@abloatai/ablo 0.7.0 → 0.9.0

package/dist/client/ApiClient.js

@@ -171,32 +171,36 @@ export function createProtocolClient(options) {
     function createAgentModelClient(agentClient, name) {
         const base = agentClient.model(name);
         return {
-            retrieve(id, options) {
+            retrieve(params) {
                 // Reads are never blocked by a claim (coordination.md): a claim
                 // serializes WRITERS, not readers. So — unlike the create/update/
                 // delete paths below — retrieve does NOT apply the agent claimed
                 // default; options pass through and the read path's `'return'`
                 // default keeps a claimed row readable. A caller can still opt into
                 // gating with an explicit `ifClaimed` (developer's choice).
-                return base.retrieve(id, options);
+                return base.retrieve(params);
             },
-            create(data, mutationOptions) {
-                const id = mutationOptions?.id ?? createModelId();
-                return withAgentIntent(agentClient, name, id, mutationOptions, (commitIntent) => base.create(data, {
-                    ...stripAgentRuntimeOptions(mutationOptions),
+            create(params) {
+                const id = params.id ?? createModelId();
+                return withAgentIntent(agentClient, name, id, params, (commitIntent) => base.create({
+                    ...stripAgentRuntimeOptions(params),
                     id,
+                    data: params.data,
                     intent: commitIntent,
                 }));
             },
-            update(id, data, mutationOptions) {
-                return withAgentIntent(agentClient, name, id, mutationOptions, (commitIntent) => base.update(id, data, {
-                    ...stripAgentRuntimeOptions(mutationOptions),
+            update(params) {
+                return withAgentIntent(agentClient, name, params.id, params, (commitIntent) => base.update({
+                    ...stripAgentRuntimeOptions(params),
+                    id: params.id,
+                    data: params.data,
                     intent: commitIntent,
                 }));
             },
-            delete(id, mutationOptions) {
-                return withAgentIntent(agentClient, name, id, mutationOptions, (commitIntent) => base.delete(id, {
-                    ...stripAgentRuntimeOptions(mutationOptions),
+            delete(params) {
+                return withAgentIntent(agentClient, name, params.id, params, (commitIntent) => base.delete({
+                    ...stripAgentRuntimeOptions(params),
+                    id: params.id,
                     intent: commitIntent,
                 }));
             },
@@ -439,6 +443,35 @@ export function createProtocolClient(options) {
                 activeSessionsClosed: body.activeSessionsClosed,
             };
         },
+        async rotate(id, rotateOptions = {}) {
+            const graceSeconds = rotateOptions.graceSeconds ??
+                (rotateOptions.grace !== undefined ? toSeconds(rotateOptions.grace) : undefined);
+            const leaseSeconds = rotateOptions.leaseSeconds ??
+                (rotateOptions.lease !== undefined ? toSeconds(rotateOptions.lease) : undefined);
+            const body = await requestJson(`/v1/capabilities/${encodeURIComponent(id)}/rotate`, {
+                method: 'POST',
+                body: JSON.stringify({
+                    ...(graceSeconds !== undefined ? { graceSeconds } : {}),
+                    ...(leaseSeconds !== undefined ? { ttlSeconds: leaseSeconds } : {}),
+                }),
+            });
+            const newId = body.capabilityId ?? body.id;
+            if (!newId) {
+                throw new AbloValidationError('Capability rotate response did not include an id.', { code: 'capability_id_missing' });
+            }
+            return {
+                id: newId,
+                token: body.token,
+                expiresAt: body.expiresAt,
+                organizationId: body.organizationId,
+                scope: body.scope,
+                rotatedFrom: {
+                    id: body.rotatedFrom.capabilityId ?? body.rotatedFrom.id ?? id,
+                    expiresAt: body.rotatedFrom.expiresAt,
+                },
+                client: () => childClient(body.token),
+            };
+        },
         mint(options) {
             return capabilities.create(options);
         },
@@ -533,14 +566,39 @@ export function createProtocolClient(options) {
             return waitForNoIntents(target, options);
         },
     };
-    async function retrieveModel(modelName, id, options) {
-        await applyClaimedPolicy({ model: modelName, id }, options);
-        const query = await requestJson(`/v1/models/${encodeURIComponent(modelName)}/${encodeURIComponent(id)}`, {
+    async function listModel(modelName, options) {
+        const params = new URLSearchParams();
+        if (options?.limit !== undefined)
+            params.set('limit', String(options.limit));
+        if (options?.orderBy) {
+            const [col, dir] = Object.entries(options.orderBy)[0] ?? [];
+            if (col) {
+                params.set('order_by', col);
+                if (dir === 'desc')
+                    params.set('order', 'desc');
+            }
+        }
+        // The collection route turns any non-reserved query param into an equality
+        // filter (`?status=todo`). The wire is AND-only equality — matches what a
+        // stateless reactor needs; richer predicates stay on the stateful path.
+        if (options?.where && typeof options.where === 'object') {
+            for (const [k, v] of Object.entries(options.where)) {
+                if (v !== undefined && v !== null && typeof v !== 'object')
+                    params.set(k, String(v));
+            }
+        }
+        const qs = params.toString();
+        const res = await requestJson(`/v1/models/${encodeURIComponent(modelName)}${qs ? `?${qs}` : ''}`, { method: 'GET' });
+        return res.data ?? [];
+    }
+    async function retrieveModel(modelName, params) {
+        await applyClaimedPolicy({ model: modelName, id: params.id }, params);
+        const query = await requestJson(`/v1/models/${encodeURIComponent(modelName)}/${encodeURIComponent(params.id)}`, {
             method: 'GET',
         });
         const data = query.data;
         if (!data) {
-            throw new AbloValidationError(`Model row not found: ${modelName}/${id}`, { code: 'model_not_found' });
+            throw new AbloValidationError(`Model row not found: ${modelName}/${params.id}`, { code: 'model_not_found' });
         }
         return {
             data,
@@ -548,63 +606,170 @@ export function createProtocolClient(options) {
             claims: query.claims ?? [],
         };
     }
+    /**
+     * Single-op mutation over the model-scoped routes — the canonical surface
+     * that mirrors `ablo.<model>.create/update/delete`:
+     *
+     *   POST   /v1/models/:model        create
+     *   PATCH  /v1/models/:model/:id     update
+     *   DELETE /v1/models/:model/:id     delete
+     *
+     * This replaces the previous indirection through `POST /v1/commits`. The raw
+     * `commits.create(...)` resource is still the path for ATOMIC MULTI-OP
+     * envelopes — this helper is the one-op, one-record path only.
+     */
+    async function mutateModel(action, modelName, id, data, options) {
+        const clientTxId = createClientTxId(options?.idempotencyKey);
+        const encModel = encodeURIComponent(modelName);
+        const path = action === 'create'
+            ? `/v1/models/${encModel}`
+            : `/v1/models/${encModel}/${encodeURIComponent(id)}`;
+        const method = action === 'create' ? 'POST' : action === 'update' ? 'PATCH' : 'DELETE';
+        const requestBody = {
+            idempotencyKey: clientTxId,
+            intent: normalizeIntentId(options?.intent),
+            onStale: options?.onStale,
+            readAt: options?.readAt,
+        };
+        if (action === 'create')
+            requestBody.id = id;
+        if (data !== undefined)
+            requestBody.data = data;
+        const body = await requestJson(path, {
+            method,
+            idempotencyKey: clientTxId,
+            body: JSON.stringify(requestBody),
+        });
+        // `requestJson` throws via `translateHttpError` on any non-2xx, so reaching
+        // here implies success. Narrow `status` to the `CommitWait`-compatible
+        // subset; `'rejected'` only appears on a thrown rejection body.
+        const status = body.status === 'queued' ? 'queued' : 'confirmed';
+        return {
+            id: body.serverTxId ?? body.id ?? body.clientTxId ?? clientTxId,
+            status,
+            lastSyncId: body.lastSyncId,
+        };
+    }
     function model(name) {
+        // Durable lease + FIFO wait-line over HTTP (the existing claim routes). A
+        // claim is server state, not a subscription — acquire/hold/release are plain
+        // request/response, so a stateless agent participates in coordination too.
+        const claimPath = (id) => `/v1/models/${encodeURIComponent(name)}/${encodeURIComponent(id)}/claim`;
+        const isClaimHandle = (value) => typeof value === 'object' &&
+            value !== null &&
+            value.object === 'claim' &&
+            typeof value.claimId === 'string' &&
+            typeof value.release === 'function';
+        const claimMeta = (options) => {
+            if (!options?.description)
+                return options?.meta;
+            return { ...(options.meta ?? {}), description: options.description };
+        };
+        const acquireClaim = async (params) => {
+            const body = await requestJson(claimPath(params.id), {
+                method: 'POST',
+                body: JSON.stringify({
+                    action: params.action ?? 'editing',
+                    ...(params.ttl !== undefined ? { ttl: params.ttl } : {}),
+                    ...(params.description !== undefined ? { description: params.description } : {}),
+                    ...(claimMeta(params) ? { meta: claimMeta(params) } : {}),
+                    // `wait` (default true) → queue behind the holder; false → fail-fast
+                    // with AbloClaimedError (work-distribution dedup).
+                    queue: params.wait ?? true,
+                }),
+            });
+            if (body.status === 'queued') {
+                throw new AbloClaimedError(`Target ${name}/${params.id} is held; queued at position ${body.position ?? 0}. ` +
+                    `The HTTP client cannot await the grant without a WebSocket.`, { code: 'intent_queued' });
+            }
+            return body.intent?.id ?? body.id ?? body.intentId ?? createIntentId();
+        };
+        const releaseClaim = (params) => requestJson(claimPath(isClaimHandle(params) ? params.target.id : params.id), { method: 'DELETE' }).then(() => undefined);
+        async function claimImpl(params) {
+            const claimId = await acquireClaim(params);
+            const { data } = await retrieveModel(name, { id: params.id });
+            const release = () => releaseClaim(params);
+            return {
+                object: 'claim',
+                claimId,
+                target: {
+                    model: name,
+                    id: params.id,
+                    ...(params.field ? { field: params.field } : {}),
+                    ...(params.path ? { path: params.path } : {}),
+                    ...(params.range ? { range: params.range } : {}),
+                    ...(claimMeta(params) ? { meta: claimMeta(params) } : {}),
+                },
+                action: params.action ?? 'editing',
+                ...(params.description ? { description: params.description } : {}),
+                data,
+                release,
+                revoke: () => {
+                    void release().catch(() => { });
+                },
+                [Symbol.asyncDispose]: release,
+            };
+        }
+        const intentsForEntity = async (params) => requestJson(`/v1/intents?model=${encodeURIComponent(name)}&id=${encodeURIComponent(params.id)}${params.field ? `&field=${encodeURIComponent(params.field)}` : ''}`, { method: 'GET' });
+        const claim = Object.assign(claimImpl, {
+            release: releaseClaim,
+            state: async (params) => {
+                const res = await intentsForEntity(params);
+                return res.intents?.[0] ?? null;
+            },
+            queue: async (params) => {
+                const res = await intentsForEntity(params);
+                return { object: 'list', data: res.queue ?? [] };
+            },
+            reorder: async (params) => {
+                await requestJson(`${claimPath(params.id)}/reorder`, {
+                    method: 'POST',
+                    // The reorder route's payload is `{ heldBy, intentId }[]` — Intent's id
+                    // IS the intentId.
+                    body: JSON.stringify({ order: params.order.map((i) => ({ heldBy: i.heldBy, intentId: i.id })) }),
+                });
+            },
+        });
+        const withMutationClaim = async (id, input, run) => {
+            const claimInput = input?.claim;
+            if (!claimInput)
+                return run(input);
+            if (isClaimHandle(claimInput)) {
+                return run({ ...input, intent: { id: claimInput.claimId }, claim: undefined });
+            }
+            const claimId = await acquireClaim({ id, ...claimInput });
+            try {
+                return await run({ ...input, intent: { id: claimId }, claim: undefined });
+            }
+            finally {
+                await releaseClaim({ id }).catch(() => { });
+            }
+        };
         return {
-            retrieve(id, options) {
-                return retrieveModel(name, id, options);
+            claim,
+            retrieve(params) {
+                return retrieveModel(name, params);
+            },
+            list(options) {
+                return listModel(name, options);
             },
-            async create(data, mutationOptions) {
-                const id = mutationOptions?.id ?? createModelId();
-                await applyClaimedPolicy({ model: name, id }, mutationOptions);
-                return commits.create({
-                    intent: mutationOptions?.intent,
-                    idempotencyKey: mutationOptions?.idempotencyKey,
-                    readAt: mutationOptions?.readAt,
-                    onStale: mutationOptions?.onStale,
-                    wait: mutationOptions?.wait,
-                    operations: [
-                        {
-                            action: 'create',
-                            model: name,
-                            id,
-                            data,
-                        },
-                    ],
+            async create(params) {
+                const id = params.id ?? createModelId();
+                return withMutationClaim(id, params, async (options) => {
+                    await applyClaimedPolicy({ model: name, id }, options);
+                    return mutateModel('create', name, id, params.data, options);
                 });
             },
-            async update(id, data, mutationOptions) {
-                await applyClaimedPolicy({ model: name, id }, mutationOptions);
-                return commits.create({
-                    intent: mutationOptions?.intent,
-                    idempotencyKey: mutationOptions?.idempotencyKey,
-                    readAt: mutationOptions?.readAt,
-                    onStale: mutationOptions?.onStale,
-                    wait: mutationOptions?.wait,
-                    operations: [
-                        {
-                            action: 'update',
-                            model: name,
-                            id,
-                            data,
-                        },
-                    ],
+            async update(params) {
+                return withMutationClaim(params.id, params, async (options) => {
+                    await applyClaimedPolicy({ model: name, id: params.id }, options);
+                    return mutateModel('update', name, params.id, params.data, options);
                 });
             },
-            async delete(id, mutationOptions) {
-                await applyClaimedPolicy({ model: name, id }, mutationOptions);
-                return commits.create({
-                    intent: mutationOptions?.intent,
-                    idempotencyKey: mutationOptions?.idempotencyKey,
-                    readAt: mutationOptions?.readAt,
-                    onStale: mutationOptions?.onStale,
-                    wait: mutationOptions?.wait,
-                    operations: [
-                        {
-                            action: 'delete',
-                            model: name,
-                            id,
-                        },
-                    ],
+            async delete(params) {
+                return withMutationClaim(params.id, params, async (options) => {
+                    await applyClaimedPolicy({ model: name, id: params.id }, options);
+                    return mutateModel('delete', name, params.id, undefined, options);
                 });
             },
         };
@@ -620,6 +785,11 @@ export function createProtocolClient(options) {
         commits,
         model,
         agent: createAgent,
+        async getAuthToken() {
+            // Mirror `authHeaders()`: a configured API key wins, else the
+            // construction-time auth token. Resolve the (possibly async) key setter.
+            return (await resolveApiKeyValue(configuredApiKey)) ?? configuredAuthToken ?? null;
+        },
         async beginTurn(turnOptions) {
             const task = await tasks.create(turnOptions);
             let closed = false;

package/dist/client/auth.d.ts

@@ -29,6 +29,7 @@ export interface AuthResolveInput {
         readonly apiKey?: string | ApiKeySetter | null;
         readonly authToken?: string | null;
         readonly baseURL?: string | null;
+        readonly databaseUrl?: string | null;
         readonly dangerouslyAllowBrowser?: boolean;
     };
     readonly env: Record<string, string | undefined>;
@@ -41,16 +42,34 @@ export interface AuthResolveInput {
 export declare function readProcessEnv(): Record<string, string | undefined>;
 export declare function resolveApiKey(input: AuthResolveInput): string | ApiKeySetter | null;
 export declare function resolveAuthToken(input: AuthResolveInput): string | null;
-export declare const ABLO_DEFAULT_BASE_URL = "wss://mesh.ablo.finance";
+/**
+ * Resolve the direct-URL connector's Postgres connection string.
+ *
+ * The default Data Source path should not call this: the customer keeps
+ * `DATABASE_URL` in their app and exposes `dataSource(...)`. This helper exists
+ * only for the opt-in direct connector where Ablo registers a dedicated tenant
+ * database. Returns null for Ablo-managed storage.
+ */
+export declare function resolveDatabaseUrl(input: AuthResolveInput): string | null;
+export declare const ABLO_HOSTED_API_DOMAIN = "api.abloatai.com";
+export declare const ABLO_HOSTED_HTTP_BASE_URL = "https://api.abloatai.com";
+export declare const ABLO_DEFAULT_BASE_URL = "wss://api.abloatai.com";
+/**
+ * Normalize old hosted aliases to the public API domain. Self-hosted/custom
+ * URLs pass through unchanged; only first-party legacy hosts are rewritten.
+ */
+export declare function normalizeAbloHostedBaseUrl(rawUrl: string): string;
 export declare function resolveBaseURL(input: AuthResolveInput): string;
 /**
  * Browser guard — apiKey is server-side-only by default. Same check
  * Anthropic, OpenAI, and Stripe ship: shipping `sk_live_...` to a
  * browser exposes it in every visitor's network tab. Consumers opt
- * in explicitly when they have a publishable key or a server proxy.
+ * in explicitly when the browser holds a minted session token
+ * (`ek_`/`rk_`) or routes through a server proxy.
  */
 export declare function assertBrowserSafety(input: {
     apiKey: string | ApiKeySetter | null;
+    databaseUrl?: string | null;
     dangerouslyAllowBrowser: boolean | undefined;
 }): void;
 /**

package/dist/client/auth.js

@@ -27,19 +27,71 @@ export function resolveApiKey(input) {
 export function resolveAuthToken(input) {
     return input.options.authToken ?? null;
 }
-export const ABLO_DEFAULT_BASE_URL = 'wss://mesh.ablo.finance';
+/**
+ * Resolve the direct-URL connector's Postgres connection string.
+ *
+ * The default Data Source path should not call this: the customer keeps
+ * `DATABASE_URL` in their app and exposes `dataSource(...)`. This helper exists
+ * only for the opt-in direct connector where Ablo registers a dedicated tenant
+ * database. Returns null for Ablo-managed storage.
+ */
+export function resolveDatabaseUrl(input) {
+    return input.options.databaseUrl ?? input.env.DATABASE_URL ?? null;
+}
+export const ABLO_HOSTED_API_DOMAIN = 'api.abloatai.com';
+export const ABLO_HOSTED_HTTP_BASE_URL = `https://${ABLO_HOSTED_API_DOMAIN}`;
+export const ABLO_DEFAULT_BASE_URL = `wss://${ABLO_HOSTED_API_DOMAIN}`;
+const LEGACY_HOSTED_API_HOSTS = new Set([
+    'mesh.ablo.finance',
+    'mesh-staging.ablo.finance',
+    'api.ablo.finance',
+    'sync-staging.ablo.finance',
+]);
+/**
+ * Normalize old hosted aliases to the public API domain. Self-hosted/custom
+ * URLs pass through unchanged; only first-party legacy hosts are rewritten.
+ */
+export function normalizeAbloHostedBaseUrl(rawUrl) {
+    const trimmed = rawUrl.trim();
+    if (!trimmed)
+        return trimmed;
+    // A scheme-less value (e.g. `api-staging.abloatai.com`) is a RELATIVE URL:
+    // `new URL()` throws on it, and downstream `fetch` then resolves it against
+    // the current page — producing `https://<app-host>/<route>/api-staging…/api/
+    // auth/identity`, a 404 from the app's own origin. Prepend a scheme so the
+    // base is absolute. `https` mirrors `ABLO_HOSTED_HTTP_BASE_URL`; the socket
+    // layer derives `wss` from it. An existing scheme (ws/wss/http/https) is
+    // preserved untouched.
+    const schemed = /^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed) ? trimmed : `https://${trimmed}`;
+    try {
+        const url = new URL(schemed);
+        if (!LEGACY_HOSTED_API_HOSTS.has(url.hostname))
+            return schemed.replace(/\/+$/, '');
+        url.hostname = ABLO_HOSTED_API_DOMAIN;
+        if (url.protocol === 'http:')
+            url.protocol = 'https:';
+        if (url.protocol === 'ws:')
+            url.protocol = 'wss:';
+        return url.toString().replace(/\/+$/, '');
+    }
+    catch {
+        return schemed;
+    }
+}
 export function resolveBaseURL(input) {
-    return input.options.baseURL ?? ABLO_DEFAULT_BASE_URL;
+    return normalizeAbloHostedBaseUrl(input.options.baseURL ?? ABLO_DEFAULT_BASE_URL);
 }
 /**
  * Browser guard — apiKey is server-side-only by default. Same check
  * Anthropic, OpenAI, and Stripe ship: shipping `sk_live_...` to a
  * browser exposes it in every visitor's network tab. Consumers opt
- * in explicitly when they have a publishable key or a server proxy.
+ * in explicitly when the browser holds a minted session token
+ * (`ek_`/`rk_`) or routes through a server proxy.
  */
 export function assertBrowserSafety(input) {
+    const inBrowser = typeof window !== 'undefined';
     if (!input.dangerouslyAllowBrowser &&
-        typeof window !== 'undefined' &&
+        inBrowser &&
         typeof input.apiKey === 'string' &&
         input.apiKey.startsWith('sk_')) {
         throw new AbloAuthenticationError("It looks like you're running in a browser-like environment.\n\n" +
@@ -49,6 +101,14 @@ export function assertBrowserSafety(input) {
             '`dangerouslyAllowBrowser` option to `true`, e.g.,\n\n' +
             '    Ablo({ schema, apiKey, dangerouslyAllowBrowser: true });\n', { code: 'browser_apikey_blocked' });
     }
+    // `databaseUrl` carries DB credentials and is NEVER browser-safe, so
+    // `dangerouslyAllowBrowser` does not override it. Register your database from
+    // a server-side runtime.
+    if (inBrowser && typeof input.databaseUrl === 'string' && input.databaseUrl.length > 0) {
+        throw new AbloAuthenticationError('Ablo `databaseUrl` cannot be used in a browser-like environment — it ' +
+            'carries your database credentials. Initialize the client with ' +
+            '`databaseUrl` from a server-side runtime only.', { code: 'browser_database_url_blocked' });
+    }
 }
 /**
  * Resolve an `ApiKeySetter` callable to its current string value.
@@ -77,5 +137,17 @@ export async function resolveApiKeyValue(apiKey) {
  * preserves the protocol family (ws → http, wss → https).
  */
 export function resolveBootstrapBaseUrl(input) {
-    return input.bootstrapBaseUrl ?? `${input.url.replace(/^ws/, 'http')}/api`;
+    if (input.bootstrapBaseUrl) {
+        // Coerce ws/wss → http/https on the override path too. This base URL is
+        // used for HTTP fetches (identity resolve, apiKey exchange, bootstrap) and
+        // the browser `fetch` rejects ws/wss schemes outright ("URL scheme \"wss\"
+        // is not supported"). apps/web derives this override as `${baseUrl}/api`
+        // where `baseUrl` may carry a WebSocket scheme, so the override can
+        // legitimately arrive as `wss://…` — normalize it here rather than
+        // faceplanting at fetch time. The derive branch below already does this;
+        // the override branch silently skipped it.
+        return normalizeAbloHostedBaseUrl(input.bootstrapBaseUrl).replace(/^ws/, 'http');
+    }
+    const url = normalizeAbloHostedBaseUrl(input.url);
+    return `${url.replace(/^ws/, 'http')}/api`;
 }

package/dist/client/createInternalComponents.d.ts

@@ -16,6 +16,7 @@ import { ObjectPool } from '../ObjectPool.js';
 import { SyncClient } from '../SyncClient.js';
 import { HydrationCoordinator } from '../sync/HydrationCoordinator.js';
 import { BootstrapHelper } from '../sync/BootstrapHelper.js';
+import type { AuthCredentialSource } from '../auth/credentialSource.js';
 import type { Schema, SchemaRecord } from '../schema/schema.js';
 import { type AbloPersistence } from './persistence.js';
 export interface InternalComponentsInput<S extends SchemaRecord> {
@@ -31,6 +32,7 @@ export interface InternalComponentsInput<S extends SchemaRecord> {
         readonly offline?: boolean;
         readonly inMemory?: boolean;
     };
+    readonly auth?: AuthCredentialSource;
 }
 export interface InternalComponents {
     readonly modelRegistry: ModelRegistry;

package/dist/client/createInternalComponents.js

@@ -19,7 +19,7 @@ import { BootstrapHelper } from '../sync/BootstrapHelper.js';
 import { resolveBootstrapBaseUrl } from './auth.js';
 import { shouldUseInMemoryPersistence } from './persistence.js';
 export function createInternalComponents(input) {
-    const { schema, url, options } = input;
+    const { schema, url, options, auth } = input;
     // The registry is created here but model registration happens in
     // the caller (Ablo.ts owns `registerModelsFromSchema` since the
     // schema-to-class translation depends on private helpers there).
@@ -37,6 +37,7 @@ export function createInternalComponents(input) {
         baseUrl: bootstrapBaseUrl,
         syncGroups: options.syncGroups,
         instantModels: deriveInstantModels(schema),
+        getAuthToken: auth?.getAuthToken,
     });
     const database = new Database(modelRegistry, bootstrapHelper, {
         // Point-solution default: no browser-local durable store unless the
@@ -55,7 +56,13 @@ export function createInternalComponents(input) {
         registry: modelRegistry,
         schema,
         baseUrl: bootstrapBaseUrl,
+        getAuthToken: auth?.getAuthToken,
     });
+    // Drop the lazy-lane hydration ledger on reconnect. While connected, the
+    // WebSocket delta stream keeps hydrated rows fresh so repeat reads serve
+    // pure-local with no network; after a drop, deltas may have been missed, so
+    // the next read of each query must re-confirm with the server once.
+    syncClient.on('sync:reconnecting', () => hydration.invalidate());
     return {
         modelRegistry,
         objectPool,