npm - @augmenting-integrations/auth - Versions diffs - 6.0.0 → 8.0.0 - Mend

@augmenting-integrations/auth 6.0.0 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/client/tenant.cjs +64 -0
package/dist/client/tenant.cjs.map +1 -0
package/dist/client/tenant.d.ts +9 -0
package/dist/client/tenant.d.ts.map +1 -0
package/dist/client/tenant.js +30 -0
package/dist/client/tenant.js.map +1 -0
package/dist/client.cjs +9 -2
package/dist/client.cjs.map +1 -1
package/dist/client.d.ts +1 -0
package/dist/client.d.ts.map +1 -1
package/dist/client.js +9 -1
package/dist/client.js.map +1 -1
package/dist/server/createAuth.d.ts +18 -31
package/dist/server/createAuth.d.ts.map +1 -1
package/dist/server/tenant.d.ts +26 -0
package/dist/server/tenant.d.ts.map +1 -0
package/dist/server.cjs +110 -56
package/dist/server.cjs.map +1 -1
package/dist/server.d.ts +1 -0
package/dist/server.d.ts.map +1 -1
package/dist/server.js +106 -56
package/dist/server.js.map +1 -1
package/dist/tenant-types.d.ts +63 -0
package/dist/tenant-types.d.ts.map +1 -0
package/package.json +3 -3

package/dist/client/tenant.cjs ADDED Viewed

@@ -0,0 +1,64 @@
+"use strict";
+"use client";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var tenant_exports = {};
+__export(tenant_exports, {
+  TENANT_GLOBAL_KEY: () => import_tenant_types2.TENANT_GLOBAL_KEY,
+  TenantProvider: () => TenantProvider,
+  useTenant: () => useTenant
+});
+module.exports = __toCommonJS(tenant_exports);
+var React = __toESM(require("react"));
+var import_tenant_types = require("../tenant-types.js");
+var import_tenant_types2 = require("../tenant-types.js");
+const TenantContext = React.createContext(null);
+function TenantProvider({
+  tenant,
+  children
+}) {
+  return React.createElement(TenantContext.Provider, { value: tenant }, children);
+}
+function useTenant() {
+  const ctx = React.useContext(TenantContext);
+  if (ctx) return ctx;
+  if (typeof window !== "undefined") {
+    const fromGlobal = window[import_tenant_types.TENANT_GLOBAL_KEY];
+    if (fromGlobal) return fromGlobal;
+  }
+  throw new Error(
+    "useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout."
+  );
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+});
+//# sourceMappingURL=tenant.cjs.map

package/dist/client/tenant.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/client/tenant.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\nimport { TENANT_GLOBAL_KEY, type TenantPublicConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// <TenantProvider> + useTenant()\n//\n// Single source of tenant truth on the client. Rendered server-side as part\n// of the root layout; reads the same TenantPublicConfig passed to\n// <TenantBootScript />. The Context value flows through SSR, so server\n// components rendered as children + every client component can call\n// useTenant() without worrying about hydration order.\n//\n// We also accept window.__TENANT__ as a fallback for non-React widgets and\n// for the rare case of a client component rendered outside the Provider\n// tree (a defensive read).\n// =============================================================================\n\nconst TenantContext = React.createContext<TenantPublicConfig | null>(null);\n\nexport function TenantProvider({\n tenant,\n children,\n}: {\n tenant: TenantPublicConfig;\n children: React.ReactNode;\n}) {\n return React.createElement(TenantContext.Provider, { value: tenant }, children);\n}\n\nexport function useTenant(): TenantPublicConfig {\n const ctx = React.useContext(TenantContext);\n if (ctx) return ctx;\n // Defensive fallback: a non-Provider client widget. Only works after\n // <TenantBootScript /> has run.\n if (typeof window !== \"undefined\") {\n const fromGlobal = window[TENANT_GLOBAL_KEY];\n if (fromGlobal) return fromGlobal;\n }\n throw new Error(\n \"useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout.\",\n );\n}\n\nexport {\n TENANT_GLOBAL_KEY,\n type TenantPublicConfig,\n type TenantRole,\n} from \"../tenant-types.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,YAAuB;AACvB,0BAA2D;AA0C3D,IAAAA,uBAIO;AA9BP,MAAM,gBAAgB,MAAM,cAAyC,IAAI;AAElE,SAAS,eAAe;AAAA,EAC7B;AAAA,EACA;AACF,GAGG;AACD,SAAO,MAAM,cAAc,cAAc,UAAU,EAAE,OAAO,OAAO,GAAG,QAAQ;AAChF;AAEO,SAAS,YAAgC;AAC9C,QAAM,MAAM,MAAM,WAAW,aAAa;AAC1C,MAAI,IAAK,QAAO;AAGhB,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,aAAa,OAAO,qCAAiB;AAC3C,QAAI,WAAY,QAAO;AAAA,EACzB;AACA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;","names":["import_tenant_types"]}

package/dist/client/tenant.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import * as React from "react";
+import { type TenantPublicConfig } from "../tenant-types.js";
+export declare function TenantProvider({ tenant, children, }: {
+    tenant: TenantPublicConfig;
+    children: React.ReactNode;
+}): React.FunctionComponentElement<React.ProviderProps<TenantPublicConfig | null>>;
+export declare function useTenant(): TenantPublicConfig;
+export { TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantRole, } from "../tenant-types.js";
+//# sourceMappingURL=tenant.d.ts.map

package/dist/client/tenant.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../../src/client/tenant.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAqB,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAkBhF,wBAAgB,cAAc,CAAC,EAC7B,MAAM,EACN,QAAQ,GACT,EAAE;IACD,MAAM,EAAE,kBAAkB,CAAC;IAC3B,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B,kFAEA;AAED,wBAAgB,SAAS,IAAI,kBAAkB,CAY9C;AAED,OAAO,EACL,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/client/tenant.js ADDED Viewed

@@ -0,0 +1,30 @@
+"use client";
+import * as React from "react";
+import { TENANT_GLOBAL_KEY } from "../tenant-types.js";
+const TenantContext = React.createContext(null);
+function TenantProvider({
+  tenant,
+  children
+}) {
+  return React.createElement(TenantContext.Provider, { value: tenant }, children);
+}
+function useTenant() {
+  const ctx = React.useContext(TenantContext);
+  if (ctx) return ctx;
+  if (typeof window !== "undefined") {
+    const fromGlobal = window[TENANT_GLOBAL_KEY];
+    if (fromGlobal) return fromGlobal;
+  }
+  throw new Error(
+    "useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout."
+  );
+}
+import {
+  TENANT_GLOBAL_KEY as TENANT_GLOBAL_KEY2
+} from "../tenant-types.js";
+export {
+  TENANT_GLOBAL_KEY2 as TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+};
+//# sourceMappingURL=tenant.js.map

package/dist/client/tenant.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/client/tenant.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\nimport { TENANT_GLOBAL_KEY, type TenantPublicConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// <TenantProvider> + useTenant()\n//\n// Single source of tenant truth on the client. Rendered server-side as part\n// of the root layout; reads the same TenantPublicConfig passed to\n// <TenantBootScript />. The Context value flows through SSR, so server\n// components rendered as children + every client component can call\n// useTenant() without worrying about hydration order.\n//\n// We also accept window.__TENANT__ as a fallback for non-React widgets and\n// for the rare case of a client component rendered outside the Provider\n// tree (a defensive read).\n// =============================================================================\n\nconst TenantContext = React.createContext<TenantPublicConfig | null>(null);\n\nexport function TenantProvider({\n tenant,\n children,\n}: {\n tenant: TenantPublicConfig;\n children: React.ReactNode;\n}) {\n return React.createElement(TenantContext.Provider, { value: tenant }, children);\n}\n\nexport function useTenant(): TenantPublicConfig {\n const ctx = React.useContext(TenantContext);\n if (ctx) return ctx;\n // Defensive fallback: a non-Provider client widget. Only works after\n // <TenantBootScript /> has run.\n if (typeof window !== \"undefined\") {\n const fromGlobal = window[TENANT_GLOBAL_KEY];\n if (fromGlobal) return fromGlobal;\n }\n throw new Error(\n \"useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout.\",\n );\n}\n\nexport {\n TENANT_GLOBAL_KEY,\n type TenantPublicConfig,\n type TenantRole,\n} from \"../tenant-types.js\";\n"],"mappings":";AAEA,YAAY,WAAW;AACvB,SAAS,yBAAkD;AAgB3D,MAAM,gBAAgB,MAAM,cAAyC,IAAI;AAElE,SAAS,eAAe;AAAA,EAC7B;AAAA,EACA;AACF,GAGG;AACD,SAAO,MAAM,cAAc,cAAc,UAAU,EAAE,OAAO,OAAO,GAAG,QAAQ;AAChF;AAEO,SAAS,YAAgC;AAC9C,QAAM,MAAM,MAAM,WAAW,aAAa;AAC1C,MAAI,IAAK,QAAO;AAGhB,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,aAAa,OAAO,iBAAiB;AAC3C,QAAI,WAAY,QAAO;AAAA,EACzB;AACA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;AAEA;AAAA,EACE,qBAAAA;AAAA,OAGK;","names":["TENANT_GLOBAL_KEY"]}

package/dist/client.cjs CHANGED Viewed

@@ -21,11 +21,14 @@ __export(client_exports, {
   AppUserProvider: () => import_AppUserProvider.AppUserProvider,
   ImpersonationBanner: () => import_ImpersonationBanner.ImpersonationBanner,
   SignOutButton: () => import_SignOutButton.SignOutButton,
+  TENANT_GLOBAL_KEY: () => import_tenant.TENANT_GLOBAL_KEY,
+  TenantProvider: () => import_tenant.TenantProvider,
   UserMenu: () => import_UserMenu.UserMenu,
   useAppUser: () => import_AppUserProvider.useAppUser,
   useDbAppUser: () => import_AppUserProvider.useDbAppUser,
   useImpersonation: () => import_use_impersonation.useImpersonation,
-  useRole: () => import_AppUserProvider.useRole
+  useRole: () => import_AppUserProvider.useRole,
+  useTenant: () => import_tenant.useTenant
 });
 module.exports = __toCommonJS(client_exports);
 var import_AppUserProvider = require("./client/AppUserProvider.js");
@@ -33,15 +36,19 @@ var import_UserMenu = require("./client/UserMenu.js");
 var import_SignOutButton = require("./client/SignOutButton.js");
 var import_ImpersonationBanner = require("./client/ImpersonationBanner.js");
 var import_use_impersonation = require("./client/use-impersonation.js");
+var import_tenant = require("./client/tenant.js");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AppUserProvider,
   ImpersonationBanner,
   SignOutButton,
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
   UserMenu,
   useAppUser,
   useDbAppUser,
   useImpersonation,
-  useRole
+  useRole,
+  useTenant
 });
 //# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n AppUserProvider,\n useAppUser,\n useDbAppUser,\n useRole,\n type AppUserState,\n type DbAppUser,\n type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n useImpersonation,\n type EffectiveUser,\n type ImpersonatedBy,\n type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAQO;AACP,sBAAyB;AACzB,2BAA8B;AAC9B,iCAAoC;AACpC,+BAKO;","names":[]}
1	+ {"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n AppUserProvider,\n useAppUser,\n useDbAppUser,\n useRole,\n type AppUserState,\n type DbAppUser,\n type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n useImpersonation,\n type EffectiveUser,\n type ImpersonatedBy,\n type MeResponse,\n} from \"./client/use-impersonation.js\";\nexport {\n TenantProvider,\n useTenant,\n TENANT_GLOBAL_KEY,\n type TenantPublicConfig,\n type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAQO;AACP,sBAAyB;AACzB,2BAA8B;AAC9B,iCAAoC;AACpC,+BAKO;AACP,oBAMO;","names":[]}

package/dist/client.d.ts CHANGED Viewed

@@ -3,4 +3,5 @@ export { UserMenu } from "./client/UserMenu.js";
 export { SignOutButton } from "./client/SignOutButton.js";
 export { ImpersonationBanner } from "./client/ImpersonationBanner.js";
 export { useImpersonation, type EffectiveUser, type ImpersonatedBy, type MeResponse, } from "./client/use-impersonation.js";
+export { TenantProvider, useTenant, TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantRole, } from "./client/tenant.js";
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,UAAU,EACV,YAAY,EACZ,OAAO,EACP,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC"}
1	+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,EACf,UAAU,EACV,YAAY,EACZ,OAAO,EACP,KAAK,YAAY,EACjB,KAAK,SAAS,EACd,KAAK,cAAc,GACpB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,UAAU,GAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EACL,cAAc,EACd,SAAS,EACT,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/client.js CHANGED Viewed

@@ -10,14 +10,22 @@ import { ImpersonationBanner } from "./client/ImpersonationBanner.js";
 import {
   useImpersonation
 } from "./client/use-impersonation.js";
+import {
+  TenantProvider,
+  useTenant,
+  TENANT_GLOBAL_KEY
+} from "./client/tenant.js";
 export {
   AppUserProvider,
   ImpersonationBanner,
   SignOutButton,
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
   UserMenu,
   useAppUser,
   useDbAppUser,
   useImpersonation,
-  useRole
+  useRole,
+  useTenant
 };
 //# sourceMappingURL=client.js.map

package/dist/client.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n AppUserProvider,\n useAppUser,\n useDbAppUser,\n useRole,\n type AppUserState,\n type DbAppUser,\n type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n useImpersonation,\n type EffectiveUser,\n type ImpersonatedBy,\n type MeResponse,\n} from \"./client/use-impersonation.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,gBAAgB;AACzB,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,OAIK;","names":[]}
1	+ {"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n AppUserProvider,\n useAppUser,\n useDbAppUser,\n useRole,\n type AppUserState,\n type DbAppUser,\n type SessionAppUser,\n} from \"./client/AppUserProvider.js\";\nexport { UserMenu } from \"./client/UserMenu.js\";\nexport { SignOutButton } from \"./client/SignOutButton.js\";\nexport { ImpersonationBanner } from \"./client/ImpersonationBanner.js\";\nexport {\n useImpersonation,\n type EffectiveUser,\n type ImpersonatedBy,\n type MeResponse,\n} from \"./client/use-impersonation.js\";\nexport {\n TenantProvider,\n useTenant,\n TENANT_GLOBAL_KEY,\n type TenantPublicConfig,\n type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,gBAAgB;AACzB,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,OAIK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAGK;","names":[]}

package/dist/server/createAuth.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { type DefaultSession, type Session } from "next-auth";
+import type { TenantServerConfig } from "../tenant-types.js";
 declare module "next-auth" {
     interface Session {
         user: {
@@ -10,47 +11,33 @@ declare module "next-auth" {
     }
 }
 export type CreateAuthOptions = {
-    /** Path prefixes that require an authenticated session. */
-    authedRoutePrefixes: string[];
     /**
-     * Page to redirect to when an unauthed user hits a gated route.
-     * If omitted, derived automatically from appDomain + allowedParentDomain:
-     * apex app gets `/login`; subdomain apps get `https://<apex>/login`.
+     * Full tenant configuration. Provides apex/cookieDomain/parentDomain/
+     * appDomain/role + cognito client id + issuer + allowed admin emails.
+     * Load via `loadTenantConfig()` from `@augmenting-integrations/tenant/server`.
      */
-    signInPage?: string;
+    tenant: TenantServerConfig;
+    /** Path prefixes that require an authenticated session. */
+    authedRoutePrefixes: string[];
     /**
-     * Cookie Domain attribute. In subdomain ecosystems, set to the parent
-     * (e.g. `.agency.aillc.link`). Default: process.env.AUTH_COOKIE_DOMAIN.
-     * In dev (NODE_ENV !== "production") this is ignored — cookies stay
-     * host-only so per-port localhost apps don't collide.
+     * JWT signing secret. Caller fetches from Secrets Manager via
+     * `getSecret(tenant.authSecretArn)` and passes the resolved value here.
+     * The library doesn't bundle AWS SDK reads itself.
      */
-    cookieDomain?: string;
+    authSecret: string;
     /**
-     * The parent domain that all subdomain apps share (e.g.
-     * `.agency.aillc.link`). The redirect callback uses this to allow
-     * post-login redirects back to any subdomain of the parent (apex or
-     * `<sub>.agency.aillc.link`). Default: process.env.AUTH_ALLOWED_PARENT_DOMAIN.
+     * Cognito OAuth client secret. Apex apps only -- spokes never run the
+     * OAuth dance. Caller fetches from Secrets Manager via
+     * `getSecret(tenant.authCognitoSecretArn)`.
      */
-    allowedParentDomain?: string;
+    cognitoClientSecret?: string;
     /**
-     * This app's full FQDN (e.g. `agency.aillc.link` for the apex app, or
-     * `leads.agency.aillc.link` for a subdomain app). Used to derive the
-     * default signInPage. Default: process.env.APP_DOMAIN.
+     * Override the auto-derived sign-in page (rarely needed). Default:
+     * apex apps get `/login`; spoke apps get `https://<apex>/login`.
      */
-    appDomain?: string;
+    signInPage?: string;
     /** Override prod/dev detection. Default reads NODE_ENV. */
     isProd?: boolean;
-    /**
-     * The JWT signing secret. Default: process.env.AUTH_SECRET.
-     * In prod, pass this from a runtime fetch (Secrets Manager) to keep the
-     * secret out of Lambda env vars and to support rotation without redeploy.
-     */
-    secret?: string;
-    cognito?: {
-        clientId?: string;
-        clientSecret?: string;
-        issuer?: string;
-    };
 };
 export declare class AuthError extends Error {
     code: "unauthenticated" | "forbidden";

package/dist/server/createAuth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"createAuth.d.ts","sourceRoot":"","sources":["../../src/server/createAuth.ts"],"names":[],"mappings":"AAkBA,OAAiB,EACf,KAAK,cAAc,EAEnB,KAAK,OAAO,EACb,MAAM,WAAW,CAAC;~~AAQnB~~,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,EAAE,CAAC;SAClB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;KAC5B;IACD,UAAU,IAAI;QACZ,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B~~,2DAA2D;IAC3D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B~~;;;;OAIG;IACH,~~UAAU~~,~~CAAC,~~EAAE,~~MAAM~~,CAAC;~~IACpB;;;;;OAKG~~;~~IACH~~,~~YAAY~~,~~CAAC,~~EAAE,MAAM,~~CAAC;IACtB;;;;;OAKG;IACH,mBAAmB,CAAC,~~EAAE,~~MAAM,~~CAAC;~~IAC7B~~;;;;OAIG;IACH,~~SAAS~~,~~CAAC,~~EAAE,MAAM,CAAC;IACnB~~,2DAA2D;IAC3D,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB~~;;;;OAIG;IACH,~~MAAM~~,CAAC,EAAE,MAAM,CAAC;~~IAChB,OAAO,CAAC,EAAE~~;~~QACR~~,~~QAAQ~~,CAAC,EAAE,MAAM,CAAC;~~QAClB~~,~~YAAY,CAAC,EAAE,MAAM,CAAC~~;~~QACtB~~,MAAM,CAAC,EAAE,~~MAAM~~,CAAC;~~KACjB~~,CAAC;~~CACH,CAAC;~~AAIF,qBAAa,SAAU,SAAQ,KAAK;IACf,IAAI,EAAE,iBAAiB,GAAG,WAAW;gBAArC,IAAI,EAAE,iBAAiB,GAAG,WAAW;CAIzD;AAID,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAE3E;AAED,+CAA+C;AAC/C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EACnC,GAAG,KAAK,EAAE,MAAM,EAAE,GACjB,IAAI,CAKN;~~AAkFD~~,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,~~sCA+IjD~~;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}
1	+ {"version":3,"file":"createAuth.d.ts","sourceRoot":"","sources":["../../src/server/createAuth.ts"],"names":[],"mappings":"AAkBA,OAAiB,EACf,KAAK,cAAc,EAEnB,KAAK,OAAO,EACb,MAAM,WAAW,CAAC;AAGnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAM7D,OAAO,QAAQ,WAAW,CAAC;IACzB,UAAU,OAAO;QACf,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,EAAE,CAAC;SAClB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;KAC5B;IACD,UAAU,IAAI;QACZ,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;KACnB;CACF;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;;;OAIG;IACH,MAAM,EAAE,kBAAkB,CAAC;IAC3B,2DAA2D;IAC3D,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAIF,qBAAa,SAAU,SAAQ,KAAK;IACf,IAAI,EAAE,iBAAiB,GAAG,WAAW;gBAArC,IAAI,EAAE,iBAAiB,GAAG,WAAW;CAIzD;AAID,2EAA2E;AAC3E,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,EAAE,CAE3E;AAED,+CAA+C;AAC/C,wBAAgB,QAAQ,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAInF;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,EACnC,GAAG,KAAK,EAAE,MAAM,EAAE,GACjB,IAAI,CAKN;AA+BD,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,sCAmIjD;AAED,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC"}

package/dist/server/tenant.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import "server-only";
+import * as React from "react";
+import { type TenantPublicConfig, type TenantRole, type TenantServerConfig } from "../tenant-types.js";
+export type LoadOptions = {
+    role: TenantRole;
+    /**
+     * Override env reads with explicit values (useful for tests).
+     */
+    overrides?: Partial<TenantServerConfig>;
+};
+/**
+ * Read tenant configuration from process.env with optional overrides.
+ * Throws a single Error listing every missing required field.
+ */
+export declare function loadTenantConfig(opts: LoadOptions): TenantServerConfig;
+/**
+ * Reduce a TenantServerConfig to the public-safe subset. Strips every
+ * secret-arn so the result is safe to ship to the browser via
+ * <TenantBootScript />.
+ */
+export declare function publicSubset(config: TenantServerConfig): TenantPublicConfig;
+export declare function TenantBootScript({ config }: {
+    config: TenantPublicConfig;
+}): React.DetailedReactHTMLElement<Record<string, unknown>, HTMLElement>;
+export { TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantServerConfig, type TenantRole, } from "../tenant-types.js";
+//# sourceMappingURL=tenant.d.ts.map

package/dist/server/tenant.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../../src/server/tenant.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AACrB,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,kBAAkB,EACxB,MAAM,oBAAoB,CAAC;AAoB5B,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,UAAU,CAAC;IACjB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;CACzC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,WAAW,GAAG,kBAAkB,CAwDtE;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,kBAAkB,CAU3E;AAeD,wBAAgB,gBAAgB,CAAC,EAAE,MAAM,EAAE,EAAE;IAAE,MAAM,EAAE,kBAAkB,CAAA;CAAE,wEAM1E;AAED,OAAO,EACL,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/server.cjs CHANGED Viewed

@@ -33,11 +33,15 @@ __export(server_exports, {
   AuthError: () => AuthError,
   IMPERSONATE_COOKIE_NAME: () => IMPERSONATE_COOKIE_NAME,
   IMPERSONATE_TTL_SECONDS: () => IMPERSONATE_TTL_SECONDS,
+  TENANT_GLOBAL_KEY: () => TENANT_GLOBAL_KEY,
+  TenantBootScript: () => TenantBootScript,
   createAuth: () => createAuth,
   createGetOrCreateAppUser: () => createGetOrCreateAppUser,
   getUserGroups: () => getUserGroups,
   hasGroup: () => hasGroup,
+  loadTenantConfig: () => loadTenantConfig,
   mintImpersonationToken: () => mintImpersonationToken,
+  publicSubset: () => publicSubset,
   requireGroup: () => requireGroup,
   verifyImpersonationToken: () => verifyImpersonationToken
 });
@@ -69,37 +73,11 @@ function requireGroup(session, ...names) {
   const ok = names.some((n) => hasGroup(session, n));
   if (!ok) throw new AuthError("forbidden");
 }
-function validateProdEnv(args) {
-  if (!args.isProd) return;
-  if (process.env.NEXT_PHASE === "phase-production-build") return;
-  if (!process.env.AWS_LAMBDA_FUNCTION_NAME) return;
-  const missing = [];
-  if (!args.secret) missing.push("AUTH_SECRET");
-  if (!args.cognitoClientId) missing.push("AUTH_COGNITO_ID");
-  if (!args.cognitoClientSecret) missing.push("AUTH_COGNITO_SECRET");
-  if (!args.cognitoIssuer) missing.push("AUTH_COGNITO_ISSUER");
-  const hasAny = !!(args.cookieDomain || args.allowedParentDomain || args.appDomain);
-  if (hasAny) {
-    if (!args.cookieDomain) missing.push("AUTH_COOKIE_DOMAIN");
-    if (!args.allowedParentDomain) missing.push("AUTH_ALLOWED_PARENT_DOMAIN");
-    if (!args.appDomain) missing.push("APP_DOMAIN");
-  }
-  if (missing.length > 0) {
-    throw new Error(
-      `[@augmenting-integrations/auth] Missing required prod env vars: ${missing.join(
-        ", "
-      )}. Provide via createAuth() opts or process.env.`
-    );
-  }
-}
-function buildRedirectCallback(allowedParentDomain) {
+function buildRedirectCallback(parentDomain) {
   return ({ url, baseUrl }) => {
     try {
       const target = new URL(url, baseUrl);
-      if (!allowedParentDomain) {
-        return target.origin === new URL(baseUrl).origin ? target.toString() : baseUrl;
-      }
-      const apex = allowedParentDomain.replace(/^\./, "").toLowerCase();
+      const apex = parentDomain.replace(/^\./, "").toLowerCase();
       const host = target.hostname.toLowerCase();
       const ok = host === apex || host.endsWith(`.${apex}`);
       return ok ? target.toString() : baseUrl;
@@ -110,38 +88,31 @@ function buildRedirectCallback(allowedParentDomain) {
 }
 function deriveSignInPage(args) {
   if (args.signInPage) return args.signInPage;
-  if (args.appDomain && args.allowedParentDomain) {
-    const apex = args.allowedParentDomain.replace(/^\./, "");
-    return args.appDomain === apex ? "/login" : `https://${apex}/login`;
-  }
-  return "/login";
+  return args.appDomain === args.apex ? "/login" : `https://${args.apex}/login`;
 }
 function createAuth(opts) {
+  const { tenant, authSecret, cognitoClientSecret } = opts;
   const isProd = opts.isProd ?? process.env.NODE_ENV === "production";
-  const cookieDomain = isProd ? opts.cookieDomain ?? process.env.AUTH_COOKIE_DOMAIN : void 0;
-  const allowedParentDomain = opts.allowedParentDomain ?? process.env.AUTH_ALLOWED_PARENT_DOMAIN;
-  const appDomain = opts.appDomain ?? process.env.APP_DOMAIN;
-  const SECRET = opts.secret ?? process.env.AUTH_SECRET ?? (isProd ? void 0 : "dev-only-fallback-not-for-prod");
-  const cognitoClientId = opts.cognito?.clientId ?? process.env.AUTH_COGNITO_ID;
-  const cognitoClientSecret = opts.cognito?.clientSecret ?? process.env.AUTH_COGNITO_SECRET;
-  const cognitoIssuer = opts.cognito?.issuer ?? process.env.AUTH_COGNITO_ISSUER;
-  validateProdEnv({
-    isProd,
-    cookieDomain,
-    allowedParentDomain,
-    appDomain,
-    secret: SECRET,
-    cognitoClientId,
-    cognitoClientSecret,
-    cognitoIssuer
-  });
+  const cookieDomain = isProd ? tenant.cookieDomain : void 0;
+  if (tenant.role === "apex") {
+    if (!tenant.cognitoClientId || !tenant.cognitoIssuer) {
+      throw new Error(
+        "createAuth: tenant.role='apex' requires cognitoClientId + cognitoIssuer. Check loadTenantConfig() inputs."
+      );
+    }
+    if (isProd && !cognitoClientSecret) {
+      throw new Error(
+        "createAuth: tenant.role='apex' in production requires cognitoClientSecret. Fetch via getSecret(tenant.authCognitoSecretArn) and pass it in."
+      );
+    }
+  }
   const signInPage = deriveSignInPage({
     signInPage: opts.signInPage,
-    appDomain,
-    allowedParentDomain
+    appDomain: tenant.appDomain,
+    apex: tenant.apex
   });
   const config = {
-    secret: SECRET,
+    secret: authSecret,
     cookies: cookieDomain ? {
       sessionToken: {
         name: "authjs.session-token",
@@ -156,9 +127,9 @@ function createAuth(opts) {
     } : void 0,
     providers: isProd ? [
       (0, import_cognito.default)({
-        clientId: cognitoClientId,
+        clientId: tenant.cognitoClientId,
         clientSecret: cognitoClientSecret,
-        issuer: cognitoIssuer
+        issuer: tenant.cognitoIssuer
       })
     ] : [
       (0, import_credentials.default)({
@@ -226,7 +197,7 @@ function createAuth(opts) {
         }
         return true;
       },
-      redirect: buildRedirectCallback(allowedParentDomain)
+      redirect: buildRedirectCallback(tenant.parentDomain)
     },
     pages: { signIn: signInPage },
     trustHost: true
@@ -369,16 +340,99 @@ function createGetOrCreateAppUser(opts) {
     });
   };
 }
+// src/server/tenant.ts
+var import_server_only3 = require("server-only");
+var React = __toESM(require("react"));
+// src/tenant-types.ts
+var TENANT_GLOBAL_KEY = "__TENANT__";
+// src/server/tenant.ts
+function loadTenantConfig(opts) {
+  const env = process.env;
+  const o = opts.overrides ?? {};
+  const draft = {
+    role: opts.role,
+    apex: o.apex ?? env.APEX_DOMAIN,
+    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,
+    parentDomain: o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN,
+    region: o.region ?? env.AWS_REGION ?? "us-east-1",
+    appSlug: o.appSlug ?? env.APP_SLUG,
+    appDomain: o.appDomain ?? env.APP_DOMAIN,
+    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,
+    registryTable: o.registryTable ?? env.REGISTRY_TABLE,
+    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,
+    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,
+    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_CLIENT_ID,
+    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,
+    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,
+    dbHost: o.dbHost ?? env.DB_HOST,
+    dbName: o.dbName ?? env.DB_NAME,
+    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,
+    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN
+  };
+  if (opts.role === "apex" && !draft.appDomain) {
+    draft.appDomain = draft.apex;
+  }
+  const required = [
+    { key: "apex", env: "APEX_DOMAIN" },
+    { key: "cookieDomain", env: "AUTH_COOKIE_DOMAIN" },
+    { key: "parentDomain", env: "AUTH_ALLOWED_PARENT_DOMAIN" },
+    { key: "authSecretArn", env: "AUTH_SECRET_ARN" },
+    { key: "registryTable", env: "REGISTRY_TABLE" },
+    { key: "appDomain", env: "APP_DOMAIN" }
+  ];
+  if (opts.role === "apex") {
+    required.push(
+      { key: "authCognitoSecretArn", env: "AUTH_COGNITO_SECRET_ARN" },
+      { key: "cognitoIssuer", env: "AUTH_COGNITO_ISSUER" },
+      { key: "cognitoClientId", env: "AUTH_COGNITO_CLIENT_ID" }
+    );
+  } else {
+    required.push({ key: "appSlug", env: "APP_SLUG" });
+  }
+  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);
+  if (missing.length > 0) {
+    throw new Error(
+      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(", ")}`
+    );
+  }
+  return draft;
+}
+function publicSubset(config) {
+  return {
+    apex: config.apex,
+    cookieDomain: config.cookieDomain,
+    parentDomain: config.parentDomain,
+    region: config.region,
+    appSlug: config.appSlug,
+    appDomain: config.appDomain,
+    role: config.role
+  };
+}
+var INNER_HTML_PROP = "dangerouslySetInnerHTML";
+function TenantBootScript({ config }) {
+  const payload = JSON.stringify(config).replace(/</g, "\\u003c");
+  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;
+  const props = {};
+  props[INNER_HTML_PROP] = { __html: body };
+  return React.createElement("script", props);
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthError,
   IMPERSONATE_COOKIE_NAME,
   IMPERSONATE_TTL_SECONDS,
+  TENANT_GLOBAL_KEY,
+  TenantBootScript,
   createAuth,
   createGetOrCreateAppUser,
   getUserGroups,
   hasGroup,
+  loadTenantConfig,
   mintImpersonationToken,
+  publicSubset,
   requireGroup,
   verifyImpersonationToken
 });