Node M2M Auth SDK Refactor/Deprecation

Initial release of @wristband/typescript-m2m-auth, a full rewrite and rename of the former @wristband/node-m2m-auth package. The SDK has been redesigned to be runtime-agnostic, async-only, and dependency-free. The @wristband/node-m2m-auth is now considered deprecated.

Breaking Changes

Package renamed from @wristband/node-m2m-auth to @wristband/typescript-m2m-auth
Config key renamed: appDomain → wristbandApplicationVanityDomain
Instantiation changed: direct class instantiation (new WristbandM2MAuthClient()) replaced by factory function (createWristbandM2MClient())
Sync client removed: SDK is now async-only — no synchronous variant
destroy() method removed: background refresh now uses recursive setTimeout with .unref?.() — no manual cleanup required

Added

createWristbandM2MClient(config) factory function as the sole public instantiation API
WristbandM2MClient public TypeScript interface for consumers
WristbandM2MAuthConfig interface with optional tokenExpirationBuffer and backgroundTokenRefreshInterval fields
TokenRequestError custom error class for 5xx detection and retry logic
Automatic retry on 5xx errors — 3 attempts with 100ms delay between each
Background token refresh via recursive setTimeout with .unref?.() for Node.js, Deno, and Bun compatibility.
clearToken() method to manually invalidate the cached token
ESM + CJS dual output; UMD is no longer supported
Zero runtime dependencies
Full test suite coverage
npm audit vulnerabilities fixed

Changed

Minimum Node.js version raised to 20
TypeScript raised to ^5.x
All token expiration logic uses Date.now() throughout
sleep() extracted as an exported utility for testability
Migrated build to Rollup

Deprecated

@wristband/node-m2m-auth : use @wristband/typescript-m2m-auth going forward