@aooth/auth-moost 0.1.22 → 0.1.23

package/dist/atscript/index.d.mts

@@ -138,7 +138,7 @@ declare class Select2faForm {
 }
 /**
  * Atscript interface **PincodeForm**
- * @see {@link ./forms.as:417:18}
+ * @see {@link ./forms.as:421:18}
  */
 declare class PincodeForm {
   // transportHint: ui.paragraph
@@ -157,7 +157,7 @@ declare class PincodeForm {
 }
 /**
  * Atscript interface **AskEmailForm**
- * @see {@link ./forms.as:456:18}
+ * @see {@link ./forms.as:460:18}
  */
 declare class AskEmailForm extends WithInlineConsentForm {
   // disclosure: ui.paragraph
@@ -174,7 +174,7 @@ declare class AskEmailForm extends WithInlineConsentForm {
 }
 /**
  * Atscript interface **AskPhoneForm**
- * @see {@link ./forms.as:486:18}
+ * @see {@link ./forms.as:490:18}
  */
 declare class AskPhoneForm extends WithInlineConsentForm {
   // disclosure: ui.paragraph
@@ -190,7 +190,7 @@ declare class AskPhoneForm extends WithInlineConsentForm {
 }
 /**
  * Atscript interface **EnrollPickMethodForm**
- * @see {@link ./forms.as:510:18}
+ * @see {@link ./forms.as:514:18}
  */
 declare class EnrollPickMethodForm {
   method: string; // skip: ui.action
@@ -206,7 +206,7 @@ declare class EnrollPickMethodForm {
 }
 /**
  * Atscript interface **EnrollAddressForm**
- * @see {@link ./forms.as:544:18}
+ * @see {@link ./forms.as:548:18}
  */
 declare class EnrollAddressForm {
   address: string; // skip: ui.action
@@ -223,7 +223,7 @@ declare class EnrollAddressForm {
 }
 /**
  * Atscript interface **EnrollConfirmForm**
- * @see {@link ./forms.as:590:18}
+ * @see {@link ./forms.as:594:18}
  */
 declare class EnrollConfirmForm {
   // transportHint: ui.paragraph
@@ -242,7 +242,7 @@ declare class EnrollConfirmForm {
 }
 /**
  * Atscript interface **EnrollTotpQrForm**
- * @see {@link ./forms.as:640:18}
+ * @see {@link ./forms.as:644:18}
  */
 declare class EnrollTotpQrForm {
   // qrCode: ui.paragraph
@@ -260,10 +260,11 @@ declare class EnrollTotpQrForm {
 }
 /**
  * Atscript interface **ManageMfaForm**
- * @see {@link ./forms.as:679:18}
+ * @see {@link ./forms.as:687:18}
  */
 declare class ManageMfaForm {
   // lockedNote: ui.paragraph
+  // requiredNote: ui.paragraph
   operation: string; // cancel: ui.action
   static __is_atscript_annotated_type: true;
   static type: TAtscriptTypeObject<keyof ManageMfaForm, ManageMfaForm>;
@@ -276,7 +277,7 @@ declare class ManageMfaForm {
 }
 /**
  * Atscript interface **RemoveMfaConfirmForm**
- * @see {@link ./forms.as:708:18}
+ * @see {@link ./forms.as:721:18}
  */
 declare class RemoveMfaConfirmForm {
   // notice: ui.paragraph
@@ -292,7 +293,7 @@ declare class RemoveMfaConfirmForm {
 }
 /**
  * Atscript interface **PasswordReauthForm**
- * @see {@link ./forms.as:731:18}
+ * @see {@link ./forms.as:744:18}
  */
 declare class PasswordReauthForm {
   password: string; // cancel: ui.action
@@ -305,9 +306,26 @@ declare class PasswordReauthForm {
   /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
   static toExampleData?: () => any;
 }
+/**
+ * Atscript interface **StepUpConfirmForm**
+ * @see {@link ./forms.as:775:18}
+ */
+declare class StepUpConfirmForm {
+  // notice: ui.paragraph
+  // useDifferentMethod: ui.action
+  // cancel: ui.action
+  static __is_atscript_annotated_type: true;
+  static type: TAtscriptTypeObject<keyof StepUpConfirmForm, StepUpConfirmForm>;
+  static metadata: TMetadataMap<AtscriptMetadata>;
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof StepUpConfirmForm>;
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any;
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any;
+}
 /**
  * Atscript interface **TermsBumpForm**
- * @see {@link ./forms.as:760:18}
+ * @see {@link ./forms.as:803:18}
  */
 declare class TermsBumpForm extends WithInlineConsentForm {
   static __is_atscript_annotated_type: true;
@@ -321,7 +339,7 @@ declare class TermsBumpForm extends WithInlineConsentForm {
 }
 /**
  * Atscript interface **ConcurrencyLimitForm**
- * @see {@link ./forms.as:773:18}
+ * @see {@link ./forms.as:816:18}
  */
 declare class ConcurrencyLimitForm {
   static __is_atscript_annotated_type: true;
@@ -335,7 +353,7 @@ declare class ConcurrencyLimitForm {
 }
 /**
  * Atscript interface **MagicLinkRequestForm**
- * @see {@link ./forms.as:783:18}
+ * @see {@link ./forms.as:826:18}
  */
 declare class MagicLinkRequestForm {
   identifier: string;
@@ -350,7 +368,7 @@ declare class MagicLinkRequestForm {
 }
 /**
  * Atscript interface **RecoveryModeSelectForm**
- * @see {@link ./forms.as:798:18}
+ * @see {@link ./forms.as:841:18}
  */
 declare class RecoveryModeSelectForm {
   mode: string;
@@ -365,7 +383,7 @@ declare class RecoveryModeSelectForm {
 }
 /**
  * Atscript interface **RecoveryFactorForm**
- * @see {@link ./forms.as:821:18}
+ * @see {@link ./forms.as:864:18}
  */
 declare class RecoveryFactorForm {
   factor: string;
@@ -381,7 +399,7 @@ declare class RecoveryFactorForm {
 }
 /**
  * Atscript interface **ChangePasswordForm**
- * @see {@link ./forms.as:855:18}
+ * @see {@link ./forms.as:898:18}
  */
 declare class ChangePasswordForm {
   // intro: ui.paragraph
@@ -399,7 +417,7 @@ declare class ChangePasswordForm {
 }
 /**
  * Atscript interface **ProveControlForm**
- * @see {@link ./forms.as:920:18}
+ * @see {@link ./forms.as:963:18}
  */
 declare class ProveControlForm {
   // intro: ui.paragraph
@@ -415,7 +433,7 @@ declare class ProveControlForm {
 }
 /**
  * Atscript interface **ProveControlOtpForm**
- * @see {@link ./forms.as:955:18}
+ * @see {@link ./forms.as:998:18}
  */
 declare class ProveControlOtpForm {
   // intro: ui.paragraph
@@ -432,7 +450,7 @@ declare class ProveControlOtpForm {
 }
 /**
  * Atscript interface **AuthorizeConsentForm**
- * @see {@link ./forms.as:1005:18}
+ * @see {@link ./forms.as:1048:18}
  */
 declare class AuthorizeConsentForm {
   // notice: ui.paragraph
@@ -447,4 +465,4 @@ declare class AuthorizeConsentForm {
   static toExampleData?: () => any;
 }
 //#endregion
-export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };
+export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, StepUpConfirmForm, TermsBumpForm, WithInlineConsentForm };

package/dist/atscript/index.mjs

@@ -1,2 +1,2 @@
-import { C as Select2faForm, D as WithInlineConsentForm, E as TermsBumpForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-uqegc32h.mjs";
-export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, TermsBumpForm, WithInlineConsentForm };
+import { C as Select2faForm, D as TermsBumpForm, E as StepUpConfirmForm, O as WithInlineConsentForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, b as RecoveryFactorForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, p as MagicLinkRequestForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, x as RecoveryModeSelectForm, y as ProveControlOtpForm } from "../forms-xaBNc5Ng.mjs";
+export { AskEmailForm, AskPhoneForm, AuthorizeConsentForm, ChangePasswordForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, EnrollTotpQrForm, InviteForm, LoginCredentialsForm, MagicLinkRequestForm, ManageMfaForm, MfaCodeForm, PasswordReauthForm, PincodeForm, ProveControlForm, ProveControlOtpForm, RecoveryFactorForm, RecoveryModeSelectForm, RemoveMfaConfirmForm, Select2faForm, SetPasswordForm, SignupForm, StepUpConfirmForm, TermsBumpForm, WithInlineConsentForm };

package/dist/{forms-uqegc32h.mjs → forms-xaBNc5Ng.mjs}

@@ -162,6 +162,15 @@ var PasswordReauthForm = class {
 		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
 	}
 };
+var StepUpConfirmForm = class {
+	static __is_atscript_annotated_type = true;
+	static type = {};
+	static metadata = /* @__PURE__ */ new Map();
+	static id = "StepUpConfirmForm";
+	static toJsonSchema() {
+		throwFeatureDisabled("JSON Schema", "jsonSchema", "emit.jsonSchema");
+	}
+};
 var TermsBumpForm = class {
 	static __is_atscript_annotated_type = true;
 	static type = {};
@@ -319,7 +328,7 @@ defineAnnotatedType("object", InviteForm).prop("email", defineAnnotatedType().de
 	flags: "",
 	message: "Invalid email format."
 }, true).$type).prop("roles", defineAnnotatedType("array").of(defineAnnotatedType().designType("string").tags("string").$type).annotate("ui.form.order", 20).annotate("ui.form.type", "select").annotate("ui.form.fn.options", "(_, _data, context) => Array.isArray(context.public?.admin?.availableRoles) ? context.public.admin.availableRoles.map(r => ({ key: r, label: r })) : []").annotate("meta.label", "Roles").$type).annotate("meta.label", "Send an invitation").annotate("meta.description", "Enter the recipient email address and pick the roles to grant on acceptance. They will receive a magic link to set their password.").annotate("wf.context.pass", "public", true);
-defineAnnotatedType("object", Select2faForm).prop("methodName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "radio").annotate("ui.form.fn.options", "(_, _d, ctx) => Array.isArray(ctx.public?.mfa?.enrolledMethods) ? ctx.public.mfa.enrolledMethods.map(m => ({ key: m.methodName, label: m.kind === \"totp\" ? \"TOTP (Authenticator app)\" : m.kind === \"email\" ? \"Email\" : m.kind === \"sms\" ? \"SMS\" : m.kind })) : []").annotate("meta.label", "MFA method").annotate("meta.required", {}).$type).prop("saveAsDefault", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Save as default").annotate("meta.default", "false").$type).prop("rememberDevice", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Remember this device").annotate("meta.default", "false").annotate("ui.form.fn.hidden", "(_, _d, ctx) => !ctx.public?.trust?.optIn || !!ctx.public?.newPasswordRequired").$type).annotate("meta.label", "Choose a verification method").annotate("meta.description", "Pick how you would like to verify your identity.").annotate("wf.context.pass", "public", true);
+defineAnnotatedType("object", Select2faForm).prop("methodName", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "radio").annotate("ui.form.fn.options", "(_, _d, ctx) => Array.isArray(ctx.public?.mfa?.enrolledMethods) ? ctx.public.mfa.enrolledMethods.map(m => ({ key: m.methodName, label: (m.kind === \"totp\" ? \"TOTP (Authenticator app)\" : m.kind === \"email\" ? \"Email\" : m.kind === \"sms\" ? \"SMS\" : m.kind) + (m.masked && (m.kind === \"email\" || m.kind === \"sms\") ? \" (\" + m.masked + \")\" : \"\") })) : []").annotate("meta.label", "MFA method").annotate("meta.required", {}).$type).prop("saveAsDefault", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Save as default").annotate("meta.default", "false").$type).prop("rememberDevice", defineAnnotatedType().designType("boolean").tags("boolean").annotate("ui.form.type", "checkbox").annotate("meta.label", "Remember this device").annotate("meta.default", "false").annotate("ui.form.fn.hidden", "(_, _d, ctx) => !ctx.public?.trust?.optIn || !!ctx.public?.newPasswordRequired").$type).annotate("meta.label", "Choose a verification method").annotate("meta.description", "Pick how you would like to verify your identity.").annotate("wf.context.pass", "public", true);
 defineAnnotatedType("object", PincodeForm).prop("transportHint", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.fn.value", "(_, _d, ctx) => ctx.public?.mfa?.method === \"totp\" ? \"Enter the current 6-digit code from your authenticator app.\" : ctx.public?.pincode?.sentTo ? \"Code sent to \" + ctx.public.pincode.sentTo + \".\" : \"Enter your verification code.\"").optional().$type).prop("code", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.type", "text").annotate("meta.label", "Verification code").annotate("ui.form.autocomplete", "one-time-code").annotate("ui.form.fn.attr", {
 	name: "maxlength",
 	fn: "(_, _d, ctx) => ctx.public?.pincode?.codeLength"
@@ -394,7 +403,7 @@ defineAnnotatedType("object", EnrollTotpQrForm).prop("qrCode", defineAnnotatedTy
 	id: "skip",
 	label: "Skip for now"
 }).annotate("ui.form.fn.hidden", "(_, _d, ctx) => ctx.public?.mfaEnroll?.mode !== \"optional\"").optional().$type).annotate("meta.label", "Scan this QR code").annotate("meta.description", "Open your authenticator app and scan the code (or enter the key manually), then continue to enter the code it shows.").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Continue");
-defineAnnotatedType("object", ManageMfaForm).prop("lockedNote", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 5).annotate("ui.form.fn.value", "(_, _d, ctx) => (ctx.public?.manage?.locked?.length ?? 0) > 0 ? \"Some methods are also used to sign in and can’t be changed here.\" : \"\"").annotate("ui.form.fn.hidden", "(_, _d, ctx) => (ctx.public?.manage?.locked?.length ?? 0) === 0").$type).prop("operation", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "radio").annotate("ui.form.fn.options", "(_, _d, ctx) => { const lbl = (t) => t === \"totp\" ? \"authenticator app\" : t === \"sms\" ? \"SMS\" : t === \"email\" ? \"email\" : t; const locked = ctx.public?.manage?.locked ?? []; const out = []; for (const t of (ctx.public?.manage?.candidates ?? [])) out.push({ key: \"add:\" + t, label: \"Add \" + lbl(t) }); for (const m of (ctx.public?.mfa?.enrolledMethods ?? [])) { if (locked.includes(m.kind)) continue; out.push({ key: \"replace:\" + m.kind, label: \"Change \" + lbl(m.kind) + (m.masked ? \" (\" + m.masked + \")\" : \"\") }); out.push({ key: \"remove:\" + m.kind, label: \"Remove \" + lbl(m.kind) }); } return out; }").annotate("meta.label", "What would you like to do?").annotate("meta.required", {}).$type).prop("cancel", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
+defineAnnotatedType("object", ManageMfaForm).prop("lockedNote", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 5).annotate("ui.form.fn.value", "(_, _d, ctx) => (ctx.public?.manage?.locked?.length ?? 0) > 0 ? \"Some methods are also used to sign in and can’t be changed here.\" : \"\"").annotate("ui.form.fn.hidden", "(_, _d, ctx) => (ctx.public?.manage?.locked?.length ?? 0) === 0").$type).prop("requiredNote", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 6).annotate("ui.form.fn.value", "(_, _d, ctx) => ctx.public?.manage?.removeBlocked ? \"Two-factor authentication is required for your account, so your last method can be changed but not removed.\" : \"\"").annotate("ui.form.fn.hidden", "(_, _d, ctx) => !ctx.public?.manage?.removeBlocked").$type).prop("operation", defineAnnotatedType().designType("string").tags("string").annotate("ui.form.order", 10).annotate("ui.form.type", "radio").annotate("ui.form.fn.options", "(_, _d, ctx) => { const lbl = (t) => t === \"totp\" ? \"authenticator app\" : t === \"sms\" ? \"SMS\" : t === \"email\" ? \"email\" : t; const locked = ctx.public?.manage?.locked ?? []; const out = []; for (const t of (ctx.public?.manage?.candidates ?? [])) out.push({ key: \"add:\" + t, label: \"Add \" + lbl(t) }); for (const m of (ctx.public?.mfa?.enrolledMethods ?? [])) { if (locked.includes(m.kind)) continue; out.push({ key: \"replace:\" + m.kind, label: \"Change \" + lbl(m.kind) + (m.masked ? \" (\" + m.masked + \")\" : \"\") }); if (!ctx.public?.manage?.removeBlocked) out.push({ key: \"remove:\" + m.kind, label: \"Remove \" + lbl(m.kind) }); } return out; }").annotate("meta.label", "What would you like to do?").annotate("meta.required", {}).$type).prop("cancel", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
 	id: "cancel",
 	label: "Cancel"
 }).annotate("ui.form.fn.hidden", "() => true").optional().$type).annotate("meta.label", "Manage two-factor authentication").annotate("meta.description", "Add, change, or remove a verification method.").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Continue");
@@ -406,6 +415,13 @@ defineAnnotatedType("object", PasswordReauthForm).prop("password", defineAnnotat
 	id: "cancel",
 	label: "Cancel"
 }).annotate("ui.form.fn.hidden", "() => true").optional().$type).annotate("meta.label", "Confirm your password").annotate("meta.description", "Re-enter your account password to manage your two-factor methods.").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Verify");
+defineAnnotatedType("object", StepUpConfirmForm).prop("notice", defineAnnotatedType().designType("phantom").tags("paragraph", "ui").annotate("ui.form.order", 1).annotate("ui.form.fn.value", "(_, _d, ctx) => { const kind = ctx.public?.mfa?.method; const m = (ctx.public?.mfa?.enrolledMethods ?? []).find(e => e.kind === kind); const to = m && m.masked ? \" to \" + m.masked : kind === \"sms\" ? \" to your phone\" : \" to your email\"; return \"To continue, we will send a verification code\" + to + \".\"; }").$type).prop("useDifferentMethod", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
+	id: "useDifferentMethod",
+	label: "Use a different method"
+}).annotate("ui.form.fn.hidden", "(_, _d, ctx) => (ctx.public?.mfa?.methodCount ?? 0) < 2").optional().$type).prop("cancel", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.action", {
+	id: "cancel",
+	label: "Cancel"
+}).annotate("ui.form.fn.hidden", "() => true").optional().$type).annotate("meta.label", "Verify your identity").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Continue");
 defineAnnotatedType("object", TermsBumpForm).prop("consents", defineAnnotatedType("array").of(defineAnnotatedType().designType("string").tags("string").$type).annotate("meta.label", "Pending consents").annotate("ui.form.component", "AsConsentArray").annotate("ui.form.fn.attr", {
 	name: "pendingConsents",
 	fn: "(_, _d, ctx) => ctx.public?.consents?.pending"
@@ -455,4 +471,4 @@ defineAnnotatedType("object", AuthorizeConsentForm).prop("notice", defineAnnotat
 	value: "center"
 }, true).annotate("ui.form.pushDown", true).optional().$type).annotate("meta.label", "Authorize access").annotate("wf.context.pass", "public", true).annotate("ui.form.submit.text", "Authorize");
 //#endregion
-export { Select2faForm as C, WithInlineConsentForm as D, TermsBumpForm as E, RemoveMfaConfirmForm as S, SignupForm as T, PincodeForm as _, ConcurrencyLimitForm as a, RecoveryFactorForm as b, EnrollConfirmForm as c, InviteForm as d, LoginCredentialsForm as f, PasswordReauthForm as g, MfaCodeForm as h, ChangePasswordForm as i, EnrollPickMethodForm as l, ManageMfaForm as m, AskPhoneForm as n, EmailIdentifierForm as o, MagicLinkRequestForm as p, AuthorizeConsentForm as r, EnrollAddressForm as s, AskEmailForm as t, EnrollTotpQrForm as u, ProveControlForm as v, SetPasswordForm as w, RecoveryModeSelectForm as x, ProveControlOtpForm as y };
+export { Select2faForm as C, TermsBumpForm as D, StepUpConfirmForm as E, WithInlineConsentForm as O, RemoveMfaConfirmForm as S, SignupForm as T, PincodeForm as _, ConcurrencyLimitForm as a, RecoveryFactorForm as b, EnrollConfirmForm as c, InviteForm as d, LoginCredentialsForm as f, PasswordReauthForm as g, MfaCodeForm as h, ChangePasswordForm as i, EnrollPickMethodForm as l, ManageMfaForm as m, AskPhoneForm as n, EmailIdentifierForm as o, MagicLinkRequestForm as p, AuthorizeConsentForm as r, EnrollAddressForm as s, AskEmailForm as t, EnrollTotpQrForm as u, ProveControlForm as v, SetPasswordForm as w, RecoveryModeSelectForm as x, ProveControlOtpForm as y };

package/dist/index.d.mts

@@ -1590,12 +1590,40 @@ interface AuthWfAddMfaState {
    * replay-resistant). Gates the one-time swap + the management menu.
    */
   stepUpDone?: boolean;
+  /**
+   * The user has explicitly consented to the step-up pincode dispatch —
+   * either by submitting `manage-stepup-confirm`'s "we'll send a code to
+   * ma•••@x" notice, or by picking a factor on `select-2fa` (choosing
+   * "Email (ma•••@x)" and submitting IS the consent). Gates the
+   * `manage-stepup-confirm` pause so opening the manage dialog never
+   * dispatches a code as a side effect. Also set when
+   * `resolveStepUpConfirmBeforeSend` opts the deployment out of the pause.
+   * Server-only; sms/email step-up only (TOTP dispatches nothing).
+   */
+  stepUpConfirmed?: boolean;
   /** The management action the user picked on the menu. */
   action?: "add" | "replace" | "remove";
   /** The transport the chosen `action` applies to. */
   target?: MfaTransport;
   /** Set by `confirm-remove-mfa` so `finish-add-mfa` can report which factor was removed. */
   removed?: MfaTransport;
+  /**
+   * Removing a factor is currently impossible: the user has exactly one
+   * confirmed (policy-allowed) factor and `mfaPolicy.mode === 'required'`.
+   * Computed by `manage-menu` before its pause and mirrored to
+   * `public.manage.removeBlocked` so `ManageMfaForm` omits the Remove option
+   * (and explains why) instead of offering an operation that can never
+   * succeed. Re-checked server-side in `manage-menu` + `confirm-remove-mfa`.
+   */
+  removeBlocked?: boolean;
+  /**
+   * Set by `confirm-remove-mfa` when it arrives in an un-removable state
+   * (stale/crafted route — the menu filters these): the step aborts to the
+   * `finish-add-mfa` terminal with a reason-specific message instead of
+   * pausing on a form whose only submit re-throws the same guard error
+   * (a dead-end loop, since the manage forms hide their built-in cancel).
+   */
+  blocked?: "last-required-factor" | "method-locked";
 }
 /**
  * Self-signup flow state. Populated by `init-signup` (policy from
@@ -1694,12 +1722,15 @@ interface AuthWfPublicState {
   mfaEnroll?: Pick<AuthWfMfaEnrollState, "method" | "mode" | "availableTransports" | "secret" | "uri">;
   /**
    * Mirrors the manage-MFA menu inputs — the un-enrolled transports the user
-   * can Add and the locked transports to omit from Change/Remove. The enrolled
-   * method list the menu cross-references is `public.mfa.enrolledMethods`.
+   * can Add, the locked transports to omit from Change/Remove, and the
+   * `removeBlocked` flag that omits the Remove option for the last confirmed
+   * factor under a `required` policy. The enrolled method list the menu
+   * cross-references is `public.mfa.enrolledMethods`.
    */
   manage?: {
     candidates?: MfaTransport[];
     locked?: MfaTransport[];
+    removeBlocked?: boolean;
   };
   /** Mirrors `ctx.defaults` — prefill source for the recovery email field. */
   defaults?: {
@@ -1888,7 +1919,8 @@ interface AuthWorkflowOpts {
     enrollConfirm?: TAtscriptAnnotatedType; /** Manage-MFA menu (Add / Change / Remove) shown after step-up. */
     manageMfa?: TAtscriptAnnotatedType; /** Confirm-removal pause for the manage-MFA "Remove" action. */
     removeMfaConfirm?: TAtscriptAnnotatedType; /** Password re-auth — step-up fallback when no factor is MFA-challengeable. */
-    passwordReauth?: TAtscriptAnnotatedType;
+    passwordReauth?: TAtscriptAnnotatedType; /** Step-up dispatch consent — "we'll send a code to ma•••@x" notice before the step-up pincode send. */
+    stepUpConfirm?: TAtscriptAnnotatedType;
     select2fa?: TAtscriptAnnotatedType;
     mfaCode?: TAtscriptAnnotatedType;
     pincode?: TAtscriptAnnotatedType;
@@ -1944,6 +1976,7 @@ interface ResolvedAuthWorkflowOpts {
     manageMfa: TAtscriptAnnotatedType;
     removeMfaConfirm: TAtscriptAnnotatedType;
     passwordReauth: TAtscriptAnnotatedType;
+    stepUpConfirm: TAtscriptAnnotatedType;
     select2fa: TAtscriptAnnotatedType;
     mfaCode: TAtscriptAnnotatedType;
     pincode: TAtscriptAnnotatedType;
@@ -2236,6 +2269,39 @@ declare class AuthWorkflow {
    * typed would confirm an unproven inbox. Never asked for TOTP.
    */
   protected resolveEnrollPreConfirmed(_ctx: AuthWfCtx, _method: MfaTransport, _address: string): boolean | Promise<boolean>;
+  /**
+   * Pin the enrolment address for an sms/email transport — the policy seam
+   * for deployments whose factor must be BOUND to an account record (e.g.
+   * staff MFA locked to the work mailbox so portal access dies with it at
+   * offboarding; a free-text form would let a self-service swap to a personal
+   * inbox defeat that control entirely). Asked by `enroll-address` BEFORE its
+   * form renders, with the staged transport (ctx-first, extra positional arg —
+   * same convention as `resolveEnrollPreConfirmed`).
+   *
+   * Returning a string stages it as the enrolment address (normalized via
+   * `normalizeMfaAddress`; the free-text form is SKIPPED — the same staging
+   * seam consumer pre-seeding uses, so the user is never shown a form whose
+   * only valid input is one known string). `'collect'` (the default) keeps
+   * the free-text form. A pinned address composes with the rest of the trio
+   * machinery untouched: `enroll-send` dispatches the pincode to it, and
+   * `resolveEnrollPreConfirmed` may vouch it (a deployment pinning to a
+   * verified-by-construction address gets the no-code path for free).
+   *
+   * ```ts
+   * protected async resolveEnrollAddress(ctx: AuthWfCtx, method: MfaTransport) {
+   *   if (method !== "email") return "collect";
+   *   const user = await this.users.getUser(ctx.subject!);
+   *   return (user as { email?: string }).email ?? "collect";
+   * }
+   * ```
+   *
+   * The returned address is trusted as-is (no `validateMfaAddress` pass) —
+   * the deployment is authoritative for its own records. An empty/blank
+   * return falls back to `'collect'`. For nuanced RULES on a user-typed
+   * address (domain allowlists, record comparisons) override the ctx-first
+   * {@link validateMfaAddress} instead.
+   */
+  protected resolveEnrollAddress(_ctx: AuthWfCtx, _method: MfaTransport): string | "collect" | Promise<string | "collect">;
   /**
    * Resolve the finalize policy. Reached from login.flow. `auditLogin` is
    * dropped from the shape per §2 — audit moved out of the workflow layer.
@@ -2315,6 +2381,33 @@ declare class AuthWorkflow {
    * ```
    */
   protected resolveLockedMfaTransports(_ctx: AuthWfCtx): MfaTransport[] | Promise<MfaTransport[]>;
+  /**
+   * Whether the manage-MFA step-up must collect explicit consent BEFORE
+   * dispatching its sms/email pincode (the `manage-stepup-confirm` pause:
+   * "To continue, we will send a verification code to ma•••@x"). Default
+   * `true` — nothing should email/text the user as a side effect of opening
+   * a manage dialog: a user who opened it by mistake (or just to look)
+   * closes it with zero codes consumed, no resend cooldown burnt. Override
+   * to `false` to restore the zero-click dispatch (the code is already in
+   * flight when the first form renders). Never asked for TOTP step-up
+   * (nothing is dispatched) and not consulted by the login flow (its
+   * challenge is mid-authentication, where zero-click is the norm).
+   */
+  protected resolveStepUpConfirmBeforeSend(_ctx: AuthWfCtx): boolean | Promise<boolean>;
+  /**
+   * What the user's authenticator app shows as the ACCOUNT half of
+   * "issuer: account" for a TOTP enrolment (the issuer half is
+   * `resolveMfaPolicy().issuer` / `opts.totpIssuer`). Cosmetic only — never
+   * used for lookup — but it is how a user with several entries tells
+   * accounts apart, and it is encoded into the `otpauth://` URI at
+   * secret-provisioning time, so it lives in the authenticator FOREVER
+   * (re-labeling requires re-enrolment). Default prefers a human-readable
+   * identifier the flow already carries (`ctx.email` — invite/recovery/
+   * signup) and otherwise loads the user's `username`; the stable-uuid
+   * `ctx.subject` is the last resort. Override for a richer label (display
+   * name, tenant-qualified email, …).
+   */
+  protected resolveTotpAccountLabel(ctx: AuthWfCtx): string | Promise<string>;
   /**
    * Resolve the channel-OTP disclosure copy rendered beneath the email/phone
    * input on `AskEmailForm` / `AskPhoneForm`. Reached from login.flow Phase 3.
@@ -2583,6 +2676,18 @@ declare class AuthWorkflow {
    * and resend.
    */
   private mintAndSendEnrollPincode;
+  /**
+   * Idempotent TOTP secret provisioning into wf-state ONLY (the QR renders
+   * from `public.mfaEnroll.secret/uri`; the user record is written on confirm
+   * — write-on-confirm). The single implementation behind BOTH provisioning
+   * sites — `enroll-pick-method`'s auto-pick/picker tail and `enroll-totp-qr`
+   * (covers the manage add/change path where the picker is skipped) — so the
+   * account label baked into the `otpauth://` URI cannot drift between them.
+   * The label comes from {@link resolveTotpAccountLabel} (human-readable
+   * default); blank falls back to the subject uuid so the URI always carries
+   * SOME account discriminator.
+   */
+  private provisionTotpSecret;
   /**
    * Drop the per-enrolment scratch fields (the `mfaEnroll` provisioning fields +
    * the pincode timers/`sentTo`) off ctx — the shared teardown used by the
@@ -2600,8 +2705,24 @@ declare class AuthWorkflow {
    * or `undefined` when valid. Email must look like an email; SMS is permissive
    * E.164-ish (normalized by {@link normalizeMfaAddress}). Override for stricter
    * (e.g. libphonenumber) validation.
+   *
+   * Ctx-first and async-capable, so record-based rules need no ctx-stash
+   * workaround — an override can load the account and compare directly
+   * (e.g. domain-allowlist the typed inbox, or require it to match a
+   * record field). To PIN the address outright — never show the free-text
+   * form at all — use {@link resolveEnrollAddress} instead; this hook is for
+   * nuanced rules on what the user typed.
+   *
+   * ```ts
+   * protected async validateMfaAddress(ctx: AuthWfCtx, method: MfaTransport, value: string) {
+   *   if (method === "email" && !value.trim().toLowerCase().endsWith("@corp.example")) {
+   *     return "Use your corporate email address";
+   *   }
+   *   return super.validateMfaAddress(ctx, method, value);
+   * }
+   * ```
    */
-  protected validateMfaAddress(method: MfaTransport, value: string): string | undefined;
+  protected validateMfaAddress(_ctx: AuthWfCtx, method: MfaTransport, value: string): string | undefined | Promise<string | undefined>;
   /**
    * Light normalization of a validated MFA address before it is stored. Default:
    * trims, and strips spacing/punctuation from SMS numbers while KEEPING the
@@ -2869,10 +2990,17 @@ declare class AuthWorkflow {
   /**
    * Terminal for the manage-MFA flow. The user KEEPS their current session (no
    * re-issue, no cookies) — a plain data finish. Outcomes, in priority order:
-   * removed → changed (`replace` + done) → added (done) → nothing-available
-   * (zero candidates, never had to step-up) → cancelled.
+   * removed → changed (`replace` + done) → added (done) → blocked
+   * (un-removable operation aborted by `confirm-remove-mfa`) →
+   * nothing-available (zero candidates, never had to step-up) → cancelled.
    */
   finishAddMfa(ctx: AuthWfCtx): undefined;
+  /**
+   * `finish-add-mfa`'s envelope construction, extracted pure so the outcome
+   * priority (removed → changed → added → blocked → nothing-available →
+   * cancelled) is unit-testable without a wf event context.
+   */
+  protected buildAddMfaFinishEnvelope(ctx: AuthWfCtx): WfFinished;
   /**
    * Resolve which transports the user may NOT change/remove via the manage flow
    * (calls {@link resolveLockedMfaTransports}) and write them to
@@ -2887,6 +3015,22 @@ declare class AuthWorkflow {
    * encapsulated when no durable store is wired (the registry default).
    */
   manageStepUpDone(ctx: AuthWfCtx): undefined;
+  /**
+   * Manage-MFA step-up consent — pauses on `StepUpConfirmForm` ("To continue,
+   * we will send a verification code to ma•••@x") BEFORE `pincode-send`
+   * dispatches the step-up code, so opening the manage dialog never consumes
+   * a code send as a side effect. Fires only on the auto-picked paths (single
+   * factor, or default factor) — an explicit `select-2fa` pick already
+   * counts as consent (`select2fa` sets `stepUpConfirmed`). `Continue`
+   * consents and the SAME engine pass mints + sends; `useDifferentMethod`
+   * re-opens the picker; `cancel` aborts with nothing dispatched (the
+   * schema's `{ break: aborted }` right after this step keeps the pair from
+   * sending the declined code). Gated by {@link resolveStepUpConfirmBeforeSend}
+   * (default on) — an opt-out marks consent and falls straight through.
+   */
+  manageStepUpConfirm(ctx: AuthWfCtx): undefined | Promise<undefined>;
+  /** `manage-stepup-confirm` tail — opt-out fall-through or the consent pause. */
+  private applyStepUpConfirm;
   /**
    * Manage-MFA password re-auth — the step-up FALLBACK when the user's only
    * confirmed factor(s) are of kinds the policy no longer allows, so nothing is
@@ -2900,6 +3044,15 @@ declare class AuthWorkflow {
    * subject), and `verifyPassword` is the same check `changePassword` enforces.
    */
   managePasswordReauth(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * The keep-at-least-one rule: removing the user's LAST confirmed factor under
+   * a `required` policy can never succeed. The single source for the predicate
+   * `manage-menu` mirrors into `addMfa.removeBlocked` (to drop the Remove option)
+   * AND `confirm-remove-mfa` re-checks before its pause (defence in depth) — so
+   * a policy change (e.g. "keep at least two", or a backup-codes exception)
+   * lands in one place, not two copies that can drift.
+   */
+  private isLastRequiredFactor;
   /**
    * Manage-MFA menu — pauses on `ManageMfaForm` and routes the chosen
    * `operation` (`add:<t>` / `replace:<t>` / `remove:<t>`). Only reached when
@@ -2912,8 +3065,13 @@ declare class AuthWorkflow {
   /**
    * Manage-MFA remove confirmation. Pauses on `RemoveMfaConfirmForm`; the
    * 'Remove' submit performs the removal, 'Cancel' aborts. Re-checks the locked
-   * set (defence in depth) and blocks removing the LAST confirmed factor when
-   * the policy mode is `required` (you must keep at least one).
+   * set and the keep-at-least-one rule (LAST confirmed factor under a
+   * `required` policy) BEFORE the pause — and an un-removable state aborts to
+   * the `finish-add-mfa` terminal (reason on `addMfa.blocked`) instead of
+   * pausing: `manage-menu` filters these operations out, so arriving here
+   * blocked means a stale/crafted route, and a retryable form whose only
+   * submit re-throws the same guard would be a dead-end loop (the manage
+   * forms hide their built-in cancel — the host owns it).
    */
   confirmRemoveMfa(ctx: AuthWfCtx): Promise<undefined>;
   askChannel(ctx: AuthWfCtx, channel: "email" | "phone"): Promise<unknown>;
@@ -2996,17 +3154,30 @@ declare class AuthWorkflow {
   enrollPickMethod(ctx: AuthWfCtx): undefined | Promise<undefined>;
   /**
    * Unified MFA-enrol phase 2 (collect sms/email address). Not invoked for
-   * totp. Handles `skip` (opt-in) / `cancel` (manage) / `useDifferentMethod`.
-   * Validates the address server-side (the client `@ui.form.validate` hint is
-   * advisory), then STAGES the candidate value in wf-state (`m.address`) — the
-   * user record is written only on confirm (write-on-confirm), so an ADD
-   * leaves no partial row and a REPLACE keeps the old confirmed value live
-   * until the new code verifies in `enroll-confirm`. Collection ONLY: the
-   * pincode dispatch lives in `enroll-send` (same engine pass, no extra
-   * round-trip), so a consumer pre-seeding `mfaEnroll.address` — which skips
-   * this whole step via its schema condition — still gets exactly one code.
-   */
-  enrollAddress(ctx: AuthWfCtx): undefined;
+   * totp. Asks {@link resolveEnrollAddress} FIRST — a deployment that pins
+   * the address (factor bound to an account record) stages it here and the
+   * free-text form never renders; this single call site covers every trio
+   * path (picker, auto-pick, manage add/replace pre-seed), and `enroll-send`
+   * dispatches to the pinned address in the same engine pass. Otherwise
+   * (`'collect'`) handles `skip` (opt-in) / `cancel` (manage) /
+   * `useDifferentMethod`, validates the typed address server-side via the
+   * ctx-first {@link validateMfaAddress} (the client `@ui.form.validate`
+   * hint is advisory), then STAGES the candidate value in wf-state
+   * (`m.address`) — the user record is written only on confirm
+   * (write-on-confirm), so an ADD leaves no partial row and a REPLACE keeps
+   * the old confirmed value live until the new code verifies in
+   * `enroll-confirm`. Collection ONLY: the pincode dispatch lives in
+   * `enroll-send` (same engine pass, no extra round-trip), so a consumer
+   * pre-seeding `mfaEnroll.address` — which skips this whole step via its
+   * schema condition — still gets exactly one code.
+   */
+  enrollAddress(ctx: AuthWfCtx): undefined | Promise<undefined>;
+  /**
+   * `enroll-address` tail — stage a pinned address, or run the free-text
+   * collect pause (skip/cancel/useDifferentMethod triage + ctx-first
+   * validation + write-on-confirm staging).
+   */
+  private collectEnrollAddress;
   /**
    * Unified MFA-enrol dispatch (sms/email only) — the trio's ONLY pincode
    * send. A separate step (the canonical "send if no pin" gate, mirroring
@@ -3476,12 +3647,19 @@ declare class AuthWorkflow {
    * 3. STEP-UP (only when `stepUpRequired`): re-verify identity before any
    *    change — `mfaStepUpLoop` challenges an EXISTING factor when one is still
    *    challengeable (`stepUpMode==='mfa'`), else `manage-password-reauth` falls
-   *    back to the account password (`stepUpMode==='password'`). On success
+   *    back to the account password (`stepUpMode==='password'`). The sms/email
+   *    challenge collects explicit consent (`manage-stepup-confirm`) BEFORE
+   *    dispatching its pincode — opening the dialog never sends a code as a
+   *    side effect (see `resolveStepUpConfirmBeforeSend`). On success
    *    `manage-stepup-done` swaps off the encapsulated start onto the durable
    *    `store` strategy (server-anchored, replay-resistant; mirrors login's
    *    swap-after-credentials).
    * 4. `manage-menu` (only when `stepUpRequired`) — pick add / change / remove +
-   *    target; pre-seeds `mfaEnroll.method` for add/change.
+   *    target; pre-seeds `mfaEnroll.method` for add/change. Un-offerable
+   *    operations never render: locked transports drop their Change/Remove
+   *    options, and the LAST factor under a `required` policy drops Remove
+   *    (`removeBlocked`) — `confirm-remove-mfa` aborts to the finish terminal
+   *    if a blocked remove arrives anyway (no retryable dead-end form).
    * 5. Route: `confirm-remove-mfa` for remove; otherwise the REUSED enrol trio
    *    (`enroll-pick-method` → `enroll-address` / `enroll-totp-qr` →
    *    `enroll-confirm`). A zero-MFA user skips step-up + menu and lands on the