@aooth/auth-moost 0.1.23 → 0.1.25

package/dist/index.d.mts

@@ -1785,6 +1785,14 @@ interface AuthWfCtx {
   aborted?: boolean;
   isFirstLogin?: boolean;
   newPasswordRequired?: boolean;
+  /**
+   * Idempotency latch for the single `record-login` funnel step. Set true once
+   * a login has been stamped this run — by the `credentials` step (the password
+   * path stamps eagerly via `users.login()`) or by `record-login` itself — so
+   * the funnel never double-writes `account.lastLogin`. Server-only flow
+   * control; never `@wf.context.pass`-ed to the client.
+   */
+  loginRecorded?: boolean;
   autoLogin?: boolean;
   consents?: AuthWfConsentsState;
   pincode?: AuthWfPincodeUiState;
@@ -2124,6 +2132,47 @@ declare class AuthWorkflow {
    * mirrors `notifyNewDevice`'s posture). Never called by the base class.
    */
   protected sendSecurityAlert(ctx: AuthWfCtx, reason: string, context?: Record<string, unknown>): Promise<void>;
+  /**
+   * A user just authenticated and a session is being established — interactive
+   * login, federated (SSO) login, OR invite/signup/recovery auto-login. Fired
+   * from the single `record-login` funnel, AFTER `account.lastLogin` is stamped
+   * and BEFORE the session/code is delivered, so a throw aborts the login
+   * atomically (no half-issued session). `ctx.subject` is set; read
+   * `ctx.isFirstLogin` to distinguish the very first sign-in, `ctx.oauth` for
+   * federated context. Does NOT fire for the no-session "fresh-login" finalize
+   * (where the user is redirected to sign in separately).
+   */
+  protected afterLogin(_ctx: AuthWfCtx): void | Promise<void>;
+  /**
+   * An invitee finished accepting their invite — account activated — whether or
+   * not the flow auto-logged-them-in. Fires once, before the finalize terminal.
+   * (An auto-login invite ALSO fires {@link afterLogin}.)
+   */
+  protected afterInvitationAccepted(_ctx: AuthWfCtx): void | Promise<void>;
+  /**
+   * A self-signup account was created + activated (post password-set, post
+   * activate). Fires once, before the auto-login finalize. (Signup always
+   * auto-logins, so {@link afterLogin} fires too.)
+   */
+  protected afterSignup(_ctx: AuthWfCtx): void | Promise<void>;
+  /**
+   * A recovery password reset completed. Fires once even when an `admin-only`
+   * lock survived the reset (the password DID change) — so it runs ahead of the
+   * still-locked guard. An auto-login recovery ALSO fires {@link afterLogin}.
+   */
+  protected afterPasswordReset(_ctx: AuthWfCtx): void | Promise<void>;
+  /**
+   * An already-authenticated user changed their own password (change-password
+   * flow). NOT a login — the session is rotated, not established — so
+   * {@link afterLogin} does NOT fire.
+   */
+  protected afterPasswordChanged(_ctx: AuthWfCtx): void | Promise<void>;
+  /**
+   * A user added, changed, or removed an MFA factor (add-mfa flow). NOT fired
+   * on a cancel / nothing-to-do finish. The user KEEPS their session (no
+   * re-issue), so {@link afterLogin} does NOT fire.
+   */
+  protected afterMfaChanged(_ctx: AuthWfCtx): void | Promise<void>;
   /**
    * Return the list of selectable role identifiers for the admin invite form.
    * Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
@@ -2994,7 +3043,7 @@ declare class AuthWorkflow {
    * (un-removable operation aborted by `confirm-remove-mfa`) →
    * nothing-available (zero candidates, never had to step-up) → cancelled.
    */
-  finishAddMfa(ctx: AuthWfCtx): undefined;
+  finishAddMfa(ctx: AuthWfCtx): undefined | Promise<undefined>;
   /**
    * `finish-add-mfa`'s envelope construction, extracted pure so the outcome
    * priority (removed → changed → added → blocked → nothing-available →
@@ -3349,6 +3398,52 @@ declare class AuthWorkflow {
    * also zeroes `failedLoginAttempts`, so the next login starts clean.
    */
   unlockAccount(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * The SINGLE login-completion funnel. Every flow that establishes an
+   * authenticated session routes through here — placed in each login schema
+   * right after the guards and BEFORE the delivery terminal (`issue` /
+   * `mint-authz-code` / `finalize-auto-login`) — so a login can never be
+   * delivered without passing this point. Two uniform jobs:
+   *   1. Stamp `account.lastLogin` exactly once (the sole workflow writer of it).
+   *   2. Fire the `afterLogin` customer hook.
+   *
+   * Idempotent per run via `ctx.loginRecorded`: the password `credentials` path
+   * already stamped eagerly through `users.login()` and latched the flag, so the
+   * stamp NO-OPS there (no double write) — but `afterLogin` still fires, so the
+   * hook runs exactly once for password logins too. Federated (`sso-callback`)
+   * and auto-login (invite/signup/recovery) paths never call `login()`, so this
+   * is their sole stamp. Self-gates on `ctx.subject`. Runs AFTER
+   * `prepare-semantic-flags` derived `isFirstLogin`, so a genuine first
+   * federated login still observes `isFirstLogin === true`.
+   *
+   * A throw (from the stamp or the hook) aborts the flow BEFORE delivery, so the
+   * login fails atomically — no half-issued session.
+   */
+  recordLogin(ctx: AuthWfCtx): undefined | Promise<undefined>;
+  /**
+   * Recovery-only guard, extracted from the finalize terminals so they stay pure
+   * delivery. An `admin-only` lockout never self-unlocks, so a reset that left
+   * the account frozen must NOT be confirmed-as-success OR auto-logged-in
+   * (minting tokens would defeat the very freeze). When still locked it emits the
+   * warn terminal and sets `ctx.aborted`, so the schema's following `{ break }`
+   * skips BOTH the `record-login` funnel and the finalize terminals — a frozen
+   * account is never stamped or logged in. The schema gates this on
+   * `ctx.lockout?.mode === "admin-only"` (the only mode that can reach finalize
+   * still locked: self-service ran `unlock-account`; temporary auto-expires).
+   */
+  recoveryLockCheck(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * Thin dispatcher steps for the flow-specific lifecycle hooks. Each is its own
+   * schema step (rather than an in-terminal call) because its flow's finalize
+   * terminals are SHARED across flows (`finalize-auto-login` serves invite +
+   * recovery + signup; `finalize-fresh-login` serves invite + recovery), so a
+   * dedicated step in the flow-specific schema fires the right hook without
+   * ctx-discrimination inside a shared terminal. Named `fire*` so the overridable
+   * `after*` hooks keep the clean public name.
+   */
+  fireInvitationAccepted(ctx: AuthWfCtx): void | Promise<void>;
+  fireSignup(ctx: AuthWfCtx): void | Promise<void>;
+  firePasswordReset(ctx: AuthWfCtx): void | Promise<void>;
   /**
    * Issue access + refresh tokens via `auth.issue`. Stashes the login
    * response envelope on `useWfFinished` so downstream `redirect` can
@@ -3422,7 +3517,7 @@ declare class AuthWorkflow {
    * confirmation first. Discriminated by ctx-slot presence
    * (`ctx.postReset` → recovery; otherwise invite).
    */
-  finalizeFreshLogin(ctx: AuthWfCtx): undefined | Promise<undefined>;
+  finalizeFreshLogin(ctx: AuthWfCtx): undefined;
   /**
    * Post-reset store read: did an `admin-only` lockout survive the password
    * reset (account still frozen)? Callers MUST first confirm
@@ -3443,10 +3538,17 @@ declare class AuthWorkflow {
    */
   private finishRecoveryReset;
   /**
-   * Auto-login finalize — invite + recovery. Issues access + refresh tokens
-   * and stashes the login response envelope on `useWfFinished`. Invite
-   * preserves any `message` set by an earlier terminal (`confirmation`) so
-   * the SPA paints the confirmation text alongside the tokens (WF-INVITE-020).
+   * Auto-login finalize — invite + recovery + signup. PURE delivery: issues
+   * access + refresh tokens and stashes the login response envelope on
+   * `useWfFinished`. Invite preserves any `message` set by an earlier terminal
+   * (`confirmation`) so the SPA paints the confirmation text alongside the
+   * tokens (WF-INVITE-020).
+   *
+   * It records NOTHING and guards NOTHING: `account.lastLogin` + the
+   * `afterLogin` hook are owned by the upstream `record-login` funnel step, and
+   * the admin-only-survived-lock guard by the upstream `recovery-lock-check`
+   * step — both of which `{ break }`/gate this step out when they apply, so a
+   * still-frozen account never reaches here.
    */
   finalizeAutoLogin(ctx: AuthWfCtx): Promise<undefined>;
   /**

package/dist/index.mjs

@@ -1240,6 +1240,47 @@ let AuthWorkflow = class AuthWorkflow {
 		});
 	}
 	/**
+	* A user just authenticated and a session is being established — interactive
+	* login, federated (SSO) login, OR invite/signup/recovery auto-login. Fired
+	* from the single `record-login` funnel, AFTER `account.lastLogin` is stamped
+	* and BEFORE the session/code is delivered, so a throw aborts the login
+	* atomically (no half-issued session). `ctx.subject` is set; read
+	* `ctx.isFirstLogin` to distinguish the very first sign-in, `ctx.oauth` for
+	* federated context. Does NOT fire for the no-session "fresh-login" finalize
+	* (where the user is redirected to sign in separately).
+	*/
+	afterLogin(_ctx) {}
+	/**
+	* An invitee finished accepting their invite — account activated — whether or
+	* not the flow auto-logged-them-in. Fires once, before the finalize terminal.
+	* (An auto-login invite ALSO fires {@link afterLogin}.)
+	*/
+	afterInvitationAccepted(_ctx) {}
+	/**
+	* A self-signup account was created + activated (post password-set, post
+	* activate). Fires once, before the auto-login finalize. (Signup always
+	* auto-logins, so {@link afterLogin} fires too.)
+	*/
+	afterSignup(_ctx) {}
+	/**
+	* A recovery password reset completed. Fires once even when an `admin-only`
+	* lock survived the reset (the password DID change) — so it runs ahead of the
+	* still-locked guard. An auto-login recovery ALSO fires {@link afterLogin}.
+	*/
+	afterPasswordReset(_ctx) {}
+	/**
+	* An already-authenticated user changed their own password (change-password
+	* flow). NOT a login — the session is rotated, not established — so
+	* {@link afterLogin} does NOT fire.
+	*/
+	afterPasswordChanged(_ctx) {}
+	/**
+	* A user added, changed, or removed an MFA factor (add-mfa flow). NOT fired
+	* on a cancel / nothing-to-do finish. The user KEEPS their session (no
+	* re-issue), so {@link afterLogin} does NOT fire.
+	*/
+	afterMfaChanged(_ctx) {}
+	/**
 	* Return the list of selectable role identifiers for the admin invite form.
 	* Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
 	* `undefined` (default) means no whitelist is enforced. Read by
@@ -2364,6 +2405,7 @@ let AuthWorkflow = class AuthWorkflow {
 		try {
 			const result = await this.users.login(input.username, input.password, this.lockoutOverride(ctx));
 			ctx.subject = result.user.id;
+			ctx.loginRecorded = true;
 			swapStrategy("store");
 			if (ctx.guards?.passwordInitial && result.user.password.isInitial) ctx.isPasswordInitial = true;
 			if (ctx.guards?.passwordExpiry && this.users.isPasswordExpired(result.user)) ctx.isPasswordExpired = true;
@@ -3003,6 +3045,7 @@ let AuthWorkflow = class AuthWorkflow {
 			value: envelope,
 			cookies: auth.buildFinishedCookies(issue)
 		});
+		await this.afterPasswordChanged(ctx);
 	}
 	/**
 	* Terminal for the manage-MFA flow. The user KEEPS their current session (no
@@ -3016,6 +3059,9 @@ let AuthWorkflow = class AuthWorkflow {
 			type: "data",
 			value: this.buildAddMfaFinishEnvelope(ctx)
 		});
+		if (!ctx.addMfa?.removed && !(ctx.mfaEnroll?.done && ctx.mfaEnroll?.method)) return void 0;
+		const hook = this.afterMfaChanged(ctx);
+		return hook instanceof Promise ? hook.then(() => void 0) : void 0;
 	}
 	/**
 	* `finish-add-mfa`'s envelope construction, extracted pure so the outcome
@@ -4077,6 +4123,71 @@ let AuthWorkflow = class AuthWorkflow {
 		await this.users.unlockAccount(ctx.subject);
 	}
 	/**
+	* The SINGLE login-completion funnel. Every flow that establishes an
+	* authenticated session routes through here — placed in each login schema
+	* right after the guards and BEFORE the delivery terminal (`issue` /
+	* `mint-authz-code` / `finalize-auto-login`) — so a login can never be
+	* delivered without passing this point. Two uniform jobs:
+	*   1. Stamp `account.lastLogin` exactly once (the sole workflow writer of it).
+	*   2. Fire the `afterLogin` customer hook.
+	*
+	* Idempotent per run via `ctx.loginRecorded`: the password `credentials` path
+	* already stamped eagerly through `users.login()` and latched the flag, so the
+	* stamp NO-OPS there (no double write) — but `afterLogin` still fires, so the
+	* hook runs exactly once for password logins too. Federated (`sso-callback`)
+	* and auto-login (invite/signup/recovery) paths never call `login()`, so this
+	* is their sole stamp. Self-gates on `ctx.subject`. Runs AFTER
+	* `prepare-semantic-flags` derived `isFirstLogin`, so a genuine first
+	* federated login still observes `isFirstLogin === true`.
+	*
+	* A throw (from the stamp or the hook) aborts the flow BEFORE delivery, so the
+	* login fails atomically — no half-issued session.
+	*/
+	recordLogin(ctx) {
+		if (!ctx.subject) return void 0;
+		if (!ctx.loginRecorded) {
+			ctx.loginRecorded = true;
+			return this.users.recordLogin(ctx.subject).then(() => this.afterLogin(ctx)).then(() => void 0);
+		}
+		const hook = this.afterLogin(ctx);
+		return hook instanceof Promise ? hook.then(() => void 0) : void 0;
+	}
+	/**
+	* Recovery-only guard, extracted from the finalize terminals so they stay pure
+	* delivery. An `admin-only` lockout never self-unlocks, so a reset that left
+	* the account frozen must NOT be confirmed-as-success OR auto-logged-in
+	* (minting tokens would defeat the very freeze). When still locked it emits the
+	* warn terminal and sets `ctx.aborted`, so the schema's following `{ break }`
+	* skips BOTH the `record-login` funnel and the finalize terminals — a frozen
+	* account is never stamped or logged in. The schema gates this on
+	* `ctx.lockout?.mode === "admin-only"` (the only mode that can reach finalize
+	* still locked: self-service ran `unlock-account`; temporary auto-expires).
+	*/
+	async recoveryLockCheck(ctx) {
+		if (await this.recoveryLeftAccountLocked(ctx)) {
+			this.finishRecoveryReset(ctx, true);
+			ctx.aborted = true;
+		}
+	}
+	/**
+	* Thin dispatcher steps for the flow-specific lifecycle hooks. Each is its own
+	* schema step (rather than an in-terminal call) because its flow's finalize
+	* terminals are SHARED across flows (`finalize-auto-login` serves invite +
+	* recovery + signup; `finalize-fresh-login` serves invite + recovery), so a
+	* dedicated step in the flow-specific schema fires the right hook without
+	* ctx-discrimination inside a shared terminal. Named `fire*` so the overridable
+	* `after*` hooks keep the clean public name.
+	*/
+	fireInvitationAccepted(ctx) {
+		return this.afterInvitationAccepted(ctx);
+	}
+	fireSignup(ctx) {
+		return this.afterSignup(ctx);
+	}
+	firePasswordReset(ctx) {
+		return this.afterPasswordReset(ctx);
+	}
+	/**
 	* Issue access + refresh tokens via `auth.issue`. Stashes the login
 	* response envelope on `useWfFinished` so downstream `redirect` can
 	* override with a redirect envelope while preserving the cookies.
@@ -4096,7 +4207,7 @@ let AuthWorkflow = class AuthWorkflow {
 				...cookies,
 				[name]: {
 					value,
-					options: auth.cookieAttrs({ maxAge: ttlMs / 1e3 })
+					options: auth.cookieAttrs({ maxAge: ttlMs })
 				}
 			};
 		};
@@ -4308,9 +4419,6 @@ let AuthWorkflow = class AuthWorkflow {
 			(ctx.completion ??= {}).redirectUrl = target;
 			return;
 		}
-		if (ctx.lockout?.mode === "admin-only") return this.recoveryLeftAccountLocked(ctx).then((locked) => {
-			this.finishRecoveryReset(ctx, locked);
-		});
 		this.finishRecoveryReset(ctx, false);
 	}
 	/**
@@ -4372,17 +4480,20 @@ let AuthWorkflow = class AuthWorkflow {
 		(ctx.completion ??= {}).redirectUrl = target;
 	}
 	/**
-	* Auto-login finalize — invite + recovery. Issues access + refresh tokens
-	* and stashes the login response envelope on `useWfFinished`. Invite
-	* preserves any `message` set by an earlier terminal (`confirmation`) so
-	* the SPA paints the confirmation text alongside the tokens (WF-INVITE-020).
+	* Auto-login finalize — invite + recovery + signup. PURE delivery: issues
+	* access + refresh tokens and stashes the login response envelope on
+	* `useWfFinished`. Invite preserves any `message` set by an earlier terminal
+	* (`confirmation`) so the SPA paints the confirmation text alongside the
+	* tokens (WF-INVITE-020).
+	*
+	* It records NOTHING and guards NOTHING: `account.lastLogin` + the
+	* `afterLogin` hook are owned by the upstream `record-login` funnel step, and
+	* the admin-only-survived-lock guard by the upstream `recovery-lock-check`
+	* step — both of which `{ break }`/gate this step out when they apply, so a
+	* still-frozen account never reaches here.
 	*/
 	async finalizeAutoLogin(ctx) {
 		this.requireSubject(ctx);
-		if (ctx.lockout?.mode === "admin-only" && await this.recoveryLeftAccountLocked(ctx)) {
-			this.finishRecoveryReset(ctx, true);
-			return;
-		}
 		const issue = await this.issueForContext(ctx);
 		const auth = useAuth();
 		const previousMessage = (useWfFinished().get()?.value)?.message;
@@ -5253,7 +5364,7 @@ __decorate([
 	__decorateParam(0, WorkflowParam("context")),
 	__decorateMetadata("design:type", Function),
 	__decorateMetadata("design:paramtypes", [Object]),
-	__decorateMetadata("design:returntype", void 0)
+	__decorateMetadata("design:returntype", Object)
 ], AuthWorkflow.prototype, "finishAddMfa", null);
 __decorate([
 	Step("prepare-locked-mfa-transports"),
@@ -5511,6 +5622,46 @@ __decorate([
 	__decorateMetadata("design:paramtypes", [Object]),
 	__decorateMetadata("design:returntype", Promise)
 ], AuthWorkflow.prototype, "unlockAccount", null);
+__decorate([
+	Step("record-login"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], AuthWorkflow.prototype, "recordLogin", null);
+__decorate([
+	Step("recovery-lock-check"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthWorkflow.prototype, "recoveryLockCheck", null);
+__decorate([
+	Step("after-invitation-accepted"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], AuthWorkflow.prototype, "fireInvitationAccepted", null);
+__decorate([
+	Step("after-signup"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], AuthWorkflow.prototype, "fireSignup", null);
+__decorate([
+	Step("after-password-reset"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Object)
+], AuthWorkflow.prototype, "firePasswordReset", null);
 __decorate([
 	Step("issue"),
 	Public(),
@@ -5557,7 +5708,7 @@ __decorate([
 	__decorateParam(0, WorkflowParam("context")),
 	__decorateMetadata("design:type", Function),
 	__decorateMetadata("design:paramtypes", [Object]),
-	__decorateMetadata("design:returntype", Object)
+	__decorateMetadata("design:returntype", void 0)
 ], AuthWorkflow.prototype, "finalizeFreshLogin", null);
 __decorate([
 	Step("finalize-auto-login"),
@@ -5723,6 +5874,10 @@ __decorate([
 			}]
 		},
 		{ break: (ctx) => !!ctx.aborted },
+		{
+			id: "record-login",
+			condition: (ctx) => !!ctx.subject
+		},
 		{
 			condition: (ctx) => !ctx.authz,
 			steps: [
@@ -5796,6 +5951,7 @@ __decorate([
 				...consentsPersistTailSchema,
 				{ id: "unset-pending-invitation" },
 				{ id: "activate-user" },
+				{ id: "after-invitation-accepted" },
 				{
 					id: "confirmation",
 					condition: (ctx) => !!ctx.accept?.showConfirmation
@@ -5804,6 +5960,10 @@ __decorate([
 					id: "finalize-fresh-login",
 					condition: (ctx) => !ctx.autoLogin
 				},
+				{
+					id: "record-login",
+					condition: (ctx) => !!ctx.autoLogin
+				},
 				{
 					id: "finalize-auto-login",
 					condition: (ctx) => !!ctx.autoLogin
@@ -5846,10 +6006,20 @@ __decorate([
 			condition: (ctx) => ctx.lockout?.mode === "self-service"
 		},
 		...consentsPersistTailSchema,
+		{ id: "after-password-reset" },
+		{
+			id: "recovery-lock-check",
+			condition: (ctx) => ctx.lockout?.mode === "admin-only"
+		},
+		{ break: (ctx) => !!ctx.aborted },
 		{
 			id: "finalize-fresh-login",
 			condition: (ctx) => !ctx.autoLogin
 		},
+		{
+			id: "record-login",
+			condition: (ctx) => !!ctx.autoLogin
+		},
 		{
 			id: "finalize-auto-login",
 			condition: (ctx) => !!ctx.autoLogin
@@ -5946,6 +6116,8 @@ __decorate([
 		{ id: "activate-user" },
 		...consentsPersistTailSchema,
 		{ id: "signup-extra-step" },
+		{ id: "after-signup" },
+		{ id: "record-login" },
 		{ id: "finalize-auto-login" }
 	]),
 	__decorateMetadata("design:type", Function),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -57,27 +57,27 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.101",
+    "@atscript/moost-wf": "^0.1.102",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/arbac-moost": "^0.1.23",
-    "@aooth/idp": "0.1.23",
-    "@aooth/auth": "0.1.23",
-    "@aooth/user": "0.1.23"
+    "@aooth/arbac-moost": "^0.1.25",
+    "@aooth/auth": "0.1.25",
+    "@aooth/idp": "0.1.25",
+    "@aooth/user": "0.1.25"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.76",
-    "@atscript/typescript": "^0.1.76",
-    "@atscript/ui": "^0.1.101",
-    "@atscript/ui-fns": "^0.1.101",
+    "@atscript/core": "^0.1.77",
+    "@atscript/typescript": "^0.1.77",
+    "@atscript/ui": "^0.1.102",
+    "@atscript/ui-fns": "^0.1.102",
     "@moostjs/event-http": "^0.6.27",
     "@moostjs/event-wf": "^0.6.27",
     "moost": "^0.6.27",
-    "unplugin-atscript": "^0.1.76",
+    "unplugin-atscript": "^0.1.77",
     "wooks": "^0.7.19"
   },
   "peerDependencies": {
-    "@atscript/moost-wf": "^0.1.101",
-    "@atscript/typescript": "^0.1.76",
+    "@atscript/moost-wf": "^0.1.102",
+    "@atscript/typescript": "^0.1.77",
     "@moostjs/event-http": "^0.6.27",
     "@moostjs/event-wf": "^0.6.27",
     "@wooksjs/event-core": "^0.7.19",