RpcError extends T3nError {
+    readonly rpcMethod?: string | undefined;
+    readonly httpStatus?: number | undefined;
+    /** Server-attached detail (JSON-RPC `error.data.detail`). User-facing kinds
+     *  carry the specific reason here; internal kinds omit it. */
+    readonly detail?: string | undefined;
+    /** Per-request correlation id (JSON-RPC `error.data.request_id`). */
+    readonly requestId?: string | undefined;
+    constructor(message: string, rpcMethod?: string | undefined, httpStatus?: number | undefined, 
+    /** Server-attached detail (JSON-RPC `error.data.detail`). User-facing kinds
+     *  carry the specific reason here; internal kinds omit it. */
+    detail?: string | undefined, 
+    /** Per-request correlation id (JSON-RPC `error.data.request_id`). */
+    requestId?: string | undefined);
+}
+/**
+ * Error thrown when WASM operations fail
+ */
+declare class WasmError extends T3nError {
+    readonly operation?: string | undefined;
+    readonly payload?: unknown | undefined;
+    constructor(message: string, operation?: string | undefined, payload?: unknown | undefined);
+}
+/**
+ * Decode WASM error message from comma-separated byte array format
+ * WASM errors often come as "83,101,114,100,101..." which represents ASCII bytes
+ *
+ * @param errorMessage - The error message string that may contain comma-separated bytes
+ * @returns Decoded error message if it was encoded, otherwise original message
+ */
+declare function decodeWasmErrorMessage(errorMessage: string): string;
+/**
+ * Extract and decode error from WASM ComponentError
+ *
+ * @param error - The error object from WASM
+ * @returns Decoded error message
+ */
+declare function extractWasmError(error: unknown): string;
+
+/**
+ * MAT-1374 — wire types for the explicit `otp-request` /
+ * `otp-verify` / slim `user-upsert` exports on `tee:user/contracts`
+ * (`tee:user@2.0.0`).
+ *
+ * Pre-2.0.0 the user contract dispatched OTP request and OTP verify
+ * implicitly from the input shape of a single `user-upsert` call.
+ * 2.0.0 splits that surface into three explicit functions; the
+ * shapes here mirror the Rust types in
+ * `node/tee_contracts/user/src/otp_types.rs` and
+ * `node/tee_contracts/user/src/upsert_types.rs`.
+ *
+ * Keep the two in sync — bytes flow directly from the contract
+ * through the JSON-RPC envelope into the SDK wrappers
+ * (`T3nClient.otpRequest`, `T3nClient.otpVerify`,
+ * `T3nClient.submitUserInput`).
+ */
+
+/**
+ * OTP delivery channel. Matches the `OtpContactChannel` Rust enum
+ * with `serde(rename_all = "snake_case")`.
+ */
+type OtpChannel = "email" | "sms";
+/**
+ * Discriminated OTP contact target. Mirrors the Rust `OtpRequest` enum
+ * (`email_channel` / `sms_channel` on the wire). Exactly one branch is
+ * set — no parallel optional email + phone with a separate channel tag.
+ *
+ * The legacy `keys.generic_api.otp_channel` body shadow was removed
+ * in 2.0.0 — the contract rejects calls carrying it with a
+ * `legacy_field` error.
+ */
+type OtpRequestInput = {
+    emailChannel: {
+        emailAddress: string;
+    };
+} | {
+    smsChannel: {
+        phoneNumber: string;
+    };
+};
+/**
+ * Response returned by `otp-request`. Mirrors `OtpResponse` in
+ * `otp_types.rs`.
+ *
+ * - `contact` echoes the OTP destination so clients that race
+ *   multiple channels can correlate replies.
+ * - `expiresAtSec` is the Unix-second TTL the host minted for the
+ *   pending OTP. Absent in `skip_otp` test environments.
+ * - `status` is `"otp_pending"` on the happy path. `"otp_failed"`
+ *   only appears on retry without a fresh request — usually you
+ *   shouldn't see it on `otp-request`.
+ * - `txHash` is the host-enriched ledger ref for the OTP-pending
+ *   write (the contract leaves it `null`; the host injects).
+ * - `isNewProfile` is `true` on a fresh DID's first OTP request —
+ *   read this to detect "did the user just register".
+ */
+interface OtpRequestResult {
+    contact: string;
+    channel: OtpChannel;
+    expiresAtSec?: number;
+    status?: string;
+    txHash?: string;
+    isNewProfile?: boolean;
+}
+/**
+ * Input to `T3nClient.otpVerify`. `otpCode` is mandatory; `request`
+ * repeats the same discriminated contact shape as {@link OtpRequestInput}.
+ */
+interface OtpVerifyInput {
+    otpCode: string;
+    request: OtpRequestInput;
+}
+/**
+ * Suggestion surfaced when the bind-target contact already belongs
+ * to another DID. The contract refuses to silently steal the
+ * authenticator; the caller must resolve the merge (typically via
+ * `merge-profiles`) before re-attempting verify.
+ */
+interface OtpMergeSuggestion {
+    existingDid: string;
+    currentDid: string;
+    email?: string;
+    phone?: string;
+    channel: OtpChannel;
+}
+/**
+ * Response returned by `otp-verify`. Mirrors
+ * `OtpVerifyResponse` in `otp_types.rs`.
+ *
+ * - `email` is populated on `channel = "email"` success;
+ *   `phone` on `channel = "sms"` success. Mutually exclusive on
+ *   the happy path.
+ * - `status` carries `"otp_failed"` / `"otp_expired"` on retry; the
+ *   happy path leaves it `undefined`.
+ * - `mergeSuggestion` is set when the contact-to-bind is already
+ *   owned by another DID. Wire it into your merge UX.
+ */
+interface OtpVerifyResult {
+    txHash?: string;
+    did: string;
+    channel: OtpChannel;
+    email?: string;
+    phone?: string;
+    status?: string;
+    mergeSuggestion?: OtpMergeSuggestion;
+    isNewProfile?: boolean;
+}
+/**
+ * Level-1 user-input fields accepted by the slim `user-upsert`.
+ * The Rust contract validates these via `validate_profile`; the
+ * shape is intentionally open so callers can add provider-specific
+ * fields on top of the canonical six.
+ */
+interface UserInputProfile {
+    firstName?: string;
+    lastName?: string;
+    email_address?: string;
+    phone_number?: string;
+    birthdate?: string;
+    nationality?: string;
+    [key: string]: unknown;
+}
+/**
+ * Input to `T3nClient.submitUserInput`. Maps onto the slim
+ * `user-upsert` request shape: `{ profile, organisation_did?,
+ * attestations?, keys? }`.
+ */
+interface SubmitUserInputArgs {
+    profile: UserInputProfile;
+    organisationDid?: string;
+    attestations?: unknown;
+    keys?: Record<string, unknown>;
+    /**
+     * KYC webhook orphan-attestation flow. When set, the contract
+     * skips the email-not-verified gate and only records the
+     * attestation if the DID has no profile yet (T3-TS-026 §13).
+     * Most callers should leave this `undefined`.
+     */
+    requireExistingUser?: boolean;
+}
+/**
+ * Response shape returned by the slim `user-upsert`. Carries the
+ * post-merge tx hash plus the L1 merge diagnostics
+ * (`refusedFields`, `mergeSuggestion`) the pre-2.0.0 omnibus
+ * `UpsertResponse` already surfaced.
+ */
+interface SubmitUserInputResult {
+    txHash?: string;
+    refusedFields?: string[];
+    mergeSuggestion?: OtpMergeSuggestion;
+    userFound?: boolean;
+}
+/**
+ * Discriminator for {@link UserUpsertError}. Mirrors the
+ * `UserUpsertError` Rust enum and its `<code>:<detail>` wire
+ * format (see `upsert_types.rs::UserUpsertError::code`). Branch
+ * with a `switch` over `kind`.
+ *
+ * - `EmailNotVerified` — the slim `user-upsert` was called against
+ *   a DID that has no verified email and no proving authenticator.
+ *   Run `otpRequest` + `otpVerify` first (or accept an
+ *   OIDC/Email-authed session).
+ * - `LegacyField` — caller passed a pre-2.0.0 dispatch field
+ *   (`otp_code` to a non-verify export, or
+ *   `keys.generic_api.otp_channel` anywhere). Migrate the call
+ *   site to the new explicit functions.
+ * - `UserNotFound` — `requireExistingUser` was set but no profile
+ *   exists for the DID. The attestation is recorded for audit;
+ *   no profile created.
+ */
+type UserUpsertErrorKind = "EmailNotVerified" | "LegacyField" | "UserNotFound";
+/**
+ * Typed wrapper for the `<code>:<detail>` errors the slim
+ * `user-upsert` and the OTP entry points emit. `kind` is the
+ * structured discriminator the SDK derives from the error code
+ * prefix; `code` and `detail` retain the wire components for
+ * fall-through logging.
+ *
+ * Throw site: `T3nClient.submitUserInput` (and friends) when the
+ * contract returns a string error matching the
+ * `<code>:<detail>` shape.
+ */
+declare class UserUpsertError extends T3nError {
+    readonly kind: UserUpsertErrorKind | "Unknown";
+    readonly detail: string;
+    constructor(code: string, detail: string);
+    /**
+     * Try to parse a contract error string into a `UserUpsertError`.
+     * Returns `null` if `raw` doesn't match the `<code>:<detail>`
+     * shape — caller falls back to a generic error.
+     */
+    static fromWire(raw: string): UserUpsertError | null;
+}
+
 /**
  * Public types export for T3n SDK
  */
@@ -515,86 +790,6 @@ interface T3nClientConfig {
     handlers?: GuestToHostHandlers;
 }
 
-/**
- * Error classes for T3n SDK
- */
-/**
- * Base error class for T3n SDK errors
- */
-declare class T3nError extends Error {
-    readonly code?: string | undefined;
-    constructor(message: string, code?: string | undefined);
-}
-/**
- * Error thrown when session is in invalid state for operation
- */
-declare class SessionStateError extends T3nError {
-    readonly currentState: string;
-    constructor(message: string, currentState: string);
-}
-/**
- * Error thrown during authentication process
- */
-declare class AuthenticationError extends T3nError {
-    readonly authMethod?: string | undefined;
-    constructor(message: string, authMethod?: string | undefined);
-}
-/**
- * Error thrown during handshake process
- */
-declare class HandshakeError extends T3nError {
-    constructor(message: string);
-}
-/**
- * Error thrown during RPC communication.
- *
- * `message` is the human-readable error (preferring the server's
- * `error.data.detail` when present, with the request id appended in
- * `[<id>]` form so a UI that only surfaces `.message` still gives an
- * operator something to grep). The structured fields below preserve
- * the same info for callers that want to render or log them
- * separately — e.g. a toast that shows `detail` but surfaces
- * `requestId` in a "copy for support" affordance.
- */
-declare class RpcError extends T3nError {
-    readonly rpcMethod?: string | undefined;
-    readonly httpStatus?: number | undefined;
-    /** Server-attached detail (JSON-RPC `error.data.detail`). User-facing kinds
-     *  carry the specific reason here; internal kinds omit it. */
-    readonly detail?: string | undefined;
-    /** Per-request correlation id (JSON-RPC `error.data.request_id`). */
-    readonly requestId?: string | undefined;
-    constructor(message: string, rpcMethod?: string | undefined, httpStatus?: number | undefined, 
-    /** Server-attached detail (JSON-RPC `error.data.detail`). User-facing kinds
-     *  carry the specific reason here; internal kinds omit it. */
-    detail?: string | undefined, 
-    /** Per-request correlation id (JSON-RPC `error.data.request_id`). */
-    requestId?: string | undefined);
-}
-/**
- * Error thrown when WASM operations fail
- */
-declare class WasmError extends T3nError {
-    readonly operation?: string | undefined;
-    readonly payload?: unknown | undefined;
-    constructor(message: string, operation?: string | undefined, payload?: unknown | undefined);
-}
-/**
- * Decode WASM error message from comma-separated byte array format
- * WASM errors often come as "83,101,114,100,101..." which represents ASCII bytes
- *
- * @param errorMessage - The error message string that may contain comma-separated bytes
- * @returns Decoded error message if it was encoded, otherwise original message
- */
-declare function decodeWasmErrorMessage(errorMessage: string): string;
-/**
- * Extract and decode error from WASM ComponentError
- *
- * @param error - The error object from WASM
- * @returns Decoded error message
- */
-declare function extractWasmError(error: unknown): string;
-
 /**
  * Contract response decoding for {@link T3nClient.execute}.
  *
@@ -1030,6 +1225,116 @@ declare class T3nClient {
      *   row exists yet), or if the response shape is unexpected.
      */
     kycStatus(providerId?: string): Promise<KycStatus>;
+    /**
+     * Dispatch a one-time code to the supplied contact via the host's
+     * OTP provider. Backed by `tee:user/contracts::otp-request`.
+     *
+     * The contract persists the unverified contact in the channel's
+     * pending slot (`pending_email` / `pending_phone`) and returns
+     * `OtpRequestResult` with `status = "otp_pending"` (or `undefined`
+     * when the node is configured with `skip_otp = true`). The next
+     * step is {@link otpVerify} with the code the user typed.
+     *
+     * Behaviour notes:
+     *
+     * - Contact is a discriminated object: `emailChannel` or
+     *   `smsChannel` (mirrors Rust `OtpRequest`). The legacy
+     *   `keys.generic_api.otp_channel` body shadow is rejected by the
+     *   contract.
+     * - SMS channel is gated on a verified email. Calling with
+     *   `channel = "sms"` against a DID that hasn't completed an
+     *   email roundtrip first throws.
+     * - On a fresh DID's first call, `result.isNewProfile === true`.
+     *   Use this signal — not [[otpVerify]]'s response — for "did the
+     *   user just register" gating.
+     *
+     * @throws {RpcError} if the node rejects the action; the message
+     *   carries the contract-side detail (e.g. sequential-flow guard
+     *   when the email is missing).
+     */
+    otpRequest(input: OtpRequestInput): Promise<OtpRequestResult>;
+    /**
+     * Redeem a one-time code and bind the contact to the
+     * authenticated DID. Backed by
+     * `tee:user/contracts::otp-verify`.
+     *
+     * On success the contract promotes the pending contact back to
+     * the canonical slot, writes the AUTH_MAP / DIDS_MAP /
+     * USER_AUTHS_MAP authenticator entries, stamps
+     * `verified_contacts.{email,phone}`, and mints the ambient
+     * `t3n.personal.contact.1` ownership VC when both contacts are
+     * now verified.
+     *
+     * If the contact is already owned by a different DID the
+     * contract refuses to silently reparent the authenticator and
+     * surfaces a `mergeSuggestion` instead — the caller resolves the
+     * merge (typically via {@link mergeProfiles}) and re-attempts.
+     *
+     * On a wrong / expired code the contract returns the result with
+     * `status = "otp_failed"` or `"otp_expired"` — no exception is
+     * thrown, the error is surfaced as data so the UI can stay on
+     * the verify screen and let the user retry.
+     *
+     * @throws {RpcError} if the node rejects the action outright
+     *   (network / decode / bad input shape). Branch on
+     *   `result.status` for retryable OTP failures.
+     */
+    otpVerify(input: OtpVerifyInput): Promise<OtpVerifyResult>;
+    /**
+     * Submit Level-1 user-input fields to the slim
+     * `tee:user/contracts::user-upsert`. The contract merges the
+     * supplied profile fields, validates them, mints
+     * `t3n.user-input.kyc.1` once every Level-1 field is present, and
+     * commits the write.
+     *
+     * **Pre-condition** (MAT-1374): the DID must already have a
+     * verified email — either because {@link otpVerify} bound one or
+     * because the session carries a proving authenticator (OIDC /
+     * Email auth). Calls without proof are rejected with
+     * {@link UserUpsertError} `kind = "EmailNotVerified"`. The
+     * recommended UX is "request OTP -> verify OTP -> submit user
+     * input" (or use {@link runOtpThenUserInput} which chains all
+     * three).
+     *
+     * The KYC webhook orphan-attestation flow stays here: when
+     * `requireExistingUser` is set, the contract identifies the user
+     * by DID (vendorData) instead of email and the gate is bypassed.
+     *
+     * @throws {UserUpsertError} when the contract returns a typed
+     *   error (`email_not_verified`, `legacy_field`, `user_not_found`).
+     *   Branch on `err.kind`.
+     * @throws {RpcError} for non-typed transport / decode failures.
+     */
+    submitUserInput(input: SubmitUserInputArgs): Promise<SubmitUserInputResult>;
+    /**
+     * Convenience helper: run the explicit OTP roundtrip and submit
+     * the slim user-upsert in one call.
+     *
+     * The caller supplies a `getOtpCode(contact, channel)` callback
+     * the SDK invokes between request and verify — this is where
+     * a UI prompts the user to type the code that arrived on email
+     * / SMS. Throw from the callback to abort the flow; the helper
+     * does not retry on its own.
+     *
+     * Returns the slim `submitUserInput` result on success. Throws
+     * {@link UserUpsertError} or `RpcError` on the same conditions
+     * as the underlying wrappers.
+     *
+     * Optional, opt-in path — the recommended default is to call
+     * {@link otpRequest}, {@link otpVerify}, and
+     * {@link submitUserInput} explicitly so the application owns the
+     * flow.
+     */
+    runOtpThenUserInput(args: {
+        channel: OtpChannel;
+        emailAddress?: string;
+        phoneNumber?: string;
+        profile: SubmitUserInputArgs["profile"];
+        organisationDid?: string;
+        attestations?: unknown;
+        keys?: Record<string, unknown>;
+        getOtpCode: (contact: string, channel: OtpChannel) => Promise<string> | string;
+    }): Promise<SubmitUserInputResult>;
     /**
      * Poll `kyc-status` until a terminal status arrives or the
      * configured timeout elapses.
@@ -1423,5 +1728,5 @@ declare function clearKeyCache(): void;
  */
 declare function loadConfig(baseUrl?: string): SdkConfig;
 
-export { AuthMethod, AuthenticationError, ContractResponseError, DEFAULT_KYC_POLL_CADENCE, HandshakeError, HttpTransport, KycStatusTimeoutError, LogLevel, MockTransport, NODE_URLS, RpcError, SessionStateError, SessionStatus, T3nClient, T3nError, TERMINAL_KYC_STATUSES, WasmError, bytesToString, clearKeyCache, createDefaultHandlers, createEthAuthInput, createLogger, createMlKemPublicKeyHandler, createOidcAuthInput, createRandomHandler, decodeWasmErrorMessage, eth_get_address, extractWasmError, fetchDkgAttestation, fetchMlKemPublicKey, generateRandomString, generateUUID, getEnvironment, getEnvironmentName, getGlobalLogLevel, getLogger, getNodeUrl, getScriptVersion, loadConfig, loadWasmComponent, metamask_get_address, metamask_sign, parseContractResponse, redactSecrets, redactSecretsFromJson, setEnvironment, setGlobalLogLevel, setNodeUrl, stringToBytes, validateConfig, verifyDkgAttestation, verifyTdxQuote };
-export type { AuthInput, ClientAuth, ClientHandshake, ConfigValidationResult, ContractResponseSchema, Did, DkgAttestation, DkgVerifyResult, Environment, EthAuthInput, GuestToHostHandler, GuestToHostHandlers, HandshakeResult, JsonRpcRequest, JsonRpcResponse, KycPollCadence, KycPollOptions, KycStatus, KycStatusKind, Logger, OidcAuthInput, OidcCredentials, PeerQuoteResult, QuoteVerifyResult, SdkConfig, SessionCrypto, SessionId, T3nClientConfig, Transport, WasmComponent, WasmNextResult };
+export { AuthMethod, AuthenticationError, ContractResponseError, DEFAULT_KYC_POLL_CADENCE, HandshakeError, HttpTransport, KycStatusTimeoutError, LogLevel, MockTransport, NODE_URLS, RpcError, SessionStateError, SessionStatus, T3nClient, T3nError, TERMINAL_KYC_STATUSES, UserUpsertError, WasmError, bytesToString, clearKeyCache, createDefaultHandlers, createEthAuthInput, createLogger, createMlKemPublicKeyHandler, createOidcAuthInput, createRandomHandler, decodeWasmErrorMessage, eth_get_address, extractWasmError, fetchDkgAttestation, fetchMlKemPublicKey, generateRandomString, generateUUID, getEnvironment, getEnvironmentName, getGlobalLogLevel, getLogger, getNodeUrl, getScriptVersion, loadConfig, loadWasmComponent, metamask_get_address, metamask_sign, parseContractResponse, redactSecrets, redactSecretsFromJson, setEnvironment, setGlobalLogLevel, setNodeUrl, stringToBytes, validateConfig, verifyDkgAttestation, verifyTdxQuote };
+export type { AuthInput, ClientAuth, ClientHandshake, ConfigValidationResult, ContractResponseSchema, Did, DkgAttestation, DkgVerifyResult, Environment, EthAuthInput, GuestToHostHandler, GuestToHostHandlers, HandshakeResult, JsonRpcRequest, JsonRpcResponse, KycPollCadence, KycPollOptions, KycStatus, KycStatusKind, Logger, OidcAuthInput, OidcCredentials, OtpChannel, OtpMergeSuggestion, OtpRequestInput, OtpRequestResult, OtpVerifyInput, OtpVerifyResult, PeerQuoteResult, QuoteVerifyResult, SdkConfig, SessionCrypto, SessionId, SubmitUserInputArgs, SubmitUserInputResult, T3nClientConfig, Transport, UserInputProfile, UserUpsertErrorKind, WasmComponent, WasmNextResult };