npm - @terminal3/t3n-sdk - Versions diffs - 2.12.0 → 3.0.0 - Mend

@terminal3/t3n-sdk 2.12.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts +70 -5
package/dist/index.esm.js +1 -1
package/dist/index.js +1 -1
package/dist/src/client/delegation.d.ts +66 -3
package/dist/src/index.d.ts +2 -2
package/dist/src/types/user.d.ts +2 -0
package/package.json +2 -3

package/dist/index.d.ts CHANGED Viewed

@@ -554,6 +554,8 @@ interface UserInputProfile {
     phone_number?: string;
     birthdate?: string;
     nationality?: string;
+    campaign_code?: string;
+    role?: string;
     [key: string]: unknown;
 }
 /**
@@ -1966,6 +1968,13 @@ declare const NONCE_LEN = 16;
 declare const REQUEST_HASH_LEN = 32;
 declare const AGENT_PUBKEY_LEN = 33;
 declare const ETH_SIG_LEN = 65;
+declare const MAX_FUNCTIONS_PER_CREDENTIAL = 16;
+/**
+ * Canonical sorted list of the payroll v2 function surface. One source
+ * of truth for callers building a full-cycle credential — pass this
+ * (or a sorted subset) as `functions` to {@link buildDelegationCredential}.
+ */
+declare const PAYROLL_FUNCTIONS_V1: readonly ["compute-payroll", "execute-disbursement", "finalize-audit", "submit-escalations", "validate-credentials"];
 /** User-to-agent delegation credential body. */
 interface DelegationCredential {
     /** Domain tag, must equal {@link DELEGATION_CREDENTIAL_DOMAIN}. */
@@ -1978,8 +1987,11 @@ interface DelegationCredential {
     org_did: string;
     /** Contract id, e.g. `"tee:payroll"`. */
     contract: string;
-    /** Function name, e.g. `"run-payroll"`. */
-    function: string;
+    /**
+     * Functions this credential authorises. Sorted ascending, deduped,
+     * each entry non-empty lowercase ASCII, 1..=16 entries.
+     */
+    functions: string[];
     /** Org-data scopes the contract may read on this user's behalf. */
     scopes: string[];
     /** Flat key-value labels checked against the org grant. */
@@ -2102,7 +2114,12 @@ interface BuildDelegationCredentialOpts {
     agent_pubkey: Uint8Array;
     org_did: string;
     contract: string;
-    function: string;
+    /**
+     * Functions this credential authorises. Must be non-empty, sorted
+     * ascending, deduped — the same invariants enforced by
+     * {@link validateCredentialBody}.
+     */
+    functions: string[];
     scopes?: string[];
     metadata?: Record<string, string>;
     not_before_secs: bigint | number;
@@ -2208,6 +2225,54 @@ declare class DelegationCustodialClient {
      */
     signCustodial(body: Record<string, unknown>): Promise<SignCustodialResult>;
 }
+/** Options for {@link revokeDelegation}. */
+interface RevokeDelegationOpts {
+    /** Credential body to revoke. Already-encoded base64url-no-pad JCS bytes. */
+    credentialJcsB64u: string;
+    /**
+     * Omit (or pass `undefined`) to revoke the whole credential. Pass an
+     * array of function names to revoke a subset; the array must obey the
+     * same sort + dedupe invariants the credential's `functions` field
+     * enforces, and each entry must already appear in the credential's
+     * `functions` list (a revocation can only narrow the set, never grow
+     * it).
+     */
+    revokedFunctions?: string[];
+    /** Authenticated {@link T3nClient} for the credential's `user_did`. */
+    client: T3nClient;
+    /**
+     * Override the resolved delegation contract version. Defaults to
+     * whatever `GET /api/contracts/current?name=tee:delegation/contracts`
+     * returns at call time.
+     */
+    scriptVersion?: string;
+    /** Override the node base URL used for `"latest"` resolution. */
+    baseUrl?: string;
+}
+/** Result of a successful {@link revokeDelegation} call. */
+interface RevokeDelegationResult {
+    /** Credential id (base64url-no-pad, no padding). */
+    vcId: string;
+    /**
+     * Mirrors the persisted revocation state after merging: `null` means
+     * whole-credential, a sorted array means per-function. The contract
+     * may return a larger set than `opts.revokedFunctions` when an
+     * earlier per-function revocation existed for the same credential.
+     */
+    revokedFunctions: string[] | null;
+}
+/**
+ * Wraps the `tee:delegation/contracts::revoke` entrypoint. Only the
+ * credential's `user_did` may call this — the contract reads the
+ * authenticated DID from session context and rejects any other caller
+ * with `NotCredentialHolder`.
+ *
+ * Merge semantics are handled server-side: whole-credential revocations
+ * are sticky, and per-function revocations accumulate as a sorted +
+ * deduped union across calls. The returned `revokedFunctions` reflects
+ * the persisted state after merging, not just this call's input.
+ */
+declare function revokeDelegation(opts: RevokeDelegationOpts): Promise<RevokeDelegationResult>;
 /** Options for {@link buildPayrollInvocation}. */
 interface BuildPayrollInvocationOpts {
     credentialJcs: Uint8Array;
@@ -2767,5 +2832,5 @@ declare function clearKeyCache(): void;
  */
 declare function loadConfig(baseUrl?: string): SdkConfig;
-export { AGENT_PUBKEY_LEN, AuthMethod, AuthenticationError, ContractResponseError, DEFAULT_INDIVIDUAL_THRESHOLD_CENTS, DEFAULT_KYC_POLL_CADENCE, DELEGATION_CREDENTIAL_DOMAIN, DELEGATION_INVOCATION_DOMAIN, DelegationCustodialClient, ETH_SIG_LEN, HandshakeError, HttpTransport, KycStatusTimeoutError, LogLevel, MockTransport, NODE_URLS, NONCE_LEN, OrgDataClient, REQUEST_HASH_LEN, RpcError, SessionExpiredError, SessionOrgDataClient, SessionStateError, SessionStatus, T3nClient, T3nError, TERMINAL_KYC_STATUSES, UserUpsertError, VC_ID_LEN, WasmError, _b64uEncode, assertShape, b64uDecodeStrict, b64uEncodeBytes, buildDelegationCredential, buildInvocationPreimage, buildPayrollDirectInvocation, buildPayrollInvocation, bytesToString, canonicaliseCredential, canonicaliseRequest, clearKeyCache, compactDidFromBytes, createDefaultHandlers, createEthAuthInput, createLogger, createMlKemPublicKeyHandler, createOidcAuthInput, createOrgDataClientFromSession, createRandomHandler, decodeWasmErrorMessage, eip191Digest, ethRecoverEip191, eth_get_address, extractWasmError, fetchDkgAttestation, fetchMlKemPublicKey, generateRandomString, generateUUID, getEnvironment, getEnvironmentName, getGlobalLogLevel, getLogger, getNodeUrl, getScriptVersion, isDataGetResponse, isDataListResponse, isMutationResponse, isObject, isOrgContractGrants, isOrgPolicyMeta, isOrgWriters, loadConfig, loadWasmComponent, metamask_get_address, metamask_sign, parseContractResponse, redactSecrets, redactSecretsFromJson, requestHash, setEnvironment, setGlobalLogLevel, setNodeUrl, signAgentInvocation, signCredential, stringToBytes, validateConfig, validateCredentialBody, verifyDkgAttestation, verifyTdxQuote };
-export type { AgeBand, AuthInput, BuildDelegationCredentialOpts, BuildPayrollDirectInvocationOpts, BuildPayrollInvocationOpts, ClientAuth, ClientHandshake, ConfigValidationResult, ContractResponseSchema, CreatePolicyInput, DataGetInput, DataGetResponse, DataListInput, DataListResponse, DelegationCredential, DelegationCustodialClientOpts, DelegationEnvelope, DeleteDataInput, DeleteGrantsInput, DeleteScopeInput, Did, DkgAttestation, DkgVerifyResult, EmployeeRecord, EmploymentStatus, Environment, EthAuthInput, ExecuteOrgDataActionOptions, ExpenseClaim, GrantsGetInput, GuestToHostHandler, GuestToHostHandlers, HandshakeResult, JsonRpcRequest, JsonRpcResponse, KycPollCadence, KycPollOptions, KycStatus, KycStatusKind, Logger, MutationResponse, OidcAuthInput, OidcCredentials, OrgContractGrants, OrgDataActionWire, OrgDataClientOptions, OrgPolicyMeta, OrgWriters, OtpChannel, OtpMergeSuggestion, OtpRequestInput, OtpRequestResult, OtpVerifyInput, OtpVerifyResult, PayrollInvocation, PayrollInvocationDelegated, PayrollInvocationDirect, PayrollRunRequest, PeerQuoteResult, PolicyGetInput, QuoteVerifyResult, ResidencyCategory, SdkConfig, SessionCrypto, SessionId, SetGrantsInput, SetWritersInput, SignCustodialResult, SignDelegationResponse, SubmitUserInputArgs, SubmitUserInputResult, T3nClientConfig, TenantAdmitProjection, TenantAdmitStatus, Transport, UpdateMetaInput, UserGrant, UserInputProfile, UserUpsertErrorKind, WasmComponent, WasmNextResult, WriteDataInput, WritersGetInput };
+export { AGENT_PUBKEY_LEN, AuthMethod, AuthenticationError, ContractResponseError, DEFAULT_INDIVIDUAL_THRESHOLD_CENTS, DEFAULT_KYC_POLL_CADENCE, DELEGATION_CREDENTIAL_DOMAIN, DELEGATION_INVOCATION_DOMAIN, DelegationCustodialClient, ETH_SIG_LEN, HandshakeError, HttpTransport, KycStatusTimeoutError, LogLevel, MAX_FUNCTIONS_PER_CREDENTIAL, MockTransport, NODE_URLS, NONCE_LEN, OrgDataClient, PAYROLL_FUNCTIONS_V1, REQUEST_HASH_LEN, RpcError, SessionExpiredError, SessionOrgDataClient, SessionStateError, SessionStatus, T3nClient, T3nError, TERMINAL_KYC_STATUSES, UserUpsertError, VC_ID_LEN, WasmError, _b64uEncode, assertShape, b64uDecodeStrict, b64uEncodeBytes, buildDelegationCredential, buildInvocationPreimage, buildPayrollDirectInvocation, buildPayrollInvocation, bytesToString, canonicaliseCredential, canonicaliseRequest, clearKeyCache, compactDidFromBytes, createDefaultHandlers, createEthAuthInput, createLogger, createMlKemPublicKeyHandler, createOidcAuthInput, createOrgDataClientFromSession, createRandomHandler, decodeWasmErrorMessage, eip191Digest, ethRecoverEip191, eth_get_address, extractWasmError, fetchDkgAttestation, fetchMlKemPublicKey, generateRandomString, generateUUID, getEnvironment, getEnvironmentName, getGlobalLogLevel, getLogger, getNodeUrl, getScriptVersion, isDataGetResponse, isDataListResponse, isMutationResponse, isObject, isOrgContractGrants, isOrgPolicyMeta, isOrgWriters, loadConfig, loadWasmComponent, metamask_get_address, metamask_sign, parseContractResponse, redactSecrets, redactSecretsFromJson, requestHash, revokeDelegation, setEnvironment, setGlobalLogLevel, setNodeUrl, signAgentInvocation, signCredential, stringToBytes, validateConfig, validateCredentialBody, verifyDkgAttestation, verifyTdxQuote };
+export type { AgeBand, AuthInput, BuildDelegationCredentialOpts, BuildPayrollDirectInvocationOpts, BuildPayrollInvocationOpts, ClientAuth, ClientHandshake, ConfigValidationResult, ContractResponseSchema, CreatePolicyInput, DataGetInput, DataGetResponse, DataListInput, DataListResponse, DelegationCredential, DelegationCustodialClientOpts, DelegationEnvelope, DeleteDataInput, DeleteGrantsInput, DeleteScopeInput, Did, DkgAttestation, DkgVerifyResult, EmployeeRecord, EmploymentStatus, Environment, EthAuthInput, ExecuteOrgDataActionOptions, ExpenseClaim, GrantsGetInput, GuestToHostHandler, GuestToHostHandlers, HandshakeResult, JsonRpcRequest, JsonRpcResponse, KycPollCadence, KycPollOptions, KycStatus, KycStatusKind, Logger, MutationResponse, OidcAuthInput, OidcCredentials, OrgContractGrants, OrgDataActionWire, OrgDataClientOptions, OrgPolicyMeta, OrgWriters, OtpChannel, OtpMergeSuggestion, OtpRequestInput, OtpRequestResult, OtpVerifyInput, OtpVerifyResult, PayrollInvocation, PayrollInvocationDelegated, PayrollInvocationDirect, PayrollRunRequest, PeerQuoteResult, PolicyGetInput, QuoteVerifyResult, ResidencyCategory, RevokeDelegationOpts, RevokeDelegationResult, SdkConfig, SessionCrypto, SessionId, SetGrantsInput, SetWritersInput, SignCustodialResult, SignDelegationResponse, SubmitUserInputArgs, SubmitUserInputResult, T3nClientConfig, TenantAdmitProjection, TenantAdmitStatus, Transport, UpdateMetaInput, UserGrant, UserInputProfile, UserUpsertErrorKind, WasmComponent, WasmNextResult, WriteDataInput, WritersGetInput };