[js] gga example app: split main.ts into config/turnkey/webauthn/api-client/ui + flows modules (#28471)

## What
Split the ~1450-line `src/main.ts` into a small ES-module tree: `config.ts`, `turnkey.ts` (crypto), `webauthn.ts` (ceremonies), `api-client.ts`, `ui.ts`, and a `flows/` directory (`customer`, `email-otp`, `oauth`, `passkey`, `manage`, `money`, shared `context`). `main.ts` becomes a thin bootstrap.

## Why
P4 example app, PR 1 in `40-example-app-design.md` §1.5/§5. The single file mixed Turnkey crypto, HTTP, logging, DOM wiring, and every flow handler, and accreted into a tool only its author could drive. Carving it into modules lands first so later PRs touch small files; the `manage.ts` extraction also removes the 3× delete/export duplication (one shared panel instead of one per credential type).

## Place in the stack
Base: #28470 (real WebAuthn ceremony + env-driven URL). Second PR of the **P4 example-app** stack.

## Notable points
- **Pure refactor, no behavior change** — mechanical module move; `index.html` untouched. `tsc` + manual sandbox smoke prove equivalence.
- Manual test tool (no automated UI tests). Type gate: `build` + `lint`/`format`.

---
Part of the Turnkey login-family migration program. See `sparkcore/sparkcore/grid/docs/login-migration/00-program-plan.md`.

GitOrigin-RevId: fe1f4c2ca75d37fb07e37b9902241db970ce26d8

Author: carsonp6

apps/examples/grid-global-accounts-example-app/src/api-client.ts

@@ -0,0 +1,104 @@
+// HTTP client + auth header + mode resolution.
+
+import { API_BASE, type Mode } from "./config";
+import { el } from "./ui";
+
+let authClientId: HTMLInputElement | null = null;
+let authClientSecret: HTMLInputElement | null = null;
+let modeSelect: HTMLSelectElement | null = null;
+
+function getAuthClientId(): HTMLInputElement {
+  if (!authClientId) authClientId = el<HTMLInputElement>("auth-client-id");
+  return authClientId;
+}
+
+function getAuthClientSecret(): HTMLInputElement {
+  if (!authClientSecret)
+    authClientSecret = el<HTMLInputElement>("auth-client-secret");
+  return authClientSecret;
+}
+
+function getModeSelect(): HTMLSelectElement {
+  if (!modeSelect) modeSelect = el<HTMLSelectElement>("mode-select");
+  return modeSelect;
+}
+
+export function getMode(): Mode {
+  return getModeSelect().value === "production" ? "production" : "sandbox";
+}
+
+function getAuthHeader(): string {
+  return (
+    "Basic " +
+    btoa(
+      `${getAuthClientId().value.trim()}:${getAuthClientSecret().value.trim()}`,
+    )
+  );
+}
+
+export async function apiPost(
+  path: string,
+  body: Record<string, unknown> | undefined,
+  extraHeaders: Record<string, string> = {},
+): Promise<{ status: number; data: unknown }> {
+  const res = await fetch(API_BASE + path, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: getAuthHeader(),
+      ...extraHeaders,
+    },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+  const raw = await res.text();
+  const data = raw ? JSON.parse(raw) : null;
+  if (!res.ok) throw new Error(`HTTP ${res.status}: ${raw}`);
+  return { status: res.status, data };
+}
+
+export async function apiDelete(
+  path: string,
+  extraHeaders: Record<string, string> = {},
+): Promise<{ status: number; data: unknown }> {
+  const res = await fetch(API_BASE + path, {
+    method: "DELETE",
+    headers: {
+      Authorization: getAuthHeader(),
+      ...extraHeaders,
+    },
+  });
+  const raw = await res.text();
+  const data = raw ? JSON.parse(raw) : null;
+  if (!res.ok) throw new Error(`HTTP ${res.status}: ${raw}`);
+  return { status: res.status, data };
+}
+
+export async function apiPatch(
+  path: string,
+  body: Record<string, unknown>,
+  extraHeaders: Record<string, string> = {},
+): Promise<{ status: number; data: unknown }> {
+  const res = await fetch(API_BASE + path, {
+    method: "PATCH",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: getAuthHeader(),
+      ...extraHeaders,
+    },
+    body: JSON.stringify(body),
+  });
+  const raw = await res.text();
+  const data = raw ? JSON.parse(raw) : null;
+  if (!res.ok) throw new Error(`HTTP ${res.status}: ${raw}`);
+  return { status: res.status, data };
+}
+
+export async function apiGet(path: string): Promise<unknown> {
+  const res = await fetch(API_BASE + path, {
+    headers: { Authorization: getAuthHeader() },
+  });
+  const raw = await res.text();
+  const data = raw ? JSON.parse(raw) : null;
+  if (!res.ok) throw new Error(`HTTP ${res.status}: ${raw}`);
+  return data;
+}

apps/examples/grid-global-accounts-example-app/src/config.ts

@@ -0,0 +1,15 @@
+// Grid Global Accounts — Example App: shared config + constants.
+
+export type Mode = "sandbox" | "production";
+export type CredType = "email_otp" | "oauth" | "passkey";
+
+// Sandbox magic signature injected into signed-retry headers and the execute
+// signature. In production these are wrong — a real stamp must be supplied.
+export const SANDBOX_SIG = "sandbox-valid-signature";
+
+// All requests proxy through Vite at `/api` and forward to the configured Grid
+// backend. Credentials are entered manually in the UI — never embedded.
+export const API_BASE = "/api";
+
+// Turnkey API stamp scheme — must match what `@turnkey/api-key-stamper` emits.
+export const TURNKEY_STAMP_SCHEME = "SIGNATURE_SCHEME_TK_API_P256";

apps/examples/grid-global-accounts-example-app/src/flows/context.ts

@@ -0,0 +1,61 @@
+// Cross-flow wallet context: account / credential / session ids shared between
+// the per-credential-type tabs and the money + manage flows.
+
+import { el } from "../ui";
+
+let ctxAccountId: HTMLInputElement | null = null;
+let ctxCredentialId: HTMLInputElement | null = null;
+let ctxSessionId: HTMLInputElement | null = null;
+
+function accountIdEl(): HTMLInputElement {
+  if (!ctxAccountId) ctxAccountId = el<HTMLInputElement>("ctx-account-id");
+  return ctxAccountId;
+}
+function credentialIdEl(): HTMLInputElement {
+  if (!ctxCredentialId)
+    ctxCredentialId = el<HTMLInputElement>("ctx-credential-id");
+  return ctxCredentialId;
+}
+function sessionIdEl(): HTMLInputElement {
+  if (!ctxSessionId) ctxSessionId = el<HTMLInputElement>("ctx-session-id");
+  return ctxSessionId;
+}
+
+// First-call-wins by design: the account id is established once (Create
+// Customer) and shared across every credential-type tab, so a later per-type
+// flow must not clobber it. Credential/session ids below are per-type and do
+// overwrite. To switch accounts, clear the field in the UI.
+export function setCtxAccount(id: string): void {
+  if (!accountIdEl().value) accountIdEl().value = id;
+}
+export function setCtxCredential(id: string): void {
+  credentialIdEl().value = id;
+}
+export function setCtxSession(id: string): void {
+  sessionIdEl().value = id;
+}
+
+export function requireAccountId(): string {
+  const id = accountIdEl().value.trim();
+  if (!id)
+    throw new Error(
+      "Internal Account ID is required — run Create Customer first.",
+    );
+  return id;
+}
+
+export function requireCredentialId(): string {
+  const id = credentialIdEl().value.trim();
+  if (!id)
+    throw new Error(
+      "Credential ID is required — run Create for this type first.",
+    );
+  return id;
+}
+
+export function requireSessionId(): string {
+  const id = sessionIdEl().value.trim();
+  if (!id)
+    throw new Error("Session ID is required — run Verify for this type first.");
+  return id;
+}

apps/examples/grid-global-accounts-example-app/src/flows/customer.ts

@@ -0,0 +1,150 @@
+// Shared setup: create customer, platform config (OTP + branding), balance.
+
+import { apiGet, apiPatch, apiPost } from "../api-client";
+import { addLog, bindClick, el, maybeEl } from "../ui";
+import { setCtxAccount } from "./context";
+
+// ----- Create customer + Fetch balance -----
+
+export function wireCustomerFlows(): void {
+  const createPlatformCustomerId = el<HTMLInputElement>(
+    "create-platform-customer-id",
+  );
+  const createCustomerName = el<HTMLInputElement>("create-customer-name");
+  const createCustomerEmail = el<HTMLInputElement>("create-customer-email");
+  const balanceCustomerId = el<HTMLInputElement>("balance-customer-id");
+
+  bindClick(
+    "btn-create-customer",
+    "create-customer-status",
+    "Create Customer",
+    "Creating customer...",
+    async () => {
+      const platformCustomerId =
+        createPlatformCustomerId.value.trim() || `test-${Date.now()}`;
+      const fullName = createCustomerName.value.trim() || "Test User";
+      const email = createCustomerEmail.value.trim();
+      const body: Record<string, unknown> = {
+        customerType: "BUSINESS",
+        platformCustomerId,
+        region: "US",
+        currencies: ["USDB"],
+        businessInfo: {
+          legalName: fullName,
+          taxId: "12-3456789",
+          incorporatedOn: "2020-01-01",
+        },
+      };
+      if (email) body.email = email;
+      const { data: customer } = await apiPost("/customers", body);
+      addLog("Create Customer", customer);
+      const customerId = (customer as Record<string, unknown>).id as string;
+      if (!balanceCustomerId.value) balanceCustomerId.value = customerId;
+      const accounts = (await apiGet(
+        `/customers/internal-accounts?customerId=${customerId}&currency=USDB`,
+      )) as { data: Array<{ id: string }> };
+      addLog("Internal Accounts", accounts);
+      if (accounts.data && accounts.data.length > 0) {
+        setCtxAccount(accounts.data[0].id);
+        return `Customer: ${customerId}\nAccount: ${accounts.data[0].id}\nEmbedded wallet pre-created at customer-create time.`;
+      }
+      return `Customer: ${customerId}\nNo USDB account found yet — wallet provisioning may be in progress.`;
+    },
+  );
+
+  bindClick(
+    "btn-fetch-balance",
+    "balance-status",
+    "Fetch Balance",
+    "Fetching balance...",
+    async () => {
+      const customerId = balanceCustomerId.value.trim();
+      if (!customerId) throw new Error("Customer ID is required.");
+      const data = (await apiGet(
+        `/customers/internal-accounts?customerId=${encodeURIComponent(customerId)}`,
+      )) as { data: Array<Record<string, unknown>> };
+      addLog("Fetch Balance", data);
+      return JSON.stringify(
+        data.data?.map((a) => ({
+          id: a.id,
+          currency: a.currency,
+          balance: a.balance,
+        })) ?? [],
+        null,
+        2,
+      );
+    },
+  );
+
+  wirePlatformConfigFlows();
+}
+
+// ----- Platform config (OTP + branding) — GET to populate, PATCH to save -----
+
+function wirePlatformConfigFlows(): void {
+  const cfgAppName = maybeEl<HTMLInputElement>("cfg-app-name");
+  const cfgOtpLength = maybeEl<HTMLInputElement>("cfg-otp-length");
+  const cfgAlphanumeric = maybeEl<HTMLInputElement>("cfg-alphanumeric");
+  const cfgExpirationSeconds = maybeEl<HTMLInputElement>(
+    "cfg-expiration-seconds",
+  );
+  const cfgSendFromEmail = maybeEl<HTMLInputElement>("cfg-send-from-email");
+  const cfgSendFromName = maybeEl<HTMLInputElement>("cfg-send-from-name");
+  const cfgReplyToEmail = maybeEl<HTMLInputElement>("cfg-reply-to-email");
+  const cfgLogoUrl = maybeEl<HTMLInputElement>("cfg-logo-url");
+
+  function readConfigForm(): Record<string, unknown> {
+    // Only include fields the user touched (non-empty) so we PATCH a real partial.
+    const ewc: Record<string, unknown> = {};
+    if (cfgAppName?.value.trim()) ewc.appName = cfgAppName.value.trim();
+    if (cfgOtpLength?.value.trim())
+      ewc.otpLength = parseInt(cfgOtpLength.value, 10);
+    if (cfgAlphanumeric) ewc.alphanumeric = cfgAlphanumeric.checked;
+    if (cfgExpirationSeconds?.value.trim())
+      ewc.expirationSeconds = parseInt(cfgExpirationSeconds.value, 10);
+    if (cfgSendFromEmail?.value.trim())
+      ewc.sendFromEmailAddress = cfgSendFromEmail.value.trim();
+    if (cfgSendFromName?.value.trim())
+      ewc.sendFromEmailSenderName = cfgSendFromName.value.trim();
+    if (cfgReplyToEmail?.value.trim())
+      ewc.replyToEmailAddress = cfgReplyToEmail.value.trim();
+    if (cfgLogoUrl?.value.trim()) ewc.logoUrl = cfgLogoUrl.value.trim();
+    return { embeddedWalletConfig: ewc };
+  }
+
+  function applyConfigToForm(cfg: unknown): void {
+    const ewc = (cfg as { embeddedWalletConfig?: Record<string, unknown> })
+      ?.embeddedWalletConfig;
+    if (!ewc) return;
+    if (cfgAppName && typeof ewc.appName === "string")
+      cfgAppName.value = ewc.appName;
+    if (cfgOtpLength && typeof ewc.otpLength === "number")
+      cfgOtpLength.value = String(ewc.otpLength);
+    if (cfgAlphanumeric && typeof ewc.alphanumeric === "boolean")
+      cfgAlphanumeric.checked = ewc.alphanumeric;
+    if (cfgExpirationSeconds && typeof ewc.expirationSeconds === "number")
+      cfgExpirationSeconds.value = String(ewc.expirationSeconds);
+    if (cfgSendFromEmail && typeof ewc.sendFromEmailAddress === "string")
+      cfgSendFromEmail.value = ewc.sendFromEmailAddress;
+    if (cfgSendFromName && typeof ewc.sendFromEmailSenderName === "string")
+      cfgSendFromName.value = ewc.sendFromEmailSenderName;
+    if (cfgReplyToEmail && typeof ewc.replyToEmailAddress === "string")
+      cfgReplyToEmail.value = ewc.replyToEmailAddress;
+    if (cfgLogoUrl && typeof ewc.logoUrl === "string")
+      cfgLogoUrl.value = ewc.logoUrl;
+  }
+
+  bindClick("btn-cfg-load", "cfg-status", "Load Config", "Loading…", async () => {
+    const cfg = await apiGet("/config");
+    addLog("GET /config", cfg);
+    applyConfigToForm(cfg);
+    return "Config loaded into form.";
+  });
+
+  bindClick("btn-cfg-save", "cfg-status", "Save Config", "Saving…", async () => {
+    const body = readConfigForm();
+    const { data } = await apiPatch("/config", body);
+    addLog("PATCH /config", data);
+    return "Config saved.";
+  });
+}