TryMellon

Changelog

Release history for @trymellon/js. Published automatically via semantic-release on push to main.

  1. v4.0.1 Bug fixes

    Patch release

    • Internal release housekeeping post-4.0.0 — no user-facing changes
  2. v4.0.0 Breaking changes

    Hosted onboarding sub-path + explicit session token in action signing

    • NEW: @trymellon/js/platform sub-path — stateless createPlatform({ apiBaseUrl }) factory exposing createSignupLink, getSignupStatus, awaitSignupCompletion. Bundle < 5 KB gzip (measured 2.92 KB)
    • NEW: TryMellonErrorCode gains INVALID_STATE — emitted by client.action.sign() when called without an active session (fail-fast, zero HTTP)
    • BREAKING: client.platform.signUp() and OnboardingManager class removed from main bundle (ADR-SDK-005). Hosted onboarding lives exclusively under @trymellon/js/platform
    • BREAKING: X-App-Id header removed from defaultHeaders — ghost header cleanup (backend never read it). The appId config field is still validated for back-compat
    • BREAKING: ApiClient.issueActionChallenge(body, sessionToken) and verifyActionSignature(challengeId, body, sessionToken) now require the session token as a positional argument
    • CHANGED: client.action.sign() passes user_session JWT explicitly via Authorization: Bearer override on POST /v1/actions/challenges and /verify (ADR-028 amendment 2026-04-23)
    • CHANGED: TryMellon.create(config).platform is typed as never (ADR-SDK-005 §2.3) — TS compiler rejects platform.signUp on all presets
    • PERF: core bundle 19.97 → 19.69 KB gzip (−0.28 KB from OnboardingManager removal)
  3. v3.7.0 New features

    B2B recovery SDK mapping

    • Added RECOVERY_USER_NOT_FOUND and RECOVERY_TICKET_LIMIT_EXCEEDED to TryMellonErrorCode union
    • Added WebhookEventType for recovery.enrollment.issued and recovery.enrollment.completed
    • Added RecoveryEnrollmentIssuedPayload and RecoveryEnrollmentCompletedPayload types
    • Exported new types from package barrel
    • Extracted BACKEND_ERROR_MAP to module-level for O(1) lookup on hot path
  4. v3.6.0 New features

    Web3 surface — SIWE + identity linking

    • Added client.siwe.{getNonce,prepareMessage,verifyAndSignIn} (preset web3 only)
    • Added client.identity.{linkEmail,verifyEmailLink,list,unlink} (preset web3 only)
    • Added preset: web3 to TryMellonConfig — narrows types at compile time
    • Added @trymellon/js/web3 sub-path for tree-shakeable web3 surface
    • Added prepareSiweMessage standalone export via sub-path
  5. v3.5.0 New features

    Action signing + DBSC session binding

    • Added client.action.sign(opts) — payloadHash SHA-256 hex, JWT 120s TTL
    • Added KP-DBSC-01 session binding via DeviceKeyVerifierImpl (ECDSA P-256)
    • Added client.getContextHash() — 64-character SHA-256 hex digest of the browser context
  6. v3.4.0 New features

    Offline JWT validation

    • Added client.session.verifyOffline(token) — WebCrypto, JWKS TTL 1h, clock skew ±30s
    • RS256 signature lock — rejects HS256 tokens
    • Flattens https://trymellon.dev/claims namespace to customClaims in SessionClaims
  7. v3.3.0 New features

    OIDC discovery + token introspection

    • Published JWKS at /.well-known/jwks.json with kid and RS256 alg
    • Added OIDC discovery at /.well-known/openid-configuration
    • Added RFC 7662-compatible token introspection endpoint
    • Added revocation push webhooks for session.revoked and credential.revoked
  8. v3.2.0 New features

    Shared SSE + polling fallback · unified abort semantics

    • Shared SSE-with-polling fallback (withSseFallback) extracted between cross-device and bridge flows — single tested implementation
    • Bridge: AbortSignal during SSE wait now propagates correctly (was silently dropped — operations hung instead of resolving)
    • Unified ABORT_ERROR code (previously ABORT_ERROR + ABORTED coexisted) — breaking at consumer level for code checking ABORTED
    • Mapped 13 backend QR_* error codes (qr_rate_limited, qr_session_expired, etc.) to SDK errors — were surfaced as unknown errors
    • validateSession: 30s cache + request coalescing — concurrent calls during a single page render hit the network once
    • README §Action Signing section + ActionSignOptions / ActionSignResult types documented
    • Fixed: startEmailFallback / verifyEmailCode payload field userId → user_id (backend expects snake_case — flow was silently failing)