CodeSandbox build notice: the latest deployment of this branch is based on commit 488ab25.
Pull request overview
Monorepo release sync for v2026.2.8, updating generated SDK surface areas to reflect the latest Public API/Auth Proxy swagger changes—most notably the new encrypted OTP flow and newly versioned OTP-related activity types.
Changes:
- Version OTP activities and update generated clients/types to use `*_V2`/`*_V3` activity types and new OTP request/response shapes (encrypted bundles + required client signature).
- Extend API/type definitions (e.g., asset metadata `name`, supported CAIP-2 enums, TVC deployment spec changes, auth proxy additions like `socialLinkingClientIds`).
- Regenerate swagger/type artifacts across `sdk-types`, `sdk-server`, `sdk-browser`, `core`, and `http`.
Reviewed changes
Copilot reviewed 17 out of 29 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Sync pnpm override formatting for rollup. |
| package.json | Sync pnpm override formatting for rollup. |
| .changeset/short-bars-worry.md | Release notes/changeset for v2026.2.8 features and versioned OTP activities. |
| packages/sdk-types/src/inputs/public_api.types.ts | Updates public API type inputs (OTP v2/v3, asset metadata, CAIP-2 enums, TVC changes). |
| packages/sdk-types/src/inputs/public_api.swagger.json | Updates public API swagger inputs (OTP v2/v3, asset metadata, CAIP-2 enums, TVC changes). |
| packages/sdk-types/src/inputs/auth_proxy.swagger.json | Adds auth-proxy OTP v2 endpoints/types. |
| packages/sdk-types/src/generated/types.ts | Regenerated SDK types to match updated inputs (OTP encryption/signature requirements, etc.). |
| packages/sdk-types/scripts/codegen.js | Codegen mapping extended for new versioned OTP activity types. |
| packages/sdk-server/src/inputs/public_api.types.ts | Server SDK input types synced to updated public API. |
| packages/sdk-server/src/inputs/public_api.swagger.json | Server SDK swagger inputs synced to updated public API. |
| packages/sdk-server/src/generated/sdk_api_types.ts | Server SDK API types regenerated for new initOtp result key. |
| packages/sdk-server/src/generated/sdk-client-base.ts | Server SDK client regenerated to submit versioned OTP activity types / result keys. |
| packages/sdk-server/scripts/codegen.js | Server codegen updated to map OTP activities to latest versions. |
| packages/sdk-browser/src/inputs/public_api.types.ts | Browser SDK input types synced to updated public API. |
| packages/sdk-browser/src/inputs/public_api.swagger.json | Browser SDK swagger inputs synced to updated public API. |
| packages/sdk-browser/src/generated/sdk_api_types.ts | Browser SDK API types regenerated for new initOtp result key. |
| packages/sdk-browser/src/generated/sdk-client-base.ts | Browser SDK client regenerated to submit versioned OTP activity types / result keys. |
| packages/sdk-browser/scripts/codegen.js | Browser codegen updated to map OTP activities to latest versions. |
| packages/sdk-browser/CHANGELOG.md | Fixes changelog entry typo for ACTIVITY_TYPE_INIT_OTP_AUTH. |
| packages/http/src/generated/services/coordinator/public/v1/public_api.* | Regenerated HTTP client artifacts to match updated public API swagger/types. |
| packages/http/CHANGELOG.md | Fixes changelog entry typo for ACTIVITY_TYPE_INIT_OTP_AUTH. |
| packages/core/src/inputs/public_api.swagger.json | Core swagger inputs synced to updated public API. |
| packages/core/src/inputs/auth_proxy.swagger.json | Adds auth-proxy OTP v2 endpoints/types in core inputs. |
| packages/core/src/generated/sdk-client-base.ts | Core client partially updated (initOtp + new auth-proxy v2 methods). |
| packages/core/scripts/codegen.js | Core codegen partially updated for INIT_OTP (missing other OTP mappings). |
| packages/core/CHANGELOG.md | Fixes changelog entry typo for ACTIVITY_TYPE_INIT_OTP_AUTH. |
Files not reviewed (10)
- packages/core/src/generated/sdk-client-base.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.client.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.fetcher.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.swagger.json: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.types.ts: Language not supported
- packages/sdk-browser/src/generated/sdk-client-base.ts: Language not supported
- packages/sdk-browser/src/generated/sdk_api_types.ts: Language not supported
- packages/sdk-server/src/generated/sdk-client-base.ts: Language not supported
- packages/sdk-server/src/generated/sdk_api_types.ts: Language not supported
- packages/sdk-types/src/generated/types.ts: Language not supported
.changeset/short-bars-worry.md (comment marked outdated)
| @@ -0,0 +1,19 @@ | |||
| --- | |||
| "@turnkey/sdk-browser": minor | |||
| "@turnkey/sdk-server": minor | |||
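Review bot: `minor` for @turnkey/sdk-browser and @turnkey/sdk-server understates this change; the PR overview describes versioned activity types and a required client signature on the new OTP request/response shapes, so callers of the previous OTP activities stop working and must migrate, which is a `major` bump under semver. The changeset text should also spell out that migration for existing integrations.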
Isn't this version bump a breaking change? sdk-server/browser will need major bumps, I believe.
Pull request overview
Copilot reviewed 26 out of 37 changed files in this pull request and generated 5 comments.
Files not reviewed (11)
- packages/core/src/generated/sdk-client-base.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.client.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.fetcher.ts: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.swagger.json: Language not supported
- packages/http/src/generated/services/coordinator/public/v1/public_api.types.ts: Language not supported
- packages/sdk-browser/src/generated/sdk-client-base.ts: Language not supported
- packages/sdk-browser/src/generated/sdk_api_types.ts: Language not supported
- packages/sdk-server/src/generated/sdk-client-base.ts: Language not supported
- packages/sdk-server/src/generated/sdk_api_types.ts: Language not supported
- packages/sdk-types/src/generated/types.ts: Language not supported
- pnpm-lock.yaml: Language not supported
| if (initAuthResponse && initAuthResponse.otpId) { | ||
| setOtpId(initAuthResponse?.otpId!); | ||
| setOtpId(initAuthResponse.otpId); | ||
| setOtpEncryptionTargetBundle(initAuthResponse.otpEncryptionTargetBundle); | ||
| setStep(otpType); | ||
| } else { |
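Review bot: the guard on the first line checks only `otpId`, yet the verification step that follows needs `otpEncryptionTargetBundle` as well, and the bundle is stored here with no validation. Gate the transition on both values being present, and, since the docs commit elsewhere on this page lists bundle signature verification among the OTP security controls, confirm that the bundle's signature is checked before the code is encrypted to it (here or in the verify step), surfacing a specific error instead of letting a later JSON parse or encryption call fail.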
`handleSendOtp` advances to the OTP verification step when `otpId` exists, but the encrypted OTP flow also requires `otpEncryptionTargetBundle`. If the backend returns an `otpId` without a bundle (or a bundle is accidentally dropped), the next step will crash/fail during JSON parsing/encryption. Consider gating the transition on both `otpId` and `otpEncryptionTargetBundle` (and surfacing a specific error) before calling `setStep(otpType)`.
| @@ -88,10 +111,31 @@ const OtpVerification: React.FC<OtpVerificationProps> = ({ | |||
| setOtpError("Suborganization ID not found. Please try again."); | |||
| return; | |||
| } | |||
|
|
|||
| // Build the client signature proving we hold the session private key | |||
| const { message, publicKey: signingPublicKey } = | |||
| getClientSignatureMessageForLogin({ | |||
| verificationToken: verifyResponse!.verificationToken, | |||
| sessionPublicKey: publicKey, | |||
| }); | |||
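Review bot: `verifyResponse!.verificationToken` relies on a non-null assertion; when `verifyOtp()` returns undefined for a wrong or expired code this throws a TypeError that lands in the generic catch with an unhelpful message. Check `verifyResponse?.verificationToken` explicitly after the call and set a specific OTP error before building the message. The message also binds `sessionPublicKey: publicKey`, so the signature produced next must come from exactly that session's private key; a mismatch is only detected server-side, so a comment or assertion at the signing call is worth adding.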
`server.verifyOtp()` can return undefined (e.g. invalid/expired code) and this code then dereferences `verifyResponse!.verificationToken`, which throws and falls into the generic catch message. Consider explicitly checking `verifyResponse?.verificationToken` after the call and setting a specific OTP error, rather than relying on a thrown error from the non-null assertion.
| setOtpError("Public key not found. Please try again."); | ||
| return; | ||
| } |
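Review bot: this early `return` after `setOtpError("Public key not found. Please try again.")` exits the handler without anything in the hunk resetting the loading flag; unless the reset lives in a `finally`, the form stays disabled after this guard fires. Move `setIsLoading(false)` into a `finally` so every exit path, including these guards and thrown errors, re-enables the UI.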
`handleValidateOtp` has early return paths inside the `try` block (e.g. when `publicKey` is missing) before `setIsLoading(false)` runs, which can leave the UI stuck in a loading state. Consider resetting `isLoading` in a `finally` block (or setting it back to false immediately before returning on these paths).
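The three review comments above describe the same defensive shape for the OTP handlers: refuse to advance unless the init response carries both `otpId` and `otpEncryptionTargetBundle`, check the verify response for a `verificationToken` instead of asserting it non-null, and reset the loading flag in a `finally`. The following is an added example written for this page, not code from the tkhq/sdk repository; the `InitOtpResponse`, `VerifyOtpResponse`, `OtpFlowError` and `OtpUiState` names are assumed for illustration, and component state is replaced by a plain object so the handler can be exercised without React.

```typescript
// Added example (not tkhq/sdk code): response guards and a loading-state
// wrapper for the OTP init/verify handlers. Type names are assumed.

export type OtpStep = "init" | "verify";

export class OtpFlowError extends Error {
  readonly step: OtpStep;
  constructor(message: string, step: OtpStep) {
    super(message);
    this.name = "OtpFlowError";
    this.step = step;
  }
}

// Assumed shapes of the init/verify responses (fields optional on purpose:
// the guards below are what make them required for the encrypted flow).
export interface InitOtpResponse {
  otpId?: string;
  otpEncryptionTargetBundle?: string;
}

export interface VerifyOtpResponse {
  verificationToken?: string;
}

// The encrypted flow cannot proceed on otpId alone: the code is encrypted to
// the target bundle, so both must be present before moving to verification.
export function requireInitOtpFields(
  resp: InitOtpResponse | undefined,
): { otpId: string; otpEncryptionTargetBundle: string } {
  if (!resp?.otpId) {
    throw new OtpFlowError("OTP init did not return an otpId.", "init");
  }
  if (!resp.otpEncryptionTargetBundle) {
    throw new OtpFlowError(
      "OTP init did not return an encryption target bundle.",
      "init",
    );
  }
  return {
    otpId: resp.otpId,
    otpEncryptionTargetBundle: resp.otpEncryptionTargetBundle,
  };
}

// verifyOtp() may return undefined for a wrong or expired code; check for the
// token explicitly instead of dereferencing with a non-null assertion.
export function requireVerificationToken(
  resp: VerifyOtpResponse | undefined,
): string {
  const token = resp?.verificationToken;
  if (!token) {
    throw new OtpFlowError("Invalid or expired OTP code. Please try again.", "verify");
  }
  return token;
}

// Runs an async handler while guaranteeing the loading flag is reset on every
// exit path: normal return, early throw, or rejected promise.
export async function withLoading<T>(
  setLoading: (loading: boolean) => void,
  fn: () => Promise<T>,
): Promise<T> {
  setLoading(true);
  try {
    return await fn();
  } finally {
    setLoading(false);
  }
}

// Plain-object stand-in for the component's state hooks.
export interface OtpUiState {
  isLoading: boolean;
  otpId?: string;
  otpEncryptionTargetBundle?: string;
  step: "send" | "verify";
  error?: string;
}

// Equivalent of handleSendOtp: only transitions to "verify" when both fields
// are present, records a specific error otherwise, and always clears loading.
export async function handleSendOtp(
  state: OtpUiState,
  initOtp: () => Promise<InitOtpResponse | undefined>,
): Promise<OtpUiState> {
  return withLoading(
    (loading) => { state.isLoading = loading; },
    async () => {
      try {
        const fields = requireInitOtpFields(await initOtp());
        state.otpId = fields.otpId;
        state.otpEncryptionTargetBundle = fields.otpEncryptionTargetBundle;
        state.step = "verify";
      } catch (e) {
        state.error = e instanceof OtpFlowError ? e.message : "Unexpected error sending OTP.";
      }
      return state;
    },
  );
}
```

The verify handler follows the same pattern: wrap the body in `withLoading`, call `requireVerificationToken` on the `verifyOtp()` result, and only then build the client-signature message, so a missing token produces a specific error rather than a `TypeError` from a non-null assertion.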
| "@turnkey/sdk-types": minor | ||
| "@turnkey/http": minor |
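Review bot: `minor` for @turnkey/sdk-types and @turnkey/http does not match the regenerated types, which (per the PR overview) make the client signature required and move callers to `*_V2`/`*_V3` activity types; existing TypeScript consumers fail to compile against them, so these are `major` bumps.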
The changeset marks `@turnkey/sdk-types` as a minor bump, but this PR makes previously optional fields required (e.g. `clientSignature` for OTP login) and changes request/response shapes. Those are TypeScript-breaking changes for consumers and typically require a major bump to follow semver.
| "@turnkey/sdk-types": minor | |
| "@turnkey/http": minor | |
| "@turnkey/sdk-types": major | |
| "@turnkey/http": major |
| ### If you use `@turnkey/core` directly | ||
|
|
||
| The high-level `completeOtp()` method handles encryption and signing internally. If you call `verifyOtp()` / `loginWithOtp()` / `signUpWithOtp()` individually, here's the new flow: | ||
|
|
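Review bot: the guide's claim that `completeOtp()` handles encryption and signing internally should be checked against what ships in this PR; the file summary above marks `packages/core/scripts/codegen.js` and `packages/core/src/generated/sdk-client-base.ts` as only partially updated for OTP, so either finish the core update or qualify this sentence, otherwise readers of the migration guide are told the path is protected while the code may still be sent in the clear.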
This changeset states that `@turnkey/core`'s high-level `completeOtp()` handles encryption/signing internally, but the current implementation in `packages/core/src/__clients__/core.ts` still accepts a plaintext `otpCode` and calls `proxyVerifyOtp` (non-encrypted). Either update `completeOtp()`/`verifyOtp()` to use the encrypted bundle + v2 proxy endpoints, or adjust the migration guide to match the actual behavior shipped in this release.
- Add security/otp-enclave.mdx: comprehensive doc covering the enclave-first OTP architecture (INIT_OTP_V3, VERIFY_OTP_V2, OTP_LOGIN_V2), including sequence flows, key invariants, client-side security changes from SDK v2026.2.8, and security controls (bundle sig verification, HPKE encryption, brute-force protection, inflight limits)
- Update authentication/email.mdx:
  - Add callout card linking to new security page with summary of SDK v2026.2.8 client-side security improvements
  - Update activity type references: INIT_OTP → INIT_OTP_V3, VERIFY_OTP → VERIFY_OTP_V2, OTP_LOGIN → OTP_LOGIN_V2
  - Expand Breaking Change policy table with VERIFY_OTP_V2 and OTP_LOGIN_V2 version progression
  - Update Authorization section to list both enclave (V3) and legacy auth (V3) paths with correct activity types
- Update authentication/sms.mdx:
  - Update How it Works activity types to V3/V2 equivalents
  - Add note linking to OTP enclave security page
  - Fix sandbox verify/login activity type references
- Update docs.json: add security/otp-enclave to Security tab navigation

References: tkhq/sdk#1220, tkhq/sdk#1221
Summary & Motivation
$title
How I Tested These Changes
Did you add a changeset?
yes
If updating one of our packages, you'll likely need to add a changeset to your PR. To do so, run `pnpm changeset`. `pnpm changeset` will generate a file where you should write a human friendly message about the changes. Note how this (example) includes the package name (should be auto added by the command) along with the type of semver change (major.minor.patch) (which you should set). These changes will be used at release time to determine what packages to publish and how to bump their version. For more context see this comment.