@aooth/auth-moost 0.1.18 → 0.1.19

package/dist/atscript/index.d.mts

@@ -1,2 +1,2 @@
-import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-D7ZfanKT.mjs";
+import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-uqegc32h.mjs";
 export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };

package/dist/atscript/index.mjs

@@ -1,2 +1,2 @@
-import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-D7ZfanKT.mjs";
+import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-uqegc32h.mjs";
 export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };

package/dist/{forms-D7ZfanKT.mjs → forms-uqegc32h.mjs}

@@ -447,7 +447,7 @@ defineAnnotatedType("object", ProveControlOtpForm).prop("intro", defineAnnotated
 	name: "align",
 	value: "center"
 }, true).annotate("ui.form.pushDown", true).optional().$type).annotate("meta.label", "Confirm your identity").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Verify and link");
-defineAnnotatedType("object", AuthorizeConsentForm).prop("notice", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 1).annotate("ui.form.fn.value", "(_, _d, ctx) => { const a = ctx.public?.authz; const who = a?.clientName ? \"“\" + a.clientName + \"”\" : \"A local application\"; const sc = a?.scope ? \" It is requesting access to: \" + a.scope + \".\" : \"\"; return who + \" wants to sign in to your account.\" + sc + \" Authorize this only if you started it.\"; }").$type).prop("deny", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.order", 10).annotate("ui.form.action", {
+defineAnnotatedType("object", AuthorizeConsentForm).prop("notice", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 1).annotate("ui.form.fn.value", "(_, _d, ctx) => { const a = ctx.public?.authz; const host = a?.clientName && a?.redirectHost ? \" (\" + a.redirectHost + \")\" : \"\"; const who = a?.clientName ? \"“\" + a.clientName + \"”\" + host : \"A local application\"; const sc = a?.scope ? \" It is requesting access to: \" + a.scope + \".\" : \"\"; return who + \" wants to sign in to your account.\" + sc + \" Authorize this only if you started it.\"; }").$type).prop("deny", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.order", 10).annotate("ui.form.action", {
 	id: "deny",
 	label: "Deny"
 }).annotate("ui.form.attr", {

package/dist/index.d.mts

@@ -6,7 +6,7 @@ import { FinishWfOpts, WfFinished, useAtscriptWf } from "@atscript/moost-wf";
 import { MoostWf, WfOutlet, WfOutletTokenConfig, WfStateStrategy } from "@moostjs/event-wf";
 import { FederatedLoginService, NormalizedProfile, OAuthProviderRegistry } from "@aooth/idp";
 import { TAtscriptAnnotatedType } from "@atscript/typescript/utils";
-import { AuthCodeStore, ClientRedirectPolicy, IdTokenSigner, OidcClaimsResolver, PendingAuthorizationStore } from "@aooth/auth/authz";
+import { AuthCodeStore, AuthorizationServerMetadata, AuthorizationServerMetadata as AuthorizationServerMetadata$1, BuildAuthorizationServerMetadataOptions, BuildProtectedResourceMetadataOptions, ClientRedirectPolicy, DynamicClientRegistration, DynamicClientRegistration as DynamicClientRegistration$1, DynamicClientRegistrationOptions, IdTokenSigner, OidcClaimsResolver, PendingAuthorizationStore, ProtectedResourceMetadata, WwwAuthenticateBearerChallengeOptions, buildAuthorizationServerMetadata, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer } from "@aooth/auth/authz";
 
 //#region src/auth.config.d.ts
 /** Resolved cookie attributes. Same shape is used for both access + refresh. */
@@ -852,6 +852,7 @@ interface OidcDiscoveryDocument {
   authorization_endpoint: string;
   token_endpoint: string;
   jwks_uri: string;
+  registration_endpoint?: string;
   response_types_supported: string[];
   grant_types_supported: string[];
   subject_types_supported: string[];
@@ -860,6 +861,23 @@ interface OidcDiscoveryDocument {
   code_challenge_methods_supported: string[];
   token_endpoint_auth_methods_supported: string[];
 }
+/** RFC 7591 §3.2.1 registration response — public client, so no secret fields. */
+interface ClientRegistrationSuccess {
+  client_id: string;
+  /** Seconds since epoch (the RFC's unit — NOT ms). */
+  client_id_issued_at: number;
+  redirect_uris: string[];
+  token_endpoint_auth_method: string;
+  grant_types: string[];
+  response_types: string[];
+  client_name?: string;
+  scope?: string;
+}
+/** RFC 7591 §3.2.2 registration error response. */
+interface ClientRegistrationFailure {
+  error: string;
+  error_description?: string;
+}
 /**
  * The authorization-server endpoints (AUTH-SERVER.md). Turns the existing login
  * workflow into an OAuth/OIDC authorization server for the app's OWN clients — a
@@ -909,21 +927,75 @@ declare class AuthorizeController {
    * custom login path.
    */
   protected loginPath(): string;
-  authorize(responseType: string | undefined, redirectUri: string | undefined, clientId: string | undefined, state: string | undefined, codeChallenge: string | undefined, codeChallengeMethod: string | undefined, scope: string | undefined, nonce: string | undefined): Promise<string>;
+  /**
+   * The issuer identifier for the RFC 8414 metadata document. Defaults to the
+   * Tier-2 signer's issuer; a SIGNER-LESS deployment that serves MCP connector
+   * clients must **override** this (return `{origin}/auth`-style, byte-exact —
+   * never derived from the Host header, which would let a request inject its
+   * host into a cacheable discovery document). `undefined` ⇒ the
+   * `oauth-authorization-server` endpoint 404s.
+   */
+  protected getIssuer(): string | undefined;
+  /**
+   * The RFC 7591 dynamic-client-registration operation, or `undefined` (the
+   * default) to disable DCR — then `POST /auth/register` 404s and neither
+   * discovery document advertises a `registration_endpoint`. **Override** in a
+   * subclass: inject a `DynamicClientStore` (the `DYNAMIC_CLIENT_STORE_TOKEN`
+   * provider) as a required ctor param, build one `DynamicClientRegistration`
+   * around it, and return it here. Same plain-getter pattern as
+   * {@link getIdTokenSigner} (an optional `@Inject` panics in moost's
+   * route-table pass).
+   */
+  protected getDynamicClientRegistration(): DynamicClientRegistration$1 | undefined;
+  /**
+   * `scopes_supported` for the RFC 8414 document (optional per the RFC; omitted
+   * by default — deliberately NOT inheriting the OIDC document's hardcoded
+   * list, which describes Tier-2 sign-in scopes). Override to advertise what
+   * connector clients may request.
+   */
+  protected scopesSupported(): string[] | undefined;
+  authorize(responseType: string | undefined, redirectUri: string | undefined, clientId: string | undefined, state: string | undefined, codeChallenge: string | undefined, codeChallengeMethod: string | undefined, scope: string | undefined, nonce: string | undefined, resource: string | undefined): Promise<string>;
   token(body: {
     grant_type?: string;
     code?: string;
     code_verifier?: string;
     client_id?: string;
     client_secret?: string;
+    resource?: string | string[];
   } | undefined): Promise<TokenSuccess | TokenError>;
   /**
    * OIDC discovery (Tier 2). Derives every endpoint from the signer's `issuer`
    * (configured as `{origin}/auth`), so a relying `OidcProvider` configured with
    * the same `issuer` resolves `/authorize`, `/token`, and `/jwks` automatically.
-   * 404 when no signer is wired (Tier-1-only deployment).
+   * 404 when no signer is wired (Tier-1-only deployment). When DCR is also
+   * wired, `registration_endpoint` is advertised here too — in a combined
+   * deployment a client that prefers `openid-configuration` over the RFC 8414
+   * document must see the same capability set.
    */
   discovery(): OidcDiscoveryDocument | TokenError;
+  /**
+   * RFC 8414 Authorization Server Metadata — the OAuth-flavored discovery MCP
+   * connector clients fetch (OAUTH.md R1). Served signer-INDEPENDENTLY: it
+   * needs only an issuer ({@link getIssuer} — overridable for a Tier-1-style
+   * deployment with no `IdTokenSigner`). Mounted under the controller this is
+   * the suffix form `{issuer}/.well-known/oauth-authorization-server`; the
+   * RFC-correct path-insertion form at the HTTP-server ROOT
+   * (`/.well-known/oauth-authorization-server/<issuer-path>`) cannot be
+   * registered by a prefix-mounted controller — consumers mount it themselves
+   * from the exported `buildAuthorizationServerMetadata` (re-exported by this
+   * package).
+   */
+  oauthServerMetadata(): AuthorizationServerMetadata$1 | TokenError;
+  /**
+   * RFC 7591 Dynamic Client Registration (OAUTH.md R2) — anonymous by spec;
+   * 404 unless a registration operation is wired ({@link
+   * getDynamicClientRegistration}). A thin HTTP adapter: validation, abuse
+   * knobs (guard / cap / never-used GC) and persistence live in
+   * `DynamicClientRegistration` (`@aooth/auth`). Public clients only — the
+   * response carries NO `client_secret` and NO `client_secret_expires_at`
+   * (RFC 7591 §3.2.1 requires them only when a secret is issued).
+   */
+  register(body: unknown): Promise<ClientRegistrationSuccess | ClientRegistrationFailure | TokenError>;
   /** The signer's public JWKS (Tier 2). 404 when no signer is wired. */
   jwks(): Promise<Awaited<ReturnType<IdTokenSigner["jwks"]>>> | TokenError;
   /** Fail soft: 302 the validated client redirect with an `?error=` (+ echoed `state`). */
@@ -1013,6 +1085,17 @@ declare const AUTH_CODE_STORE_TOKEN = "aooth:AuthCodeStore";
  * `CompositeClientPolicy` of both) under this string.
  */
 declare const CLIENT_REDIRECT_POLICY_TOKEN = "aooth:ClientRedirectPolicy";
+/**
+ * DI token for the {@link import("@aooth/auth/authz").DynamicClientStore}
+ * (RFC 7591 dynamic registrations) — an abstract class, same auto-instantiation
+ * hazard as the store tokens above. The BASE `AuthorizeController` never
+ * injects it (DCR is optional, and an optional `@Inject` panics in moost's
+ * route-table pass): a consumer subclass that enables DCR adds it as a
+ * REQUIRED ctor param, builds a `DynamicClientRegistration` around it, and
+ * overrides `getDynamicClientRegistration()`. The same store instance also
+ * backs the `DynamicClientPolicy` composed into the redirect policy.
+ */
+declare const DYNAMIC_CLIENT_STORE_TOKEN = "aooth:DynamicClientStore";
 //#endregion
 //#region src/workflow/auth-workflow.ctx.d.ts
 type MfaTransport = "sms" | "email" | "totp";
@@ -1295,6 +1378,16 @@ interface AuthWfAdminState {
   availableRoles?: string[];
   roles?: string[];
   userExtras?: Record<string, unknown>;
+  /**
+   * Re-invite decision stamp — set by `admin-form` when `duplicateInviteCheck`
+   * returns `'reuse'` (the default for a row still parked on
+   * `account.pendingInvitation`). `create-user` then refreshes the existing
+   * row (fresh roles + extras, `pendingInvitation` re-asserted) instead of
+   * creating, and `send-email` mints a fresh magic link. Re-validated in
+   * `create-user` against a fresh read: non-pending row → 409, vanished row →
+   * normal create path.
+   */
+  reuseExisting?: boolean;
   /**
    * Outlet-pause idempotency marker for `send-email`. Flipped to `true`
    * after the first dispatch so the invitee's magic-link resume — which
@@ -1577,13 +1670,15 @@ interface AuthWfPublicState {
   newPasswordRequired?: boolean;
   /**
    * Mirrors the display-only fields of `ctx.authz` — the requesting client's
-   * id/name and granted scope, shown on the authorize-consent form. The
-   * `handle` and the `approved` gate stay server-only (never whitelisted onto
-   * the wire).
+   * id/name, granted scope, and the VALIDATED redirect host (the trustworthy
+   * identity shown next to the attacker-choosable `clientName`), shown on the
+   * authorize-consent form. The `handle` and the `approved` gate stay
+   * server-only (never whitelisted onto the wire).
    */
   authz?: {
     clientName?: string;
     scope?: string;
+    redirectHost?: string;
   };
 }
 /** Unified workflow context shape — one type for all three flows. */
@@ -1657,14 +1752,17 @@ interface AuthWfCtx {
    * "Continue with <provider>" detour mid-authorize. Presence routes the login
    * tail to the `authz-consent` → `mint-authz-code` terminal (deliver an auth
    * code to the client) INSTEAD of `issue`/`redirect` — no browser session is
-   * minted. `clientName`/`scope` are staged by `authz-consent` for the consent
-   * form's display copy; `approved` is the explicit user-consent gate the
-   * `mint-authz-code` terminal requires before it will mint a code.
+   * minted. `clientName`/`scope`/`redirectHost` are staged by `authz-consent`
+   * for the consent form's display copy (`redirectHost` is parsed from the
+   * VALIDATED redirect — the trustworthy identity next to the registrant-chosen
+   * name); `approved` is the explicit user-consent gate the `mint-authz-code`
+   * terminal requires before it will mint a code.
    */
   authz?: {
     handle: string;
     clientName?: string;
     scope?: string;
+    redirectHost?: string;
     approved?: boolean;
   };
   /**
@@ -1897,14 +1995,21 @@ declare class AuthWorkflow {
     email: string;
   }): Promise<string[]> | string[];
   /**
-   * Override the structural duplicate rule for `admin-form`. Default: any
-   * existing row → `'reject'`; nothing → `'allow'`. Multi-tenant apps that
-   * allow re-inviting the same email into a different tenant override.
+   * Override the structural duplicate rule for `admin-form`. Default: a row
+   * still parked on `account.pendingInvitation` → `'reuse'` (re-invite:
+   * `create-user` refreshes the existing record in place and `send-email`
+   * mints a fresh magic link — see `createUser`); any other existing row →
+   * `'reject'`; nothing → `'allow'`.
+   *
+   * Multi-tenant apps that allow re-inviting the same email into a different
+   * tenant override to `'allow'`. Apps that want the strict legacy behavior
+   * ("Invite already pending" error on a duplicate invite of a pending user)
+   * return `'reject'` for pending rows.
    */
   protected duplicateInviteCheck(input: {
     email: string;
     existingUser: UserCredentials | null;
-  }): Promise<"allow" | "reject"> | "allow" | "reject";
+  }): Promise<"allow" | "reject" | "reuse"> | "allow" | "reject" | "reuse";
   /**
    * Implements the "log out other sessions" branch of `sessionPolicy.concurrencyLimit`.
    * Default revokes every existing session via `auth.revokeAllForUser` — which is
@@ -2496,6 +2601,19 @@ declare class AuthWorkflow {
    * Create the user row from `ctx.admin.userExtras` (plus the admin-supplied
    * `ctx.admin.roles`), then stamp `pendingInvitation = true` via a follow-up
    * deep-merge update so `createUser`-applied account defaults survive.
+   *
+   * Re-invite (`ctx.admin.reuseExisting`, stamped by `admin-form` on a
+   * `'reuse'` verdict): REFRESH the existing row instead of creating — apply
+   * the freshly-picked roles + `prepareUser` extras, re-assert
+   * `pendingInvitation`, and leave password/MFA state untouched (a pending
+   * record never had usable credentials). `send-email` downstream then mints
+   * a fresh durable handle, i.e. a new full-TTL magic link. Guarded by a
+   * FRESH `pendingInvitation` read: a `'reuse'` verdict for an accepted
+   * account 409s as a logic error rather than silently re-pending a live
+   * user; a row that vanished since `admin-form` falls through to the normal
+   * create path. The refresh is a deep-merge update: arrays (`roles`)
+   * replace wholesale, but extras keys the current `prepareUser` no longer
+   * returns linger from the original invite.
    */
   createUser(ctx: AuthWfCtx): Promise<undefined>;
   /**
@@ -3186,4 +3304,4 @@ interface AuditEmitter {
   emit(event: AuditEvent): Promise<void> | void;
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, AuthorizeController, AuthorizeRuntime, type BuildMagicLinkUrl, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, type AuditEmitter, type AuditEvent, type AuthBindings, type AuthContext, AuthController, type AuthDeliveryPayload, type AuthEmailEvent, type AuthEmailKind, type AuthEmailOutletDeps, AuthGuarded, type AuthLoginResponse, type AuthLogoutBody, type AuthOkResponse, type AuthOptions, type AuthRefreshBody, type AuthSmsEvent, type AuthSmsKind, type AuthWfCompletionState, type AuthWfConsentsState, type AuthWfCtx, type AuthWfMfaEnrollState, type AuthWfOAuthState, type AuthWfPasswordUiState, type AuthWfPincodeUiState, AuthWorkflow, type AuthWorkflowOpts, type AuthorizationServerMetadata, AuthorizeController, AuthorizeRuntime, type BuildAuthorizationServerMetadataOptions, type BuildMagicLinkUrl, type BuildProtectedResourceMetadataOptions, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, type ConcurrencyLimitOptions, type ConnectedAccount, type ConsentDescriptor, type ConsentDescriptorLike, type ConsentEvent, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, type DynamicClientRegistrationOptions, type EmailSender, type EnrichedSession, FEDERATED_IDENTITY_STORE_TOKEN, type IssueResult, type LoginRedirect, type MfaSummary, type MfaTransport, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, type ProtectedResourceMetadata, Public, RESERVED_USER_KEYS, type ResolvedAuthCookieConfig, type ResolvedAuthOptions, type ResolvedAuthWorkflowOpts, type SessionEnricher, SessionEnricherProvider, type SessionInfo, SessionsController, type SmsSender, type SsoProvider, type TAuthMeta, UserId, WfTrigger, type WfTriggerOpts, WfTriggerProvider, type WwwAuthenticateBearerChallengeOptions, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { C as Select2faForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-D7ZfanKT.mjs";
+import { C as Select2faForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-uqegc32h.mjs";
 import { Controller, HandlerPaths, Inherit, Inject, InjectMoostLogger, Injectable, Intercept, MoostInit, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
 import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
@@ -10,7 +10,7 @@ import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
 import { createAsHttpOutlet, finishWf, handleAsOutletRequest, useAtscriptWf } from "@atscript/moost-wf";
 import { EncapsulatedStateStrategy, MoostWf, Step, StepRetriableError, StepTTL, Workflow, WorkflowParam, WorkflowSchema, createEmailOutlet, outletEmail, swapStrategy, useWfFinished, useWfState } from "@moostjs/event-wf";
 import { FederatedLoginService, OAuthError, OAuthProviderRegistry, generateRandomState, pkceChallengeFor } from "@aooth/idp";
-import { AuthorizeError, NoopOidcClaimsResolver } from "@aooth/auth/authz";
+import { ClientRegistrationError, DynamicClientRegistration, NoopOidcClaimsResolver, buildAuthorizationServerMetadata, buildAuthorizationServerMetadata as buildAuthorizationServerMetadata$1, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, canonicalizeIssuer as canonicalizeIssuer$1 } from "@aooth/auth/authz";
 //#region \0@oxc-project+runtime@0.133.0/helpers/esm/decorate.js
 function __decorate(decorators, target, key, desc) {
 	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -705,6 +705,17 @@ const AUTH_CODE_STORE_TOKEN = "aooth:AuthCodeStore";
 * `CompositeClientPolicy` of both) under this string.
 */
 const CLIENT_REDIRECT_POLICY_TOKEN = "aooth:ClientRedirectPolicy";
+/**
+* DI token for the {@link import("@aooth/auth/authz").DynamicClientStore}
+* (RFC 7591 dynamic registrations) — an abstract class, same auto-instantiation
+* hazard as the store tokens above. The BASE `AuthorizeController` never
+* injects it (DCR is optional, and an optional `@Inject` panics in moost's
+* route-table pass): a consumer subclass that enables DCR adds it as a
+* REQUIRED ctor param, builds a `DynamicClientRegistration` around it, and
+* overrides `getDynamicClientRegistration()`. The same store instance also
+* backs the `DynamicClientPolicy` composed into the redirect policy.
+*/
+const DYNAMIC_CLIENT_STORE_TOKEN = "aooth:DynamicClientStore";
 //#endregion
 //#region \0@oxc-project+runtime@0.133.0/helpers/esm/decorateParam.js
 function __decorateParam(paramIndex, decorator) {
@@ -1170,11 +1181,19 @@ let AuthWorkflow = class AuthWorkflow {
 		return [];
 	}
 	/**
-	* Override the structural duplicate rule for `admin-form`. Default: any
-	* existing row → `'reject'`; nothing → `'allow'`. Multi-tenant apps that
-	* allow re-inviting the same email into a different tenant override.
+	* Override the structural duplicate rule for `admin-form`. Default: a row
+	* still parked on `account.pendingInvitation` → `'reuse'` (re-invite:
+	* `create-user` refreshes the existing record in place and `send-email`
+	* mints a fresh magic link — see `createUser`); any other existing row →
+	* `'reject'`; nothing → `'allow'`.
+	*
+	* Multi-tenant apps that allow re-inviting the same email into a different
+	* tenant override to `'allow'`. Apps that want the strict legacy behavior
+	* ("Invite already pending" error on a duplicate invite of a pending user)
+	* return `'reject'` for pending rows.
 	*/
 	duplicateInviteCheck(input) {
+		if (input.existingUser?.account?.pendingInvitation) return "reuse";
 		return input.existingUser ? "reject" : "allow";
 	}
 	/**
@@ -1751,7 +1770,11 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 		if (ctx.newPasswordRequired !== void 0) pub.newPasswordRequired = ctx.newPasswordRequired;
 		if (ctx.authz) {
-			const sub = pickDefined(ctx.authz, ["clientName", "scope"]);
+			const sub = pickDefined(ctx.authz, [
+				"clientName",
+				"scope",
+				"redirectHost"
+			]);
 			if (sub) pub.authz = sub;
 		}
 		ctx.public = pub;
@@ -2430,14 +2453,16 @@ let AuthWorkflow = class AuthWorkflow {
 			if (parsed.find((r) => !allowed.has(r)) !== void 0) throw this.throwPublic(ctx, wf, { errors: { roles: "Invalid role" } });
 		}
 		const existing = await this.users.findByHandle(email);
-		if (await this.duplicateInviteCheck({
+		const action = await this.duplicateInviteCheck({
 			email,
 			existingUser: existing
-		}) === "reject") {
+		});
+		if (action === "reject") {
 			if (existing?.account?.pendingInvitation) throw this.throwPublic(ctx, wf, { errors: { email: "Invite already pending" } });
 			if (existing) throw this.throwPublic(ctx, wf, { errors: { email: "User already exists" } });
 			throw this.throwPublic(ctx, wf, { errors: { email: "Duplicate invite rejected" } });
 		}
+		if (action === "reuse") (ctx.admin ??= {}).reuseExisting = true;
 		ctx.email = email;
 		if (parsed.length > 0) (ctx.admin ??= {}).roles = parsed;
 	}
@@ -2473,6 +2498,19 @@ let AuthWorkflow = class AuthWorkflow {
 	* Create the user row from `ctx.admin.userExtras` (plus the admin-supplied
 	* `ctx.admin.roles`), then stamp `pendingInvitation = true` via a follow-up
 	* deep-merge update so `createUser`-applied account defaults survive.
+	*
+	* Re-invite (`ctx.admin.reuseExisting`, stamped by `admin-form` on a
+	* `'reuse'` verdict): REFRESH the existing row instead of creating — apply
+	* the freshly-picked roles + `prepareUser` extras, re-assert
+	* `pendingInvitation`, and leave password/MFA state untouched (a pending
+	* record never had usable credentials). `send-email` downstream then mints
+	* a fresh durable handle, i.e. a new full-TTL magic link. Guarded by a
+	* FRESH `pendingInvitation` read: a `'reuse'` verdict for an accepted
+	* account 409s as a logic error rather than silently re-pending a live
+	* user; a row that vanished since `admin-form` falls through to the normal
+	* create path. The refresh is a deep-merge update: arrays (`roles`)
+	* replace wholesale, but extras keys the current `prepareUser` no longer
+	* returns linger from the original invite.
 	*/
 	async createUser(ctx) {
 		if (!ctx.email) throw new HttpError$1(500, "Workflow state corrupted: missing email");
@@ -2481,6 +2519,18 @@ let AuthWorkflow = class AuthWorkflow {
 			...ctx.admin?.userExtras,
 			...adminRoles && adminRoles.length > 0 && { roles: adminRoles }
 		};
+		if (ctx.admin?.reuseExisting) {
+			const existing = await this.users.findByHandle(ctx.email);
+			if (existing) {
+				if (!existing.account?.pendingInvitation) throw new HttpError$1(409, "User already exists");
+				await this.users.update(existing.id, {
+					...fields,
+					account: { pendingInvitation: true }
+				});
+				ctx.subject = existing.id;
+				return;
+			}
+		}
 		let created;
 		try {
 			created = await this.users.createUser(ctx.email, void 0, fields);
@@ -3696,8 +3746,12 @@ let AuthWorkflow = class AuthWorkflow {
 			} });
 			return;
 		}
-		if (req.clientId !== void 0) authz.clientName = req.clientId;
+		const clientName = req.clientName ?? req.clientId;
+		if (clientName !== void 0) authz.clientName = clientName;
 		if (req.scope !== void 0) authz.scope = req.scope;
+		try {
+			authz.redirectHost = new URL(req.redirectUri).host;
+		} catch {}
 		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.authzConsent);
 		if (wf.resolveAction() === "deny") {
 			await pending.delete(authz.handle);
@@ -3762,6 +3816,7 @@ let AuthWorkflow = class AuthWorkflow {
 			redirectUri: req.redirectUri,
 			...req.clientId !== void 0 && { clientId: req.clientId },
 			...req.scope !== void 0 && { scope: req.scope },
+			...req.resource !== void 0 && { resource: req.resource },
 			...req.nonce !== void 0 && { nonce: req.nonce },
 			...req.idToken !== void 0 && { idToken: req.idToken },
 			...req.accessToken !== void 0 && { accessToken: req.accessToken },
@@ -5969,7 +6024,36 @@ let AuthorizeController = class AuthorizeController {
 	loginPath() {
 		return "/login";
 	}
-	async authorize(responseType, redirectUri, clientId, state, codeChallenge, codeChallengeMethod, scope, nonce) {
+	/**
+	* The issuer identifier for the RFC 8414 metadata document. Defaults to the
+	* Tier-2 signer's issuer; a SIGNER-LESS deployment that serves MCP connector
+	* clients must **override** this (return `{origin}/auth`-style, byte-exact —
+	* never derived from the Host header, which would let a request inject its
+	* host into a cacheable discovery document). `undefined` ⇒ the
+	* `oauth-authorization-server` endpoint 404s.
+	*/
+	getIssuer() {
+		return this.getIdTokenSigner()?.issuer;
+	}
+	/**
+	* The RFC 7591 dynamic-client-registration operation, or `undefined` (the
+	* default) to disable DCR — then `POST /auth/register` 404s and neither
+	* discovery document advertises a `registration_endpoint`. **Override** in a
+	* subclass: inject a `DynamicClientStore` (the `DYNAMIC_CLIENT_STORE_TOKEN`
+	* provider) as a required ctor param, build one `DynamicClientRegistration`
+	* around it, and return it here. Same plain-getter pattern as
+	* {@link getIdTokenSigner} (an optional `@Inject` panics in moost's
+	* route-table pass).
+	*/
+	getDynamicClientRegistration() {}
+	/**
+	* `scopes_supported` for the RFC 8414 document (optional per the RFC; omitted
+	* by default — deliberately NOT inheriting the OIDC document's hardcoded
+	* list, which describes Tier-2 sign-in scopes). Override to advertise what
+	* connector clients may request.
+	*/
+	scopesSupported() {}
+	async authorize(responseType, redirectUri, clientId, state, codeChallenge, codeChallengeMethod, scope, nonce, resource) {
 		const res = useResponse(current());
 		if (!redirectUri) {
 			res.status = 400;
@@ -5982,17 +6066,22 @@ let AuthorizeController = class AuthorizeController {
 				redirectUri,
 				...scope !== void 0 && { scope }
 			});
-		} catch (e) {
+		} catch {
 			res.status = 400;
-			return e instanceof AuthorizeError ? `invalid request: ${e.code}` : "invalid request";
+			return "invalid request";
 		}
 		if (responseType !== "code" || !codeChallenge || codeChallengeMethod !== "S256") return this.redirectError(resolved.redirectUri, "invalid_request", state);
+		if (resource !== void 0) {
+			if (useUrlParams(current()).params().getAll("resource").length > 1 || resource.length > 2e3) return this.redirectError(resolved.redirectUri, "invalid_target", state);
+		}
 		const binding = randomBytes(32).toString("base64url");
 		const { handle, expiresAt } = await this.pending.create({
 			...resolved.clientId !== void 0 && { clientId: resolved.clientId },
+			...resolved.clientName !== void 0 && { clientName: resolved.clientName },
 			redirectUri: resolved.redirectUri,
 			codeChallenge,
 			...state !== void 0 && { clientState: state },
+			...resource !== void 0 && { resource },
 			...resolved.scope !== void 0 && { scope: resolved.scope },
 			...nonce !== void 0 && { nonce },
 			...resolved.idToken !== void 0 && { idToken: resolved.idToken },
@@ -6049,6 +6138,14 @@ let AuthorizeController = class AuthorizeController {
 			res.status = 401;
 			return { error: "invalid_client" };
 		}
+		if (Array.isArray(body.resource)) {
+			res.status = 400;
+			return { error: "invalid_target" };
+		}
+		if (row.resource !== void 0 && body.resource !== void 0 && row.resource !== body.resource) {
+			res.status = 400;
+			return { error: "invalid_target" };
+		}
 		const wantIdToken = row.idToken === true;
 		const wantAccessToken = row.accessToken !== false;
 		if (!wantIdToken && !wantAccessToken) {
@@ -6100,7 +6197,10 @@ let AuthorizeController = class AuthorizeController {
 	* OIDC discovery (Tier 2). Derives every endpoint from the signer's `issuer`
 	* (configured as `{origin}/auth`), so a relying `OidcProvider` configured with
 	* the same `issuer` resolves `/authorize`, `/token`, and `/jwks` automatically.
-	* 404 when no signer is wired (Tier-1-only deployment).
+	* 404 when no signer is wired (Tier-1-only deployment). When DCR is also
+	* wired, `registration_endpoint` is advertised here too — in a combined
+	* deployment a client that prefers `openid-configuration` over the RFC 8414
+	* document must see the same capability set.
 	*/
 	discovery() {
 		const res = useResponse(current());
@@ -6115,6 +6215,7 @@ let AuthorizeController = class AuthorizeController {
 			authorization_endpoint: `${iss}/authorize`,
 			token_endpoint: `${iss}/token`,
 			jwks_uri: `${iss}/jwks`,
+			...this.getDynamicClientRegistration() && { registration_endpoint: `${iss}/register` },
 			response_types_supported: ["code"],
 			grant_types_supported: ["authorization_code"],
 			subject_types_supported: ["public"],
@@ -6128,6 +6229,81 @@ let AuthorizeController = class AuthorizeController {
 			token_endpoint_auth_methods_supported: ["none", "client_secret_post"]
 		};
 	}
+	/**
+	* RFC 8414 Authorization Server Metadata — the OAuth-flavored discovery MCP
+	* connector clients fetch (OAUTH.md R1). Served signer-INDEPENDENTLY: it
+	* needs only an issuer ({@link getIssuer} — overridable for a Tier-1-style
+	* deployment with no `IdTokenSigner`). Mounted under the controller this is
+	* the suffix form `{issuer}/.well-known/oauth-authorization-server`; the
+	* RFC-correct path-insertion form at the HTTP-server ROOT
+	* (`/.well-known/oauth-authorization-server/<issuer-path>`) cannot be
+	* registered by a prefix-mounted controller — consumers mount it themselves
+	* from the exported `buildAuthorizationServerMetadata` (re-exported by this
+	* package).
+	*/
+	oauthServerMetadata() {
+		const res = useResponse(current());
+		const rawIssuer = this.getIssuer();
+		if (!rawIssuer) {
+			res.status = 404;
+			return { error: "not_found" };
+		}
+		const issuer = canonicalizeIssuer$1(rawIssuer);
+		return buildAuthorizationServerMetadata$1({
+			issuer,
+			...this.getDynamicClientRegistration() && { registrationEndpoint: `${issuer}/register` },
+			...this.getIdTokenSigner() && { jwksUri: `${issuer}/jwks` },
+			...this.scopesSupported() && { scopesSupported: this.scopesSupported() }
+		});
+	}
+	/**
+	* RFC 7591 Dynamic Client Registration (OAUTH.md R2) — anonymous by spec;
+	* 404 unless a registration operation is wired ({@link
+	* getDynamicClientRegistration}). A thin HTTP adapter: validation, abuse
+	* knobs (guard / cap / never-used GC) and persistence live in
+	* `DynamicClientRegistration` (`@aooth/auth`). Public clients only — the
+	* response carries NO `client_secret` and NO `client_secret_expires_at`
+	* (RFC 7591 §3.2.1 requires them only when a secret is issued).
+	*/
+	async register(body) {
+		const res = useResponse(current());
+		const registration = this.getDynamicClientRegistration();
+		if (!registration) {
+			res.status = 404;
+			return { error: "not_found" };
+		}
+		if (!(useHeaders(current())["content-type"] ?? "").includes("application/json")) {
+			res.status = 400;
+			return {
+				error: "invalid_client_metadata",
+				error_description: "registration requests must be application/json"
+			};
+		}
+		try {
+			const client = await registration.register(body);
+			res.status = 201;
+			return {
+				client_id: client.clientId,
+				client_id_issued_at: Math.floor(client.createdAt / 1e3),
+				redirect_uris: client.redirectUris,
+				token_endpoint_auth_method: client.tokenEndpointAuthMethod,
+				grant_types: client.grantTypes,
+				response_types: client.responseTypes,
+				...client.clientName !== void 0 && { client_name: client.clientName },
+				...client.scope !== void 0 && { scope: client.scope }
+			};
+		} catch (e) {
+			if (e instanceof ClientRegistrationError) {
+				res.status = 400;
+				return {
+					error: e.code,
+					error_description: e.message
+				};
+			}
+			res.status = 500;
+			return { error: "server_error" };
+		}
+	}
 	/** The signer's public JWKS (Tier 2). 404 when no signer is wired. */
 	jwks() {
 		const res = useResponse(current());
@@ -6160,6 +6336,7 @@ __decorate([
 	__decorateParam(5, Query("code_challenge_method")),
 	__decorateParam(6, Query("scope")),
 	__decorateParam(7, Query("nonce")),
+	__decorateParam(8, Query("resource")),
 	__decorateMetadata("design:type", Function),
 	__decorateMetadata("design:paramtypes", [
 		Object,
@@ -6169,6 +6346,7 @@ __decorate([
 		Object,
 		Object,
 		Object,
+		Object,
 		Object
 	]),
 	__decorateMetadata("design:returntype", Promise)
@@ -6188,6 +6366,21 @@ __decorate([
 	__decorateMetadata("design:paramtypes", []),
 	__decorateMetadata("design:returntype", Object)
 ], AuthorizeController.prototype, "discovery", null);
+__decorate([
+	Get(".well-known/oauth-authorization-server"),
+	Public(),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", []),
+	__decorateMetadata("design:returntype", Object)
+], AuthorizeController.prototype, "oauthServerMetadata", null);
+__decorate([
+	Post("register"),
+	Public(),
+	__decorateParam(0, Body()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthorizeController.prototype, "register", null);
 __decorate([
 	Get("jwks"),
 	Public(),
@@ -6244,4 +6437,4 @@ function createAuthEmailOutlet(deps) {
 	});
 }
 //#endregion
-export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildInviteAlreadyAcceptedEnvelope, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };
+export { ADD_MFA_WORKFLOW, AUTHZ_BINDING_COOKIE, AUTH_CODE_STORE_TOKEN, AuthController, AuthGuarded, AuthWorkflow, AuthorizeController, AuthorizeRuntime, CHANGE_PASSWORD_WORKFLOW, CLIENT_REDIRECT_POLICY_TOKEN, ConsentStore, DEFAULT_AUTH_WORKFLOWS, DYNAMIC_CLIENT_STORE_TOKEN, DynamicClientRegistration, FEDERATED_IDENTITY_STORE_TOKEN, OAUTH_CSRF_COOKIE, OAuthController, OAuthRuntime, PENDING_AUTHORIZATION_STORE_TOKEN, Public, RESERVED_USER_KEYS, SessionEnricherProvider, SessionsController, UserId, WfTrigger, WfTriggerProvider, authGuardInterceptor, authzBindingCookieAttrs, buildAuthorizationServerMetadata, buildInviteAlreadyAcceptedEnvelope, buildProtectedResourceMetadata, buildWwwAuthenticateBearerChallenge, canonicalizeIssuer, createAuthEmailOutlet, deriveWfStateSecret, generateMagicLinkToken, getAuthMate, isSafeRelativeRedirect, oauthCsrfCookieAttrs, parseInviteRoles, resolveOAuthRedirect, stripReservedUserKeys, useAuth };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.18",
+  "version": "0.1.19",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -59,10 +59,10 @@
   "dependencies": {
     "@atscript/moost-wf": "^0.1.98",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/arbac-moost": "^0.1.18",
-    "@aooth/auth": "0.1.18",
-    "@aooth/idp": "0.1.18",
-    "@aooth/user": "0.1.18"
+    "@aooth/auth": "0.1.19",
+    "@aooth/arbac-moost": "^0.1.19",
+    "@aooth/idp": "0.1.19",
+    "@aooth/user": "0.1.19"
   },
   "devDependencies": {
     "@atscript/core": "^0.1.75",

package/src/atscript/models/forms.as

@@ -991,15 +991,20 @@ export interface ProveControlOtpForm {
  * client it never approved. Fieldless apart from the explanatory paragraph; the
  * primary submit ('Authorize') records consent and proceeds to the mint, the
  * 'Deny' action 302s the client back with `error=access_denied`. The requesting
- * client + scope ride the `@wf.context.pass 'public'` `ctx.public.authz`
- * whitelist (display-only — the handle / approval gate stay server-side).
+ * client + scope + validated redirect host ride the `@wf.context.pass 'public'`
+ * `ctx.public.authz` whitelist (display-only — the handle / approval gate stay
+ * server-side). `clientName` is REGISTRANT-SUPPLIED text (a DCR client names
+ * itself), so the copy pairs it with the validated redirect host — where the
+ * code is actually delivered, which a self-chosen name can't fake — and the
+ * `ui.paragraph` renderer emits a TEXT node (never markup/links), so a
+ * malicious name can't become a clickable phish.
  */
 @meta.label 'Authorize access'
 @wf.context.pass 'public'
 @ui.form.submit.text 'Authorize'
 export interface AuthorizeConsentForm {
     @ui.form.order 1
-    @ui.form.fn.value '(_, _d, ctx) => { const a = ctx.public?.authz; const who = a?.clientName ? "“" + a.clientName + "”" : "A local application"; const sc = a?.scope ? " It is requesting access to: " + a.scope + "." : ""; return who + " wants to sign in to your account." + sc + " Authorize this only if you started it."; }'
+    @ui.form.fn.value '(_, _d, ctx) => { const a = ctx.public?.authz; const host = a?.clientName && a?.redirectHost ? " (" + a.redirectHost + ")" : ""; const who = a?.clientName ? "“" + a.clientName + "”" + host : "A local application"; const sc = a?.scope ? " It is requesting access to: " + a.scope + "." : ""; return who + " wants to sign in to your account." + sc + " Authorize this only if you started it."; }'
     notice: ui.paragraph
 
     @ui.form.order 10

package/src/atscript/models/forms.as.d.ts

@@ -474,7 +474,7 @@ export declare class ProveControlOtpForm {
 
 /**
  * Atscript interface **AuthorizeConsentForm**
- * @see {@link ./forms.as:1000:18}
+ * @see {@link ./forms.as:1005:18}
  */
 export declare class AuthorizeConsentForm {
   // notice: ui.paragraph