@terminal3/t3n-sdk 3.3.0 → 3.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@terminal3/t3n-sdk",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "type": "module",
   "description": "T3n TypeScript SDK - A minimal SDK that mirrors the server's RPC handler approach",
   "main": "dist/index.js",
@@ -22,35 +22,6 @@
   "publishConfig": {
     "access": "public"
   },
-  "scripts": {
-    "build": "cross-env NODE_ENV=production T3N_SDK_SOURCEMAP=true rollup -c && pnpm run copy-wasm",
-    "build:public": "pnpm run clean && cross-env NODE_ENV=production T3N_SDK_SOURCEMAP=false rollup -c && pnpm run copy-wasm && node scripts/obfuscate-dist.js",
-    "build:watch": "cross-env NODE_ENV=development T3N_SDK_SOURCEMAP=true rollup -c -w",
-    "dev": "pnpm run build:watch",
-    "copy-wasm": "mkdir -p dist/wasm/generated && cp -r src/wasm/generated/* dist/wasm/generated/",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "store-token": "tsx scripts/payroll-v2-store-token.ts",
-    "test:coverage": "vitest run --coverage",
-    "lint": "eslint src --ext .ts,.tsx",
-    "lint:fix": "eslint src --ext .ts,.tsx --fix",
-    "type-check": "tsc --noEmit",
-    "clean": "rimraf dist",
-    "demo": "pnpm build && tsx demo.ts",
-    "demo:dev": "tsx demo.ts",
-    "demo:real-wasm": "tsx demo.ts",
-    "demo:tenant:admit": "tsx --tsconfig tsconfig.demo.json tenant-demo.ts --cmd admit",
-    "demo:tenant:setup": "tsx --tsconfig tsconfig.demo.json tenant-demo.ts --cmd setup",
-    "demo:tenant:fix-readers": "tsx --tsconfig tsconfig.demo.json tenant-demo.ts --cmd fix-readers",
-    "demo:tenant:search": "tsx --tsconfig tsconfig.demo.json tenant-demo.ts --cmd search",
-    "demo:tenant:book": "tsx --tsconfig tsconfig.demo.json tenant-demo.ts --cmd book",
-    "demo:tenant:self-admit": "tsx --tsconfig tsconfig.demo.json demo-tenant-self-admit.ts",
-    "verify:pack": "node scripts/verify-pack.js",
-    "prepublishOnly": "pnpm run build:public && pnpm run verify:pack",
-    "release": "node scripts/release.js release",
-    "release:tag-only": "node scripts/release.js tag-only",
-    "release:verify-version": "node scripts/release.js verify-version"
-  },
   "keywords": [
     "t3n",
     "blockchain",
@@ -71,40 +42,12 @@
     "url": "https://github.com/Terminal-3/trinity/issues"
   },
   "homepage": "https://github.com/Terminal-3/trinity/tree/main/client/t3n-sdk#readme",
-  "devDependencies": {
-    "@rollup/plugin-commonjs": "^25.0.8",
-    "@rollup/plugin-json": "^6.1.0",
-    "@rollup/plugin-node-resolve": "^15.3.1",
-    "@rollup/plugin-replace": "^5.0.7",
-    "@rollup/plugin-typescript": "^11.1.6",
-    "@types/jest": "^29.5.14",
-    "@types/mocha": "^10.0.10",
-    "@types/node": "^20.19.39",
-    "@typescript-eslint/eslint-plugin": "^6.21.0",
-    "@typescript-eslint/parser": "^6.21.0",
-    "@vitest/coverage-v8": "^4.1.4",
-    "cpy-cli": "^4.2.0",
-    "cross-env": "^7.0.3",
-    "eslint": "^8.57.1",
-    "javascript-obfuscator": "^4.2.2",
-    "jest": "^29.7.0",
-    "rimraf": "^5.0.10",
-    "rollup": "^4.60.1",
-    "rollup-plugin-dts": "^6.4.1",
-    "ts-jest": "^29.4.9",
-    "ts-node": "^10.9.2",
-    "tslib": "^2.8.1",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3",
-    "vite": "^7.3.2",
-    "vitest": "^4.1.4"
+  "engines": {
+    "node": ">=16.0.0"
   },
   "peerDependencies": {
     "typescript": ">=4.5.0"
   },
-  "engines": {
-    "node": ">=16.0.0"
-  },
   "dependencies": {
     "@bytecodealliance/jco": "^1.17.6",
     "@bytecodealliance/preview2-shim": "^0.17.8",
@@ -112,5 +55,12 @@
     "@noble/hashes": "^2.2.0",
     "canonicalize": "^3.0.0",
     "ethers": "^6.16.0"
+  },
+  "t3n": {
+    "packMode": "public",
+    "supportedEnvironments": [
+      "testnet",
+      "production"
+    ]
   }
 }

package/README.OIDC.md

@@ -1,216 +0,0 @@
-# OIDC Authentication Guide
-
-## Quick Start
-
-### 1. Setup Google OAuth Client
-
-1. Go to [Google Cloud Console](https://console.cloud.google.com/)
-2. Create a new project or select existing one
-3. Enable "Google Sign-In" API
-4. Go to **Credentials** → **Create Credentials** → **OAuth 2.0 Client ID**
-5. Application type: **Web application**
-6. Authorized JavaScript origins:
-   ```
-   http://localhost:8081
-   ```
-   (Port 8081 is what the demo uses)
-7. Copy your **Client ID**
-
-### 2. Update the HTML File
-
-Edit `oidc-login.html` and replace:
-
-```html
-data-client_id="PUT_YOUR_WEB_CLIENT_ID_HERE"
-```
-
-With your actual Client ID:
-
-```html
-data-client_id="YOUR_ACTUAL_CLIENT_ID.apps.googleusercontent.com"
-```
-
-### 3. Get ID Token
-
-#### Option A: Using the Helper Script (Recommended)
-
-```bash
-npx tsx get-oidc-token.ts
-```
-
-This will:
-1. Open the browser with Google Sign-In
-2. Display your ID token after sign-in
-3. Provide code examples
-
-#### Option B: Manual (No CLI needed)
-
-1. Open `oidc-login.html` in your browser:
-   ```bash
-   open oidc-login.html  # macOS
-   # or
-   xdg-open oidc-login.html  # Linux
-   # or just double-click the file
-   ```
-
-2. Click "Sign in with Google"
-
-3. Copy the ID token displayed
-
-4. Use it in your code:
-   ```typescript
-   const authenticator = {
-     provider: "google",
-     id_token: "eyJhbGciOiJS..." // Your copied token
-   };
-   
-   await client.performAuthentication(authenticator);
-   ```
-
-### 4. Use in Demo
-
-```typescript
-// In demo.ts
-import * as readline from 'readline';
-
-async function getOidcToken(): Promise<string> {
-  console.log('\n🔐 OIDC Authentication');
-  console.log('1. Open oidc-login.html in your browser');
-  console.log('2. Sign in with Google');
-  console.log('3. Copy the ID token\n');
-  
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  });
-  
-  return new Promise((resolve) => {
-    rl.question('Paste your ID token: ', (token) => {
-      rl.close();
-      resolve(token.trim());
-    });
-  });
-}
-
-// Usage
-const idToken = await getOidcToken();
-const authenticator = {
-  provider: "google",
-  id_token: idToken
-};
-
-await client.performAuthentication(authenticator);
-```
-
-## Supported Providers
-
-| Provider     | Status          | Setup Guide                                        |
-| ------------ | --------------- | -------------------------------------------------- |
-| **Google**   | ✅ Ready        | [Google OAuth Setup](https://developers.google.com/identity/sign-in/web/sign-in) |
-| **Microsoft** | ✅ Ready        | [Azure AD Setup](https://learn.microsoft.com/en-us/azure/active-directory/) |
-| **Apple**    | ✅ Ready        | [Sign in with Apple](https://developer.apple.com/sign-in-with-apple/) |
-| **GitHub**   | ✅ Ready        | [GitHub OAuth](https://docs.github.com/en/developers/apps/building-oauth-apps) |
-| **Facebook** | ✅ Ready        | [Facebook Login](https://developers.facebook.com/docs/facebook-login/) |
-
-## Architecture
-
-### Frontend-Driven PKCE Flow
-
-```
-┌─────────────┐         ┌──────────────┐         ┌─────────────┐
-│   Browser   │         │   T3n    │         │   Google    │
-│  (Popup)    │         │   Backend    │         │   OAuth     │
-└──────┬──────┘         └──────┬───────┘         └──────┬──────┘
-       │                       │                        │
-       │  1. Generate PKCE     │                        │
-       ├──────────────────────►│                        │
-       │  (code_verifier)      │                        │
-       │                       │                        │
-       │  2. Redirect to OAuth │                        │
-       ├───────────────────────┼───────────────────────►│
-       │  (with code_challenge)│                        │
-       │                       │                        │
-       │  3. User signs in     │                        │
-       │◄──────────────────────┼────────────────────────┤
-       │                       │                        │
-       │  4. Exchange code     │                        │
-       │  (with code_verifier) │                        │
-       ├───────────────────────┼───────────────────────►│
-       │                       │                        │
-       │  5. Receive ID token  │                        │
-       │◄──────────────────────┼────────────────────────┤
-       │                       │                        │
-       │  6. Send ID token     │                        │
-       ├──────────────────────►│                        │
-       │                       │                        │
-       │                       │  7. Verify token       │
-       │                       │  (fetch JWKS & validate)
-       │                       │                        │
-       │  8. Session created   │                        │
-       │◄──────────────────────┤                        │
-       │                       │                        │
-```
-
-### Key Benefits
-
-- ✅ **No Backend PKCE**: Frontend handles PKCE entirely
-- ✅ **Stateless Backend**: No session storage for PKCE
-- ✅ **Secure**: Backend independently verifies tokens
-- ✅ **Simple CLI**: Just paste the token, no complex flow
-- ✅ **Works Everywhere**: Browser handles OAuth, CLI gets result
-
-## Token Format
-
-The ID token is a JWT with three parts:
-
-```
-eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc...  (header)
-.
-eyJpc3MiOiJodHRwczovL2FjY291bnR...  (payload)
-.
-SflKxwRJSMeKKF2QT4fwpMeJf36POk6...  (signature)
-```
-
-### Payload Example
-
-```json
-{
-  "iss": "https://accounts.google.com",
-  "sub": "1234567890",
-  "email": "user@example.com",
-  "email_verified": true,
-  "name": "John Doe",
-  "picture": "https://...",
-  "iat": 1700000000,
-  "exp": 1700003600
-}
-```
-
-## Security Notes
-
-1. **Token Expiration**: ID tokens are short-lived (typically 1 hour)
-2. **Verification**: Backend always verifies token signature with JWKS
-3. **Email Verified**: Backend checks `email_verified` claim
-4. **CSRF Protection**: State parameter prevents CSRF attacks
-5. **PKCE**: Code verifier prevents authorization code interception
-
-## Troubleshooting
-
-### Token Already Expired
-
-ID tokens expire quickly. If you get an error:
-1. Get a fresh token from the browser
-2. Use it immediately
-
-### Invalid Token Format
-
-Make sure you copied the entire token (it's quite long!). Should have 3 parts separated by dots.
-
-### Provider Not Found
-
-Make sure `provider` matches exactly: `"google"`, `"microsoft"`, `"apple"`, etc. (lowercase)
-
-### CORS Errors in Browser
-
-For production, add your domain to OAuth client's authorized origins in Google Cloud Console.
-

package/dist/demo.d.ts

@@ -1,25 +0,0 @@
-/**
- * T3n SDK Real WASM Demo Script
- *
- * This script demonstrates the T3n SDK using the actual WASM component
- * built from the node session module.
- */
-import { SessionStatus, Did } from "./src/index";
-import { type ChildProcess } from "child_process";
-declare global {
-    var __oidcServerProcess: ChildProcess | undefined;
-}
-interface DemoResult {
-    sessionId: {
-        value: string;
-    } | null;
-    status: SessionStatus;
-    wasmLoaded: boolean;
-    authenticated: boolean;
-    did: Did | null;
-}
-/**
- * Main Demo Function
- */
-declare function runRealWasmDemo(): Promise<DemoResult>;
-export { runRealWasmDemo, type DemoResult };

package/dist/src/client/actions.d.ts

@@ -1,31 +0,0 @@
-/**
- * WASM Action Creators
- *
- * Creates the initial action payloads for WASM state machines.
- * These are JSON-serialized and passed to the WASM component to start flows.
- */
-import type { AuthInput } from "../types";
-/**
- * Create the initial handshake request
- * This kicks off the handshake state machine in WASM
- */
-export declare function createHandshakeAction(): Uint8Array;
-/**
- * Create the initial authentication request based on auth method
- * @param authInput - The authentication input (Ethereum or OIDC)
- */
-export declare function createAuthAction(authInput: AuthInput): Uint8Array;
-/**
- * Create the OIDC SubmitToken action for the second step of nonce-bound auth.
- * @param idToken - The id_token JWT obtained from the OIDC provider with the nonce
- */
-export declare function createOidcSubmitTokenAction(idToken: string): Uint8Array;
-/**
- * Create the initial action for the ADD-authenticator flow: link a new
- * Ethereum wallet to the session's already-authenticated DID. Drives
- * the same client state machine as {@link createAuthAction} (eth), but
- * the `AddAuthenticator` tag routes the server to the link path instead
- * of resolve-or-mint. Only Ethereum is supported — OIDC/email identities
- * are established at login, not added afterwards.
- */
-export declare function createAddEthAuthAction(address: string): Uint8Array;

package/dist/src/client/config.d.ts

@@ -1,33 +0,0 @@
-/**
- * Configuration types for T3n Client
- */
-import { WasmComponent } from "../wasm";
-import { GuestToHostHandlers } from "../types";
-import { Logger, LogLevel } from "../utils/logger";
-import { Transport } from "./transport";
-/**
- * Configuration interface for T3n Client
- */
-export interface T3nClientConfig {
-    /** Base URL of the T3n node (used if transport not provided) */
-    baseUrl?: string;
-    /** WASM component instance for cryptographic operations */
-    wasmComponent: WasmComponent;
-    /** Optional transport layer - if not provided, uses HttpTransport with baseUrl */
-    transport?: Transport;
-    /** Optional request timeout in milliseconds (default: 30000) - used for HttpTransport */
-    timeout?: number;
-    /** Optional custom headers to include in requests */
-    headers?: Record<string, string>;
-    /**
-     * Log level for this client instance.
-     * Defaults to global log level (LogLevel.ERROR) if not specified.
-     * Use LogLevel.DEBUG for verbose logging, LogLevel.INFO for informational messages,
-     * LogLevel.WARN for warnings, or LogLevel.ERROR for errors only.
-     */
-    logLevel?: LogLevel;
-    /** Optional custom logger - if provided, overrides logLevel */
-    logger?: Logger;
-    /** Optional guest-to-host request handlers - provides custom behavior for WASM requests */
-    handlers?: GuestToHostHandlers;
-}

package/dist/src/client/contract-response.d.ts

@@ -1,59 +0,0 @@
-/**
- * Contract response decoding for {@link T3nClient.execute}.
- *
- * ## On-wire shape
- *
- * Trinity contracts are declared as `result<list<u8>, string>` in WIT and
- * return JSON-encoded bytes. The server-side pipeline is:
- *
- * 1. `node/wasm/src/dynamic.rs:component_val_to_json` deserializes those
- *    bytes to a JSON `Value` (the contract's decoded return value).
- * 2. `node/wasm/src/runner.rs:run_dynamic` wraps that value in a
- *    `ContractResponse` struct internally for host-side bookkeeping —
- *    it carries an extracted `otp_state` alongside the response.
- * 3. **`node/app/src/services/wasm.rs:200`** then unwraps the struct with
- *    `Ok((response.response, tx_back))`, discarding the `otp_state` field
- *    and returning only the inner `Value` across the `WasmExecutor` trait
- *    boundary.
- * 4. `node/service/src/action.rs` serialises that plain `Value` through
- *    the session channel.
- *
- * The client therefore receives the contract's **decoded JSON value
- * directly** — no `{response, otp_state}` envelope, despite what the
- * struct name suggests. `parseContractResponse` reflects that reality:
- * it does a typed `JSON.parse` with optional schema validation, nothing
- * more. OTP flows read their `otp_status` / OTP fields directly off the
- * contract's response body; there is no separate envelope field for them
- * on this path.
- */
-import { T3nError } from "../utils/errors";
-/**
- * Minimal validator interface. Any library that exposes `.parse(value) -> T`
- * (zod, valibot, superstruct, custom) is compatible.
- */
-export interface ContractResponseSchema<T> {
-    parse(value: unknown): T;
-}
-/**
- * Thrown when the response string from {@link T3nClient.execute} cannot
- * be parsed as JSON.
- *
- * Schema-validation failures are NOT wrapped — they surface as whatever
- * error the caller's validator throws, preserving the rich diagnostics
- * those libraries already provide.
- */
-export declare class ContractResponseError extends T3nError {
-    readonly raw?: string | undefined;
-    constructor(message: string, raw?: string | undefined);
-}
-/**
- * Parse the JSON-encoded response returned by {@link T3nClient.execute}
- * into a typed value.
- *
- * @param raw - the string returned by {@link T3nClient.execute}
- * @param schema - optional validator applied to the parsed value
- * @returns the decoded response, typed as `T`
- * @throws {ContractResponseError} when `raw` is not valid JSON
- * @throws whatever the schema throws on validation failure (e.g. `ZodError`)
- */
-export declare function parseContractResponse<T = unknown>(raw: string, schema?: ContractResponseSchema<T>): T;