spaps-sdk 1.10.2 → 1.11.0

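--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -8,6 +8,12 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and
 
  ### Added
 
+ - Added browser-safe `entitlements.listCurrentUserProjects()` and `entitlements.checkCurrentUserProjectAccess(...)` helpers for project grant reads.
+
+ ## [1.10.2] - 2026-06-04
+
+ ### Added
+
  - Added `issueReporting.getAttachmentAccess(attachmentId)` as the canonical screenshot access helper while keeping `getAttachmentAccessUrl` as a backward-compatible alias.
 
  ## [1.10.1] - 2026-05-16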
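--- a/package/PERMISSIONS.md
+++ b/package/PERMISSIONS.md
@@ -2,6 +2,27 @@
 
  Client-side permission checking and role management utilities for SPAPS applications.
 
+ ## Browser-Safe Project Access
+
+ The SDK exposes read-only helpers for current-user project access:
+
+ ```typescript
+ await spaps.entitlements.listCurrentUserProjects({
+ entitlementKey: 'pds.project.viewer'
+ });
+
+ await spaps.entitlements.checkCurrentUserProjectAccess({
+ projectId: 'project_123',
+ entitlementKey: 'pds.project.viewer'
+ });
+ ```
+
+ These helpers are safe for publishable-key browser contexts because SPAPS
+ validates the JWT subject server-side. The SDK does not expose browser methods
+ for account membership invitation, project grant, project revoke, or account
+ capability mutation. Keep those operations in a trusted backend using a secret
+ key and admin access token.
+
  ## 🚀 Quick Start
 
  ```typescript
@@ -387,4 +408,4 @@ interface PermissionCheckResult {
  4. **Role-based UI**: Show/hide features based on user permissions
  5. **Custom admin management**: Use custom admin lists for multi-tenant apps
  6. **Testing**: Test permission logic with various user states
- 7. **Type safety**: Use TypeScript interfaces for better development experience
+ 7. **Type safety**: Use TypeScript interfaces for better development experience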
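--- a/package/README.md
+++ b/package/README.md
@@ -88,7 +88,7 @@ Relevant environment variables:
  | `appLinks` | Authenticated create and public resolve helpers for application-scoped short links |
  | `marketing` | Browser-safe attribution/experiment event emission and server-side experiment results |
  | `email` | Template lookup, preview, and send helpers |
- | `entitlements` | User and resource entitlement queries |
+ | `entitlements` | User/resource entitlement queries and browser-safe current-user project access reads |
  | `usage` | Secret-key usage authorization and immutable usage recording |
  | `skillEvals` | Paid blind skill-eval cases, review rooms, reviewer marks, insight inboxes, and controlled reveal |
  | `dayrate` | Availability, Stripe booking, x402 booking-hold, and checkout-status helpers |
@@ -97,6 +97,33 @@ Relevant environment variables:
 
  ## Common Patterns
 
+ ### Browser-Safe Project Access Reads
+
+ Use a publishable key and an authenticated user JWT in browser code. These
+ helpers only read project access for the current user; membership invitation,
+ project grant, project revoke, and account capability mutation remain
+ server-only operations.
+
+ ```ts
+ const spaps = new SPAPSClient({
+ apiUrl: "https://api.example.test",
+ publishableKey: "spaps_pub_example",
+ });
+
+ spaps.setAccessToken(userAccessToken);
+
+ const projects = await spaps.entitlements.listCurrentUserProjects({
+ entitlementKey: "pds.project.viewer",
+ });
+
+ const access = await spaps.entitlements.checkCurrentUserProjectAccess({
+ projectId: "project_123",
+ entitlementKey: "pds.project.viewer",
+ });
+
+ console.log(projects.count, access.has_access);
+ ```
+
  ### Typed Secure Messages
 
  ```ts
@@ -484,7 +511,7 @@ npm run test:readme
  ## Metadata
 
  - `package_name`: `spaps-sdk`
- - `latest_version`: `1.10.1`
+ - `latest_version`: `1.10.2`
  - `minimum_runtime`: `Node.js >=14.0.0`
  - `api_base_url`: `https://api.sweetpotato.dev`
 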
package/dist/index.d.mts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as spaps_types from 'spaps-types';
2
- import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportAttachmentOut, ListIssueReportAttachmentsResponse, IssueReportAttachmentAccessResponse, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, ListIssueReportMessagesResponse, CreateReporterMessageRequest, IssueReportMessage, CreateOperatorMessageRequest, RetractOperatorMessageRequest, CreateAppLinkRequest, AppLink, UpdateAppLinkRequest, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, X402ResourceStatusResponse, X402ActionResponse, X402ReceiptResponse, X402ReceiptListResponse, X402HandoffVerification, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayrateX402BookingRequest, DayrateX402BookingResponse, DayrateCheckoutStatusResponse, UsageControlFeaturesResponse, UsageControlStatusRequest, UsageControlStatusResponse, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, Subscription, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
- export { AdminPermission, AdminRole, AdminUser, ApiResponse, AppLink, AuthResponse, CheckoutSession, CreateAppLinkRequest, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreateOperatorMessageRequest, CreatePriceRequest, CreateProductRequest, CreateReporterMessageRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateCheckoutStatus, DayrateCheckoutStatusBooking, DayrateCheckoutStatusResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, DayrateX402BookingRequest, DayrateX402BookingResponse, Entitlement, IssueReport, IssueReportAttachmentAccessResponse, IssueReportAttachmentOut, IssueReportListResult, IssueReportMessage, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, ListIssueReportAttachmentsResponse, ListIssueReportMessagesResponse, Price, Product, ProductSyncResult, ReplyIssueReportRequest, ResourceType, RetractOperatorMessageRequest, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateAppLinkRequest, UpdateIssueReportRequest, UpdateProductRequest, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlDecision, UsageControlDimensions, UsageControlError, UsageControlErrorCode, UsageControlFeaturesResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, UsageControlLedgerEvent, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlRecordStatus, UsageControlStatusRequest, UsageControlStatusResponse, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, X402ActionFreeResponse, X402ActionOutcome, X402ActionPendingResponse, X402ActionReplayedResponse, X402ActionResponse, 
X402ActionSettledResponse, X402ExecuteActionRequest, X402HandoffAuthorization, X402HandoffVerification, X402HandoffVerifyRequest, X402PaymentAccept, X402PaymentRequirement, X402ProjectionStatus, X402Receipt, X402ReceiptListResponse, X402ReceiptResponse, X402ReceiptStatus, X402Resource, X402ResourceStatus, X402ResourceStatusResponse, atomicToMoneyUnits, createSecureMessageRequestSchema, isX402PaymentRequired, isX402ResourceStatus, moneyUnitsToAtomic, roundHalfToPositiveInfinity, secureMessageMetadataSchema, secureMessageSchema, validatePositiveAmountAtomic } from 'spaps-types';
2
+ import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, ListProjectGrantsResponse, ProjectAccessCheckResponse, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportAttachmentOut, ListIssueReportAttachmentsResponse, IssueReportAttachmentAccessResponse, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, ListIssueReportMessagesResponse, CreateReporterMessageRequest, IssueReportMessage, CreateOperatorMessageRequest, RetractOperatorMessageRequest, CreateAppLinkRequest, AppLink, UpdateAppLinkRequest, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, X402ResourceStatusResponse, X402ActionResponse, X402ReceiptResponse, X402ReceiptListResponse, X402HandoffVerification, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayrateX402BookingRequest, DayrateX402BookingResponse, DayrateCheckoutStatusResponse, UsageControlFeaturesResponse, UsageControlStatusRequest, UsageControlStatusResponse, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, Subscription, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
+ export { AdminPermission, AdminRole, AdminUser, ApiResponse, AppLink, AuthResponse, CheckoutSession, CreateAppLinkRequest, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreateOperatorMessageRequest, CreatePriceRequest, CreateProductRequest, CreateReporterMessageRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateCheckoutStatus, DayrateCheckoutStatusBooking, DayrateCheckoutStatusResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, DayrateX402BookingRequest, DayrateX402BookingResponse, Entitlement, IssueReport, IssueReportAttachmentAccessResponse, IssueReportAttachmentOut, IssueReportListResult, IssueReportMessage, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, ListIssueReportAttachmentsResponse, ListIssueReportMessagesResponse, ListProjectGrantsResponse, Price, Product, ProductSyncResult, ProjectAccessCheckResponse, ProjectGrant, ProjectGrantStatus, ReplyIssueReportRequest, ResourceType, RetractOperatorMessageRequest, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateAppLinkRequest, UpdateIssueReportRequest, UpdateProductRequest, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlDecision, UsageControlDimensions, UsageControlError, UsageControlErrorCode, UsageControlFeaturesResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, UsageControlLedgerEvent, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlRecordStatus, UsageControlStatusRequest, UsageControlStatusResponse, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, X402ActionFreeResponse, X402ActionOutcome, 
X402ActionPendingResponse, X402ActionReplayedResponse, X402ActionResponse, X402ActionSettledResponse, X402ExecuteActionRequest, X402HandoffAuthorization, X402HandoffVerification, X402HandoffVerifyRequest, X402PaymentAccept, X402PaymentRequirement, X402ProjectionStatus, X402Receipt, X402ReceiptListResponse, X402ReceiptResponse, X402ReceiptStatus, X402Resource, X402ResourceStatus, X402ResourceStatusResponse, atomicToMoneyUnits, createSecureMessageRequestSchema, isX402PaymentRequired, isX402ResourceStatus, moneyUnitsToAtomic, roundHalfToPositiveInfinity, secureMessageMetadataSchema, secureMessageSchema, validatePositiveAmountAtomic } from 'spaps-types';
4
4
 
5
5
  /**
6
6
  * Permission checking utilities for SPAPS SDK
@@ -417,6 +417,22 @@ interface EntitlementCheckResult {
417
417
  /** The matching entitlement, if any */
418
418
  entitlement?: Entitlement;
419
419
  }
420
+ interface CurrentUserProjectGrantListParams {
421
+ /** Filter to one project entitlement key, such as "pds.project.viewer" */
422
+ entitlementKey?: string;
423
+ /** Maximum number of project grants to return */
424
+ limit?: number;
425
+ /** Zero-based item offset */
426
+ offset?: number;
427
+ /** Opaque pagination cursor */
428
+ cursor?: string;
429
+ }
430
+ interface CurrentUserProjectAccessParams {
431
+ /** Project to check */
432
+ projectId: string;
433
+ /** Project entitlement key to check, such as "pds.project.viewer" */
434
+ entitlementKey: string;
435
+ }
420
436
  type SupportedIssueReportScope = Extract<IssueReportScope, 'mine'>;
421
437
  interface IssueReportListParams {
422
438
  status?: IssueReportStatus;
@@ -698,6 +714,7 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
698
714
  private headerProvider?;
699
715
  private unwrapApiResponse;
700
716
  private skillEvalMutationConfig;
717
+ private requireCurrentUserIdFromAccessToken;
701
718
  private isAxiosResponse;
702
719
  private isResponseLikeWithData;
703
720
  private isApiResponse;
@@ -779,6 +796,20 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
779
796
  * @param resourceId - Optional specific resource ID.
780
797
  */
781
798
  listByResource: (resourceType: ResourceType, resourceId?: string) => Promise<Entitlement[]>;
799
+ /**
800
+ * List project grants for the authenticated user.
801
+ *
802
+ * Browser/publishable-key contexts are safe here because the server requires
803
+ * the JWT subject to match the path user id.
804
+ */
805
+ listCurrentUserProjects: (params?: CurrentUserProjectGrantListParams) => Promise<ListProjectGrantsResponse>;
806
+ /**
807
+ * Check whether the authenticated user has one project entitlement.
808
+ *
809
+ * The helper does not accept user/email overrides; publishable-key callers
810
+ * are scoped by the server to the JWT identity.
811
+ */
812
+ checkCurrentUserProjectAccess: (params: CurrentUserProjectAccessParams) => Promise<ProjectAccessCheckResponse>;
782
813
  };
783
814
  /**
784
815
  * Issue reporting namespace for authenticated end-user issue flows.
@@ -1478,4 +1509,4 @@ declare function createServerClient(secretKey: string, options?: Omit<SPAPSConfi
1478
1509
  */
1479
1510
  declare function detectKeyType(key: string): ApiKeyType | null;
1480
1511
 
1481
- export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, type CreateSkillEvalCaseRequest, type CreateSkillEvalGovernanceSnapshotRequest, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type HeaderProvider, type ImportSkillEvalGovernanceOutcomeRequest, type IssueReportAttachmentUploadOptions, type IssueReportListParams, type IssueReportStatusParams, type MarketingEventIngestRequest, type MarketingEventIngestResponse, type MarketingEventType, type MarketingExperimentDecision, type MarketingExperimentEffectDecision, type MarketingExperimentMinSampleDecision, type MarketingExperimentRecommendation, type MarketingExperimentResultsResponse, type MarketingExperimentSrmDecision, type MarketingExperimentSrmStatus, type MarketingExperimentVariantResult, type PermissionCheckResult, PermissionChecker, type RespondToSkillEvalReviewRequest, type RevealSkillEvalEvidenceRequest, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type SPAPSEnvelope, type SkillEvalAccessMode, type SkillEvalActorAccess, type SkillEvalCandidateInput, type SkillEvalCandidateResponse, type SkillEvalCasePolicy, type SkillEvalCaseResponse, type SkillEvalConfidence, type SkillEvalCreateOptions, type SkillEvalDisclosurePolicy, type SkillEvalEligibilitySource, type SkillEvalGovernanceOutcomeResult, type SkillEvalGovernancePurpose, type SkillEvalGovernanceSnapshotResult, type SkillEvalInsight, type SkillEvalInsightsResponse, type SkillEvalModelEffort, type SkillEvalMutationOptions, type SkillEvalPosterResponse, type SkillEvalPosterResponseResult, type SkillEvalRevealField, type SkillEvalRevealResult, type SkillEvalReviewMarkInput, type SkillEvalReviewMarkKind, type SkillEvalReviewResponse, type SkillEvalReviewRoom, type 
SkillEvalReviewerEligibilityInput, type SkillEvalRewardEvent, type SubmitSkillEvalReviewRequest, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, type X402ExecuteActionOptions, X402PaymentRequiredSDKError, type X402ReceiptListParams, type X402VerifyHandoffOptions, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, isEnvelope, isErrorEnvelope, isSuccessEnvelope, unwrapEnvelope, unwrapNestedData, verifyCryptoWebhookSignature };
1512
+ export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, type CreateSkillEvalCaseRequest, type CreateSkillEvalGovernanceSnapshotRequest, type CurrentUserProjectAccessParams, type CurrentUserProjectGrantListParams, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type HeaderProvider, type ImportSkillEvalGovernanceOutcomeRequest, type IssueReportAttachmentUploadOptions, type IssueReportListParams, type IssueReportStatusParams, type MarketingEventIngestRequest, type MarketingEventIngestResponse, type MarketingEventType, type MarketingExperimentDecision, type MarketingExperimentEffectDecision, type MarketingExperimentMinSampleDecision, type MarketingExperimentRecommendation, type MarketingExperimentResultsResponse, type MarketingExperimentSrmDecision, type MarketingExperimentSrmStatus, type MarketingExperimentVariantResult, type PermissionCheckResult, PermissionChecker, type RespondToSkillEvalReviewRequest, type RevealSkillEvalEvidenceRequest, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type SPAPSEnvelope, type SkillEvalAccessMode, type SkillEvalActorAccess, type SkillEvalCandidateInput, type SkillEvalCandidateResponse, type SkillEvalCasePolicy, type SkillEvalCaseResponse, type SkillEvalConfidence, type SkillEvalCreateOptions, type SkillEvalDisclosurePolicy, type SkillEvalEligibilitySource, type SkillEvalGovernanceOutcomeResult, type SkillEvalGovernancePurpose, type SkillEvalGovernanceSnapshotResult, type SkillEvalInsight, type SkillEvalInsightsResponse, type SkillEvalModelEffort, type SkillEvalMutationOptions, type SkillEvalPosterResponse, type SkillEvalPosterResponseResult, type SkillEvalRevealField, type SkillEvalRevealResult, type SkillEvalReviewMarkInput, type 
SkillEvalReviewMarkKind, type SkillEvalReviewResponse, type SkillEvalReviewRoom, type SkillEvalReviewerEligibilityInput, type SkillEvalRewardEvent, type SubmitSkillEvalReviewRequest, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, type X402ExecuteActionOptions, X402PaymentRequiredSDKError, type X402ReceiptListParams, type X402VerifyHandoffOptions, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, isEnvelope, isErrorEnvelope, isSuccessEnvelope, unwrapEnvelope, unwrapNestedData, verifyCryptoWebhookSignature };
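Review bot: The doc comments on `listCurrentUserProjects` and `checkCurrentUserProjectAccess` (hunk `-779,6 +796,20`) describe the server-side check but not what the caller can rely on. The new private member `requireCurrentUserIdFromAccessToken` suggests the path user id is read client-side from the token stored by `setAccessToken`, so I would add an `@throws` entry for the missing or unreadable-token case (inferred from the name; the implementation is not in this file) and a line such as `* The returned access result is advisory for UI decisions; the service that serves project data must enforce the grant itself.` In `CurrentUserProjectGrantListParams`, `offset` and `cursor` are both accepted with no stated precedence and `limit` has no documented maximum; one sentence on each field would settle it. The identical declarations in `package/dist/index.d.ts` need the same wording, and since both files are build output the change belongs in the source JSDoc.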
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import * as spaps_types from 'spaps-types';
2
- import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportAttachmentOut, ListIssueReportAttachmentsResponse, IssueReportAttachmentAccessResponse, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, ListIssueReportMessagesResponse, CreateReporterMessageRequest, IssueReportMessage, CreateOperatorMessageRequest, RetractOperatorMessageRequest, CreateAppLinkRequest, AppLink, UpdateAppLinkRequest, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, X402ResourceStatusResponse, X402ActionResponse, X402ReceiptResponse, X402ReceiptListResponse, X402HandoffVerification, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayrateX402BookingRequest, DayrateX402BookingResponse, DayrateCheckoutStatusResponse, UsageControlFeaturesResponse, UsageControlStatusRequest, UsageControlStatusResponse, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, Subscription, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
- export { AdminPermission, AdminRole, AdminUser, ApiResponse, AppLink, AuthResponse, CheckoutSession, CreateAppLinkRequest, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreateOperatorMessageRequest, CreatePriceRequest, CreateProductRequest, CreateReporterMessageRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateCheckoutStatus, DayrateCheckoutStatusBooking, DayrateCheckoutStatusResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, DayrateX402BookingRequest, DayrateX402BookingResponse, Entitlement, IssueReport, IssueReportAttachmentAccessResponse, IssueReportAttachmentOut, IssueReportListResult, IssueReportMessage, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, ListIssueReportAttachmentsResponse, ListIssueReportMessagesResponse, Price, Product, ProductSyncResult, ReplyIssueReportRequest, ResourceType, RetractOperatorMessageRequest, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateAppLinkRequest, UpdateIssueReportRequest, UpdateProductRequest, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlDecision, UsageControlDimensions, UsageControlError, UsageControlErrorCode, UsageControlFeaturesResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, UsageControlLedgerEvent, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlRecordStatus, UsageControlStatusRequest, UsageControlStatusResponse, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, X402ActionFreeResponse, X402ActionOutcome, X402ActionPendingResponse, X402ActionReplayedResponse, X402ActionResponse, 
X402ActionSettledResponse, X402ExecuteActionRequest, X402HandoffAuthorization, X402HandoffVerification, X402HandoffVerifyRequest, X402PaymentAccept, X402PaymentRequirement, X402ProjectionStatus, X402Receipt, X402ReceiptListResponse, X402ReceiptResponse, X402ReceiptStatus, X402Resource, X402ResourceStatus, X402ResourceStatusResponse, atomicToMoneyUnits, createSecureMessageRequestSchema, isX402PaymentRequired, isX402ResourceStatus, moneyUnitsToAtomic, roundHalfToPositiveInfinity, secureMessageMetadataSchema, secureMessageSchema, validatePositiveAmountAtomic } from 'spaps-types';
2
+ import { ResourceType, Entitlement, CreateProductRequest, Product, UpdateProductRequest, CreatePriceRequest, Price, ProductSyncResult, CryptoReconcileRequest, CreateSecureMessageRequest, SecureMessage, ListProjectGrantsResponse, ProjectAccessCheckResponse, IssueReportScope, IssueReportStatusResult, IssueReportStatus, IssueReportListResult, IssueReport, CreateIssueReportRequest, IssueReportAttachmentOut, ListIssueReportAttachmentsResponse, IssueReportAttachmentAccessResponse, IssueReportingVoiceTokenResult, UpdateIssueReportRequest, ReplyIssueReportRequest, ListIssueReportMessagesResponse, CreateReporterMessageRequest, IssueReportMessage, CreateOperatorMessageRequest, RetractOperatorMessageRequest, CreateAppLinkRequest, AppLink, UpdateAppLinkRequest, AuthResponse, User as User$1, CreateCryptoInvoiceRequest, CryptoInvoiceStatusSnapshot, CheckoutSession, X402ResourceStatusResponse, X402ActionResponse, X402ReceiptResponse, X402ReceiptListResponse, X402HandoffVerification, DayrateAvailabilityResponse, DayrateBookingRequest, DayrateBookingResponse, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayrateX402BookingRequest, DayrateX402BookingResponse, DayrateCheckoutStatusResponse, UsageControlFeaturesResponse, UsageControlStatusRequest, UsageControlStatusResponse, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, Subscription, VerifyCryptoWebhookSignatureOptions } from 'spaps-types';
3
+ export { AdminPermission, AdminRole, AdminUser, ApiResponse, AppLink, AuthResponse, CheckoutSession, CreateAppLinkRequest, CreateCryptoInvoiceRequest, CreateIssueReportRequest, CreateOperatorMessageRequest, CreatePriceRequest, CreateProductRequest, CreateReporterMessageRequest, CreateSecureMessageInput, CreateSecureMessageRequest, CryptoInvoice, CryptoInvoiceResponse, CryptoInvoiceStatusSnapshot, CryptoReconcileRequest, DayrateAvailabilityResponse, DayrateAvailableSlot, DayrateBookingRequest, DayrateBookingResponse, DayrateCheckoutStatus, DayrateCheckoutStatusBooking, DayrateCheckoutStatusResponse, DayrateDayOfWeek, DayrateMultiBookingRequest, DayrateMultiBookingResponse, DayratePriceBreakdown, DayrateSlotType, DayrateX402BookingRequest, DayrateX402BookingResponse, Entitlement, IssueReport, IssueReportAttachmentAccessResponse, IssueReportAttachmentOut, IssueReportListResult, IssueReportMessage, IssueReportStatus, IssueReportStatusResult, IssueReportTarget, IssueReportingInputMode, IssueReportingVoiceProvider, IssueReportingVoiceTokenResult, LinkedIssueReportCase, ListIssueReportAttachmentsResponse, ListIssueReportMessagesResponse, ListProjectGrantsResponse, Price, Product, ProductSyncResult, ProjectAccessCheckResponse, ProjectGrant, ProjectGrantStatus, ReplyIssueReportRequest, ResourceType, RetractOperatorMessageRequest, SecureMessage, SecureMessageOutput, Subscription, TokenPair, UpdateAppLinkRequest, UpdateIssueReportRequest, UpdateProductRequest, UsageControlAuthorizeRequest, UsageControlAuthorizeResponse, UsageControlDecision, UsageControlDimensions, UsageControlError, UsageControlErrorCode, UsageControlFeaturesResponse, UsageControlHistoryRequest, UsageControlHistoryResponse, UsageControlLedgerEvent, UsageControlRecordRequest, UsageControlRecordResponse, UsageControlRecordStatus, UsageControlStatusRequest, UsageControlStatusResponse, User, UserProfile, UserRole, UserWallet, VerifyCryptoWebhookSignatureOptions, X402ActionFreeResponse, X402ActionOutcome, 
X402ActionPendingResponse, X402ActionReplayedResponse, X402ActionResponse, X402ActionSettledResponse, X402ExecuteActionRequest, X402HandoffAuthorization, X402HandoffVerification, X402HandoffVerifyRequest, X402PaymentAccept, X402PaymentRequirement, X402ProjectionStatus, X402Receipt, X402ReceiptListResponse, X402ReceiptResponse, X402ReceiptStatus, X402Resource, X402ResourceStatus, X402ResourceStatusResponse, atomicToMoneyUnits, createSecureMessageRequestSchema, isX402PaymentRequired, isX402ResourceStatus, moneyUnitsToAtomic, roundHalfToPositiveInfinity, secureMessageMetadataSchema, secureMessageSchema, validatePositiveAmountAtomic } from 'spaps-types';
4
4
 
5
5
  /**
6
6
  * Permission checking utilities for SPAPS SDK
@@ -417,6 +417,22 @@ interface EntitlementCheckResult {
417
417
  /** The matching entitlement, if any */
418
418
  entitlement?: Entitlement;
419
419
  }
420
+ interface CurrentUserProjectGrantListParams {
421
+ /** Filter to one project entitlement key, such as "pds.project.viewer" */
422
+ entitlementKey?: string;
423
+ /** Maximum number of project grants to return */
424
+ limit?: number;
425
+ /** Zero-based item offset */
426
+ offset?: number;
427
+ /** Opaque pagination cursor */
428
+ cursor?: string;
429
+ }
430
+ interface CurrentUserProjectAccessParams {
431
+ /** Project to check */
432
+ projectId: string;
433
+ /** Project entitlement key to check, such as "pds.project.viewer" */
434
+ entitlementKey: string;
435
+ }
420
436
  type SupportedIssueReportScope = Extract<IssueReportScope, 'mine'>;
421
437
  interface IssueReportListParams {
422
438
  status?: IssueReportStatus;
@@ -698,6 +714,7 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
698
714
  private headerProvider?;
699
715
  private unwrapApiResponse;
700
716
  private skillEvalMutationConfig;
717
+ private requireCurrentUserIdFromAccessToken;
701
718
  private isAxiosResponse;
702
719
  private isResponseLikeWithData;
703
720
  private isApiResponse;
@@ -779,6 +796,20 @@ declare class SPAPSClient<SecureMessageMetadata extends Record<string, any> = Re
779
796
  * @param resourceId - Optional specific resource ID.
780
797
  */
781
798
  listByResource: (resourceType: ResourceType, resourceId?: string) => Promise<Entitlement[]>;
799
+ /**
800
+ * List project grants for the authenticated user.
801
+ *
802
+ * Browser/publishable-key contexts are safe here because the server requires
803
+ * the JWT subject to match the path user id.
804
+ */
805
+ listCurrentUserProjects: (params?: CurrentUserProjectGrantListParams) => Promise<ListProjectGrantsResponse>;
806
+ /**
807
+ * Check whether the authenticated user has one project entitlement.
808
+ *
809
+ * The helper does not accept user/email overrides; publishable-key callers
810
+ * are scoped by the server to the JWT identity.
811
+ */
812
+ checkCurrentUserProjectAccess: (params: CurrentUserProjectAccessParams) => Promise<ProjectAccessCheckResponse>;
782
813
  };
783
814
  /**
784
815
  * Issue reporting namespace for authenticated end-user issue flows.
@@ -1478,4 +1509,4 @@ declare function createServerClient(secretKey: string, options?: Omit<SPAPSConfi
1478
1509
  */
1479
1510
  declare function detectKeyType(key: string): ApiKeyType | null;
1480
1511
 
1481
- export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, type CreateSkillEvalCaseRequest, type CreateSkillEvalGovernanceSnapshotRequest, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type HeaderProvider, type ImportSkillEvalGovernanceOutcomeRequest, type IssueReportAttachmentUploadOptions, type IssueReportListParams, type IssueReportStatusParams, type MarketingEventIngestRequest, type MarketingEventIngestResponse, type MarketingEventType, type MarketingExperimentDecision, type MarketingExperimentEffectDecision, type MarketingExperimentMinSampleDecision, type MarketingExperimentRecommendation, type MarketingExperimentResultsResponse, type MarketingExperimentSrmDecision, type MarketingExperimentSrmStatus, type MarketingExperimentVariantResult, type PermissionCheckResult, PermissionChecker, type RespondToSkillEvalReviewRequest, type RevealSkillEvalEvidenceRequest, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type SPAPSEnvelope, type SkillEvalAccessMode, type SkillEvalActorAccess, type SkillEvalCandidateInput, type SkillEvalCandidateResponse, type SkillEvalCasePolicy, type SkillEvalCaseResponse, type SkillEvalConfidence, type SkillEvalCreateOptions, type SkillEvalDisclosurePolicy, type SkillEvalEligibilitySource, type SkillEvalGovernanceOutcomeResult, type SkillEvalGovernancePurpose, type SkillEvalGovernanceSnapshotResult, type SkillEvalInsight, type SkillEvalInsightsResponse, type SkillEvalModelEffort, type SkillEvalMutationOptions, type SkillEvalPosterResponse, type SkillEvalPosterResponseResult, type SkillEvalRevealField, type SkillEvalRevealResult, type SkillEvalReviewMarkInput, type SkillEvalReviewMarkKind, type SkillEvalReviewResponse, type SkillEvalReviewRoom, type 
SkillEvalReviewerEligibilityInput, type SkillEvalRewardEvent, type SubmitSkillEvalReviewRequest, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, type X402ExecuteActionOptions, X402PaymentRequiredSDKError, type X402ReceiptListParams, type X402VerifyHandoffOptions, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, isEnvelope, isErrorEnvelope, isSuccessEnvelope, unwrapEnvelope, unwrapNestedData, verifyCryptoWebhookSignature };
1512
+ export { type AdminConfig, type ApiKeyType, type CheckoutLineItem, type CheckoutLineItemPriceData, type CreateCheckoutSessionPayload, type CreateSkillEvalCaseRequest, type CreateSkillEvalGovernanceSnapshotRequest, type CurrentUserProjectAccessParams, type CurrentUserProjectGrantListParams, DEFAULT_ADMIN_ACCOUNTS, type EmailSendOptions, type EmailSendResult, type EmailTemplate, type EmailTemplatePreview, type EntitlementCheckResult, type EntitlementListParams, type FeatureContext, type FeatureDefinition, FeatureEvaluator, type HeaderProvider, type ImportSkillEvalGovernanceOutcomeRequest, type IssueReportAttachmentUploadOptions, type IssueReportListParams, type IssueReportStatusParams, type MarketingEventIngestRequest, type MarketingEventIngestResponse, type MarketingEventType, type MarketingExperimentDecision, type MarketingExperimentEffectDecision, type MarketingExperimentMinSampleDecision, type MarketingExperimentRecommendation, type MarketingExperimentResultsResponse, type MarketingExperimentSrmDecision, type MarketingExperimentSrmStatus, type MarketingExperimentVariantResult, type PermissionCheckResult, PermissionChecker, type RespondToSkillEvalReviewRequest, type RevealSkillEvalEvidenceRequest, RoleHierarchy, SPAPSClient as SPAPS, SPAPSClient, type SPAPSConfig, type SPAPSEnvelope, type SkillEvalAccessMode, type SkillEvalActorAccess, type SkillEvalCandidateInput, type SkillEvalCandidateResponse, type SkillEvalCasePolicy, type SkillEvalCaseResponse, type SkillEvalConfidence, type SkillEvalCreateOptions, type SkillEvalDisclosurePolicy, type SkillEvalEligibilitySource, type SkillEvalGovernanceOutcomeResult, type SkillEvalGovernancePurpose, type SkillEvalGovernanceSnapshotResult, type SkillEvalInsight, type SkillEvalInsightsResponse, type SkillEvalModelEffort, type SkillEvalMutationOptions, type SkillEvalPosterResponse, type SkillEvalPosterResponseResult, type SkillEvalRevealField, type SkillEvalRevealResult, type SkillEvalReviewMarkInput, type 
SkillEvalReviewMarkKind, type SkillEvalReviewResponse, type SkillEvalReviewRoom, type SkillEvalReviewerEligibilityInput, type SkillEvalRewardEvent, type SubmitSkillEvalReviewRequest, type TemplateVariable, TokenManager, WalletUtils, WebSocketAuthHelper, type WebSocketAuthHelperConfig, type X402ExecuteActionOptions, X402PaymentRequiredSDKError, type X402ReceiptListParams, type X402VerifyHandoffOptions, canAccessAdmin, createBrowserClient, createPermissionChecker, createServerClient, SPAPSClient as default, defaultPermissionChecker, detectKeyType, getRoleAwareErrorMessage, getUserDisplay, getUserRole, hasPermission, isAdminAccount, isEnvelope, isErrorEnvelope, isSuccessEnvelope, unwrapEnvelope, unwrapNestedData, verifyCryptoWebhookSignature };
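--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -563,6 +563,17 @@ var SPAPSClient = class _SPAPSClient {
  }
  return { headers: { "If-Match": String(ifMatch) } };
  }
+ requireCurrentUserIdFromAccessToken() {
+ if (!this.accessToken) {
+ throw new Error("Authentication required. Please authenticate first.");
+ }
+ const payload = TokenManager.decodePayload(this.accessToken);
+ const userId = payload?.user_id ?? payload?.sub;
+ if (typeof userId !== "string" || userId.length === 0) {
+ throw new Error("Current user id not found in access token.");
+ }
+ return userId;
+ }
  isAxiosResponse(value) {
  if (!value || typeof value !== "object") {
  return false;
@@ -701,6 +712,46 @@ var SPAPSClient = class _SPAPSClient {
  return payload.entitlements;
  }
  return payload;
+ },
+ /**
+ * List project grants for the authenticated user.
+ *
+ * Browser/publishable-key contexts are safe here because the server requires
+ * the JWT subject to match the path user id.
+ */
+ listCurrentUserProjects: async (params) => {
+ const userId = this.requireCurrentUserIdFromAccessToken();
+ const q = new URLSearchParams();
+ if (params?.entitlementKey) q.append("entitlement_key", params.entitlementKey);
+ if (params?.limit !== void 0) q.append("limit", String(params.limit));
+ if (params?.offset !== void 0) q.append("offset", String(params.offset));
+ if (params?.cursor) q.append("cursor", params.cursor);
+ const qs = q.toString();
+ const res = await this.client.get(
+ `/api/project-grants/user/${encodeURIComponent(userId)}/projects${qs ? `?${qs}` : ""}`,
+ { headers: { Authorization: `Bearer ${this.accessToken}` } }
+ );
+ return this.unwrapApiResponse(res, "Failed to list current user project grants");
+ },
+ /**
+ * Check whether the authenticated user has one project entitlement.
+ *
+ * The helper does not accept user/email overrides; publishable-key callers
+ * are scoped by the server to the JWT identity.
+ */
+ checkCurrentUserProjectAccess: async (params) => {
+ if (!this.accessToken) {
+ throw new Error("Authentication required. Please authenticate first.");
+ }
+ const q = new URLSearchParams({
+ project_id: params.projectId,
+ entitlement_key: params.entitlementKey
+ });
+ const res = await this.client.get(
+ `/api/project-grants/check?${q.toString()}`,
+ { headers: { Authorization: `Bearer ${this.accessToken}` } }
+ );
+ return this.unwrapApiResponse(res, "Failed to check current user project access");
  }
  };
  /**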
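Review bot: In `requireCurrentUserIdFromAccessToken` the path user id comes from a locally decoded token payload with `user_id` preferred over `sub`, while the doc comment on `listCurrentUserProjects` says the server matches the path against the JWT subject. Nothing in these hunks shows `TokenManager.decodePayload` verifying a signature, so the value is presumably unverified and should serve only to address the request; a comment such as `// Unverified claim: used only to build the path, the server enforces the match` would make that explicit, and if the two claims can ever differ, `payload?.sub ?? payload?.user_id` keeps the path aligned with what the server checks. In `checkCurrentUserProjectAccess`, `params.projectId` and `params.entitlementKey` go into `new URLSearchParams({...})` unchecked, so a missing value is sent as the literal string `undefined`; a guard like `if (!params?.projectId || !params?.entitlementKey) throw new Error("projectId and entitlementKey are required.");` fails locally instead. The same code appears in `package/dist/index.mjs`, both files look like build output so the change belongs in the source they are generated from, and the enclosing object literal and class start outside the hunks.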
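--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -528,6 +528,17 @@ var SPAPSClient = class _SPAPSClient {
  }
  return { headers: { "If-Match": String(ifMatch) } };
  }
+ requireCurrentUserIdFromAccessToken() {
+ if (!this.accessToken) {
+ throw new Error("Authentication required. Please authenticate first.");
+ }
+ const payload = TokenManager.decodePayload(this.accessToken);
+ const userId = payload?.user_id ?? payload?.sub;
+ if (typeof userId !== "string" || userId.length === 0) {
+ throw new Error("Current user id not found in access token.");
+ }
+ return userId;
+ }
  isAxiosResponse(value) {
  if (!value || typeof value !== "object") {
  return false;
@@ -666,6 +677,46 @@ var SPAPSClient = class _SPAPSClient {
  return payload.entitlements;
  }
  return payload;
+ },
+ /**
+ * List project grants for the authenticated user.
+ *
+ * Browser/publishable-key contexts are safe here because the server requires
+ * the JWT subject to match the path user id.
+ */
+ listCurrentUserProjects: async (params) => {
+ const userId = this.requireCurrentUserIdFromAccessToken();
+ const q = new URLSearchParams();
+ if (params?.entitlementKey) q.append("entitlement_key", params.entitlementKey);
+ if (params?.limit !== void 0) q.append("limit", String(params.limit));
+ if (params?.offset !== void 0) q.append("offset", String(params.offset));
+ if (params?.cursor) q.append("cursor", params.cursor);
+ const qs = q.toString();
+ const res = await this.client.get(
+ `/api/project-grants/user/${encodeURIComponent(userId)}/projects${qs ? `?${qs}` : ""}`,
+ { headers: { Authorization: `Bearer ${this.accessToken}` } }
+ );
+ return this.unwrapApiResponse(res, "Failed to list current user project grants");
+ },
+ /**
+ * Check whether the authenticated user has one project entitlement.
+ *
+ * The helper does not accept user/email overrides; publishable-key callers
+ * are scoped by the server to the JWT identity.
+ */
+ checkCurrentUserProjectAccess: async (params) => {
+ if (!this.accessToken) {
+ throw new Error("Authentication required. Please authenticate first.");
+ }
+ const q = new URLSearchParams({
+ project_id: params.projectId,
+ entitlement_key: params.entitlementKey
+ });
+ const res = await this.client.get(
+ `/api/project-grants/check?${q.toString()}`,
+ { headers: { Authorization: `Bearer ${this.accessToken}` } }
+ );
+ return this.unwrapApiResponse(res, "Failed to check current user project access");
  }
  };
  /**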
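--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "spaps-sdk",
- "version": "1.10.2",
+ "version": "1.11.0",
  "description": "Sweet Potato Authentication & Payment Service SDK - Zero-config client with built-in permission checking, role-based access control, and dayrate scheduling",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -81,4 +81,4 @@
  "engines": {
  "node": ">=14.0.0"
  }
- }
+ }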