tredi-sdk 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md ADDED
@@ -0,0 +1,55 @@
1
+ # Changelog
2
+
3
+ All notable changes to this project are documented here.
4
+
5
+ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
+ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
+
8
+ ## [Unreleased]
9
+
10
+ <!--
11
+ Add entries under the relevant heading as you work. Move them into a new
12
+ versioned section on release.
13
+
14
+ ### Added
15
+ ### Changed
16
+ ### Deprecated
17
+ ### Removed
18
+ ### Fixed
19
+ ### Security
20
+ -->
21
+
22
+ ### Security
23
+
24
+ - Every request now rejects an id (`mediaId`, `postId`, `replyId`, `userId`,
25
+ `containerId`, ...) that contains `?`, `#`, or whitespace before it's
26
+ interpolated into the request path, throwing `ThreadsValidationError`
27
+ instead of silently building a request with smuggled query params or an
28
+ unintended path. This matters most when an id comes from untrusted input
29
+ (e.g. an inbound webhook payload) and was never validated by the caller.
30
+ - Added regression tests pinning down that OAuth secrets (`client_secret`,
31
+ the one-time `code`) and access tokens never reach a configured `logger`,
32
+ including for `exchangeForLongLivedToken` (a GET request where
33
+ `client_secret` is genuinely part of the URL sent to Meta, though never
34
+ part of what the SDK logs) and for failed requests.
35
+
36
+ ## [0.1.0] - 2026-06-20
37
+
38
+ ### Added
39
+
40
+ - Initial release.
41
+ - `ThreadsClient` with resource namespaces: `profile`, `posts`, `publishing`,
42
+ `replies`, `insights`, `mentions`, `search`.
43
+ - Standalone OAuth helpers: `getAuthorizationUrl`, `exchangeCodeForToken`,
44
+ `exchangeForLongLivedToken`, `refreshLongLivedToken`.
45
+ - Core HTTP engine: per-request timeout, idempotency-aware retries with
46
+ exponential backoff + jitter, `Retry-After` support.
47
+ - Typed error hierarchy (`ThreadsError` and subtypes) with Graph error mapping.
48
+ - Redacting logging hooks — access tokens, app secrets, and OAuth codes are
49
+ never logged.
50
+ - Dual ESM/CJS build with type declarations; `sideEffects: false`.
51
+ - Post deletion (`publishing.deletePost`) and polls (`publishing.publishPoll`).
52
+
53
+ <!-- Replace egnedko once this repo has a real home on GitHub. -->
54
+ [Unreleased]: https://github.com/egnedko/tredi-sdk/compare/v0.1.0...HEAD
55
+ [0.1.0]: https://github.com/egnedko/tredi-sdk/releases/tag/v0.1.0
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Ievgen Gniedko
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,278 @@
1
+ # Tredi (Threads API sdk)
2
+
3
+ <!-- Replace egnedko once this repo has a real home on GitHub. -->
4
+ [![CI](https://github.com/egnedko/tredi-sdk/actions/workflows/ci.yml/badge.svg)](https://github.com/egnedko/tredi-sdk/actions/workflows/ci.yml)
5
+ [![npm version](https://img.shields.io/npm/v/tredi-sdk.svg)](https://www.npmjs.com/package/tredi-sdk)
6
+ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
7
+
8
+ A typed, ESM-first SDK for the [Meta Threads API](https://developers.facebook.com/docs/threads).
9
+
10
+ - **TypeScript-first** — strict types, every endpoint and field modeled from the official docs.
11
+ - **Zero runtime dependencies** — uses the platform `fetch` (Node 18+, Bun, Deno, edge).
12
+ - **Production-ready** — request timeout, idempotency-safe retries with backoff, typed errors, redacting log hooks.
13
+ - **ESM + CJS** — dual output, `sideEffects: false`, tree-shakeable.
14
+ - **Security-first** — access tokens and app secrets are never written to logs.
15
+
16
+ > Scope: this SDK models the documented Threads endpoints — publishing (text, image, video, carousel, polls, deletion), posts, replies & moderation, insights, mentions, keyword search, quota, OAuth. See [Coverage](#coverage).
17
+
18
+ ## Documentation
19
+
20
+ - [API Reference](./docs/api-reference.md) — every export, signatures, scopes, endpoint mapping
21
+ - [Architecture](./docs/architecture.md) — design, request lifecycle, retry model, decisions (with diagrams)
22
+ - [Guides](./docs/guides.md) — task recipes: OAuth, publishing, reply automation, analytics, errors
23
+ - [Examples](./examples) — runnable scripts
24
+
25
+ ## Install
26
+
27
+ ```bash
28
+ pnpm add tredi-sdk
29
+ # or: npm i tredi-sdk / yarn add tredi-sdk
30
+ ```
31
+
32
+ Requires Node 18+ (global `fetch`). On older runtimes, pass a `fetch` implementation in the client config.
33
+
34
+ ## Quick start
35
+
36
+ ```ts
37
+ import { ThreadsClient } from 'tredi-sdk'
38
+
39
+ const threads = new ThreadsClient({ accessToken: process.env.THREADS_TOKEN! })
40
+
41
+ // Who am I?
42
+ const me = await threads.profile.get()
43
+ console.log(me.username)
44
+
45
+ // Publish a text post (create container → publish, handled for you)
46
+ const post = await threads.publishing.publishText('Hello, Threads 👋')
47
+ console.log('Published:', post.id)
48
+ ```
49
+
50
+ ## Authentication
51
+
52
+ Token-exchange helpers are standalone functions (tree-shakeable) and **must run server-side** — they require your app secret.
53
+
54
+ ```ts
55
+ import {
56
+ getAuthorizationUrl,
57
+ exchangeCodeForToken,
58
+ exchangeForLongLivedToken,
59
+ refreshLongLivedToken,
60
+ } from 'tredi-sdk'
61
+
62
+ // 1. Redirect the user to the authorization window.
63
+ const url = getAuthorizationUrl({
64
+ clientId: process.env.THREADS_APP_ID!,
65
+ redirectUri: 'https://app.example.com/auth/threads/callback',
66
+ scopes: ['threads_basic', 'threads_content_publish', 'threads_manage_replies'],
67
+ state: csrfToken, // verify this on the callback
68
+ })
69
+
70
+ // 2. In your callback handler, exchange the code for a short-lived token.
71
+ const short = await exchangeCodeForToken({
72
+ clientId: process.env.THREADS_APP_ID!,
73
+ clientSecret: process.env.THREADS_APP_SECRET!,
74
+ code,
75
+ redirectUri: 'https://app.example.com/auth/threads/callback',
76
+ })
77
+
78
+ // 3. Upgrade to a long-lived (~60 day) token and store it.
79
+ const long = await exchangeForLongLivedToken({
80
+ clientSecret: process.env.THREADS_APP_SECRET!,
81
+ shortLivedToken: short.access_token,
82
+ })
83
+
84
+ // 4. Before it expires (and at least 24h old), refresh it for another 60 days.
85
+ const refreshed = await refreshLongLivedToken({ longLivedToken: long.access_token })
86
+ ```
87
+
88
+ **Scopes** (validated against the docs): `threads_basic` (required), `threads_content_publish`, `threads_read_replies`, `threads_manage_replies`, `threads_manage_insights`, `threads_keyword_search`, `threads_delete`, `threads_location_tagging`.
89
+
90
+ ## Usage
91
+
92
+ ### Profile
93
+
94
+ ```ts
95
+ await threads.profile.get() // the token owner ("me")
96
+ await threads.profile.get({ userId: '178...' }) // a specific user
97
+ ```
98
+
99
+ ### Posts (retrieve & discover)
100
+
101
+ ```ts
102
+ const page = await threads.posts.list({ limit: 25 })
103
+ for (const post of page.data) console.log(post.text)
104
+
105
+ // Cursor pagination
106
+ const next = await threads.posts.list({ after: page.paging?.cursors?.after })
107
+
108
+ // A single post
109
+ await threads.posts.get('MEDIA_ID', { fields: ['id', 'text', 'permalink'] })
110
+ ```
111
+
112
+ ### Publishing
113
+
114
+ ```ts
115
+ // Text, image, video, carousel — each handles the container→publish flow.
116
+ await threads.publishing.publishText('gm ☕')
117
+ await threads.publishing.publishImage({ imageUrl: 'https://…/a.jpg', text: 'caption', altText: 'a cat' })
118
+ await threads.publishing.publishVideo({ videoUrl: 'https://…/v.mp4' }) // waits for processing
119
+ await threads.publishing.publishCarousel({
120
+ items: [{ imageUrl: 'https://…/1.jpg' }, { imageUrl: 'https://…/2.jpg' }],
121
+ text: 'a set',
122
+ })
123
+ await threads.publishing.publishPoll('Coffee or tea?', { optionA: 'Coffee', optionB: 'Tea' })
124
+
125
+ // Or drive the two steps manually for full control.
126
+ const { id: creationId } = await threads.publishing.createContainer({ mediaType: 'TEXT', text: 'hi' })
127
+ await threads.publishing.publishContainer(creationId)
128
+
129
+ // Delete a published post (requires the `threads_delete` scope).
130
+ await threads.publishing.deletePost(post.id)
131
+
132
+ // Remaining quotas (250 posts / 1000 replies / 100 deletes per 24h).
133
+ const limit = await threads.publishing.getPublishingLimit()
134
+ ```
135
+
136
+ ### Replies & moderation
137
+
138
+ ```ts
139
+ const replies = await threads.replies.list('MEDIA_ID')
140
+ const thread = await threads.replies.conversation('MEDIA_ID')
141
+
142
+ await threads.replies.publish('MEDIA_ID', 'Thanks for reading!')
143
+ await threads.replies.hide('REPLY_ID')
144
+ await threads.replies.unhide('REPLY_ID')
145
+
146
+ // Reply-approval queue (when enabled on the post)
147
+ const pending = await threads.replies.listPending('MEDIA_ID', { approvalStatus: 'pending' })
148
+ await threads.replies.managePending('REPLY_ID', true) // approve
149
+ ```
150
+
151
+ ### Insights
152
+
153
+ ```ts
154
+ await threads.insights.media('MEDIA_ID') // views, likes, replies, reposts, quotes, shares
155
+ await threads.insights.user({ metrics: ['views', 'followers_count'] })
156
+ await threads.insights.user({ metrics: ['follower_demographics'], breakdown: 'country' })
157
+ ```
158
+
159
+ ### Mentions & keyword search
160
+
161
+ ```ts
162
+ const mentions = await threads.mentions.list()
163
+ const found = await threads.search.keyword('cold brew', { searchType: 'RECENT', limit: 50 })
164
+ ```
165
+
166
+ ## Configuration
167
+
168
+ ```ts
169
+ new ThreadsClient({
170
+ accessToken: '…', // required
171
+ userId: 'me', // default node for user-scoped calls
172
+ baseUrl: 'https://graph.threads.net',
173
+ version: 'v1.0',
174
+ timeoutMs: 30_000,
175
+ retry: { maxRetries: 2, initialDelayMs: 500, maxDelayMs: 8_000, backoffFactor: 2 }, // or `false`
176
+ logger: myLogger, // optional, see below
177
+ fetch: customFetch, // optional, for non-standard runtimes/tests
178
+ })
179
+ ```
180
+
181
+ ## Error handling
182
+
183
+ Every failure is an instance of `ThreadsError`. Narrow with `instanceof`:
184
+
185
+ | Class | When |
186
+ |---|---|
187
+ | `ThreadsValidationError` | Bad input — no request was sent |
188
+ | `ThreadsTimeoutError` | Request exceeded `timeoutMs` |
189
+ | `ThreadsNetworkError` | Connection failed before any response |
190
+ | `ThreadsAPIError` | Non-2xx response (`status`, `code`, `subcode`, `type`, `fbtraceId`) |
191
+ | `ThreadsAuthError` | Invalid/expired token (HTTP 401 or code 190) |
192
+ | `ThreadsRateLimitError` | Throttled (HTTP 429 / throttle code); `retryAfterMs` when known |
193
+
194
+ ```ts
195
+ import { ThreadsRateLimitError, ThreadsAuthError } from 'tredi-sdk'
196
+
197
+ try {
198
+ await threads.publishing.publishText('hi')
199
+ } catch (err) {
200
+ if (err instanceof ThreadsAuthError) await refreshAndRetry()
201
+ else if (err instanceof ThreadsRateLimitError) await wait(err.retryAfterMs ?? 60_000)
202
+ else throw err
203
+ }
204
+ ```
205
+
206
+ ## Retries & rate limits
207
+
208
+ Automatic retries use exponential backoff with equal jitter and honor a server `Retry-After`. Retries are **idempotency-aware** so a publish is never duplicated:
209
+
210
+ - **GET** retries on network errors, timeouts, `429`, and `5xx`.
211
+ - **POST** retries **only** on network errors and `429` (request rejected before processing) — never on `5xx`/timeout, which may have already taken effect.
212
+
213
+ Disable with `retry: false`, or tune per the [config](#configuration).
214
+
215
+ ## Logging & security
216
+
217
+ The SDK never writes to the console. Pass a `logger` to receive structured events; **tokens, app secrets, and OAuth codes are always redacted** before they reach it.
218
+
219
+ ```ts
220
+ const logger = { log: (level, message, ctx) => console[level]?.(message, ctx) }
221
+ new ThreadsClient({ accessToken, logger })
222
+ // → debug "threads.request.success" { method, url: "…access_token=REDACTED", attempt, durationMs }
223
+ ```
224
+
225
+ Security notes:
226
+
227
+ - Token-exchange helpers require the app secret — call them **server-side only**.
228
+ - Tokens are held in memory on the client instance and sent per request; they are never logged. Use `client.withToken(t)` to scope a token per user without mutating shared config.
229
+ - For multi-tenant storage, encrypt tokens at rest (e.g. Supabase Vault).
230
+
231
+ ## ESM / CJS & tree-shaking
232
+
233
+ Ships both ESM (`import`) and CJS (`require`) with `sideEffects: false`. Import only the OAuth helpers and your bundle won't pull in the client, and vice-versa.
234
+
235
+ ## Escape hatch
236
+
237
+ Need an endpoint the SDK doesn't model yet? Call any path with full response typing:
238
+
239
+ ```ts
240
+ const data = await threads.request<{ data: unknown[] }>({
241
+ method: 'GET',
242
+ path: '/me/threads',
243
+ params: { fields: 'id,text', limit: 5 },
244
+ })
245
+ ```
246
+
247
+ ## Coverage
248
+
249
+ | Area | Status |
250
+ |---|---|
251
+ | OAuth (code → short → long → refresh) | ✅ |
252
+ | Profile, Posts, Single media | ✅ |
253
+ | Publishing (text/image/video/carousel, container status, quota) | ✅ |
254
+ | Replies, Conversation, Hide/Unhide, Approval queue | ✅ |
255
+ | Insights (media + user, demographics breakdown) | ✅ |
256
+ | Mentions, Keyword search | ✅ |
257
+ | Post deletion | ✅ |
258
+
259
+ ## Development
260
+
261
+ ```bash
262
+ pnpm install
263
+ pnpm typecheck # tsc --noEmit
264
+ pnpm test # vitest (unit + mock-based)
265
+ pnpm test:coverage
266
+ pnpm lint # eslint
267
+ pnpm build # tsup → dist (esm + cjs + d.ts)
268
+ ```
269
+
270
+ ## Contributing
271
+
272
+ Issues and PRs welcome — see [CONTRIBUTING.md](./CONTRIBUTING.md). Please
273
+ follow the [Code of Conduct](./CODE_OF_CONDUCT.md). Found a security issue?
274
+ See [SECURITY.md](./SECURITY.md) instead of opening a public issue.
275
+
276
+ ## License
277
+
278
+ MIT — see [LICENSE](./LICENSE).