npm - @trymellon/js - Versions diffs - 2.2.1 → 2.3.1 - Mend

@trymellon/js 2.2.1 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/angular.cjs +1 -1
package/dist/angular.cjs.map +1 -1
package/dist/angular.d.cts +7 -6
package/dist/angular.d.ts +7 -6
package/dist/angular.js +1 -1
package/dist/angular.js.map +1 -1
package/dist/index.cjs +2 -2
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +166 -16
package/dist/index.d.ts +166 -16
package/dist/index.global.js +2 -2
package/dist/index.global.js.map +1 -1
package/dist/index.js +2 -2
package/dist/index.js.map +1 -1
package/dist/react.cjs +1 -1
package/dist/react.cjs.map +1 -1
package/dist/react.d.cts +10 -2
package/dist/react.d.ts +10 -2
package/dist/react.js +1 -1
package/dist/react.js.map +1 -1
package/dist/{trymellon-P7BPxIry.d.cts → trymellon-CO_2wLZz.d.cts} +164 -16
package/dist/{trymellon-P7BPxIry.d.ts → trymellon-CO_2wLZz.d.ts} +164 -16
package/dist/ui/index.d.ts +39 -4
package/dist/ui/index.js +5 -5
package/dist/ui/index.js.map +1 -1
package/dist/vue.cjs +1 -1
package/dist/vue.cjs.map +1 -1
package/dist/vue.d.cts +10 -2
package/dist/vue.d.ts +10 -2
package/dist/vue.js +1 -1
package/dist/vue.js.map +1 -1
package/package.json +23 -2

package/dist/index.d.cts CHANGED Viewed

@@ -1,4 +1,4 @@
-type TryMellonErrorCode = 'NOT_SUPPORTED' | 'USER_CANCELLED' | 'PASSKEY_NOT_FOUND' | 'SESSION_EXPIRED' | 'NETWORK_FAILURE' | 'INVALID_ARGUMENT' | 'TIMEOUT' | 'ABORTED' | 'ABORT_ERROR' | 'CHALLENGE_MISMATCH' | 'UNKNOWN_ERROR';
+type TryMellonErrorCode = 'NOT_SUPPORTED' | 'USER_CANCELLED' | 'PASSKEY_NOT_FOUND' | 'SESSION_EXPIRED' | 'NETWORK_FAILURE' | 'INVALID_ARGUMENT' | 'TIMEOUT' | 'ABORTED' | 'ABORT_ERROR' | 'CHALLENGE_MISMATCH' | 'TICKET_NOT_FOUND' | 'TICKET_EXPIRED' | 'TICKET_ALREADY_USED' | 'PIN_MISMATCH' | 'PIN_LOCKED' | 'BRIDGE_SESSION_EXPIRED' | 'UNKNOWN_ERROR';
 declare class TryMellonError extends Error {
     readonly code: TryMellonErrorCode;
     readonly details?: unknown;
@@ -35,11 +35,12 @@ interface TelemetrySender {
 type Branded<T, B> = T & {
     __brand: B;
 };
-type AppId = Branded<string, 'AppId'>;
 type ExternalUserId = Branded<string, 'ExternalUserId'>;
+/** 64-character hex string (SHA-256). Used to bind enrollment ticket to browser context. */
+type ContextHash = Branded<string, 'ContextHash'>;
 type TryMellonConfig = {
     /** Application identifier (tenant). Required for API requests. */
-    appId: string | AppId;
+    appId: string;
     /** API key for authentication. Required for API requests. */
     publishableKey: string;
     apiBaseUrl?: string;
@@ -70,6 +71,14 @@ type TryMellonConfig = {
      * Set this in Node or when the document origin is not the correct one (e.g. SSR).
      */
     origin?: string;
+    /**
+     * Optional storage for context hash (e.g. sessionStorage). If not set, browser sessionStorage or in-memory fallback is used.
+     * Injected for testability and SSR; must implement getItem/setItem.
+     */
+    contextHashStorage?: {
+        getItem(key: string): string | null;
+        setItem(key: string, value: string): void;
+    };
 };
 interface RegisterOptions {
     /**
@@ -117,19 +126,19 @@ type SuccessEventUserInfo = {
 /** Success payload: token always present (03-eventos-seguridad). Nonce when flow generates it. */
 type SuccessEventPayload = {
     type: 'success';
-    operation: 'register' | 'authenticate';
+    operation: 'register' | 'authenticate' | 'enroll';
     token: string;
     user?: SuccessEventUserInfo;
     nonce?: string;
 };
 type EventPayload = {
     type: 'start';
-    operation: 'register' | 'authenticate';
+    operation: 'register' | 'authenticate' | 'enroll';
     nonce?: string;
 } | SuccessEventPayload | {
     type: 'error';
     error: TryMellonError;
-    operation?: 'register' | 'authenticate';
+    operation?: 'register' | 'authenticate' | 'enroll';
     nonce?: string;
 } | {
     type: 'cancelled';
@@ -152,6 +161,31 @@ type EmailFallbackVerifyResult = {
     /** Set when successUrl was passed and allowed by application allowlist */
     redirectUrl?: string;
 };
+type EnrollOptions = {
+    ticketId: string;
+    signal?: AbortSignal;
+};
+/** Result of finish enrollment; aligns with backend envelope (session_token). */
+type EnrollmentResult = {
+    sessionToken: string;
+};
+/** Backend response for POST /v1/enrollment/register/options. Validators use this shape. */
+type EnrollmentStartResponse = {
+    session_id: string;
+    challenge: RegisterStartResponse['challenge'];
+};
+/** Backend response for POST /v1/enrollment/register. Validators use this shape. */
+type EnrollmentFinishResponse = {
+    credential_id: string;
+    status: string;
+    session_token: string;
+    user: {
+        user_id: string;
+        external_user_id?: string;
+        email?: string;
+        metadata?: Record<string, unknown>;
+    };
+};
 type RecoveryVerifyResponse = {
     challenge: Record<string, unknown>;
     recovery_session_id: string;
@@ -288,6 +322,62 @@ type CrossDeviceVerifyRegistrationRequest = {
     session_id: string;
     credential: RegisterFinishRequest['credential'];
 };
+/** Response from GET context/:sessionId (auth or registration). Aligns with backend unwrapped result. */
+type BridgeContextResponse = {
+    type: 'auth' | 'registration';
+    options: Record<string, unknown>;
+    application_name?: string;
+};
+/** Response from POST verify/:sessionId (challenge / options for WebAuthn). */
+type BridgeChallengeResponse = {
+    session_id: string;
+    challenge?: string;
+    registration_options?: Record<string, unknown>;
+    authentication_options?: Record<string, unknown>;
+};
+/** Backend result of POST complete (enrollment). Validators use this shape. */
+type BridgeCompleteEnrollmentResult = {
+    credential_id: string;
+    entity_id: string;
+    user_id: string;
+    session_token: string;
+};
+/** Backend result of POST complete (auth). */
+type BridgeCompleteAuthResult = {
+    session_token: string;
+};
+/** Options for bridge flows: PIN callback, optional preset PIN, abort signal. */
+type BridgeOptions = {
+    onPinRequired?: () => Promise<string>;
+    presencePin?: string;
+    signal?: AbortSignal;
+};
+/** Public result of bridge enrollment: sessionToken and optional credential/user/entity ids. */
+type BridgeEnrollmentResult = {
+    sessionToken: string;
+    credentialId?: string;
+    userId?: string;
+    entityId?: string;
+};
+/** Public result of bridge auth: sessionToken only. */
+type BridgeAuthResult = {
+    sessionToken: string;
+};
+/** Union: bridge completion returns enrollment or auth result. */
+type BridgeResult = BridgeEnrollmentResult | BridgeAuthResult;
+/** Status snapshot from GET .../status/:sessionId (polling or SSE event). Terminal: pin_verified | pin_locked | completed. */
+type BridgeStatusSnapshot = {
+    status: 'pending' | 'pin_verified' | 'pin_locked' | 'completed';
+    ts?: string;
+};
+/** Options for complete(): BridgeOptions plus kind and enrollment-only fields. */
+type BridgeCompleteOptions = BridgeOptions & {
+    kind: 'enrollment' | 'auth';
+    /** Required when completing enrollment bridge. */
+    ticketId?: string;
+    /** Required when completing enrollment bridge. */
+    entityId?: string;
+};
 type RegisterStartRequest = {
     external_user_id: string;
 };
@@ -435,10 +525,10 @@ interface AuthenticateResult {
 }
 type SessionValidateResponse = {
     valid: boolean;
-    user_id: string;
-    external_user_id: string;
-    tenant_id: string;
-    app_id: string;
+    userId: string;
+    externalUserId: string;
+    tenantId: string;
+    appId: string;
 };
 type OnboardingStartRequest = {
     user_role: 'maintainer' | 'app_user';
@@ -508,6 +598,8 @@ type OnboardingRegisterResponseWithChallenge = OnboardingRegisterResponse & {
     challenge?: RegisterStartResponse['challenge'];
 };
+/** Bridge kind: enrollment-bridge (registration flow) or auth-bridge (auth flow). */
+type BridgeKind = 'enrollment' | 'auth';
 declare class ApiClient {
     private readonly httpClient;
     private readonly baseUrl;
@@ -554,6 +646,49 @@ declare class ApiClient {
     verifyCrossDeviceRegistration(request: CrossDeviceVerifyRegistrationRequest): Promise<Result<void, TryMellonError>>;
     verifyAccountRecoveryOtp(externalUserId: string, otp: string): Promise<Result<RecoveryVerifyResponse, TryMellonError>>;
     completeAccountRecovery(recoverySessionId: string, credential: Record<string, unknown>): Promise<Result<RecoveryCompleteResponse, TryMellonError>>;
+    startEnrollment(ticketId: string, contextHash: string, headers?: Record<string, string>): Promise<Result<EnrollmentStartResponse, TryMellonError>>;
+    finishEnrollment(ticketId: string, body: {
+        credential: unknown;
+        context_hash: string;
+    }, headers?: Record<string, string>): Promise<Result<EnrollmentFinishResponse, TryMellonError>>;
+    private bridgePrefix;
+    getBridgeContext(sessionId: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeContextResponse, TryMellonError>>;
+    verifyBridgePin(sessionId: string, pin: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeChallengeResponse, TryMellonError>>;
+    completeBridgeEnrollment(body: {
+        session_id: string;
+        ticket_id: string;
+        entity_id: string;
+        context_hash: string;
+        registration_response: {
+            id: string;
+            rawId: string;
+            response: {
+                clientDataJSON: string;
+                attestationObject: string;
+            };
+            type: string;
+        };
+    }, headers?: Record<string, string>): Promise<Result<BridgeCompleteEnrollmentResult, TryMellonError>>;
+    completeBridgeAuth(body: {
+        session_id: string;
+        credential: {
+            id: string;
+            rawId: string;
+            response: {
+                authenticatorData: string;
+                clientDataJSON: string;
+                signature: string;
+                userHandle?: string;
+            };
+            type: string;
+        };
+    }, headers?: Record<string, string>): Promise<Result<BridgeCompleteAuthResult, TryMellonError>>;
+    /**
+     * Full URL for GET bridge status (polling or EventSource). Same path as getBridgeStatus.
+     * Used by BridgeManager for SSE when EventSource is available (browser only; Node has no EventSource).
+     */
+    getBridgeStatusUrl(sessionId: string, kind: BridgeKind): string;
+    getBridgeStatus(sessionId: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeStatusSnapshot, TryMellonError>>;
 }
 declare class OnboardingManager {
@@ -581,20 +716,35 @@ declare class TryMellon {
     private authService;
     private recoveryService;
     onboarding: OnboardingManager;
-    /**
-     * Creates a new TryMellon instance.
-     * Validates config and returns a Result.
-     * @param config SDK configuration
-     */
+    private readonly enrollmentManager;
+    private readonly bridgeManager;
+    private readonly contextHashStorage;
+    private static validateConfig;
     static create(config: TryMellonConfig): Result<TryMellon, TryMellonError>;
     /**
      * @deprecated Use `TryMellon.create(config)` instead to handle validation errors safely.
      * This constructor will throw errors if configuration is invalid.
      */
     constructor(config: TryMellonConfig);
+    /**
+     * Bridge (KP-BRIDGE-04): complete enrollment or auth from a second device (e.g. mobile scanning desktop QR).
+     * Use kind 'enrollment' for enrollment-bridge sessions, 'auth' for auth-bridge sessions.
+     */
+    get bridge(): {
+        getContext(sessionId: string, kind: 'enrollment' | 'auth'): Promise<Result<BridgeContextResponse, TryMellonError>>;
+        verifyPin(sessionId: string, pin: string, kind: 'enrollment' | 'auth'): Promise<Result<BridgeChallengeResponse, TryMellonError>>;
+        complete(sessionId: string, options?: BridgeCompleteOptions): Promise<Result<BridgeResult, TryMellonError>>;
+        waitForResult(sessionId: string, options?: {
+            useSse?: boolean;
+            kind?: 'enrollment' | 'auth';
+            timeoutMs?: number;
+        }): Promise<Result<BridgeStatusSnapshot, TryMellonError>>;
+    };
     static isSupported(): boolean;
     register(options: RegisterOptions): Promise<Result<RegisterResult, TryMellonError>>;
     authenticate(options: AuthenticateOptions): Promise<Result<AuthenticateResult, TryMellonError>>;
+    enroll(options: EnrollOptions): Promise<Result<EnrollmentResult, TryMellonError>>;
+    getContextHash(): string;
     validateSession(sessionToken: string): Promise<Result<SessionValidateResponse, TryMellonError>>;
     getStatus(): Promise<ClientStatus>;
     on(event: TryMellonEvent, handler: EventHandler): () => void;
@@ -636,4 +786,4 @@ declare class ConsoleLogger implements Logger {
     error(message: string, meta?: Record<string, unknown>): void;
 }
-export { type AuthenticateOptions, type AuthenticateResult, type ClientStatus, ConsoleLogger, type EmailFallbackStartOptions, type EmailFallbackVerifyOptions, type EmailFallbackVerifyResult, type EventHandler, type EventPayload, type LogLevel, type Logger, type OnboardingCompleteOptions, type OnboardingCompleteResult, type OnboardingRegisterPasskeyOptions, type OnboardingRegisterPasskeyResult, type OnboardingRegisterResult, type OnboardingStartOptions, type OnboardingStartResult, type OnboardingStatusResult, type RegisterOptions, type RegisterResult, type Result, SANDBOX_SESSION_TOKEN, type SessionValidateResponse, TryMellon, type TryMellonConfig, TryMellonError, type TryMellonErrorCode, type TryMellonEvent, createError, createInvalidArgumentError, createNetworkError, createNotSupportedError, createTimeoutError, createUserCancelledError, err, isTryMellonError, mapWebAuthnError, ok };
+export { type AuthenticateOptions, type AuthenticateResult, type BridgeAuthResult, type BridgeChallengeResponse, type BridgeCompleteOptions, type BridgeContextResponse, type BridgeEnrollmentResult, type BridgeOptions, type BridgeResult, type BridgeStatusSnapshot, type ClientStatus, ConsoleLogger, type ContextHash, type EmailFallbackStartOptions, type EmailFallbackVerifyOptions, type EmailFallbackVerifyResult, type EnrollOptions, type EnrollmentResult, type EventHandler, type EventPayload, type LogLevel, type Logger, type OnboardingCompleteOptions, type OnboardingCompleteResult, type OnboardingRegisterPasskeyOptions, type OnboardingRegisterPasskeyResult, type OnboardingRegisterResult, type OnboardingStartOptions, type OnboardingStartResult, type OnboardingStatusResult, type RegisterOptions, type RegisterResult, type Result, SANDBOX_SESSION_TOKEN, type SessionValidateResponse, TryMellon, type TryMellonConfig, TryMellonError, type TryMellonErrorCode, type TryMellonEvent, createError, createInvalidArgumentError, createNetworkError, createNotSupportedError, createTimeoutError, createUserCancelledError, err, isTryMellonError, mapWebAuthnError, ok };

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-type TryMellonErrorCode = 'NOT_SUPPORTED' | 'USER_CANCELLED' | 'PASSKEY_NOT_FOUND' | 'SESSION_EXPIRED' | 'NETWORK_FAILURE' | 'INVALID_ARGUMENT' | 'TIMEOUT' | 'ABORTED' | 'ABORT_ERROR' | 'CHALLENGE_MISMATCH' | 'UNKNOWN_ERROR';
+type TryMellonErrorCode = 'NOT_SUPPORTED' | 'USER_CANCELLED' | 'PASSKEY_NOT_FOUND' | 'SESSION_EXPIRED' | 'NETWORK_FAILURE' | 'INVALID_ARGUMENT' | 'TIMEOUT' | 'ABORTED' | 'ABORT_ERROR' | 'CHALLENGE_MISMATCH' | 'TICKET_NOT_FOUND' | 'TICKET_EXPIRED' | 'TICKET_ALREADY_USED' | 'PIN_MISMATCH' | 'PIN_LOCKED' | 'BRIDGE_SESSION_EXPIRED' | 'UNKNOWN_ERROR';
 declare class TryMellonError extends Error {
     readonly code: TryMellonErrorCode;
     readonly details?: unknown;
@@ -35,11 +35,12 @@ interface TelemetrySender {
 type Branded<T, B> = T & {
     __brand: B;
 };
-type AppId = Branded<string, 'AppId'>;
 type ExternalUserId = Branded<string, 'ExternalUserId'>;
+/** 64-character hex string (SHA-256). Used to bind enrollment ticket to browser context. */
+type ContextHash = Branded<string, 'ContextHash'>;
 type TryMellonConfig = {
     /** Application identifier (tenant). Required for API requests. */
-    appId: string | AppId;
+    appId: string;
     /** API key for authentication. Required for API requests. */
     publishableKey: string;
     apiBaseUrl?: string;
@@ -70,6 +71,14 @@ type TryMellonConfig = {
      * Set this in Node or when the document origin is not the correct one (e.g. SSR).
      */
     origin?: string;
+    /**
+     * Optional storage for context hash (e.g. sessionStorage). If not set, browser sessionStorage or in-memory fallback is used.
+     * Injected for testability and SSR; must implement getItem/setItem.
+     */
+    contextHashStorage?: {
+        getItem(key: string): string | null;
+        setItem(key: string, value: string): void;
+    };
 };
 interface RegisterOptions {
     /**
@@ -117,19 +126,19 @@ type SuccessEventUserInfo = {
 /** Success payload: token always present (03-eventos-seguridad). Nonce when flow generates it. */
 type SuccessEventPayload = {
     type: 'success';
-    operation: 'register' | 'authenticate';
+    operation: 'register' | 'authenticate' | 'enroll';
     token: string;
     user?: SuccessEventUserInfo;
     nonce?: string;
 };
 type EventPayload = {
     type: 'start';
-    operation: 'register' | 'authenticate';
+    operation: 'register' | 'authenticate' | 'enroll';
     nonce?: string;
 } | SuccessEventPayload | {
     type: 'error';
     error: TryMellonError;
-    operation?: 'register' | 'authenticate';
+    operation?: 'register' | 'authenticate' | 'enroll';
     nonce?: string;
 } | {
     type: 'cancelled';
@@ -152,6 +161,31 @@ type EmailFallbackVerifyResult = {
     /** Set when successUrl was passed and allowed by application allowlist */
     redirectUrl?: string;
 };
+type EnrollOptions = {
+    ticketId: string;
+    signal?: AbortSignal;
+};
+/** Result of finish enrollment; aligns with backend envelope (session_token). */
+type EnrollmentResult = {
+    sessionToken: string;
+};
+/** Backend response for POST /v1/enrollment/register/options. Validators use this shape. */
+type EnrollmentStartResponse = {
+    session_id: string;
+    challenge: RegisterStartResponse['challenge'];
+};
+/** Backend response for POST /v1/enrollment/register. Validators use this shape. */
+type EnrollmentFinishResponse = {
+    credential_id: string;
+    status: string;
+    session_token: string;
+    user: {
+        user_id: string;
+        external_user_id?: string;
+        email?: string;
+        metadata?: Record<string, unknown>;
+    };
+};
 type RecoveryVerifyResponse = {
     challenge: Record<string, unknown>;
     recovery_session_id: string;
@@ -288,6 +322,62 @@ type CrossDeviceVerifyRegistrationRequest = {
     session_id: string;
     credential: RegisterFinishRequest['credential'];
 };
+/** Response from GET context/:sessionId (auth or registration). Aligns with backend unwrapped result. */
+type BridgeContextResponse = {
+    type: 'auth' | 'registration';
+    options: Record<string, unknown>;
+    application_name?: string;
+};
+/** Response from POST verify/:sessionId (challenge / options for WebAuthn). */
+type BridgeChallengeResponse = {
+    session_id: string;
+    challenge?: string;
+    registration_options?: Record<string, unknown>;
+    authentication_options?: Record<string, unknown>;
+};
+/** Backend result of POST complete (enrollment). Validators use this shape. */
+type BridgeCompleteEnrollmentResult = {
+    credential_id: string;
+    entity_id: string;
+    user_id: string;
+    session_token: string;
+};
+/** Backend result of POST complete (auth). */
+type BridgeCompleteAuthResult = {
+    session_token: string;
+};
+/** Options for bridge flows: PIN callback, optional preset PIN, abort signal. */
+type BridgeOptions = {
+    onPinRequired?: () => Promise<string>;
+    presencePin?: string;
+    signal?: AbortSignal;
+};
+/** Public result of bridge enrollment: sessionToken and optional credential/user/entity ids. */
+type BridgeEnrollmentResult = {
+    sessionToken: string;
+    credentialId?: string;
+    userId?: string;
+    entityId?: string;
+};
+/** Public result of bridge auth: sessionToken only. */
+type BridgeAuthResult = {
+    sessionToken: string;
+};
+/** Union: bridge completion returns enrollment or auth result. */
+type BridgeResult = BridgeEnrollmentResult | BridgeAuthResult;
+/** Status snapshot from GET .../status/:sessionId (polling or SSE event). Terminal: pin_verified | pin_locked | completed. */
+type BridgeStatusSnapshot = {
+    status: 'pending' | 'pin_verified' | 'pin_locked' | 'completed';
+    ts?: string;
+};
+/** Options for complete(): BridgeOptions plus kind and enrollment-only fields. */
+type BridgeCompleteOptions = BridgeOptions & {
+    kind: 'enrollment' | 'auth';
+    /** Required when completing enrollment bridge. */
+    ticketId?: string;
+    /** Required when completing enrollment bridge. */
+    entityId?: string;
+};
 type RegisterStartRequest = {
     external_user_id: string;
 };
@@ -435,10 +525,10 @@ interface AuthenticateResult {
 }
 type SessionValidateResponse = {
     valid: boolean;
-    user_id: string;
-    external_user_id: string;
-    tenant_id: string;
-    app_id: string;
+    userId: string;
+    externalUserId: string;
+    tenantId: string;
+    appId: string;
 };
 type OnboardingStartRequest = {
     user_role: 'maintainer' | 'app_user';
@@ -508,6 +598,8 @@ type OnboardingRegisterResponseWithChallenge = OnboardingRegisterResponse & {
     challenge?: RegisterStartResponse['challenge'];
 };
+/** Bridge kind: enrollment-bridge (registration flow) or auth-bridge (auth flow). */
+type BridgeKind = 'enrollment' | 'auth';
 declare class ApiClient {
     private readonly httpClient;
     private readonly baseUrl;
@@ -554,6 +646,49 @@ declare class ApiClient {
     verifyCrossDeviceRegistration(request: CrossDeviceVerifyRegistrationRequest): Promise<Result<void, TryMellonError>>;
     verifyAccountRecoveryOtp(externalUserId: string, otp: string): Promise<Result<RecoveryVerifyResponse, TryMellonError>>;
     completeAccountRecovery(recoverySessionId: string, credential: Record<string, unknown>): Promise<Result<RecoveryCompleteResponse, TryMellonError>>;
+    startEnrollment(ticketId: string, contextHash: string, headers?: Record<string, string>): Promise<Result<EnrollmentStartResponse, TryMellonError>>;
+    finishEnrollment(ticketId: string, body: {
+        credential: unknown;
+        context_hash: string;
+    }, headers?: Record<string, string>): Promise<Result<EnrollmentFinishResponse, TryMellonError>>;
+    private bridgePrefix;
+    getBridgeContext(sessionId: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeContextResponse, TryMellonError>>;
+    verifyBridgePin(sessionId: string, pin: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeChallengeResponse, TryMellonError>>;
+    completeBridgeEnrollment(body: {
+        session_id: string;
+        ticket_id: string;
+        entity_id: string;
+        context_hash: string;
+        registration_response: {
+            id: string;
+            rawId: string;
+            response: {
+                clientDataJSON: string;
+                attestationObject: string;
+            };
+            type: string;
+        };
+    }, headers?: Record<string, string>): Promise<Result<BridgeCompleteEnrollmentResult, TryMellonError>>;
+    completeBridgeAuth(body: {
+        session_id: string;
+        credential: {
+            id: string;
+            rawId: string;
+            response: {
+                authenticatorData: string;
+                clientDataJSON: string;
+                signature: string;
+                userHandle?: string;
+            };
+            type: string;
+        };
+    }, headers?: Record<string, string>): Promise<Result<BridgeCompleteAuthResult, TryMellonError>>;
+    /**
+     * Full URL for GET bridge status (polling or EventSource). Same path as getBridgeStatus.
+     * Used by BridgeManager for SSE when EventSource is available (browser only; Node has no EventSource).
+     */
+    getBridgeStatusUrl(sessionId: string, kind: BridgeKind): string;
+    getBridgeStatus(sessionId: string, kind: BridgeKind, headers?: Record<string, string>): Promise<Result<BridgeStatusSnapshot, TryMellonError>>;
 }
 declare class OnboardingManager {
@@ -581,20 +716,35 @@ declare class TryMellon {
     private authService;
     private recoveryService;
     onboarding: OnboardingManager;
-    /**
-     * Creates a new TryMellon instance.
-     * Validates config and returns a Result.
-     * @param config SDK configuration
-     */
+    private readonly enrollmentManager;
+    private readonly bridgeManager;
+    private readonly contextHashStorage;
+    private static validateConfig;
     static create(config: TryMellonConfig): Result<TryMellon, TryMellonError>;
     /**
      * @deprecated Use `TryMellon.create(config)` instead to handle validation errors safely.
      * This constructor will throw errors if configuration is invalid.
      */
     constructor(config: TryMellonConfig);
+    /**
+     * Bridge (KP-BRIDGE-04): complete enrollment or auth from a second device (e.g. mobile scanning desktop QR).
+     * Use kind 'enrollment' for enrollment-bridge sessions, 'auth' for auth-bridge sessions.
+     */
+    get bridge(): {
+        getContext(sessionId: string, kind: 'enrollment' | 'auth'): Promise<Result<BridgeContextResponse, TryMellonError>>;
+        verifyPin(sessionId: string, pin: string, kind: 'enrollment' | 'auth'): Promise<Result<BridgeChallengeResponse, TryMellonError>>;
+        complete(sessionId: string, options?: BridgeCompleteOptions): Promise<Result<BridgeResult, TryMellonError>>;
+        waitForResult(sessionId: string, options?: {
+            useSse?: boolean;
+            kind?: 'enrollment' | 'auth';
+            timeoutMs?: number;
+        }): Promise<Result<BridgeStatusSnapshot, TryMellonError>>;
+    };
     static isSupported(): boolean;
     register(options: RegisterOptions): Promise<Result<RegisterResult, TryMellonError>>;
     authenticate(options: AuthenticateOptions): Promise<Result<AuthenticateResult, TryMellonError>>;
+    enroll(options: EnrollOptions): Promise<Result<EnrollmentResult, TryMellonError>>;
+    getContextHash(): string;
     validateSession(sessionToken: string): Promise<Result<SessionValidateResponse, TryMellonError>>;
     getStatus(): Promise<ClientStatus>;
     on(event: TryMellonEvent, handler: EventHandler): () => void;
@@ -636,4 +786,4 @@ declare class ConsoleLogger implements Logger {
     error(message: string, meta?: Record<string, unknown>): void;
 }
-export { type AuthenticateOptions, type AuthenticateResult, type ClientStatus, ConsoleLogger, type EmailFallbackStartOptions, type EmailFallbackVerifyOptions, type EmailFallbackVerifyResult, type EventHandler, type EventPayload, type LogLevel, type Logger, type OnboardingCompleteOptions, type OnboardingCompleteResult, type OnboardingRegisterPasskeyOptions, type OnboardingRegisterPasskeyResult, type OnboardingRegisterResult, type OnboardingStartOptions, type OnboardingStartResult, type OnboardingStatusResult, type RegisterOptions, type RegisterResult, type Result, SANDBOX_SESSION_TOKEN, type SessionValidateResponse, TryMellon, type TryMellonConfig, TryMellonError, type TryMellonErrorCode, type TryMellonEvent, createError, createInvalidArgumentError, createNetworkError, createNotSupportedError, createTimeoutError, createUserCancelledError, err, isTryMellonError, mapWebAuthnError, ok };
+export { type AuthenticateOptions, type AuthenticateResult, type BridgeAuthResult, type BridgeChallengeResponse, type BridgeCompleteOptions, type BridgeContextResponse, type BridgeEnrollmentResult, type BridgeOptions, type BridgeResult, type BridgeStatusSnapshot, type ClientStatus, ConsoleLogger, type ContextHash, type EmailFallbackStartOptions, type EmailFallbackVerifyOptions, type EmailFallbackVerifyResult, type EnrollOptions, type EnrollmentResult, type EventHandler, type EventPayload, type LogLevel, type Logger, type OnboardingCompleteOptions, type OnboardingCompleteResult, type OnboardingRegisterPasskeyOptions, type OnboardingRegisterPasskeyResult, type OnboardingRegisterResult, type OnboardingStartOptions, type OnboardingStartResult, type OnboardingStatusResult, type RegisterOptions, type RegisterResult, type Result, SANDBOX_SESSION_TOKEN, type SessionValidateResponse, TryMellon, type TryMellonConfig, TryMellonError, type TryMellonErrorCode, type TryMellonEvent, createError, createInvalidArgumentError, createNetworkError, createNotSupportedError, createTimeoutError, createUserCancelledError, err, isTryMellonError, mapWebAuthnError, ok };