@textrp/briij-js-sdk 43.2.1 → 44.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@textrp/briij-js-sdk",
-  "version": "43.2.1",
+  "version": "44.0.0",
   "description": "Briij Client-Server SDK for JavaScript and TypeScript",
   "engines": {
     "node": ">=22.0.0"
@@ -39,6 +39,7 @@
     "another-json": "^0.2.0",
     "bs58": "^6.0.0",
     "content-type": "^1.0.4",
+    "did-resolver": "^4.1.0",
     "jwt-decode": "^4.0.0",
     "loglevel": "^1.9.2",
     "matrix-events-sdk": "0.0.1",
@@ -46,6 +47,7 @@
     "oidc-client-ts": "^3.0.1",
     "p-retry": "7",
     "sdp-transform": "^3.0.0",
+    "snarkjs": "^0.7.6",
     "unhomoglyph": "^1.0.6",
     "uuid": "13",
     "xrpl": "^4.6.0"

package/src/@types/auth.ts

@@ -270,6 +270,50 @@ export interface WalletIdentityAccountData {
     public_key?: string | null;
     network?: string | null;
     key_type?: string | null;
+    did_uri?: string | null;
+    credential_id?: string | null;
+    e2ee_pubkey_commitment?: string | null;
+}
+
+interface DidVerificationMethod {
+    id: string;
+    type: string;
+    controller: string;
+    publicKeyMultibase?: string;
+    blockchainAccountId?: string;
+}
+
+export interface DidResolutionResult {
+    did_uri: string;
+    resolution_type?: string;
+    did_document: {
+        id: string;
+        verificationMethod: DidVerificationMethod[];
+        authentication: string[];
+        service?: Array<Record<string, string>>;
+    };
+}
+
+export interface CredentialCreateResult {
+    credential_id: string;
+    status: string;
+}
+
+export interface CredentialVerifyResult {
+    credential_id: string;
+    valid: boolean;
+}
+
+export interface ZkpVerifyResult {
+    valid: boolean;
+    verified_at?: number;
+    reason?: string;
+}
+
+export interface DidCredentialMetadata {
+    didUri: string;
+    credentialId: string;
+    issuedAt: number;
 }
 
 export interface XrplWalletLoginRequest extends Omit<LoginRequest, "type"> {

package/src/@types/snarkjs.d.ts

@@ -0,0 +1,17 @@
+declare module "snarkjs" {
+    export const groth16: {
+        fullProve: (
+            input: Record<string, string>,
+            wasmPath: string,
+            zkeyPath: string,
+        ) => Promise<{
+            proof: Record<string, unknown>;
+            publicSignals: string[] | Record<string, string>;
+        }>;
+        verify: (
+            verificationKey: Record<string, unknown>,
+            publicSignals: string[] | Record<string, string>,
+            proof: Record<string, unknown>,
+        ) => Promise<boolean>;
+    };
+}

package/src/auth/credential.ts

@@ -0,0 +1,63 @@
+/*
+Copyright 2026 Xurge Digital Lab
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+export interface CredentialCreateRequest {
+    did_uri: string;
+    subject: string;
+    e2ee_pubkey_commitment: string;
+}
+
+export interface CredentialCreateResponse {
+    credential_id: string;
+    status: string;
+}
+
+export interface CredentialVerifyResponse {
+    credential_id: string;
+    valid: boolean;
+}
+
+export interface DidCredentialMetadata {
+    didUri: string;
+    credentialId: string;
+    issuedAt: number;
+}
+
+const METADATA_KEY = "briij.did_credential_metadata";
+const memoryMetadata = new Map<string, DidCredentialMetadata>();
+
+export async function requestCredentialCreate(
+    requester: (path: string, method: "POST", body: CredentialCreateRequest) => Promise<CredentialCreateResponse>,
+    payload: CredentialCreateRequest,
+): Promise<CredentialCreateResponse> {
+    return requester("/credential/create", "POST", payload);
+}
+
+export async function verifyCredential(
+    requester: (path: string, method: "POST", body: { credential_id: string }) => Promise<CredentialVerifyResponse>,
+    credentialId: string,
+): Promise<CredentialVerifyResponse> {
+    return requester("/credential/verify", "POST", { credential_id: credentialId });
+}
+
+export function storeDidCredentialMetadata(userId: string, metadata: DidCredentialMetadata): void {
+    memoryMetadata.set(userId, metadata);
+    if (globalThis.localStorage) {
+        globalThis.localStorage.setItem(`${METADATA_KEY}:${userId}`, JSON.stringify(metadata));
+    }
+}
+
+export function loadDidCredentialMetadata(userId: string): DidCredentialMetadata | null {
+    const fromMemory = memoryMetadata.get(userId);
+    if (fromMemory) return fromMemory;
+    const raw = globalThis.localStorage?.getItem(`${METADATA_KEY}:${userId}`);
+    if (!raw) return null;
+    return JSON.parse(raw) as DidCredentialMetadata;
+}

package/src/auth/did.ts

@@ -0,0 +1,89 @@
+/*
+Copyright 2026 Xurge Digital Lab
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+import { Resolver } from "did-resolver";
+
+export interface DidVerificationMethod {
+    id: string;
+    type: string;
+    controller: string;
+    publicKeyMultibase?: string;
+    blockchainAccountId?: string;
+}
+
+export interface DidDocumentShape {
+    id: string;
+    verificationMethod: DidVerificationMethod[];
+    authentication: string[];
+    service?: Array<Record<string, string>>;
+}
+
+export interface DidResolutionResponse {
+    did_uri: string;
+    resolution_type?: string;
+    did_document: DidDocumentShape;
+}
+
+const fallbackResolver = new Resolver({});
+
+export function deriveXrplDid(address: string, network: "testnet" | "mainnet" = "testnet"): string {
+    if (!address || !address.startsWith("r")) {
+        throw new Error("Invalid XRPL address");
+    }
+    return `did:xrpl:${network}:${address}`;
+}
+
+export function createMinimalDidDocument(didUri: string, e2eePubkeyCommitment: string): DidDocumentShape {
+    return {
+        id: didUri,
+        verificationMethod: [
+            {
+                id: `${didUri}#owner`,
+                type: "EcdsaSecp256k1RecoveryMethod2020",
+                controller: didUri,
+            },
+            {
+                id: `${didUri}#e2ee`,
+                type: "E2EEPublicKeyCommitment",
+                controller: didUri,
+                publicKeyMultibase: e2eePubkeyCommitment,
+            },
+        ],
+        authentication: [`${didUri}#owner`],
+        service: [
+            {
+                id: `${didUri}#did-resolution`,
+                type: "BriijDidResolution",
+                serviceEndpoint: "/_matrix/client/v3/did/resolve",
+            },
+        ],
+    };
+}
+
+export async function resolveDidViaHomeserver(
+    requester: (path: string, method: "GET") => Promise<DidResolutionResponse>,
+    account: string,
+): Promise<DidResolutionResponse> {
+    const direct = await requester(`/did/resolve?account=${encodeURIComponent(account)}`, "GET");
+    if (direct?.did_document?.id) {
+        return direct;
+    }
+
+    // Keep a resolver instance available for future DID-method plugins.
+    const fallback = await fallbackResolver.resolve(`did:xrpl:testnet:${account}`);
+    if (fallback.didDocument) {
+        return {
+            did_uri: fallback.didDocument.id,
+            did_document: fallback.didDocument as DidDocumentShape,
+            resolution_type: "resolver-fallback",
+        };
+    }
+    throw new Error("Failed to resolve DID document");
+}

package/src/auth/wallet.ts

@@ -0,0 +1,50 @@
+/*
+Copyright 2026 Xurge Digital Lab
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+import { XRPL_WALLET_LOGIN_TYPE } from "../@types/auth.ts";
+
+export interface WalletProofResult {
+    address: string;
+    signature: string;
+    publicKey?: string;
+    network?: string;
+}
+
+export interface WalletLoginSubmission {
+    type: typeof XRPL_WALLET_LOGIN_TYPE;
+    address: string;
+    signature: string;
+    public_key?: string;
+    network: string;
+    session: string;
+    username?: string;
+}
+
+export type WalletProofProvider = (challenge: string, network: string) => Promise<WalletProofResult>;
+
+/**
+ * Normalizes wallet proof payload to the login body used by the homeserver.
+ */
+export function buildWalletLoginSubmission(
+    proof: WalletProofResult,
+    session: string,
+    network: string,
+    username?: string,
+): WalletLoginSubmission {
+    return {
+        type: XRPL_WALLET_LOGIN_TYPE,
+        session,
+        address: proof.address,
+        signature: proof.signature,
+        public_key: proof.publicKey,
+        network: proof.network ?? network,
+        username,
+    };
+}

package/src/auth/zkpE2EE.ts

@@ -0,0 +1,88 @@
+/*
+Copyright 2026 Xurge Digital Lab
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+export interface E2eeZkInput {
+    didUri: string;
+    xrplAddress: string;
+    e2eePrivateKey: string;
+    credentialId: string;
+}
+
+export interface E2eeZkProofPayload {
+    proof: Record<string, unknown>;
+    publicSignals: string[] | Record<string, string>;
+}
+
+export interface E2eeZkGenerateOptions {
+    wasmPath: string;
+    zkeyPath: string;
+    fullProve?: (
+        input: Record<string, string>,
+        wasmPath: string,
+        zkeyPath: string,
+    ) => Promise<E2eeZkProofPayload>;
+}
+
+export interface E2eeZkVerifyOptions {
+    verificationKey: Record<string, unknown>;
+    verify?: (
+        verificationKey: Record<string, unknown>,
+        publicSignals: E2eeZkProofPayload["publicSignals"],
+        proof: E2eeZkProofPayload["proof"],
+    ) => Promise<boolean>;
+}
+
+async function sha256Hex(input: string): Promise<string> {
+    if (!globalThis.crypto?.subtle) {
+        return input;
+    }
+    const digest = await globalThis.crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+    return Array.from(new Uint8Array(digest))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+
+export async function generateE2eeZkProof(
+    input: E2eeZkInput,
+    options: E2eeZkGenerateOptions,
+): Promise<E2eeZkProofPayload> {
+    const fullProve =
+        options.fullProve ??
+        (async (signals, wasmPath, zkeyPath) => {
+            const snarkjs = await import("snarkjs");
+            return snarkjs.groth16.fullProve(signals, wasmPath, zkeyPath);
+        });
+
+    const e2eePrivateKeyHash = await sha256Hex(input.e2eePrivateKey);
+    return fullProve(
+        {
+            did_uri: input.didUri,
+            xrpl_address: input.xrplAddress,
+            credential_id: input.credentialId,
+            e2ee_privkey_hash: e2eePrivateKeyHash,
+        },
+        options.wasmPath,
+        options.zkeyPath,
+    );
+}
+
+export async function verifyE2eeZkProof(
+    payload: E2eeZkProofPayload,
+    options: E2eeZkVerifyOptions,
+): Promise<boolean> {
+    const verifier =
+        options.verify ??
+        (async (verificationKey, publicSignals, proof) => {
+            const snarkjs = await import("snarkjs");
+            return snarkjs.groth16.verify(verificationKey, publicSignals, proof);
+        });
+
+    return verifier(options.verificationKey, payload.publicSignals, payload.proof);
+}

package/src/briij.ts

@@ -49,6 +49,18 @@ export * from "./scheduler.ts";
 export * from "./filter.ts";
 export * from "./timeline-window.ts";
 export * from "./interactive-auth.ts";
+export * from "./auth/did.ts";
+export {
+    type CredentialCreateRequest,
+    type CredentialCreateResponse,
+    type CredentialVerifyResponse,
+    loadDidCredentialMetadata,
+    requestCredentialCreate,
+    storeDidCredentialMetadata,
+    verifyCredential,
+} from "./auth/credential.ts";
+export * from "./auth/wallet.ts";
+export * from "./auth/zkpE2EE.ts";
 export * from "./xrpl/identity.ts";
 export * from "./xrpl/trust.ts";
 export * from "./xrpl/verification.ts";

package/src/client.ts

@@ -204,6 +204,11 @@ import {
 } from "./webrtc/groupCall.ts";
 import { MediaHandler } from "./webrtc/mediaHandler.ts";
 import {
+    type CredentialCreateResult,
+    type CredentialVerifyResult,
+    type DidCredentialMetadata,
+    type DidResolutionResult,
+    type ZkpVerifyResult,
     type ILoginFlowsResponse,
     type IRefreshTokenResponse,
     type LoginRequest,
@@ -220,6 +225,15 @@ import {
     type XrplAuthCompleteRequest,
     type XrplWalletChallengePayload,
 } from "./@types/auth.ts";
+import { createMinimalDidDocument, deriveXrplDid, resolveDidViaHomeserver } from "./auth/did.ts";
+import {
+    loadDidCredentialMetadata,
+    requestCredentialCreate,
+    storeDidCredentialMetadata,
+    verifyCredential,
+} from "./auth/credential.ts";
+import { generateE2eeZkProof } from "./auth/zkpE2EE.ts";
+import { buildWalletLoginSubmission, type WalletProofProvider, type WalletProofResult } from "./auth/wallet.ts";
 import { TypedEventEmitter } from "./models/typed-event-emitter.ts";
 import { MAIN_ROOM_TIMELINE, ReceiptType } from "./@types/read_receipts.ts";
 import { type MSC3575SlidingSyncRequest, type MSC3575SlidingSyncResponse, type SlidingSync } from "./sliding-sync.ts";
@@ -6997,6 +7011,179 @@ export class BriijClient extends TypedEventEmitter<EmittedEvents, ClientEventHan
         });
     }
 
+    /**
+     * XRPL DID + credential login flow:
+     * 1) challenge request, 2) wallet proof submission, 3) DID resolve, 4) credential request.
+     */
+    public async loginWithXrplDidCredential(params: {
+        address: string;
+        username?: string;
+        network?: string;
+        didNetwork?: "testnet" | "mainnet";
+        e2eePubkeyCommitment?: string;
+        longevityMode?: boolean;
+        walletProofProvider: WalletProofProvider;
+        zkpLongevityMode?: {
+            enabled: boolean;
+            e2eePrivateKey?: string;
+            strict?: boolean;
+            generateProof?: (context: {
+                didUri: string;
+                xrplAddress: string;
+                credentialId: string;
+                e2eePubkeyCommitment: string;
+            }) => Promise<{ proof: Record<string, unknown>; publicSignals: string[] | Record<string, string> }>;
+        };
+    }): Promise<
+        LoginResponse & {
+            did: DidResolutionResult;
+            didDocument: ReturnType<typeof createMinimalDidDocument>;
+            credential: CredentialCreateResult;
+            credentialVerification: CredentialVerifyResult;
+            metadata: DidCredentialMetadata;
+            zkp?: ZkpVerifyResult;
+        }
+    > {
+        const network = params.network ?? "xrpl";
+        const didNetwork = params.didNetwork ?? "testnet";
+
+        const challenge = await this.getXrplAuthChallenge({
+            address: params.address,
+            network,
+            username: params.username,
+            preferred_localpart: params.username,
+        });
+
+        const walletProof: WalletProofResult = await params.walletProofProvider(challenge.challenge, network);
+        if (walletProof.address !== params.address) {
+            throw new Error("Wallet proof address mismatch");
+        }
+
+        const loginResponse = await this.completeXrplAuth(
+            buildWalletLoginSubmission(walletProof, challenge.session, network, params.username),
+        );
+        await this.applyLoginResponse(loginResponse, XRPL_WALLET_LOGIN_TYPE);
+
+        const didUri = deriveXrplDid(walletProof.address, didNetwork);
+        const commitment = params.e2eePubkeyCommitment ?? (await this.createE2eeCommitment(loginResponse.user_id));
+        const didDocument = createMinimalDidDocument(didUri, commitment);
+
+        const did = await resolveDidViaHomeserver(async (path: string) => {
+            return this.http.authedRequest<DidResolutionResult>(Method.Get, path);
+        }, walletProof.address);
+
+        const credential = await requestCredentialCreate(
+            async (path, method, body) => this.http.authedRequest<CredentialCreateResult>(Method.Post, path, undefined, body),
+            {
+                subject: walletProof.address,
+                did_uri: did.did_uri ?? didUri,
+                e2ee_pubkey_commitment: commitment,
+            },
+        );
+
+        const credentialVerification = await verifyCredential(
+            async (path, method, body) =>
+                this.http.authedRequest<CredentialVerifyResult>(Method.Post, path, undefined, body),
+            credential.credential_id,
+        );
+
+        const zkpModeEnabled = params.longevityMode ?? params.zkpLongevityMode?.enabled ?? false;
+        let zkp: ZkpVerifyResult | undefined;
+        if (zkpModeEnabled) {
+            try {
+                const generatedProof =
+                    (await params.zkpLongevityMode?.generateProof?.({
+                        didUri: did.did_uri ?? didUri,
+                        xrplAddress: walletProof.address,
+                        credentialId: credential.credential_id,
+                        e2eePubkeyCommitment: commitment,
+                    })) ??
+                    (await generateE2eeZkProof(
+                        {
+                            didUri: did.did_uri ?? didUri,
+                            xrplAddress: walletProof.address,
+                            credentialId: credential.credential_id,
+                            e2eePrivateKey: params.zkpLongevityMode?.e2eePrivateKey ?? commitment,
+                        },
+                        {
+                            wasmPath: "/circuits/e2ee_credential.wasm",
+                            zkeyPath: "/circuits/e2ee_credential.zkey",
+                        },
+                    ));
+
+                zkp = await this.http.authedRequest<ZkpVerifyResult>(Method.Post, "/zkp/verify", undefined, {
+                    proof: generatedProof.proof,
+                    public_signals: generatedProof.publicSignals,
+                    e2ee_pubkey_commitment: commitment,
+                });
+            } catch (error) {
+                if (params.zkpLongevityMode?.strict) {
+                    throw error;
+                }
+                zkp = { valid: false, reason: "zkp_verification_skipped" };
+            }
+        }
+
+        const metadata: DidCredentialMetadata = {
+            didUri: did.did_uri ?? didUri,
+            credentialId: credential.credential_id,
+            issuedAt: Date.now(),
+        };
+        storeDidCredentialMetadata(loginResponse.user_id, metadata);
+        await this.persistDidDeviceBinding({
+            didUri: metadata.didUri,
+            credentialId: metadata.credentialId,
+            e2eePubkeyCommitment: commitment,
+            xrplAddress: walletProof.address,
+            network,
+        });
+
+        return {
+            ...loginResponse,
+            did,
+            didDocument,
+            credential,
+            credentialVerification,
+            metadata,
+            zkp,
+        };
+    }
+
+    public getStoredDidCredentialMetadata(userId: string): DidCredentialMetadata | null {
+        return loadDidCredentialMetadata(userId);
+    }
+
+    private async createE2eeCommitment(seed: string): Promise<string> {
+        if (!globalThis.crypto?.subtle) {
+            return encodeUnpaddedBase64Url(new TextEncoder().encode(seed));
+        }
+        const digest = await globalThis.crypto.subtle.digest("SHA-256", new TextEncoder().encode(seed));
+        return Array.from(new Uint8Array(digest))
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+    }
+
+    private async persistDidDeviceBinding(binding: {
+        didUri: string;
+        credentialId: string;
+        e2eePubkeyCommitment: string;
+        xrplAddress: string;
+        network: string;
+    }): Promise<void> {
+        try {
+            await this.setAccountData(WALLET_IDENTITY_ACCOUNT_DATA_TYPE, {
+                chain_id: "xrpl",
+                account_id: binding.xrplAddress,
+                network: binding.network,
+                did_uri: binding.didUri,
+                credential_id: binding.credentialId,
+                e2ee_pubkey_commitment: binding.e2eePubkeyCommitment,
+            });
+        } catch (error) {
+            logger.warn("Failed to persist DID/E2EE device binding metadata", error);
+        }
+    }
+
     /**
      * Store a chain-agnostic wallet recovery envelope in account data.
      *

package/src/components/LoginStepper.tsx

@@ -0,0 +1,50 @@
+/*
+Copyright 2026 Xurge Digital Lab
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+*/
+
+/* Mermaid flow reference:
+flowchart LR
+  wallet[Connect Wallet] --> login[Submit wallet proof to /login]
+  login --> did[Resolve/Create DID]
+  did --> cred[Request CredentialCreate]
+  cred --> done[Persist DID + credential metadata]
+*/
+
+export interface LoginStepperProps {
+    currentStep: 1 | 2 | 3 | 4 | 5;
+    longevityModeEnabled?: boolean;
+}
+
+/**
+ * Lightweight JSX component for apps consuming the SDK.
+ */
+export function LoginStepper({ currentStep, longevityModeEnabled = false }: LoginStepperProps): string {
+    const longevityToggle = `${longevityModeEnabled ? "[x]" : "[ ]"} Enable Longevity Mode (ZKP)`;
+    const warning = longevityModeEnabled
+        ? "ZKP path enabled: strongest DID-bound E2EE continuity."
+        : "Warning: continuing without ZKP uses wallet-signature fallback only.";
+    const steps = [
+        "1. Wallet Proof",
+        "2. DID Resolve/Create",
+        "3. Credential Create",
+        "4. Persist Metadata",
+        "5. ZKP Longevity Verify (optional)",
+    ];
+    const renderedSteps = steps
+        .map((step, idx) => {
+            if (idx === 4 && !longevityModeEnabled) {
+                return `[ ] ${step}`;
+            }
+            const active = idx + 1 <= currentStep ? "[x]" : "[ ]";
+            return `${active} ${step}`;
+        })
+        .join("\n");
+
+    return `${longevityToggle}\n${warning}\n${renderedSteps}`;
+}