@aooth/auth-moost 0.1.2 → 0.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -51,20 +51,22 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.65",
-    "@aooth/arbac-moost": "^0.1.2",
-    "@aooth/auth": "0.1.2",
-    "@aooth/user": "0.1.2"
+    "@atscript/moost-wf": "^0.1.76",
+    "@wooksjs/http-body": "^0.7.15",
+    "@aooth/arbac-moost": "^0.1.4",
+    "@aooth/auth": "0.1.4",
+    "@aooth/user": "0.1.4"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.56",
-    "@atscript/typescript": "^0.1.56",
-    "@atscript/ui": "^0.1.65",
-    "@moostjs/event-http": "^0.6.10",
-    "@moostjs/event-wf": "^0.6.10",
-    "moost": "^0.6.10",
-    "unplugin-atscript": "^0.1.56",
-    "wooks": "^0.7.12"
+    "@atscript/core": "^0.1.61",
+    "@atscript/typescript": "^0.1.61",
+    "@atscript/ui": "^0.1.76",
+    "@atscript/ui-fns": "^0.1.76",
+    "@moostjs/event-http": "^0.6.17",
+    "@moostjs/event-wf": "^0.6.17",
+    "moost": "^0.6.17",
+    "unplugin-atscript": "^0.1.61",
+    "wooks": "^0.7.15"
   },
   "peerDependencies": {
     "@atscript/moost-wf": ">=0.1.58",
@@ -73,6 +75,7 @@
     "@moostjs/event-wf": ">=0.6.10",
     "@wooksjs/event-core": ">=0.7.12",
     "@wooksjs/event-http": ">=0.7.12",
+    "@wooksjs/http-body": ">=0.7.12",
     "moost": ">=0.6.10"
   },
   "peerDependenciesMeta": {
@@ -81,10 +84,11 @@
     }
   },
   "scripts": {
-    "gen:atscript": "node --experimental-strip-types scripts/gen-as.mjs",
+    "gen:atscript": "asc",
     "build": "vp pack",
     "dev": "vp pack --watch",
     "test": "vp test",
-    "check": "vp check"
+    "check": "vp check",
+    "postinstall": "asc"
   }
 }

package/src/atscript/models/forms.as

@@ -1,9 +1,61 @@
+/**
+ * Inline consent collection — a single dynamic `consents: string[]` field
+ * attached to whichever carrier form the user is already filling out.
+ * Carrier forms `extends WithInlineConsentForm` to inherit it without
+ * duplication.
+ *
+ * Backend transport: `@wf.context.pass 'pendingConsents'` ships the
+ * descriptor array (set by the `prepare-consents` @Step from
+ * `ConsentStore.getPendingConsents()`) to the client. The
+ * `@ui.form.fn.attr 'pendingConsents'` expression below binds it onto the
+ * `AsConsentArray` component (`@atscript/vue-aooth`) which renders one
+ * checkbox per descriptor; the user-submitted `string[]` carries back the
+ * SUBSET of `descriptor.id`s the user ticked.
+ *
+ * SPA-side hide-when-empty: `AsConsentArray` self-hides when
+ * `pendingConsents` is empty / unset — no `@ui.form.fn.hidden` is needed
+ * on the field. A carrier form whose customer hasn't configured any
+ * pending consents renders WITHOUT this block.
+ *
+ * SECURITY (silent-drop): the server-side `processInlineConsent` helper
+ * uses its OWN `ctx.pendingConsents` as the authoritative whitelist; any
+ * id submitted by the client outside that set is silently dropped (audit
+ * invariant — see helper rationale). The client cannot forge audit rows
+ * by submitting ids it was never shown.
+ *
+ * SECURITY (mandatory-by-message): each `ConsentDescriptor.required`
+ * non-empty string IS the per-row error copy AND the form-level error the
+ * server throws when a required consent is missing from the submitted set.
+ * Absent / empty ⇒ optional (the `ConsentEvent.accepted` boolean lets
+ * customers persist the un-ticked-optional decision for audit).
+ */
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+export interface WithInlineConsentForm {
+    @meta.label 'Pending consents'
+    @ui.form.component 'AsConsentArray'
+    @ui.form.fn.attr 'pendingConsents', '(_, _d, ctx) => ctx.pendingConsents'
+    @ui.form.grid.colSpan '12'
+    consents: string[]
+}
+
 /**
  * Default login credentials form.
  *
  * Override via `setupAuthWorkflows({ forms: { loginCredentials: MyForm } })`.
+ *
+ * SSO provider ids (configured via
+ * `opts.alternateCredentials.ssoProviders[].id`) are NOT declared here —
+ * consumers who enable SSO supply their own `loginCredentials` form and add a
+ * matching phantom `ui.action` field per provider so
+ * `useAtscriptWf(form).resolveAction()` accepts the dynamic ids.
  */
+@wf.context.pass 'altForgotPassword'
+@wf.context.pass 'altSignup'
+@wf.context.pass 'altMagicLink'
+@ui.form.submit.text 'Sign in'
 export interface LoginCredentialsForm {
+    @ui.form.order 10
     @ui.form.type 'text'
     @meta.label 'Username'
     @ui.form.autocomplete 'username'
@@ -11,19 +63,46 @@ export interface LoginCredentialsForm {
     @expect.minLength 1
     username: string
 
+    @ui.form.order 20
     @ui.form.type 'password'
     @meta.label 'Password'
     @ui.form.autocomplete 'current-password'
     @meta.sensitive
     @meta.required
     @expect.minLength 1
+    @ui.form.action 'forgotPassword', 'Forgot password?'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.altForgotPassword'
+    @wf.action.withData 'forgotPassword'
     password: string
+
+    @ui.form.order 30
+    @ui.form.action 'signup', 'Sign up'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.altSignup'
+    signup?: ui.action
+
+    @ui.form.order 40
+    @ui.form.action 'magicLink', 'Sign in with a magic link'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.altMagicLink'
+    magicLink?: ui.action
 }
 
 /**
- * MFA code form (TOTP today; email/SMS OTP later).
+ * MFA code form. Shared by TOTP, email-OTP, and SMS-OTP branches — the
+ * leading `transportHint` paragraph reads `mfaMethod` + `pinSentTo` (masked
+ * recipient) out of the workflow context so the operator knows which factor
+ * the workflow is currently verifying. The hint requires `installDynamicResolver()`
+ * from `@atscript/ui-fns` on the consumer side; without it `@ui.form.fn.value`
+ * stays inert and the paragraph renders empty.
  */
+@wf.context.pass 'mfaMethod'
+@wf.context.pass 'pinSentTo'
+@wf.context.pass 'mfaMethodCount'
+@wf.context.pass 'mfaBackupCodes'
+@ui.form.submit.text 'Verify'
 export interface MfaCodeForm {
+    @ui.form.fn.value '(_, _d, ctx) => ctx.mfaMethod === "totp" ? "Enter the current 6-digit code from your authenticator app." : ctx.mfaMethod ? "Code sent to " + (ctx.pinSentTo || "your " + ctx.mfaMethod) + " — check the dev server console for the code." : "Enter your verification code."'
+    transportHint?: ui.paragraph
+
     @ui.form.type 'text'
     @meta.label 'Verification code'
     @ui.form.autocomplete 'one-time-code'
@@ -32,6 +111,14 @@ export interface MfaCodeForm {
     @expect.maxLength 12
     @expect.pattern '^[0-9]+$'
     code: string
+
+    @ui.form.action 'useDifferentMethod', 'Use a different method'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.mfaMethodCount ?? 0) < 2'
+    useDifferentMethod?: ui.action
+
+    @ui.form.action 'useBackupCode', 'Use backup code'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.mfaBackupCodes'
+    useBackupCode?: ui.action
 }
 
 /**
@@ -69,6 +156,9 @@ export interface EmailIdentifierForm {
     @ui.form.autocomplete 'email'
     @meta.required
     email: string.email
+
+    @ui.form.action 'backToLogin', 'Back to sign-in'
+    backToLogin?: ui.action
 }
 
 /**
@@ -76,8 +166,27 @@ export interface EmailIdentifierForm {
  *
  * `confirmPassword` equality is enforced in the workflow step (cross-field
  * checks are not expressible via atscript annotations).
+ *
+ * `@wf.context.pass 'passwordPolicies'` whitelists the workflow ctx key so the
+ * prior preparePasswordRules / setPassword steps can ship the transferable
+ * password-policy rules (`UserService.getTransferablePolicies()`) to the
+ * client for rendering rule hints next to the inputs. Without this annotation
+ * the key is stripped by `extractPassContext` before reaching the client.
+ *
+ * Phase 7 — `passwordRules: ui.paragraph` is a phantom display field bound to
+ * the `AsPasswordRules` component (`@atscript/vue-aooth`); the
+ * `@ui.form.fn.attr 'policies'` expression reads `ctx.passwordPolicies` (the
+ * transferable list seeded by the workflow's `prepare-password-rules` @Step)
+ * and the `@ui.form.fn.attr 'password'` expression reads
+ * `data.newPassword` so the rule-fulfillment readout updates live on every
+ * keystroke. `WithInlineConsentForm` continues to supply the inline-consent
+ * `consents: string[]` block via `AsConsentArray` (Phase 5).
  */
-export interface SetPasswordForm {
+@wf.context.pass 'passwordPolicies'
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+export interface SetPasswordForm extends WithInlineConsentForm {
+    @ui.form.order 10
     @ui.form.type 'password'
     @meta.label 'New password'
     @ui.form.autocomplete 'new-password'
@@ -86,6 +195,7 @@ export interface SetPasswordForm {
     @expect.minLength 8
     newPassword: string
 
+    @ui.form.order 20
     @ui.form.type 'password'
     @meta.label 'Confirm password'
     @ui.form.autocomplete 'new-password'
@@ -93,6 +203,41 @@ export interface SetPasswordForm {
     @meta.required
     @expect.minLength 8
     confirmPassword: string
+
+    /**
+     * Phantom display field — `ui.paragraph` carries no submission value;
+     * it exists purely so `AsPasswordRules` (registered on the SPA via
+     * `<AsWfForm :components>`) renders one row per `ctx.passwordPolicies`
+     * descriptor between the confirm-password input and the action buttons.
+     *
+     * The `policies` attr reads from workflow context (seeded by the
+     * `prepare-password-rules` @Step via
+     * `UserService.getTransferablePolicies()`); the `password` attr reads
+     * from the live form-data so each row's `data-passed` flag re-evaluates
+     * on every keystroke. The `(_, data) => data.newPassword` shape is
+     * load-bearing — a regression that froze the `password` attr at first
+     * render (e.g. `() => data.newPassword`) would silently lie about
+     * policy fulfillment after the user starts typing.
+     */
+    @ui.form.order 25
+    @meta.label 'Password requirements'
+    @ui.form.component 'AsPasswordRules'
+    @ui.form.fn.attr 'policies', '(_, _d, ctx) => ctx.passwordPolicies'
+    @ui.form.fn.attr 'password', '(_, data) => data.newPassword'
+    @ui.form.grid.colSpan '12'
+    passwordRules: ui.paragraph
+
+    @ui.form.order 30
+    @ui.form.action 'logout', 'Logout'
+    logout?: ui.action
+
+    @ui.form.order 40
+    @ui.form.action 'cancel', 'Cancel'
+    cancel?: ui.action
+
+    @ui.form.order 50
+    @ui.form.action 'backToLogin', 'Back to sign-in'
+    backToLogin?: ui.action
 }
 
 /**
@@ -121,9 +266,12 @@ export interface InviteForm {
     // UX: select-on-array currently renders single-text-per-item via AsArray;
     // dedicated multi-select widget tracked as atscript-ui follow-up.
     @ui.form.type 'select'
-    @ui.form.fn.options '(_, _data, context) => Array.isArray(context.availableRoles) ? context.availableRoles.map(r => ({ value: r, label: r })) : []'
+    @ui.form.fn.options '(_, _data, context) => Array.isArray(context.availableRoles) ? context.availableRoles.map(r => ({ key: r, label: r })) : []'
     @meta.label 'Roles'
     roles?: string[]
+
+    @ui.form.action 'cancel', 'Cancel'
+    cancel?: ui.action
 }
 
 /**
@@ -137,6 +285,9 @@ export interface InviteEmailForm {
     @ui.form.autocomplete 'email'
     @meta.required
     email: string.email
+
+    @ui.form.action 'cancel', 'Cancel'
+    cancel?: ui.action
 }
 
 /**
@@ -145,11 +296,15 @@ export interface InviteEmailForm {
  * `'email'` or `'shareableLink'`.
  */
 export interface InviteSendModeForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.options 'Email', 'email'
+    @ui.form.options 'Shareable link', 'shareableLink'
     @meta.label 'Delivery mode'
     @meta.required
-    @expect.pattern '^(email|shareableLink)$'
     mode: string
+
+    @ui.form.action 'cancel', 'Cancel'
+    cancel?: ui.action
 }
 
 /**
@@ -158,25 +313,51 @@ export interface InviteSendModeForm {
  * The workflow renders this only when the user has >1 enrolled methods after
  * `opts.mfaTransports` filtering. `methodName` is the `MfaMethod.name`
  * (e.g. `"totp"`, `"email"`, `"sms"`); the workflow itself validates that the
- * supplied value is in the user's enrolled set.
+ * supplied value is in the user's enrolled set. The dropdown options are
+ * built from `ctx.mfaEnrolledMethods` (a `MfaSummary[]` populated by
+ * `prepareMfaOptions`) so the user only sees factors they actually have.
  */
+@wf.context.pass 'mfaBackupCodes'
+@wf.context.pass 'mfaEnrolledMethods'
 export interface Select2faForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.mfaEnrolledMethods) ? ctx.mfaEnrolledMethods.map(m => ({ key: m.methodName, label: m.kind === "totp" ? "TOTP (Authenticator app)" : m.kind === "email" ? "Email" : m.kind === "sms" ? "SMS" : m.kind })) : []'
     @meta.label 'MFA method'
     @meta.required
     methodName: string
 
     @ui.form.type 'checkbox'
     @meta.label 'Save as default'
-    saveAsDefault?: boolean
+    @meta.default 'false'
+    saveAsDefault: boolean
+
+    @ui.form.action 'useBackupCode', 'Use backup code'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.mfaBackupCodes'
+    useBackupCode?: ui.action
 }
 
 /**
  * Generic 6-digit pincode form — used by both login and recovery OTP flows.
  *
  * `rememberDevice` is rendered only when `opts.deviceTrust && opts.deviceTrustOptIn`.
+ *
+ * The leading `transportHint` paragraph reads `mfaMethod` + `pinSentTo` (the
+ * masked recipient set by the pincode-send step) out of the workflow context
+ * so the operator can see which factor the workflow is currently verifying.
+ * Requires `installDynamicResolver()` from `@atscript/ui-fns` on the consumer
+ * side; without it `@ui.form.fn.value` stays inert and the paragraph renders empty.
  */
+@wf.context.pass 'mfaMethod'
+@wf.context.pass 'pinSentTo'
+@wf.context.pass 'mfaMethodCount'
+@wf.context.pass 'mfaBackupCodes'
+@wf.context.pass 'deviceTrustOptIn'
+@wf.context.pass 'recoveryTransportCount'
+@ui.form.submit.text 'Verify'
 export interface PincodeForm {
+    @ui.form.fn.value '(_, _d, ctx) => ctx.mfaMethod === "totp" ? "Enter the current 6-digit code from your authenticator app." : ctx.mfaMethod ? "Code sent to " + (ctx.pinSentTo || "your " + ctx.mfaMethod) + " — check the dev server console for the code." : "Enter your verification code."'
+    transportHint?: ui.paragraph
+
     @ui.form.type 'text'
     @meta.label 'Verification code'
     @ui.form.autocomplete 'one-time-code'
@@ -188,13 +369,37 @@ export interface PincodeForm {
 
     @ui.form.type 'checkbox'
     @meta.label 'Remember this device'
-    rememberDevice?: boolean
+    @meta.default 'false'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.deviceTrustOptIn'
+    rememberDevice: boolean
+
+    @ui.form.action 'resend', 'Resend code'
+    resend?: ui.action
+
+    @ui.form.action 'useDifferentMethod', 'Use a different method'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.mfaMethodCount ?? 0) < 2'
+    useDifferentMethod?: ui.action
+
+    @ui.form.action 'useBackupCode', 'Use backup code'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.mfaBackupCodes'
+    useBackupCode?: ui.action
+
+    @ui.form.action 'backToLogin', 'Back to sign-in'
+    backToLogin?: ui.action
+
+    @ui.form.action 'useDifferentTransport', 'Use a different transport'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.recoveryTransportCount ?? 0) < 2'
+    useDifferentTransport?: ui.action
 }
 
 /**
- * Email-only form for the `ensureEmail` enrollment loop.
+ * Email-only form for the `ask/email` enrollment step.
  */
-export interface AskEmailForm {
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+@wf.context.pass 'otpDisclosure'
+export interface AskEmailForm extends WithInlineConsentForm {
+    @ui.form.order 10
     @ui.form.type 'text'
     @meta.label 'Email'
     @ui.form.autocomplete 'email'
@@ -203,10 +408,14 @@ export interface AskEmailForm {
 }
 
 /**
- * Phone-only form for the `ensurePhone` enrollment loop. Free-form text —
+ * Phone-only form for the `ask/phone` enrollment step. Free-form text —
  * E.164 normalization happens server-side.
  */
-export interface AskPhoneForm {
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+@wf.context.pass 'otpDisclosure'
+export interface AskPhoneForm extends WithInlineConsentForm {
+    @ui.form.order 10
     @ui.form.type 'text'
     @meta.label 'Phone (E.164)'
     @ui.form.autocomplete 'tel'
@@ -215,48 +424,131 @@ export interface AskPhoneForm {
 }
 
 /**
- * Terms & conditions acceptance form.
+ * Forced MFA enrollment — method picker for `mfa-enroll-required`. Options
+ * come from `ctx.enrollAvailableTransports` so only consumer-enabled
+ * transports appear.
  */
-export interface TermsAcceptForm {
+@wf.context.pass 'enrollAvailableTransports'
+@wf.context.pass 'enrollMode'
+export interface EnrollPickMethodForm {
+    @ui.form.type 'radio'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.enrollAvailableTransports) ? ctx.enrollAvailableTransports.map(t => ({ key: t, label: t === "totp" ? "Authenticator app (TOTP)" : t === "sms" ? "SMS" : t === "email" ? "Email" : t })) : []'
+    @meta.label 'Choose a verification method'
+    @meta.required
+    method: string
+
+    @ui.form.action 'skip', 'Skip for now'
+    @ui.form.fn.hidden '(_, _d, ctx) => ctx.enrollMode !== "optional"'
+    skip?: ui.action
+}
+
+/**
+ * Forced MFA enrollment — address collection for sms/email. TOTP skips this
+ * form (secret is provisioned server-side).
+ *
+ * `skip` is hidden unless `enrollMode === 'optional'` (`'required'` mode
+ * forbids backing out mid-flow). `useDifferentMethod` is hidden when the
+ * consumer has only one transport configured (nothing to switch to).
+ */
+@wf.context.pass 'enrollMethod'
+@wf.context.pass 'enrollMode'
+@wf.context.pass 'enrollAvailableTransports'
+export interface EnrollAddressForm {
     @ui.form.type 'text'
-    @meta.label 'Accepted version'
+    @meta.label 'Address'
     @meta.required
-    acceptedVersion: string
+    address: string
 
-    @ui.form.type 'checkbox'
-    @meta.label 'I accept the Terms & Conditions'
+    @ui.form.action 'skip', 'Skip for now'
+    @ui.form.fn.hidden '(_, _d, ctx) => ctx.enrollMode !== "optional"'
+    skip?: ui.action
+
+    @ui.form.action 'useDifferentMethod', 'Use a different method'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.enrollAvailableTransports?.length ?? 0) < 2'
+    useDifferentMethod?: ui.action
+}
+
+/**
+ * Forced MFA enrollment — confirm code, shared by all three transports. The
+ * leading paragraph swaps between "scan this QR" (totp) and "code sent to …"
+ * (sms/email) based on `enrollMethod`; `enrollSecret` / `enrollUri` are passed
+ * for the totp QR + manual-entry fallback.
+ */
+@wf.context.pass 'enrollMethod'
+@wf.context.pass 'enrollMode'
+@wf.context.pass 'enrollSecret'
+@wf.context.pass 'enrollUri'
+@wf.context.pass 'enrollAvailableTransports'
+@wf.context.pass 'pinSentTo'
+@ui.form.submit.text 'Confirm'
+export interface EnrollConfirmForm {
+    @ui.form.fn.value '(_, _d, ctx) => ctx.enrollMethod === "totp" ? "Scan the QR with your authenticator app, or enter the secret manually. Then type the 6-digit code it generates." : ctx.enrollMethod ? "Code sent to " + (ctx.pinSentTo || "your " + ctx.enrollMethod) + ". Enter it below to confirm." : "Enter the code to confirm enrollment."'
+    transportHint?: ui.paragraph
+
+    @ui.form.type 'text'
+    @meta.label 'Code'
+    @ui.form.autocomplete 'one-time-code'
     @meta.required
-    accepted: boolean
+    @expect.minLength 4
+    @expect.maxLength 12
+    @expect.pattern '^[0-9]+$'
+    code: string
+
+    @ui.form.action 'resend', 'Resend code'
+    @ui.form.fn.hidden '(_, _d, ctx) => ctx.enrollMethod === "totp"'
+    resend?: ui.action
+
+    @ui.form.action 'useDifferentMethod', 'Use a different method'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.enrollAvailableTransports?.length ?? 0) < 2'
+    useDifferentMethod?: ui.action
+
+    @ui.form.action 'skip', 'Skip for now'
+    @ui.form.fn.hidden '(_, _d, ctx) => ctx.enrollMode !== "optional"'
+    skip?: ui.action
 }
 
 /**
  * Default minimal profile completion form. Consumers replace via
  * `LoginWorkflowOptions.profileCompleteForm` for richer shapes.
  */
-export interface ProfileCompleteForm {
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+export interface ProfileCompleteForm extends WithInlineConsentForm {
+    @ui.form.order 10
     @ui.form.type 'text'
     @meta.label 'First name'
     firstName?: string
 
+    @ui.form.order 20
     @ui.form.type 'text'
     @meta.label 'Last name'
     lastName?: string
 }
 
 /**
- * Marketing consent opt-in.
+ * Standalone consent-bump prompt. Fires for returning users with pending
+ * consents (set by `prepare-consents` from `ConsentStore.getPendingConsents`)
+ * who did NOT pass through any onboarding carrier form (`AskEmailForm` /
+ * `AskPhoneForm` / `SetPasswordForm` / `ProfileCompleteForm`) on this login —
+ * those carrier forms collect consents inline via `WithInlineConsentForm`'s
+ * inherited `AsConsentArray` field. The bump-prompt only renders the same
+ * inherited consent block (no additional fields).
  */
-export interface ConsentMarketingForm {
-    @ui.form.type 'checkbox'
-    @meta.label 'I would like to receive marketing emails'
-    optIn?: boolean
+@wf.context.pass 'pendingConsents'
+@wf.context.pass 'consentsPersisted'
+export interface TermsBumpForm extends WithInlineConsentForm {
 }
 
 /**
  * Tenant picker — `tenantId` matches one of `ctx.availableTenants[].id`.
+ * Options are built from `ctx.availableTenants` (set by the workflow's
+ * `tenant-select` step / `loadTenants` hook); `@wf.context.pass` whitelists
+ * the key so it survives `extractPassContext`.
  */
+@wf.context.pass 'availableTenants'
 export interface TenantSelectForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.availableTenants) ? ctx.availableTenants.map(t => ({ key: t.id, label: t.name })) : []'
     @meta.label 'Tenant'
     @meta.required
     tenantId: string
@@ -264,9 +556,14 @@ export interface TenantSelectForm {
 
 /**
  * Persona picker — `personaId` matches one of `ctx.availablePersonas[].id`.
+ * Options are built from `ctx.availablePersonas` (set by the workflow's
+ * `persona-select` step / `loadPersonas` hook); `@wf.context.pass` whitelists
+ * the key so it survives `extractPassContext`.
  */
+@wf.context.pass 'availablePersonas'
 export interface PersonaSelectForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.availablePersonas) ? ctx.availablePersonas.map(p => ({ key: p.id, label: p.label })) : []'
     @meta.label 'Persona'
     @meta.required
     personaId: string
@@ -282,6 +579,12 @@ export interface ConcurrencyLimitForm {
     @meta.required
     @expect.pattern '^(logoutOthers|cancel)$'
     action: string
+
+    @ui.form.action 'cancel', 'Cancel'
+    cancel?: ui.action
+
+    @ui.form.action 'logoutOthers', 'Log out other sessions'
+    logoutOthers?: ui.action
 }
 
 /**
@@ -302,24 +605,32 @@ export interface MagicLinkRequestForm {
  * `RecoveryWorkflowOptions.deliveryMode === 'choice'`.
  */
 export interface RecoveryModeSelectForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.options 'Magic link', 'magicLink'
+    @ui.form.options 'One-time code', 'otp'
     @meta.label 'Recovery method'
     @meta.required
-    @expect.pattern '^(magicLink|otp)$'
     mode: string
+
+    @ui.form.action 'backToLogin', 'Back to sign-in'
+    backToLogin?: ui.action
 }
 
 /**
  * Recovery factor-verification form — used when
  * `RecoveryWorkflowOptions.requireKnownRecoveryFactor` is true. The user
  * picks a factor type and supplies its value; the server validates against
- * the enrolled factor (phone last-4 or current TOTP code).
+ * the enrolled factor (phone last-4 or current TOTP code). Options are
+ * built from `ctx.availableRecoveryFactors` (workflow whitelist ∩ user's
+ * enrolled factors), so users only see factors they can actually verify
+ * AND that the admin hasn't disabled via `opts.preReset.allowedFactors`.
  */
+@wf.context.pass 'availableRecoveryFactors'
 export interface RecoveryFactorForm {
-    @ui.form.type 'text'
+    @ui.form.type 'radio'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.availableRecoveryFactors) ? ctx.availableRecoveryFactors : []'
     @meta.label 'Factor'
     @meta.required
-    @expect.pattern '^(phone|totp)$'
     factor: string
 
     @ui.form.type 'text'
@@ -328,4 +639,7 @@ export interface RecoveryFactorForm {
     @expect.minLength 4
     @expect.maxLength 12
     value: string
+
+    @ui.form.action 'backToLogin', 'Back to sign-in'
+    backToLogin?: ui.action
 }