@terminal3/t3n-sdk 2.13.0 → 3.0.0

package/dist/src/client/delegation.d.ts

@@ -31,11 +31,18 @@ export declare const AGENT_PUBKEY_LEN = 33;
 export declare const ETH_SIG_LEN = 65;
 export declare const MAX_CONTRACT_LEN = 46;
 export declare const MAX_FUNCTION_LEN = 64;
+export declare const MAX_FUNCTIONS_PER_CREDENTIAL = 16;
 export declare const MAX_SCOPE_LEN = 64;
 export declare const MAX_SCOPES_PER_CREDENTIAL = 32;
 export declare const MAX_METADATA_PER_CREDENTIAL = 16;
 export declare const MAX_METADATA_KEY_LEN = 64;
 export declare const MAX_METADATA_VALUE_LEN = 256;
+/**
+ * Canonical sorted list of the payroll v2 function surface. One source
+ * of truth for callers building a full-cycle credential — pass this
+ * (or a sorted subset) as `functions` to {@link buildDelegationCredential}.
+ */
+export declare const PAYROLL_FUNCTIONS_V1: readonly ["compute-payroll", "execute-disbursement", "finalize-audit", "submit-escalations", "validate-credentials"];
 /** User-to-agent delegation credential body. */
 export interface DelegationCredential {
     /** Domain tag, must equal {@link DELEGATION_CREDENTIAL_DOMAIN}. */
@@ -48,8 +55,11 @@ export interface DelegationCredential {
     org_did: string;
     /** Contract id, e.g. `"tee:payroll"`. */
     contract: string;
-    /** Function name, e.g. `"run-payroll"`. */
-    function: string;
+    /**
+     * Functions this credential authorises. Sorted ascending, deduped,
+     * each entry non-empty lowercase ASCII, 1..=16 entries.
+     */
+    functions: string[];
     /** Org-data scopes the contract may read on this user's behalf. */
     scopes: string[];
     /** Flat key-value labels checked against the org grant. */
@@ -176,7 +186,12 @@ export interface BuildDelegationCredentialOpts {
     agent_pubkey: Uint8Array;
     org_did: string;
     contract: string;
-    function: string;
+    /**
+     * Functions this credential authorises. Must be non-empty, sorted
+     * ascending, deduped — the same invariants enforced by
+     * {@link validateCredentialBody}.
+     */
+    functions: string[];
     scopes?: string[];
     metadata?: Record<string, string>;
     not_before_secs: bigint | number;
@@ -282,6 +297,54 @@ export declare class DelegationCustodialClient {
      */
     signCustodial(body: Record<string, unknown>): Promise<SignCustodialResult>;
 }
+/** Options for {@link revokeDelegation}. */
+export interface RevokeDelegationOpts {
+    /** Credential body to revoke. Already-encoded base64url-no-pad JCS bytes. */
+    credentialJcsB64u: string;
+    /**
+     * Omit (or pass `undefined`) to revoke the whole credential. Pass an
+     * array of function names to revoke a subset; the array must obey the
+     * same sort + dedupe invariants the credential's `functions` field
+     * enforces, and each entry must already appear in the credential's
+     * `functions` list (a revocation can only narrow the set, never grow
+     * it).
+     */
+    revokedFunctions?: string[];
+    /** Authenticated {@link T3nClient} for the credential's `user_did`. */
+    client: import("./t3n-client").T3nClient;
+    /**
+     * Override the resolved delegation contract version. Defaults to
+     * whatever `GET /api/contracts/current?name=tee:delegation/contracts`
+     * returns at call time.
+     */
+    scriptVersion?: string;
+    /** Override the node base URL used for `"latest"` resolution. */
+    baseUrl?: string;
+}
+/** Result of a successful {@link revokeDelegation} call. */
+export interface RevokeDelegationResult {
+    /** Credential id (base64url-no-pad, no padding). */
+    vcId: string;
+    /**
+     * Mirrors the persisted revocation state after merging: `null` means
+     * whole-credential, a sorted array means per-function. The contract
+     * may return a larger set than `opts.revokedFunctions` when an
+     * earlier per-function revocation existed for the same credential.
+     */
+    revokedFunctions: string[] | null;
+}
+/**
+ * Wraps the `tee:delegation/contracts::revoke` entrypoint. Only the
+ * credential's `user_did` may call this — the contract reads the
+ * authenticated DID from session context and rejects any other caller
+ * with `NotCredentialHolder`.
+ *
+ * Merge semantics are handled server-side: whole-credential revocations
+ * are sticky, and per-function revocations accumulate as a sorted +
+ * deduped union across calls. The returned `revokedFunctions` reflects
+ * the persisted state after merging, not just this call's input.
+ */
+export declare function revokeDelegation(opts: RevokeDelegationOpts): Promise<RevokeDelegationResult>;
 /** Options for {@link buildPayrollInvocation}. */
 export interface BuildPayrollInvocationOpts {
     credentialJcs: Uint8Array;

package/dist/src/index.d.ts

@@ -25,8 +25,8 @@ export type { OrgDataClientOptions, CreatePolicyInput, UpdateMetaInput, SetWrite
 export type { OrgDataActionWire, OrgPolicyMeta, OrgWriters, OrgContractGrants, UserGrant, EmployeeRecord, EmploymentStatus, ResidencyCategory, AgeBand, ExpenseClaim, MutationResponse, DataListResponse, DataGetResponse, } from "./types/org-data";
 export { DelegationCustodialClient } from "./client/delegation";
 export type { DelegationCustodialClientOpts, SignCustodialResult, } from "./client/delegation";
-export { DELEGATION_CREDENTIAL_DOMAIN, DELEGATION_INVOCATION_DOMAIN, VC_ID_LEN, NONCE_LEN, REQUEST_HASH_LEN, AGENT_PUBKEY_LEN, ETH_SIG_LEN, DEFAULT_INDIVIDUAL_THRESHOLD_CENTS, buildDelegationCredential, validateCredentialBody, canonicaliseCredential, canonicaliseRequest, requestHash, buildInvocationPreimage, eip191Digest, signCredential, ethRecoverEip191, signAgentInvocation, buildPayrollInvocation, buildPayrollDirectInvocation, compactDidFromBytes, b64uEncodeBytes, b64uDecodeStrict, _b64uEncode, } from "./client/delegation";
-export type { DelegationCredential, DelegationEnvelope, PayrollRunRequest, PayrollInvocationDelegated, PayrollInvocationDirect, PayrollInvocation, SignDelegationResponse, BuildDelegationCredentialOpts, BuildPayrollInvocationOpts, BuildPayrollDirectInvocationOpts, } from "./client/delegation";
+export { DELEGATION_CREDENTIAL_DOMAIN, DELEGATION_INVOCATION_DOMAIN, VC_ID_LEN, NONCE_LEN, REQUEST_HASH_LEN, AGENT_PUBKEY_LEN, ETH_SIG_LEN, MAX_FUNCTIONS_PER_CREDENTIAL, PAYROLL_FUNCTIONS_V1, DEFAULT_INDIVIDUAL_THRESHOLD_CENTS, buildDelegationCredential, validateCredentialBody, canonicaliseCredential, canonicaliseRequest, requestHash, buildInvocationPreimage, eip191Digest, signCredential, ethRecoverEip191, signAgentInvocation, buildPayrollInvocation, buildPayrollDirectInvocation, revokeDelegation, compactDidFromBytes, b64uEncodeBytes, b64uDecodeStrict, _b64uEncode, } from "./client/delegation";
+export type { DelegationCredential, DelegationEnvelope, PayrollRunRequest, PayrollInvocationDelegated, PayrollInvocationDirect, PayrollInvocation, SignDelegationResponse, BuildDelegationCredentialOpts, BuildPayrollInvocationOpts, BuildPayrollDirectInvocationOpts, RevokeDelegationOpts, RevokeDelegationResult, } from "./client/delegation";
 export { metamask_sign, metamask_get_address, eth_get_address, createDefaultHandlers, createMlKemPublicKeyHandler, createRandomHandler, } from "./client/handlers";
 export type { WasmComponent, ClientHandshake, ClientAuth, SessionCrypto, WasmNextResult, } from "./wasm";
 export { loadWasmComponent } from "./wasm";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@terminal3/t3n-sdk",
-  "version": "2.13.0",
+  "version": "3.0.0",
   "type": "module",
   "description": "T3n TypeScript SDK - A minimal SDK that mirrors the server's RPC handler approach",
   "main": "dist/index.js",
@@ -30,8 +30,6 @@
     "copy-wasm": "mkdir -p dist/wasm/generated && cp -r src/wasm/generated/* dist/wasm/generated/",
     "test": "vitest run",
     "test:watch": "vitest",
-    "e2e:agent": "tsx scripts/payroll-v2-agent-e2e.ts",
-    "e2e:member": "tsx scripts/payroll-v2-e2e.ts",
     "store-token": "tsx scripts/payroll-v2-store-token.ts",
     "test:coverage": "vitest run --coverage",
     "lint": "eslint src --ext .ts,.tsx",