Changelog

Release history for @trymellon/js. Published automatically via semantic-release on push to main.

v3.7.0 New features 2026-04-17

B2B recovery SDK mapping
- Added RECOVERY_USER_NOT_FOUND and RECOVERY_TICKET_LIMIT_EXCEEDED to TryMellonErrorCode union
- Added WebhookEventType for recovery.enrollment.issued and recovery.enrollment.completed
- Added RecoveryEnrollmentIssuedPayload and RecoveryEnrollmentCompletedPayload types
- Exported new types from package barrel
- Extracted BACKEND_ERROR_MAP to module-level for O(1) lookup on hot path
v3.6.0 New features 2026-04-09

Web3 surface — SIWE + identity linking
- Added client.siwe.{getNonce,prepareMessage,verifyAndSignIn} (preset web3 only)
- Added client.identity.{linkEmail,verifyEmailLink,list,unlink} (preset web3 only)
- Added preset: web3 to TryMellonConfig — narrows types at compile time
- Added @trymellon/js/web3 sub-path for tree-shakeable web3 surface
- Added prepareSiweMessage standalone export via sub-path
v3.5.0 New features 2026-03-28

Action signing + DBSC session binding
- Added client.action.sign(opts) — payloadHash SHA-256 hex, JWT 120s TTL
- Added KP-DBSC-01 session binding via DeviceKeyVerifierImpl (ECDSA P-256)
- Added client.getContextHash() — SHA-256 hex 64 of browser context
v3.4.0 New features 2026-03-14

Offline JWT validation
- Added client.session.verifyOffline(token) — WebCrypto, JWKS TTL 1h, clock skew ±30s
- RS256 signature lock — rejects HS256 tokens
- Flattens https://trymellon.dev/claims namespace to customClaims in SessionClaims
v3.3.0 New features 2026-03-01

OIDC discovery + token introspection
- Published JWKS at /.well-known/jwks.json with kid and RS256 alg
- Added OIDC discovery at /.well-known/openid-configuration
- Added token introspection endpoint RFC 7662 compatible
- Added revocation push webhooks for session.revoked and credential.revoked

B2B recovery SDK mapping

Web3 surface — SIWE + identity linking

Action signing + DBSC session binding

Offline JWT validation

OIDC discovery + token introspection