@terminal3/t3n-sdk 3.3.0 → 3.4.0

package/dist/src/client/t3n-client.d.ts

@@ -1,544 +0,0 @@
-/**
- * T3n Client - Main SDK class
- *
- * Provides a simple interface for establishing secure sessions with T3n nodes.
- * All cryptographic complexity is handled in WASM components.
- */
-import { T3nClientConfig } from "./config";
-import { type ContractResponseSchema } from "./contract-response";
-import { SessionId, Did, SessionStatus, AuthInput, EthAuthInput, HandshakeResult } from "../types";
-import { KycPollOptions, KycStatus } from "../types/kyc";
-import { OtpChannel, OtpRequestInput, OtpRequestResult, OtpVerifyInput, OtpVerifyResult, SubmitUserInputArgs, SubmitUserInputResult } from "../types/user";
-import { GetUsageOptions, UsagePage } from "../types/token";
-/**
- * Main T3n SDK Client
- */
-export declare class T3nClient {
-    private readonly config;
-    private readonly transport;
-    /**
-     * Resolved node base URL. Snapshotted in the constructor so the
-     * typed contract wrappers (`kycStatus`, `getSelfEthAddress`, …)
-     * can call `getScriptVersion()` against the same host the
-     * transport talks to. Used only by the `script_version: "latest"`
-     * resolution path in {@link executeUserContract}.
-     */
-    private readonly effectiveBaseUrl;
-    /**
-     * Server-minted session ID, set by {@link handshake} from the
-     * `Session-Id` response header (pentest M-1 / MAT-983). `null`
-     * until the handshake completes. Client code cannot set it — the
-     * former `config.sessionId` hook was the session-fixation vector
-     * this fix closes.
-     */
-    private sessionId;
-    /**
-     * Set by {@link sendRpcRequest} when an `auth.handshake` RPC is
-     * actually issued. Decouples the "flow completed without talking
-     * to a server" case (unit-test mocks that only exercise handler
-     * delegation) from the real "server must mint the id" invariant:
-     * we only enforce the mint requirement when a round-trip happened.
-     */
-    private handshakeSentRpc;
-    private readonly logger;
-    private readonly encryption;
-    private status;
-    /**
-     * In-flight WASM state-machine bytes. Holds the opaque state
-     * returned by `flow[method].next()` between iterations of
-     * `runFlow`. Always cleared at the top of `runFlow` and again
-     * once `tryFinalize` has extracted the terminal payload — so
-     * outside of an active loop these slots are always `null`.
-     */
-    private wasmState;
-    /**
-     * Terminal payloads produced by `flow[method].finish()`:
-     * - `handshake` → serialized session blob, used by
-     *   `getSessionState()` for subsequent `session.encrypt` calls.
-     * - `auth` → serialized DID; the public `authenticate()` decodes
-     *   it into `this.did` and the slot is otherwise unused.
-     * - `execute` → unused (executes return immediately to the caller).
-     *
-     * Stored in a dedicated field instead of reusing `wasmState`
-     * because the two meanings — "in-flight state machine" vs
-     * "finalized payload" — are semantically different and merging
-     * them invites the bug-class Devin flagged in PR #1140.
-     */
-    private finalizedPayload;
-    private did;
-    private handshakeResult;
-    constructor(config: T3nClientConfig);
-    /**
-     * Start the handshake process with the T3n node
-     */
-    handshake(): Promise<HandshakeResult>;
-    /**
-     * Authenticate with the T3n node.
-     *
-     * For OIDC, this runs a two-step nonce-bound flow:
-     * 1. Sends `InitOidcAuth` to server → receives session-binding nonce.
-     * 2. Calls `getIdToken(nonce)` callback so the app can include the
-     *    nonce in the Google authorization URL.
-     * 3. Sends `SubmitIdToken` with the nonce-bearing token → receives DID.
-     */
-    authenticate(authInput: AuthInput): Promise<Did>;
-    /**
-     * Add an Ethereum wallet as an additional authenticator on the
-     * already-authenticated account.
-     *
-     * Proves control of the wallet via SIWE and links it to the session's
-     * EXISTING DID (resolved server-side from the session) — it does NOT
-     * mint a new DID and does NOT change the session: `this.did` and
-     * `this.status` are left untouched, and no new cookie is issued.
-     *
-     * Requires a completed {@link authenticate} first (e.g. an OIDC
-     * login). Only Ethereum is supported — OIDC/email identities are
-     * established at login, not added afterwards.
-     *
-     * Reuses the same client-side eth state machine as login, but posts
-     * to the authenticated `auth.add-authenticator` route. If the wallet
-     * is already linked to a different account, the server rejects with a
-     * typed `eth_auth_map_conflict` error (resolve via account merge).
-     *
-     * @returns the existing DID the wallet was linked to.
-     */
-    addAuthMethod(authInput: EthAuthInput): Promise<Did>;
-    /**
-     * OIDC two-step authentication with session-binding nonce.
-     *
-     * Bypasses the WASM client state machine and makes two encrypted
-     * RPC calls directly:
-     * 1. `InitOidcAuth { provider }` → server generates nonce → returns
-     *    `ProvideNonce { nonce }`.
-     * 2. App calls `getIdToken(nonce)` to obtain a nonce-bound `id_token`.
-     * 3. `SubmitIdToken { id_token }` → server verifies token + nonce →
-     *    returns `Finish { did }`.
-     */
-    private authenticateOidc;
-    /**
-     * Execute an action on the T3n node.
-     *
-     * Returns the JSON-stringified contract response. Most callers should
-     * prefer {@link executeAndDecode}, which JSON-parses the response and
-     * optionally validates it with a schema.
-     */
-    execute(payload: unknown): Promise<string>;
-    /**
-     * Fetch the caller's usage feed — balance plus a bounded slice of
-     * recent token-ledger entries (charges, mints, transfers), newest
-     * first. T3-TS-030 Phase 1D step A (`token.get-usage`).
-     *
-     * `limit` defaults to 50 server-side and clamps silently to
-     * `1..=200`. `afterSeq` is the inclusive upper-bound `seq_no`
-     * passed back from a previous page's `next_cursor` to walk older
-     * entries. `kinds` filters by `TokenTxKind`; an empty array is
-     * treated as "no filter".
-     *
-     * Unlike {@link execute}, the body of this RPC is plaintext —
-     * `token.get-usage` is a session-authed read endpoint and the
-     * server-side handler does not run the encryption layer.
-     */
-    getUsage(opts?: GetUsageOptions): Promise<UsagePage>;
-    /**
-     * Execute an action with an attached binary blob using multipart RPC.
-     */
-    executeWithBlob(payload: unknown, blob: Blob): Promise<string>;
-    /**
-     * Execute an action and JSON-decode the response.
-     *
-     * The server strips its internal `ContractResponse` wrapper at
-     * `node/app/src/services/wasm.rs` before sending — the string returned
-     * by {@link execute} is the contract's decoded return value directly
-     * (no `{response, otp_state}` envelope). This helper is a typed
-     * `JSON.parse` with optional schema validation so callers stop
-     * reimplementing it at every call site.
-     *
-     * @param payload - action payload, identical to {@link execute}
-     * @param schema - optional validator applied to the parsed value
-     *   (e.g. a zod schema); anything exposing `.parse(value)` is accepted
-     * @returns the decoded response, typed as `T`
-     * @throws {ContractResponseError} when the response is not valid JSON
-     */
-    executeAndDecode<T = unknown>(payload: unknown, schema?: ContractResponseSchema<T>): Promise<T>;
-    /**
-     * Build the canonical `ExecuteActionRequest` shape the server
-     * expects in `node/primitives/src/action.rs::ExecuteActionRequest`
-     * (`script_name`, `script_version`, `function_name`, `input`,
-     * optional `pii_did`) and dispatch it through {@link execute}.
-     *
-     * Two pieces of glue live here that every typed user-contract
-     * wrapper would otherwise duplicate:
-     *
-     * 1. **Field naming.** The server deserialises strictly into
-     *    `script_name` / `script_version` / `function_name` —
-     *    sending `contract` / `version` / `function` produces
-     *    `Invalid action request: missing field …` 400s. Centralising
-     *    the names here means every wrapper agrees with the server.
-     * 2. **`"latest"` resolution.** `script_version` is `SemVer` on
-     *    the server, so a literal `"latest"` cannot be parsed. We
-     *    fetch the registered current version via
-     *    `GET /api/contracts/current?name=…` (cached per script name
-     *    in `getScriptVersion`) and forward the resolved
-     *    `MAJOR.MINOR.PATCH` string.
-     *
-     * Wrappers that need PII delegation can extend this helper
-     * later — current call sites are all SelfOnly so `pii_did` stays
-     * implicit.
-     */
-    private executeUserContract;
-    /**
-     * Return the authenticated user's Ethereum address from their
-     * T3N-hosted per-user wallet, as a 0x-prefixed lowercase hex string.
-     * Returns `null` if the user has no wallet yet (pre-backfill edge
-     * case — `tee:user` has not yet been migrated for this DID).
-     *
-     * Backed by the `tee:user/get-self-eth-address` contract function,
-     * which delegates to the signing host's `get-user-eth-address`
-     * primitive (T3-TS-027 §7.1). The request carries no body; the
-     * authenticated user's DID is read from session context by the host.
-     *
-     * Requires the session to be Authenticated (same precondition as
-     * {@link execute}).
-     *
-     * @throws if unauthenticated, if the node rejects the action, or if
-     *   the response is not a JSON string / `null`.
-     */
-    getSelfEthAddress(): Promise<string | null>;
-    /**
-     * Enumerate every wallet the authenticated user currently controls
-     * under T3-TS-028 multi-wallet custody.
-     *
-     * `primary` is the identity-bearing wallet — same address
-     * {@link getSelfEthAddress} returns, same address the host signs
-     * with under `sign-as-user`. `secondary` is an insertion-ordered
-     * list of archival wallets absorbed through prior
-     * {@link mergeProfiles} calls (most recent last); these are signable
-     * only via an explicit sign-with-wallet flow — never ambient.
-     *
-     * Backed by `tee:user/list-user-wallets` which delegates to the
-     * signing host's `list-user-wallets` primitive. See T3-TS-028 §7.1.
-     *
-     * @throws if unauthenticated, if the node rejects the action, or if
-     *   the response shape is unexpected.
-     */
-    listUserWallets(): Promise<{
-        primary: string;
-        secondary: string[];
-    }>;
-    /**
-     * Return the ownership audit trail for a specific wallet address.
-     *
-     * The response is an array of `AuditEntry` objects (newest last)
-     * describing every DID that has owned the wallet: `Created` at DID
-     * creation, `MergedFrom { source_did }` for every merge that pulled
-     * this wallet onto a new owner, `Abandoned` if
-     * {@link removeUserWithWalletAbandonment} was called on the last
-     * owner. Public-safe data: DIDs + timestamps + reason codes only,
-     * no key material or PII. See T3-TS-028 §4.1.
-     *
-     * @param walletAddress 0x-prefixed 40-char hex Ethereum address.
-     * @throws if the node rejects the action or if the response is not
-     *   a JSON array.
-     */
-    getWalletHistory(walletAddress: string): Promise<unknown[]>;
-    /**
-     * Remove the authenticated user's account AND explicitly abandon
-     * any wallets. Writes `Abandoned` audit rows to wallet history,
-     * clears the DID's wallet index, then runs the usual user-removal
-     * cleanup (profile, authenticators, VCs, attribution).
-     *
-     * `wallet_secrets[*]` is NOT deleted — key material stays preserved
-     * in the TEE but becomes unreachable from any DID. This path
-     * exists as an opt-in alternative to {@link removeUser}, which
-     * refuses when the DID owns wallets. Callers must sweep funds
-     * off-chain BEFORE calling this if they want to retain access —
-     * the host does not reconcile balances. See T3-TS-028 §6.2.
-     *
-     * Requires the session to be Authenticated (SelfOnly delegation).
-     *
-     * @throws if unauthenticated, if the node rejects the action, or if
-     *   the response cannot be decoded.
-     */
-    removeUserWithWalletAbandonment(): Promise<unknown>;
-    /**
-     * One-shot poll of `tee:user/contracts::kyc-status`.
-     *
-     * Returns the current snapshot of the authenticated user's Level 2
-     * KYC state — see [[KycStatus]] for the four possible terminal /
-     * non-terminal values. The caller usually wants
-     * [[kycStatusPoll]] (which loops with §8.4 cadence until a
-     * terminal status arrives), but the bare snapshot is useful for
-     * pages that need to render the user's standing without waiting
-     * (e.g. account-status views, "did the user finish KYC last time
-     * they were here?" gates).
-     *
-     * Phase one default — `providerId` defaults to `"veriff"` (the
-     * contract applies the same default when the field is absent),
-     * so the most common call site is `await t3n.kycStatus()`.
-     *
-     * @param providerId optional provider id, mirrored on the wire as
-     *   `input.provider_id`. Omit for phase-one MetaMask flows.
-     * @throws if unauthenticated, if the node rejects the action
-     *   (e.g. `precondition_failed:` when no `create-kyc-provider-session`
-     *   row exists yet), or if the response shape is unexpected.
-     */
-    kycStatus(providerId?: string): Promise<KycStatus>;
-    /**
-     * Dispatch a one-time code to the supplied contact via the host's
-     * OTP provider. Backed by `tee:user/contracts::otp-request`.
-     *
-     * The contract persists the unverified contact in the channel's
-     * pending slot (`pending_email` / `pending_phone`) and returns
-     * `OtpRequestResult` with `status = "otp_pending"` (or `undefined`
-     * when the node is configured with `skip_otp = true`). The next
-     * step is {@link otpVerify} with the code the user typed.
-     *
-     * Behaviour notes:
-     *
-     * - Contact is a discriminated object: `emailChannel` or
-     *   `smsChannel` (mirrors Rust `OtpRequest`). The legacy
-     *   `keys.generic_api.otp_channel` body shadow is rejected by the
-     *   contract.
-     * - SMS channel is gated on a verified email. Calling with
-     *   `channel = "sms"` against a DID that hasn't completed an
-     *   email roundtrip first throws.
-     * - On a fresh DID's first call, `result.isNewProfile === true`.
-     *   Use this signal — not [[otpVerify]]'s response — for "did the
-     *   user just register" gating.
-     *
-     * @throws {RpcError} if the node rejects the action; the message
-     *   carries the contract-side detail (e.g. sequential-flow guard
-     *   when the email is missing).
-     */
-    otpRequest(input: OtpRequestInput): Promise<OtpRequestResult>;
-    /**
-     * Redeem a one-time code and bind the contact to the
-     * authenticated DID. Backed by
-     * `tee:user/contracts::otp-verify`.
-     *
-     * On success the contract promotes the pending contact back to
-     * the canonical slot, writes the AUTH_MAP / DIDS_MAP /
-     * USER_AUTHS_MAP authenticator entries, stamps
-     * `verified_contacts.{email,phone}`, and mints the ambient
-     * `t3n.personal.contact.1` ownership VC when both contacts are
-     * now verified.
-     *
-     * If the contact is already owned by a different DID the
-     * contract refuses to silently reparent the authenticator and
-     * surfaces a `mergeSuggestion` instead — the caller resolves the
-     * merge (typically via {@link mergeProfiles}) and re-attempts.
-     *
-     * On a wrong / expired code the contract returns the result with
-     * `status = "otp_failed"` or `"otp_expired"` — no exception is
-     * thrown, the error is surfaced as data so the UI can stay on
-     * the verify screen and let the user retry.
-     *
-     * @throws {RpcError} if the node rejects the action outright
-     *   (network / decode / bad input shape). Branch on
-     *   `result.status` for retryable OTP failures.
-     */
-    otpVerify(input: OtpVerifyInput): Promise<OtpVerifyResult>;
-    /**
-     * Submit Level-1 user-input fields to the slim
-     * `tee:user/contracts::user-upsert`. The contract merges the
-     * supplied profile fields, validates them, mints
-     * `t3n.user-input.kyc.1` once every Level-1 field is present, and
-     * commits the write.
-     *
-     * **Pre-condition** (MAT-1374): the DID must already have a
-     * verified email — either because {@link otpVerify} bound one or
-     * because the session carries a proving authenticator (OIDC /
-     * Email auth). Calls without proof are rejected with
-     * {@link UserUpsertError} `kind = "EmailNotVerified"`. The
-     * recommended UX is "request OTP -> verify OTP -> submit user
-     * input" (or use {@link runOtpThenUserInput} which chains all
-     * three).
-     *
-     * The KYC webhook orphan-attestation flow stays here: when
-     * `requireExistingUser` is set, the contract identifies the user
-     * by DID (vendorData) instead of email and the gate is bypassed.
-     *
-     * @throws {UserUpsertError} when the contract returns a typed
-     *   error (`email_not_verified`, `legacy_field`, `user_not_found`).
-     *   Branch on `err.kind`.
-     * @throws {RpcError} for non-typed transport / decode failures.
-     */
-    submitUserInput(input: SubmitUserInputArgs): Promise<SubmitUserInputResult>;
-    /**
-     * Convenience helper: run the explicit OTP roundtrip and submit
-     * the slim user-upsert in one call.
-     *
-     * The caller supplies a `getOtpCode(contact, channel)` callback
-     * the SDK invokes between request and verify — this is where
-     * a UI prompts the user to type the code that arrived on email
-     * / SMS. Throw from the callback to abort the flow; the helper
-     * does not retry on its own.
-     *
-     * Returns the slim `submitUserInput` result on success. Throws
-     * {@link UserUpsertError} or `RpcError` on the same conditions
-     * as the underlying wrappers.
-     *
-     * Optional, opt-in path — the recommended default is to call
-     * {@link otpRequest}, {@link otpVerify}, and
-     * {@link submitUserInput} explicitly so the application owns the
-     * flow.
-     */
-    runOtpThenUserInput(args: {
-        channel: OtpChannel;
-        emailAddress?: string;
-        phoneNumber?: string;
-        profile: SubmitUserInputArgs["profile"];
-        organisationDid?: string;
-        attestations?: unknown;
-        keys?: Record<string, unknown>;
-        /**
-         * MAT-1618 testnet self-admit, propagated to the inner
-         * {@link submitUserInput} call. Inspect `result.tenantAdmit` for
-         * the outcome.
-         */
-        becomeDevTenant?: boolean;
-        getOtpCode: (contact: string, channel: OtpChannel) => Promise<string> | string;
-    }): Promise<SubmitUserInputResult>;
-    /**
-     * Poll `kyc-status` until a terminal status arrives or the
-     * configured timeout elapses.
-     *
-     * Cadence defaults to T3-TS-026 §8.4: 2-second interval for the
-     * first 30 seconds, then 5 seconds, with a 5-minute hard cap.
-     * Override via `opts.cadence` if you need different numbers
-     * (e.g. tests that don't want to wait the full 30 seconds before
-     * the slow window kicks in). [[KycStatusTimeoutError]] is thrown
-     * if the timeout elapses without reaching a terminal state.
-     *
-     * `opts.signal` cancels the loop synchronously — the helper
-     * stops sleeping and rejects with the abort reason; an
-     * already-in-flight `kycStatus()` request is allowed to settle
-     * but its result is discarded.
-     *
-     * `opts.onUpdate` fires once per snapshot, including
-     * intermediate `pending` ones. Errors thrown from the callback
-     * are swallowed so a misbehaving UI handler can't strand the
-     * poll loop.
-     *
-     * @throws [[KycStatusTimeoutError]] when the cadence's
-     *   `timeoutMs` elapses without a terminal status.
-     * @throws the abort reason when `opts.signal` is aborted.
-     * @throws the underlying RPC error when the contract or
-     *   transport raises (e.g. session expiry mid-poll).
-     */
-    kycStatusPoll(opts?: KycPollOptions): Promise<KycStatus>;
-    /**
-     * The server-minted session ID once handshake has completed, or
-     * `null` beforehand (pentest M-1 / MAT-983).
-     */
-    getSessionId(): SessionId | null;
-    getStatus(): SessionStatus;
-    getDid(): Did | null;
-    getLastSetCookie(): string | null;
-    getLastResponseHeaders(): Record<string, string>;
-    isAuthenticated(): boolean;
-    /**
-     * Run a WASM state machine flow to completion.
-     *
-     * Clears both `wasmState[method]` and `finalizedPayload[method]`
-     * at entry so a flow that previously threw partway (e.g. an RPC
-     * error) starts from a clean slate on retry. Without the reset,
-     * stale state from the failed attempt leaks into the new flow
-     * and `tryFinalize` may either spuriously succeed or run `next()`
-     * against a state that no longer matches the action we're sending.
-     *
-     * The `tryFinalize`-then-`next` order is load-bearing: the loop's
-     * exit condition fires *after* the previous iteration's
-     * `handleWasmRequest` has flushed the outbound peer reply, so
-     * every state-machine emission reaches the wire before we extract
-     * the final payload.
-     */
-    private runFlow;
-    /**
-     * Try to finalize the current flow. Returns the finish() payload
-     * (a serialized Session for handshake, a serialized DID for auth)
-     * or `null` if the state machine has not reached its terminal phase
-     * yet.
-     *
-     * The "not yet finalized" case is the loop's signal to keep
-     * iterating, not a real error. Any *other* failure must propagate
-     * so callers see real WASM errors instead of silent retries that
-     * spin forever.
-     *
-     * The terminal payload is stored in `finalizedPayload[method]`
-     * (a separate field from `wasmState[method]`) so the in-flight
-     * state-machine bytes and the finalized session/DID bytes never
-     * occupy the same slot. `getSessionState()` reads from
-     * `finalizedPayload.handshake`.
-     */
-    private tryFinalize;
-    /**
-     * Handle a WASM request based on its type
-     */
-    private handleWasmRequest;
-    /**
-     * Handle a send-remote request by calling the RPC endpoint
-     */
-    private handleSendRemote;
-    private captureHandshakeResult;
-    /**
-     * Handle a guest-to-host request using configured handlers
-     */
-    private handleGuestToHost;
-    /**
-     * Send an RPC request with automatic encryption/decryption
-     */
-    private sendRpcRequest;
-    /**
-     * Send a session-authenticated JSON-RPC request with plaintext
-     * params/result (no SessionEncryption layer). Used for tenant-facing
-     * read endpoints (`token.get-balance`, `token.get-usage`) where the
-     * server-side handler reads the JSON envelope directly.
-     *
-     * Auto-attaches the `Session-Id` header; surfaces JSON-RPC errors
-     * the same way as {@link sendRpcRequest} (typed
-     * `InsufficientCreditError` when applicable, `RpcError` otherwise).
-     * Returns the parsed `result` field — typically a JSON object the
-     * caller will narrow to the endpoint's response type.
-     */
-    private sendUnencryptedSessionRpc;
-    /**
-     * Inspect a JSON-RPC response for an `error` field and throw the
-     * appropriate typed exception. No-op when `response.error` is
-     * absent. Shared by every RPC path so wire-shape changes in the
-     * server's error envelope (typed-error subclasses, request-id
-     * placement, detail formatting) only need to land in one place.
-     *
-     * JSON-RPC `error.message` is the generic category string
-     * ("Invalid params", "Internal error", …). The node attaches the
-     * actionable text and per-request correlation id in `error.data`
-     * — see `node/api/src/responses/rpc.rs::from_service_error`.
-     * Extract both so callers (and toasts that only render `.message`)
-     * get the real reason plus an id an operator can grep in
-     * `api::error` logs.
-     *
-     * T3-TS-030 chargepoint denials surface as a typed
-     * `InsufficientCreditError` so frontends can branch on
-     * `instanceof` to render an "out of credit" UI without
-     * prefix-matching the message themselves. Wire format is pinned
-     * by `api/src/error.rs::service_insufficient_credit_wire_format_is_stable`.
-     */
-    private throwIfRpcError;
-    private sendMultipartRpcRequest;
-    /**
-     * Capture the server-minted `Session-Id` from the last handshake
-     * response headers (pentest M-1 / MAT-983). Validates shape so a
-     * broken or MITM'd response fails loudly instead of leaving a
-     * garbage value in the client. Idempotent: only the first valid
-     * mint per session is honoured — subsequent handshake RPC legs
-     * (none exist today, but the state-machine loop can iterate) do
-     * not overwrite an already-set value.
-     */
-    private captureMintedSessionId;
-    /**
-     * Get the finalized session blob (for `session.encrypt` calls).
-     * Populated by `tryFinalize` once the handshake state machine
-     * reaches its terminal phase.
-     */
-    private getSessionState;
-}

package/dist/src/client/transport.d.ts

@@ -1,131 +0,0 @@
-/**
- * Transport layer for T3n SDK
- *
- * Abstracts the communication with T3n nodes, allowing for different
- * implementations (HTTP, WebSocket, Mock) and easy testing.
- */
-/**
- * JSON-RPC request structure
- */
-export interface JsonRpcRequest {
-    jsonrpc: "2.0";
-    method: string;
-    params: unknown;
-    id: string | number;
-}
-/**
- * JSON-RPC response structure
- */
-export interface JsonRpcResponse {
-    jsonrpc: "2.0";
-    result?: unknown;
-    error?: {
-        code: number;
-        message: string;
-        data?: unknown;
-    };
-    id: string | number;
-}
-/**
- * Transport interface for sending requests to T3n nodes
- */
-export interface Transport {
-    /**
-     * Send a JSON-RPC request to the T3n node
-     * @param request - The JSON-RPC request to send
-     * @param headers - Additional headers to include
-     * @returns Promise that resolves to the JSON-RPC response
-     */
-    send(request: JsonRpcRequest, headers: Record<string, string>): Promise<JsonRpcResponse>;
-    /**
-     * Send a JSON-RPC request with an attached binary blob (multipart/form-data).
-     * Part 1 (name=jsonrpc): JSON-RPC envelope.
-     * Part 2 (name=blob): raw binary bytes (e.g. WASM bytecode).
-     */
-    sendMultipart?(request: JsonRpcRequest, headers: Record<string, string>, blob: Blob): Promise<JsonRpcResponse>;
-    /**
-     * Optional accessor for the latest Set-Cookie header value.
-     * (Useful in Node.js demos/tests; browsers block HttpOnly cookies.)
-     */
-    getLastSetCookie?(): string | null;
-    /**
-     * Optional accessor for the last response headers (debugging).
-     */
-    getLastResponseHeaders?(): Record<string, string>;
-}
-/**
- * HTTP transport implementation using fetch
- */
-export declare class HttpTransport implements Transport {
-    private baseUrl;
-    private timeout;
-    private lastSetCookie;
-    private lastResponseHeaders;
-    constructor(baseUrl: string, timeout?: number);
-    getLastSetCookie(): string | null;
-    getLastResponseHeaders(): Record<string, string>;
-    send(request: JsonRpcRequest, headers: Record<string, string>): Promise<JsonRpcResponse>;
-    sendMultipart(request: JsonRpcRequest, headers: Record<string, string>, blob: Blob): Promise<JsonRpcResponse>;
-}
-/**
- * Mock transport for testing
- *
- * @example
- * ```typescript
- * const mockTransport = new MockTransport();
- * mockTransport.mockResponse("auth.handshake", { result: "..." });
- *
- * const client = new T3nClient({
- *   transport: mockTransport,
- *   wasmComponent: mockWasm,
- * });
- * ```
- */
-export declare class MockTransport implements Transport {
-    private responses;
-    private responseHeaders;
-    private lastResponseHeaders;
-    private requests;
-    private multipartRequests;
-    /**
-     * Mock a response for a specific method
-     */
-    mockResponse(method: string, response: Partial<JsonRpcResponse>): void;
-    /**
-     * Mock response headers for a specific method. Used by tests to
-     * simulate the server-minted `Session-Id` header the SDK picks up
-     * from the `auth.handshake` response (MAT-983). Unset methods
-     * default to no headers.
-     */
-    mockResponseHeaders(method: string, headers: Record<string, string>): void;
-    /**
-     * Mock an error response for a specific method
-     */
-    mockError(method: string, code: number, message: string, data?: unknown): void;
-    getLastResponseHeaders(): Record<string, string>;
-    /**
-     * Get all requests that were sent
-     */
-    getRequests(): Array<{
-        request: JsonRpcRequest;
-        headers: Record<string, string>;
-    }>;
-    /**
-     * Get requests for a specific method
-     */
-    getRequestsForMethod(method: string): Array<{
-        request: JsonRpcRequest;
-        headers: Record<string, string>;
-    }>;
-    getMultipartRequests(): Array<{
-        request: JsonRpcRequest;
-        headers: Record<string, string>;
-        blob: Blob;
-    }>;
-    /**
-     * Clear all recorded requests
-     */
-    clearRequests(): void;
-    sendMultipart(request: JsonRpcRequest, headers: Record<string, string>, blob: Blob): Promise<JsonRpcResponse>;
-    send(request: JsonRpcRequest, headers: Record<string, string>): Promise<JsonRpcResponse>;
-}