@augmenting-integrations/platform 8.4.0

package/README.md

@@ -0,0 +1,32 @@
+# @augmenting-integrations/platform
+
+Tenant + app manifest contract for the augint platform. The single source of
+truth for:
+
+- `TenantServerConfig` and `TenantPublicConfig` (env-loaded tenant struct +
+  browser-safe subset)
+- `<TenantBootScript />`, `<TenantProvider>`, `useTenant()` (server-injected
+  and client-readable tenant context)
+- `app.manifest.json` schema and loader (per-app declaration of slug, role,
+  subdomain, access policy, feature enablement, data plane)
+
+Every other `@augmenting-integrations/*` package consumes tenant context from
+here, so `@augmenting-integrations/auth` no longer owns it. UI components,
+billing handlers, registry tooling, and deploy tooling all import the same
+struct.
+
+## Subpaths
+
+- `./server` — `loadTenantConfig`, `publicSubset`, `TenantBootScript`
+- `./client` — `TenantProvider`, `useTenant`
+- `./manifest` — `loadManifest`, `AppManifest`, `validateManifest`
+
+## app.manifest.json
+
+Every spoke and apex app ships an `app.manifest.json` at the repo root. The
+manifest is the local source of truth for slug/subdomain/displayName/navOrder,
+app-level access policy, feature enablement, and the data plane choice. The
+deploy workflow reads this file to register the app and to provision the
+right infra modules.
+
+See `src/manifest/schema.ts` for the canonical type.

package/dist/client/tenant.cjs

@@ -0,0 +1,64 @@
+"use strict";
+"use client";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var tenant_exports = {};
+__export(tenant_exports, {
+  TENANT_GLOBAL_KEY: () => import_tenant_types2.TENANT_GLOBAL_KEY,
+  TenantProvider: () => TenantProvider,
+  useTenant: () => useTenant
+});
+module.exports = __toCommonJS(tenant_exports);
+var React = __toESM(require("react"));
+var import_tenant_types = require("../tenant-types.js");
+var import_tenant_types2 = require("../tenant-types.js");
+const TenantContext = React.createContext(null);
+function TenantProvider({
+  tenant,
+  children
+}) {
+  return React.createElement(TenantContext.Provider, { value: tenant }, children);
+}
+function useTenant() {
+  const ctx = React.useContext(TenantContext);
+  if (ctx) return ctx;
+  if (typeof window !== "undefined") {
+    const fromGlobal = window[import_tenant_types.TENANT_GLOBAL_KEY];
+    if (fromGlobal) return fromGlobal;
+  }
+  throw new Error(
+    "useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout."
+  );
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+});
+//# sourceMappingURL=tenant.cjs.map

package/dist/client/tenant.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/tenant.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\nimport { TENANT_GLOBAL_KEY, type TenantPublicConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// <TenantProvider> + useTenant()\n//\n// Single source of tenant truth on the client. Rendered server-side as part\n// of the root layout; reads the same TenantPublicConfig passed to\n// <TenantBootScript />. The Context value flows through SSR, so server\n// components rendered as children + every client component can call\n// useTenant() without worrying about hydration order.\n//\n// We also accept window.__TENANT__ as a fallback for non-React widgets and\n// for the rare case of a client component rendered outside the Provider\n// tree (a defensive read).\n// =============================================================================\n\nconst TenantContext = React.createContext<TenantPublicConfig | null>(null);\n\nexport function TenantProvider({\n  tenant,\n  children,\n}: {\n  tenant: TenantPublicConfig;\n  children: React.ReactNode;\n}) {\n  return React.createElement(TenantContext.Provider, { value: tenant }, children);\n}\n\nexport function useTenant(): TenantPublicConfig {\n  const ctx = React.useContext(TenantContext);\n  if (ctx) return ctx;\n  // Defensive fallback: a non-Provider client widget. Only works after\n  // <TenantBootScript /> has run.\n  if (typeof window !== \"undefined\") {\n    const fromGlobal = window[TENANT_GLOBAL_KEY];\n    if (fromGlobal) return fromGlobal;\n  }\n  throw new Error(\n    \"useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout.\",\n  );\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,YAAuB;AACvB,0BAA2D;AA0C3D,IAAAA,uBAIO;AA9BP,MAAM,gBAAgB,MAAM,cAAyC,IAAI;AAElE,SAAS,eAAe;AAAA,EAC7B;AAAA,EACA;AACF,GAGG;AACD,SAAO,MAAM,cAAc,cAAc,UAAU,EAAE,OAAO,OAAO,GAAG,QAAQ;AAChF;AAEO,SAAS,YAAgC;AAC9C,QAAM,MAAM,MAAM,WAAW,aAAa;AAC1C,MAAI,IAAK,QAAO;AAGhB,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,aAAa,OAAO,qCAAiB;AAC3C,QAAI,WAAY,QAAO;AAAA,EACzB;AACA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;","names":["import_tenant_types"]}

package/dist/client/tenant.d.ts

@@ -0,0 +1,9 @@
+import * as React from "react";
+import { type TenantPublicConfig } from "../tenant-types.js";
+export declare function TenantProvider({ tenant, children, }: {
+    tenant: TenantPublicConfig;
+    children: React.ReactNode;
+}): React.FunctionComponentElement<React.ProviderProps<TenantPublicConfig | null>>;
+export declare function useTenant(): TenantPublicConfig;
+export { TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantRole, } from "../tenant-types.js";
+//# sourceMappingURL=tenant.d.ts.map

package/dist/client/tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../../src/client/tenant.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAqB,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAkBhF,wBAAgB,cAAc,CAAC,EAC7B,MAAM,EACN,QAAQ,GACT,EAAE;IACD,MAAM,EAAE,kBAAkB,CAAC;IAC3B,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B,kFAEA;AAED,wBAAgB,SAAS,IAAI,kBAAkB,CAY9C;AAED,OAAO,EACL,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/client/tenant.js

@@ -0,0 +1,30 @@
+"use client";
+import * as React from "react";
+import { TENANT_GLOBAL_KEY } from "../tenant-types.js";
+const TenantContext = React.createContext(null);
+function TenantProvider({
+  tenant,
+  children
+}) {
+  return React.createElement(TenantContext.Provider, { value: tenant }, children);
+}
+function useTenant() {
+  const ctx = React.useContext(TenantContext);
+  if (ctx) return ctx;
+  if (typeof window !== "undefined") {
+    const fromGlobal = window[TENANT_GLOBAL_KEY];
+    if (fromGlobal) return fromGlobal;
+  }
+  throw new Error(
+    "useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout."
+  );
+}
+import {
+  TENANT_GLOBAL_KEY as TENANT_GLOBAL_KEY2
+} from "../tenant-types.js";
+export {
+  TENANT_GLOBAL_KEY2 as TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+};
+//# sourceMappingURL=tenant.js.map

package/dist/client/tenant.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/client/tenant.ts"],"sourcesContent":["\"use client\";\n\nimport * as React from \"react\";\nimport { TENANT_GLOBAL_KEY, type TenantPublicConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// <TenantProvider> + useTenant()\n//\n// Single source of tenant truth on the client. Rendered server-side as part\n// of the root layout; reads the same TenantPublicConfig passed to\n// <TenantBootScript />. The Context value flows through SSR, so server\n// components rendered as children + every client component can call\n// useTenant() without worrying about hydration order.\n//\n// We also accept window.__TENANT__ as a fallback for non-React widgets and\n// for the rare case of a client component rendered outside the Provider\n// tree (a defensive read).\n// =============================================================================\n\nconst TenantContext = React.createContext<TenantPublicConfig | null>(null);\n\nexport function TenantProvider({\n  tenant,\n  children,\n}: {\n  tenant: TenantPublicConfig;\n  children: React.ReactNode;\n}) {\n  return React.createElement(TenantContext.Provider, { value: tenant }, children);\n}\n\nexport function useTenant(): TenantPublicConfig {\n  const ctx = React.useContext(TenantContext);\n  if (ctx) return ctx;\n  // Defensive fallback: a non-Provider client widget. Only works after\n  // <TenantBootScript /> has run.\n  if (typeof window !== \"undefined\") {\n    const fromGlobal = window[TENANT_GLOBAL_KEY];\n    if (fromGlobal) return fromGlobal;\n  }\n  throw new Error(\n    \"useTenant() called outside <TenantProvider> and before <TenantBootScript /> ran. Mount both in the root layout.\",\n  );\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n"],"mappings":";AAEA,YAAY,WAAW;AACvB,SAAS,yBAAkD;AAgB3D,MAAM,gBAAgB,MAAM,cAAyC,IAAI;AAElE,SAAS,eAAe;AAAA,EAC7B;AAAA,EACA;AACF,GAGG;AACD,SAAO,MAAM,cAAc,cAAc,UAAU,EAAE,OAAO,OAAO,GAAG,QAAQ;AAChF;AAEO,SAAS,YAAgC;AAC9C,QAAM,MAAM,MAAM,WAAW,aAAa;AAC1C,MAAI,IAAK,QAAO;AAGhB,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,aAAa,OAAO,iBAAiB;AAC3C,QAAI,WAAY,QAAO;AAAA,EACzB;AACA,QAAM,IAAI;AAAA,IACR;AAAA,EACF;AACF;AAEA;AAAA,EACE,qBAAAA;AAAA,OAGK;","names":["TENANT_GLOBAL_KEY"]}

package/dist/client.cjs

@@ -0,0 +1,33 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var client_exports = {};
+__export(client_exports, {
+  TENANT_GLOBAL_KEY: () => import_tenant.TENANT_GLOBAL_KEY,
+  TenantProvider: () => import_tenant.TenantProvider,
+  useTenant: () => import_tenant.useTenant
+});
+module.exports = __toCommonJS(client_exports);
+var import_tenant = require("./client/tenant.js");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+});
+//# sourceMappingURL=client.cjs.map

package/dist/client.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  TenantProvider,\n  useTenant,\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAMO;","names":[]}

package/dist/client.d.ts

@@ -0,0 +1,2 @@
+export { TenantProvider, useTenant, TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantRole, } from "./client/tenant.js";
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,SAAS,EACT,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/client.js

@@ -0,0 +1,11 @@
+import {
+  TenantProvider,
+  useTenant,
+  TENANT_GLOBAL_KEY
+} from "./client/tenant.js";
+export {
+  TENANT_GLOBAL_KEY,
+  TenantProvider,
+  useTenant
+};
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["export {\n  TenantProvider,\n  useTenant,\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n} from \"./client/tenant.js\";\n"],"mappings":"AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAGK;","names":[]}

package/dist/manifest/load.d.ts

@@ -0,0 +1,16 @@
+import { type AppManifest } from "./schema.js";
+export type LoadManifestOptions = {
+    /** Defaults to process.cwd(). */
+    cwd?: string;
+    /** Manifest filename. Defaults to "app.manifest.json". */
+    filename?: string;
+};
+/**
+ * Read and validate an app.manifest.json. Throws with a consolidated error
+ * message listing every validation failure. The deploy fails loudly instead
+ * of substituting defaults that mask drift.
+ */
+export declare function loadManifest(opts?: LoadManifestOptions): AppManifest;
+export { validateManifest, type AppManifest } from "./schema.js";
+export type { ManifestValidationError, AppRole, DataPlaneType } from "./schema.js";
+//# sourceMappingURL=load.d.ts.map

package/dist/manifest/load.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.d.ts","sourceRoot":"","sources":["../../src/manifest/load.ts"],"names":[],"mappings":"AAEA,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAEjE,MAAM,MAAM,mBAAmB,GAAG;IAChC,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,GAAE,mBAAwB,GAAG,WAAW,CAyBxE;AAED,OAAO,EAAE,gBAAgB,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AACjE,YAAY,EAAE,uBAAuB,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC"}

package/dist/manifest/schema.d.ts

@@ -0,0 +1,64 @@
+export type AppRole = "apex" | "spoke";
+export type DataPlaneType = "app-aurora" | "tenant-postgres" | "dynamodb" | "none";
+export type AppManifest = {
+    /** Schema version. Always 1 for this generation. */
+    schemaVersion: 1;
+    /** Tenant slug, e.g. "agency". Matches the tenant repo. */
+    tenantSlug: string;
+    /** App slug. PK in the registry. Stable identifier. */
+    appSlug: string;
+    /** "apex" (the auth broker) or "spoke" (a product app). */
+    role: AppRole;
+    /** Subdomain label. "" for apex. */
+    subdomain: string;
+    /** Human-friendly name for nav + admin UI. */
+    displayName: string;
+    /** Sort order in the cross-app nav. Lower = first. */
+    navOrder: number;
+    access: {
+        /**
+         * Cognito identity groups required to see AND enter this app. Empty =
+         * all authenticated users. This is NOT product-level authorization;
+         * it gates entry to the entire app surface.
+         */
+        requiredIdentityGroups: string[];
+    };
+    features: {
+        /** Has billing surface (Stripe, credit balance, cart). */
+        billing: boolean;
+        /** Has settings surface (password, MFA, profile). */
+        settings: boolean;
+        /** Sends invitations (Invitation table required). */
+        invitations: boolean;
+        /** Supports admin impersonation. */
+        impersonation: boolean;
+    };
+    dataPlane: {
+        /**
+         * "app-aurora" = per-app Aurora Serverless v2 + RDS Proxy.
+         * "tenant-postgres" = shared tenant DB (rare).
+         * "dynamodb" = the app only uses DynamoDB tables it provisions itself.
+         * "none" = no app-owned data plane (apex auth-broker).
+         */
+        type: DataPlaneType;
+        /** True if Prisma migrations should run on deploy. */
+        migrations: boolean;
+    };
+};
+export type ManifestValidationError = {
+    path: string;
+    message: string;
+};
+/**
+ * Pure validator. Returns the typed manifest on success, or an array of
+ * errors on failure. No throws -- the loader wraps this and throws with
+ * a consolidated error message.
+ */
+export declare function validateManifest(raw: unknown): {
+    ok: true;
+    value: AppManifest;
+} | {
+    ok: false;
+    errors: ManifestValidationError[];
+};
+//# sourceMappingURL=schema.d.ts.map

package/dist/manifest/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/manifest/schema.ts"],"names":[],"mappings":"AAYA,MAAM,MAAM,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAEvC,MAAM,MAAM,aAAa,GAAG,YAAY,GAAG,iBAAiB,GAAG,UAAU,GAAG,MAAM,CAAC;AAEnF,MAAM,MAAM,WAAW,GAAG;IACxB,oDAAoD;IACpD,aAAa,EAAE,CAAC,CAAC;IACjB,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,IAAI,EAAE,OAAO,CAAC;IACd,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE;QACN;;;;WAIG;QACH,sBAAsB,EAAE,MAAM,EAAE,CAAC;KAClC,CAAC;IACF,QAAQ,EAAE;QACR,0DAA0D;QAC1D,OAAO,EAAE,OAAO,CAAC;QACjB,qDAAqD;QACrD,QAAQ,EAAE,OAAO,CAAC;QAClB,qDAAqD;QACrD,WAAW,EAAE,OAAO,CAAC;QACrB,oCAAoC;QACpC,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,SAAS,EAAE;QACT;;;;;WAKG;QACH,IAAI,EAAE,aAAa,CAAC;QACpB,sDAAsD;QACtD,UAAU,EAAE,OAAO,CAAC;KACrB,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,GAAG,EAAE,OAAO,GACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,WAAW,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,uBAAuB,EAAE,CAAA;CAAE,CA0ErF"}

package/dist/manifest.cjs

@@ -0,0 +1,131 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/manifest.ts
+var manifest_exports = {};
+__export(manifest_exports, {
+  loadManifest: () => loadManifest,
+  validateManifest: () => validateManifest
+});
+module.exports = __toCommonJS(manifest_exports);
+
+// src/manifest/load.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+
+// src/manifest/schema.ts
+function validateManifest(raw) {
+  const errors = [];
+  if (typeof raw !== "object" || raw === null) {
+    return { ok: false, errors: [{ path: "", message: "manifest must be an object" }] };
+  }
+  const m = raw;
+  const requireString = (path, value) => {
+    if (typeof value !== "string") errors.push({ path, message: "expected string" });
+  };
+  const requireNumber = (path, value) => {
+    if (typeof value !== "number") errors.push({ path, message: "expected number" });
+  };
+  const requireBool = (path, value) => {
+    if (typeof value !== "boolean") errors.push({ path, message: "expected boolean" });
+  };
+  const requireOneOf = (path, value, options) => {
+    if (typeof value !== "string" || !options.includes(value)) {
+      errors.push({ path, message: `expected one of: ${options.join(", ")}` });
+    }
+  };
+  const requireStringArray = (path, value) => {
+    if (!Array.isArray(value) || value.some((v) => typeof v !== "string")) {
+      errors.push({ path, message: "expected string[]" });
+    }
+  };
+  if (m.schemaVersion !== 1) {
+    errors.push({ path: "schemaVersion", message: "expected literal 1" });
+  }
+  requireString("tenantSlug", m.tenantSlug);
+  requireString("appSlug", m.appSlug);
+  requireOneOf("role", m.role, ["apex", "spoke"]);
+  requireString("subdomain", m.subdomain);
+  requireString("displayName", m.displayName);
+  requireNumber("navOrder", m.navOrder);
+  const access = m.access;
+  if (!access || typeof access !== "object") {
+    errors.push({ path: "access", message: "expected object" });
+  } else {
+    requireStringArray("access.requiredIdentityGroups", access.requiredIdentityGroups);
+  }
+  const features = m.features;
+  if (!features || typeof features !== "object") {
+    errors.push({ path: "features", message: "expected object" });
+  } else {
+    requireBool("features.billing", features.billing);
+    requireBool("features.settings", features.settings);
+    requireBool("features.invitations", features.invitations);
+    requireBool("features.impersonation", features.impersonation);
+  }
+  const dataPlane = m.dataPlane;
+  if (!dataPlane || typeof dataPlane !== "object") {
+    errors.push({ path: "dataPlane", message: "expected object" });
+  } else {
+    requireOneOf("dataPlane.type", dataPlane.type, [
+      "app-aurora",
+      "tenant-postgres",
+      "dynamodb",
+      "none"
+    ]);
+    requireBool("dataPlane.migrations", dataPlane.migrations);
+  }
+  if (m.role === "apex" && m.subdomain !== "") {
+    errors.push({ path: "subdomain", message: "apex apps must have empty subdomain" });
+  }
+  if (errors.length > 0) return { ok: false, errors };
+  return { ok: true, value: m };
+}
+
+// src/manifest/load.ts
+function loadManifest(opts = {}) {
+  const cwd = opts.cwd ?? process.cwd();
+  const filename = opts.filename ?? "app.manifest.json";
+  const file = (0, import_node_path.resolve)((0, import_node_path.join)(cwd, filename));
+  let raw;
+  try {
+    raw = (0, import_node_fs.readFileSync)(file, "utf8");
+  } catch (err) {
+    throw new Error(`loadManifest: cannot read ${file}: ${err.message}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`loadManifest: invalid JSON in ${file}: ${err.message}`);
+  }
+  const result = validateManifest(parsed);
+  if (!result.ok) {
+    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`loadManifest: ${file} failed validation:
+${lines}`);
+  }
+  return result.value;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  loadManifest,
+  validateManifest
+});
+//# sourceMappingURL=manifest.cjs.map

package/dist/manifest.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/manifest.ts","../src/manifest/load.ts","../src/manifest/schema.ts"],"sourcesContent":["export {\n  loadManifest,\n  validateManifest,\n  type LoadManifestOptions,\n  type AppManifest,\n  type ManifestValidationError,\n  type AppRole,\n  type DataPlaneType,\n} from \"./manifest/load.js\";\n","import { readFileSync } from \"node:fs\";\nimport { join, resolve } from \"node:path\";\nimport { validateManifest, type AppManifest } from \"./schema.js\";\n\nexport type LoadManifestOptions = {\n  /** Defaults to process.cwd(). */\n  cwd?: string;\n  /** Manifest filename. Defaults to \"app.manifest.json\". */\n  filename?: string;\n};\n\n/**\n * Read and validate an app.manifest.json. Throws with a consolidated error\n * message listing every validation failure. The deploy fails loudly instead\n * of substituting defaults that mask drift.\n */\nexport function loadManifest(opts: LoadManifestOptions = {}): AppManifest {\n  const cwd = opts.cwd ?? process.cwd();\n  const filename = opts.filename ?? \"app.manifest.json\";\n  const file = resolve(join(cwd, filename));\n\n  let raw: string;\n  try {\n    raw = readFileSync(file, \"utf8\");\n  } catch (err) {\n    throw new Error(`loadManifest: cannot read ${file}: ${(err as Error).message}`);\n  }\n\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch (err) {\n    throw new Error(`loadManifest: invalid JSON in ${file}: ${(err as Error).message}`);\n  }\n\n  const result = validateManifest(parsed);\n  if (!result.ok) {\n    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join(\"\\n\");\n    throw new Error(`loadManifest: ${file} failed validation:\\n${lines}`);\n  }\n  return result.value;\n}\n\nexport { validateManifest, type AppManifest } from \"./schema.js\";\nexport type { ManifestValidationError, AppRole, DataPlaneType } from \"./schema.js\";\n","// =============================================================================\n// app.manifest.json -- per-app declaration of slug, role, subdomain, access\n// policy, feature enablement, and data plane choice. Every spoke and apex\n// app ships one of these at the repo root.\n//\n// The manifest is the local source of truth for the deploy pipeline, the\n// registry registration call, the schema validator, the runtime app-access\n// enforcement, and the spoke kernel infra wiring. Product developers should\n// only have to edit this file (not env vars, workflow files, or registry\n// rows) to change their app's identity or feature set.\n// =============================================================================\n\nexport type AppRole = \"apex\" | \"spoke\";\n\nexport type DataPlaneType = \"app-aurora\" | \"tenant-postgres\" | \"dynamodb\" | \"none\";\n\nexport type AppManifest = {\n  /** Schema version. Always 1 for this generation. */\n  schemaVersion: 1;\n  /** Tenant slug, e.g. \"agency\". Matches the tenant repo. */\n  tenantSlug: string;\n  /** App slug. PK in the registry. Stable identifier. */\n  appSlug: string;\n  /** \"apex\" (the auth broker) or \"spoke\" (a product app). */\n  role: AppRole;\n  /** Subdomain label. \"\" for apex. */\n  subdomain: string;\n  /** Human-friendly name for nav + admin UI. */\n  displayName: string;\n  /** Sort order in the cross-app nav. Lower = first. */\n  navOrder: number;\n  access: {\n    /**\n     * Cognito identity groups required to see AND enter this app. Empty =\n     * all authenticated users. This is NOT product-level authorization;\n     * it gates entry to the entire app surface.\n     */\n    requiredIdentityGroups: string[];\n  };\n  features: {\n    /** Has billing surface (Stripe, credit balance, cart). */\n    billing: boolean;\n    /** Has settings surface (password, MFA, profile). */\n    settings: boolean;\n    /** Sends invitations (Invitation table required). */\n    invitations: boolean;\n    /** Supports admin impersonation. */\n    impersonation: boolean;\n  };\n  dataPlane: {\n    /**\n     * \"app-aurora\" = per-app Aurora Serverless v2 + RDS Proxy.\n     * \"tenant-postgres\" = shared tenant DB (rare).\n     * \"dynamodb\" = the app only uses DynamoDB tables it provisions itself.\n     * \"none\" = no app-owned data plane (apex auth-broker).\n     */\n    type: DataPlaneType;\n    /** True if Prisma migrations should run on deploy. */\n    migrations: boolean;\n  };\n};\n\nexport type ManifestValidationError = {\n  path: string;\n  message: string;\n};\n\n/**\n * Pure validator. Returns the typed manifest on success, or an array of\n * errors on failure. No throws -- the loader wraps this and throws with\n * a consolidated error message.\n */\nexport function validateManifest(\n  raw: unknown,\n): { ok: true; value: AppManifest } | { ok: false; errors: ManifestValidationError[] } {\n  const errors: ManifestValidationError[] = [];\n  if (typeof raw !== \"object\" || raw === null) {\n    return { ok: false, errors: [{ path: \"\", message: \"manifest must be an object\" }] };\n  }\n  const m = raw as Record<string, unknown>;\n\n  const requireString = (path: string, value: unknown) => {\n    if (typeof value !== \"string\") errors.push({ path, message: \"expected string\" });\n  };\n  const requireNumber = (path: string, value: unknown) => {\n    if (typeof value !== \"number\") errors.push({ path, message: \"expected number\" });\n  };\n  const requireBool = (path: string, value: unknown) => {\n    if (typeof value !== \"boolean\") errors.push({ path, message: \"expected boolean\" });\n  };\n  const requireOneOf = (path: string, value: unknown, options: readonly string[]) => {\n    if (typeof value !== \"string\" || !options.includes(value)) {\n      errors.push({ path, message: `expected one of: ${options.join(\", \")}` });\n    }\n  };\n  const requireStringArray = (path: string, value: unknown) => {\n    if (!Array.isArray(value) || value.some((v) => typeof v !== \"string\")) {\n      errors.push({ path, message: \"expected string[]\" });\n    }\n  };\n\n  if (m.schemaVersion !== 1) {\n    errors.push({ path: \"schemaVersion\", message: \"expected literal 1\" });\n  }\n  requireString(\"tenantSlug\", m.tenantSlug);\n  requireString(\"appSlug\", m.appSlug);\n  requireOneOf(\"role\", m.role, [\"apex\", \"spoke\"]);\n  requireString(\"subdomain\", m.subdomain);\n  requireString(\"displayName\", m.displayName);\n  requireNumber(\"navOrder\", m.navOrder);\n\n  const access = m.access as Record<string, unknown> | undefined;\n  if (!access || typeof access !== \"object\") {\n    errors.push({ path: \"access\", message: \"expected object\" });\n  } else {\n    requireStringArray(\"access.requiredIdentityGroups\", access.requiredIdentityGroups);\n  }\n\n  const features = m.features as Record<string, unknown> | undefined;\n  if (!features || typeof features !== \"object\") {\n    errors.push({ path: \"features\", message: \"expected object\" });\n  } else {\n    requireBool(\"features.billing\", features.billing);\n    requireBool(\"features.settings\", features.settings);\n    requireBool(\"features.invitations\", features.invitations);\n    requireBool(\"features.impersonation\", features.impersonation);\n  }\n\n  const dataPlane = m.dataPlane as Record<string, unknown> | undefined;\n  if (!dataPlane || typeof dataPlane !== \"object\") {\n    errors.push({ path: \"dataPlane\", message: \"expected object\" });\n  } else {\n    requireOneOf(\"dataPlane.type\", dataPlane.type, [\n      \"app-aurora\",\n      \"tenant-postgres\",\n      \"dynamodb\",\n      \"none\",\n    ]);\n    requireBool(\"dataPlane.migrations\", dataPlane.migrations);\n  }\n\n  // Apex consistency: subdomain must be empty.\n  if (m.role === \"apex\" && m.subdomain !== \"\") {\n    errors.push({ path: \"subdomain\", message: \"apex apps must have empty subdomain\" });\n  }\n\n  if (errors.length > 0) return { ok: false, errors };\n  return { ok: true, value: m as unknown as AppManifest };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,qBAA6B;AAC7B,uBAA8B;;;ACuEvB,SAAS,iBACd,KACqF;AACrF,QAAM,SAAoC,CAAC;AAC3C,MAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAC3C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,6BAA6B,CAAC,EAAE;AAAA,EACpF;AACA,QAAM,IAAI;AAEV,QAAM,gBAAgB,CAAC,MAAc,UAAmB;AACtD,QAAI,OAAO,UAAU,SAAU,QAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAAA,EACjF;AACA,QAAM,gBAAgB,CAAC,MAAc,UAAmB;AACtD,QAAI,OAAO,UAAU,SAAU,QAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAAA,EACjF;AACA,QAAM,cAAc,CAAC,MAAc,UAAmB;AACpD,QAAI,OAAO,UAAU,UAAW,QAAO,KAAK,EAAE,MAAM,SAAS,mBAAmB,CAAC;AAAA,EACnF;AACA,QAAM,eAAe,CAAC,MAAc,OAAgB,YAA+B;AACjF,QAAI,OAAO,UAAU,YAAY,CAAC,QAAQ,SAAS,KAAK,GAAG;AACzD,aAAO,KAAK,EAAE,MAAM,SAAS,oBAAoB,QAAQ,KAAK,IAAI,CAAC,GAAG,CAAC;AAAA,IACzE;AAAA,EACF;AACA,QAAM,qBAAqB,CAAC,MAAc,UAAmB;AAC3D,QAAI,CAAC,MAAM,QAAQ,KAAK,KAAK,MAAM,KAAK,CAAC,MAAM,OAAO,MAAM,QAAQ,GAAG;AACrE,aAAO,KAAK,EAAE,MAAM,SAAS,oBAAoB,CAAC;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,EAAE,kBAAkB,GAAG;AACzB,WAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,qBAAqB,CAAC;AAAA,EACtE;AACA,gBAAc,cAAc,EAAE,UAAU;AACxC,gBAAc,WAAW,EAAE,OAAO;AAClC,eAAa,QAAQ,EAAE,MAAM,CAAC,QAAQ,OAAO,CAAC;AAC9C,gBAAc,aAAa,EAAE,SAAS;AACtC,gBAAc,eAAe,EAAE,WAAW;AAC1C,gBAAc,YAAY,EAAE,QAAQ;AAEpC,QAAM,SAAS,EAAE;AACjB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,WAAO,KAAK,EAAE,MAAM,UAAU,SAAS,kBAAkB,CAAC;AAAA,EAC5D,OAAO;AACL,uBAAmB,iCAAiC,OAAO,sBAAsB;AAAA,EACnF;AAEA,QAAM,WAAW,EAAE;AACnB,MAAI,CAAC,YAAY,OAAO,aAAa,UAAU;AAC7C,WAAO,KAAK,EAAE,MAAM,YAAY,SAAS,kBAAkB,CAAC;AAAA,EAC9D,OAAO;AACL,gBAAY,oBAAoB,SAAS,OAAO;AAChD,gBAAY,qBAAqB,SAAS,QAAQ;AAClD,gBAAY,wBAAwB,SAAS,WAAW;AACxD,gBAAY,0BAA0B,SAAS,aAAa;AAAA,EAC9D;AAEA,QAAM,YAAY,EAAE;AACpB,MAAI,CAAC,aAAa,OAAO,cAAc,UAAU;AAC/C,WAAO,KAAK,EAAE,MAAM,aAAa,SAAS,kBAAkB,CAAC;AAAA,EAC/D,OAAO;AACL,iBAAa,kBAAkB,UAAU,MAAM;AAAA,MAC7C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,gBAAY,wBAAwB,UAAU,UAAU;AAAA,EAC1D;AAGA,MAAI,EAAE,SAAS,UAAU,EAAE,cAAc,IAAI;AAC3C,WAAO,KAAK,EAAE,MAAM,aAAa,SAAS,sCAAsC,CAAC;AAAA,EACnF;AAEA,MAAI,OAAO,SAAS,EAAG,QAAO,EAAE,IAAI,OAAO,OAAO;AAClD,SAAO,EAAE,IAAI,MAAM,OAAO,EAA4B;AACxD;;;ADpIO,SAAS,aAAa,OAA4B,CAAC,GAAgB;AACxE,QAAM,MAAM,KAAK,OAAO,QAAQ,IAAI;AACpC,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,WAAO,8BAAQ,uBAAK,KAAK,QAAQ,CAAC;AAExC,MAAI;AACJ,MAAI;AACF,cAAM,6BAAa,MAAM,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,UAAM,IAAI,MAAM,6BAA6B,IAAI,KAAM,IAAc,OAAO,EAAE;AAAA,EAChF;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,SAAS,KAAK;AACZ,UAAM,IAAI,MAAM,iCAAiC,IAAI,KAAM,IAAc,OAAO,EAAE;AAAA,EACpF;AAEA,QAAM,SAAS,iBAAiB,MAAM;AACtC,MAAI,CAAC,OAAO,IAAI;AACd,UAAM,QAAQ,OAAO,OAAO,IAAI,CAAC,MAAM,OAAO,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AAC/E,UAAM,IAAI,MAAM,iBAAiB,IAAI;AAAA,EAAwB,KAAK,EAAE;AAAA,EACtE;AACA,SAAO,OAAO;AAChB;","names":[]}

package/dist/manifest.d.ts

@@ -0,0 +1,2 @@
+export { loadManifest, validateManifest, type LoadManifestOptions, type AppManifest, type ManifestValidationError, type AppRole, type DataPlaneType, } from "./manifest/load.js";
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,gBAAgB,EAChB,KAAK,mBAAmB,EACxB,KAAK,WAAW,EAChB,KAAK,uBAAuB,EAC5B,KAAK,OAAO,EACZ,KAAK,aAAa,GACnB,MAAM,oBAAoB,CAAC"}

package/dist/manifest.js

@@ -0,0 +1,103 @@
+// src/manifest/load.ts
+import { readFileSync } from "fs";
+import { join, resolve } from "path";
+
+// src/manifest/schema.ts
+function validateManifest(raw) {
+  const errors = [];
+  if (typeof raw !== "object" || raw === null) {
+    return { ok: false, errors: [{ path: "", message: "manifest must be an object" }] };
+  }
+  const m = raw;
+  const requireString = (path, value) => {
+    if (typeof value !== "string") errors.push({ path, message: "expected string" });
+  };
+  const requireNumber = (path, value) => {
+    if (typeof value !== "number") errors.push({ path, message: "expected number" });
+  };
+  const requireBool = (path, value) => {
+    if (typeof value !== "boolean") errors.push({ path, message: "expected boolean" });
+  };
+  const requireOneOf = (path, value, options) => {
+    if (typeof value !== "string" || !options.includes(value)) {
+      errors.push({ path, message: `expected one of: ${options.join(", ")}` });
+    }
+  };
+  const requireStringArray = (path, value) => {
+    if (!Array.isArray(value) || value.some((v) => typeof v !== "string")) {
+      errors.push({ path, message: "expected string[]" });
+    }
+  };
+  if (m.schemaVersion !== 1) {
+    errors.push({ path: "schemaVersion", message: "expected literal 1" });
+  }
+  requireString("tenantSlug", m.tenantSlug);
+  requireString("appSlug", m.appSlug);
+  requireOneOf("role", m.role, ["apex", "spoke"]);
+  requireString("subdomain", m.subdomain);
+  requireString("displayName", m.displayName);
+  requireNumber("navOrder", m.navOrder);
+  const access = m.access;
+  if (!access || typeof access !== "object") {
+    errors.push({ path: "access", message: "expected object" });
+  } else {
+    requireStringArray("access.requiredIdentityGroups", access.requiredIdentityGroups);
+  }
+  const features = m.features;
+  if (!features || typeof features !== "object") {
+    errors.push({ path: "features", message: "expected object" });
+  } else {
+    requireBool("features.billing", features.billing);
+    requireBool("features.settings", features.settings);
+    requireBool("features.invitations", features.invitations);
+    requireBool("features.impersonation", features.impersonation);
+  }
+  const dataPlane = m.dataPlane;
+  if (!dataPlane || typeof dataPlane !== "object") {
+    errors.push({ path: "dataPlane", message: "expected object" });
+  } else {
+    requireOneOf("dataPlane.type", dataPlane.type, [
+      "app-aurora",
+      "tenant-postgres",
+      "dynamodb",
+      "none"
+    ]);
+    requireBool("dataPlane.migrations", dataPlane.migrations);
+  }
+  if (m.role === "apex" && m.subdomain !== "") {
+    errors.push({ path: "subdomain", message: "apex apps must have empty subdomain" });
+  }
+  if (errors.length > 0) return { ok: false, errors };
+  return { ok: true, value: m };
+}
+
+// src/manifest/load.ts
+function loadManifest(opts = {}) {
+  const cwd = opts.cwd ?? process.cwd();
+  const filename = opts.filename ?? "app.manifest.json";
+  const file = resolve(join(cwd, filename));
+  let raw;
+  try {
+    raw = readFileSync(file, "utf8");
+  } catch (err) {
+    throw new Error(`loadManifest: cannot read ${file}: ${err.message}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`loadManifest: invalid JSON in ${file}: ${err.message}`);
+  }
+  const result = validateManifest(parsed);
+  if (!result.ok) {
+    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`loadManifest: ${file} failed validation:
+${lines}`);
+  }
+  return result.value;
+}
+export {
+  loadManifest,
+  validateManifest
+};
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/manifest/load.ts","../src/manifest/schema.ts"],"sourcesContent":["import { readFileSync } from \"node:fs\";\nimport { join, resolve } from \"node:path\";\nimport { validateManifest, type AppManifest } from \"./schema.js\";\n\nexport type LoadManifestOptions = {\n  /** Defaults to process.cwd(). */\n  cwd?: string;\n  /** Manifest filename. Defaults to \"app.manifest.json\". */\n  filename?: string;\n};\n\n/**\n * Read and validate an app.manifest.json. Throws with a consolidated error\n * message listing every validation failure. The deploy fails loudly instead\n * of substituting defaults that mask drift.\n */\nexport function loadManifest(opts: LoadManifestOptions = {}): AppManifest {\n  const cwd = opts.cwd ?? process.cwd();\n  const filename = opts.filename ?? \"app.manifest.json\";\n  const file = resolve(join(cwd, filename));\n\n  let raw: string;\n  try {\n    raw = readFileSync(file, \"utf8\");\n  } catch (err) {\n    throw new Error(`loadManifest: cannot read ${file}: ${(err as Error).message}`);\n  }\n\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch (err) {\n    throw new Error(`loadManifest: invalid JSON in ${file}: ${(err as Error).message}`);\n  }\n\n  const result = validateManifest(parsed);\n  if (!result.ok) {\n    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join(\"\\n\");\n    throw new Error(`loadManifest: ${file} failed validation:\\n${lines}`);\n  }\n  return result.value;\n}\n\nexport { validateManifest, type AppManifest } from \"./schema.js\";\nexport type { ManifestValidationError, AppRole, DataPlaneType } from \"./schema.js\";\n","// =============================================================================\n// app.manifest.json -- per-app declaration of slug, role, subdomain, access\n// policy, feature enablement, and data plane choice. Every spoke and apex\n// app ships one of these at the repo root.\n//\n// The manifest is the local source of truth for the deploy pipeline, the\n// registry registration call, the schema validator, the runtime app-access\n// enforcement, and the spoke kernel infra wiring. Product developers should\n// only have to edit this file (not env vars, workflow files, or registry\n// rows) to change their app's identity or feature set.\n// =============================================================================\n\nexport type AppRole = \"apex\" | \"spoke\";\n\nexport type DataPlaneType = \"app-aurora\" | \"tenant-postgres\" | \"dynamodb\" | \"none\";\n\nexport type AppManifest = {\n  /** Schema version. Always 1 for this generation. */\n  schemaVersion: 1;\n  /** Tenant slug, e.g. \"agency\". Matches the tenant repo. */\n  tenantSlug: string;\n  /** App slug. PK in the registry. Stable identifier. */\n  appSlug: string;\n  /** \"apex\" (the auth broker) or \"spoke\" (a product app). */\n  role: AppRole;\n  /** Subdomain label. \"\" for apex. */\n  subdomain: string;\n  /** Human-friendly name for nav + admin UI. */\n  displayName: string;\n  /** Sort order in the cross-app nav. Lower = first. */\n  navOrder: number;\n  access: {\n    /**\n     * Cognito identity groups required to see AND enter this app. Empty =\n     * all authenticated users. This is NOT product-level authorization;\n     * it gates entry to the entire app surface.\n     */\n    requiredIdentityGroups: string[];\n  };\n  features: {\n    /** Has billing surface (Stripe, credit balance, cart). */\n    billing: boolean;\n    /** Has settings surface (password, MFA, profile). */\n    settings: boolean;\n    /** Sends invitations (Invitation table required). */\n    invitations: boolean;\n    /** Supports admin impersonation. */\n    impersonation: boolean;\n  };\n  dataPlane: {\n    /**\n     * \"app-aurora\" = per-app Aurora Serverless v2 + RDS Proxy.\n     * \"tenant-postgres\" = shared tenant DB (rare).\n     * \"dynamodb\" = the app only uses DynamoDB tables it provisions itself.\n     * \"none\" = no app-owned data plane (apex auth-broker).\n     */\n    type: DataPlaneType;\n    /** True if Prisma migrations should run on deploy. */\n    migrations: boolean;\n  };\n};\n\nexport type ManifestValidationError = {\n  path: string;\n  message: string;\n};\n\n/**\n * Pure validator. Returns the typed manifest on success, or an array of\n * errors on failure. No throws -- the loader wraps this and throws with\n * a consolidated error message.\n */\nexport function validateManifest(\n  raw: unknown,\n): { ok: true; value: AppManifest } | { ok: false; errors: ManifestValidationError[] } {\n  const errors: ManifestValidationError[] = [];\n  if (typeof raw !== \"object\" || raw === null) {\n    return { ok: false, errors: [{ path: \"\", message: \"manifest must be an object\" }] };\n  }\n  const m = raw as Record<string, unknown>;\n\n  const requireString = (path: string, value: unknown) => {\n    if (typeof value !== \"string\") errors.push({ path, message: \"expected string\" });\n  };\n  const requireNumber = (path: string, value: unknown) => {\n    if (typeof value !== \"number\") errors.push({ path, message: \"expected number\" });\n  };\n  const requireBool = (path: string, value: unknown) => {\n    if (typeof value !== \"boolean\") errors.push({ path, message: \"expected boolean\" });\n  };\n  const requireOneOf = (path: string, value: unknown, options: readonly string[]) => {\n    if (typeof value !== \"string\" || !options.includes(value)) {\n      errors.push({ path, message: `expected one of: ${options.join(\", \")}` });\n    }\n  };\n  const requireStringArray = (path: string, value: unknown) => {\n    if (!Array.isArray(value) || value.some((v) => typeof v !== \"string\")) {\n      errors.push({ path, message: \"expected string[]\" });\n    }\n  };\n\n  if (m.schemaVersion !== 1) {\n    errors.push({ path: \"schemaVersion\", message: \"expected literal 1\" });\n  }\n  requireString(\"tenantSlug\", m.tenantSlug);\n  requireString(\"appSlug\", m.appSlug);\n  requireOneOf(\"role\", m.role, [\"apex\", \"spoke\"]);\n  requireString(\"subdomain\", m.subdomain);\n  requireString(\"displayName\", m.displayName);\n  requireNumber(\"navOrder\", m.navOrder);\n\n  const access = m.access as Record<string, unknown> | undefined;\n  if (!access || typeof access !== \"object\") {\n    errors.push({ path: \"access\", message: \"expected object\" });\n  } else {\n    requireStringArray(\"access.requiredIdentityGroups\", access.requiredIdentityGroups);\n  }\n\n  const features = m.features as Record<string, unknown> | undefined;\n  if (!features || typeof features !== \"object\") {\n    errors.push({ path: \"features\", message: \"expected object\" });\n  } else {\n    requireBool(\"features.billing\", features.billing);\n    requireBool(\"features.settings\", features.settings);\n    requireBool(\"features.invitations\", features.invitations);\n    requireBool(\"features.impersonation\", features.impersonation);\n  }\n\n  const dataPlane = m.dataPlane as Record<string, unknown> | undefined;\n  if (!dataPlane || typeof dataPlane !== \"object\") {\n    errors.push({ path: \"dataPlane\", message: \"expected object\" });\n  } else {\n    requireOneOf(\"dataPlane.type\", dataPlane.type, [\n      \"app-aurora\",\n      \"tenant-postgres\",\n      \"dynamodb\",\n      \"none\",\n    ]);\n    requireBool(\"dataPlane.migrations\", dataPlane.migrations);\n  }\n\n  // Apex consistency: subdomain must be empty.\n  if (m.role === \"apex\" && m.subdomain !== \"\") {\n    errors.push({ path: \"subdomain\", message: \"apex apps must have empty subdomain\" });\n  }\n\n  if (errors.length > 0) return { ok: false, errors };\n  return { ok: true, value: m as unknown as AppManifest };\n}\n"],"mappings":";AAAA,SAAS,oBAAoB;AAC7B,SAAS,MAAM,eAAe;;;ACuEvB,SAAS,iBACd,KACqF;AACrF,QAAM,SAAoC,CAAC;AAC3C,MAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAC3C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,6BAA6B,CAAC,EAAE;AAAA,EACpF;AACA,QAAM,IAAI;AAEV,QAAM,gBAAgB,CAAC,MAAc,UAAmB;AACtD,QAAI,OAAO,UAAU,SAAU,QAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAAA,EACjF;AACA,QAAM,gBAAgB,CAAC,MAAc,UAAmB;AACtD,QAAI,OAAO,UAAU,SAAU,QAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAAA,EACjF;AACA,QAAM,cAAc,CAAC,MAAc,UAAmB;AACpD,QAAI,OAAO,UAAU,UAAW,QAAO,KAAK,EAAE,MAAM,SAAS,mBAAmB,CAAC;AAAA,EACnF;AACA,QAAM,eAAe,CAAC,MAAc,OAAgB,YAA+B;AACjF,QAAI,OAAO,UAAU,YAAY,CAAC,QAAQ,SAAS,KAAK,GAAG;AACzD,aAAO,KAAK,EAAE,MAAM,SAAS,oBAAoB,QAAQ,KAAK,IAAI,CAAC,GAAG,CAAC;AAAA,IACzE;AAAA,EACF;AACA,QAAM,qBAAqB,CAAC,MAAc,UAAmB;AAC3D,QAAI,CAAC,MAAM,QAAQ,KAAK,KAAK,MAAM,KAAK,CAAC,MAAM,OAAO,MAAM,QAAQ,GAAG;AACrE,aAAO,KAAK,EAAE,MAAM,SAAS,oBAAoB,CAAC;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,EAAE,kBAAkB,GAAG;AACzB,WAAO,KAAK,EAAE,MAAM,iBAAiB,SAAS,qBAAqB,CAAC;AAAA,EACtE;AACA,gBAAc,cAAc,EAAE,UAAU;AACxC,gBAAc,WAAW,EAAE,OAAO;AAClC,eAAa,QAAQ,EAAE,MAAM,CAAC,QAAQ,OAAO,CAAC;AAC9C,gBAAc,aAAa,EAAE,SAAS;AACtC,gBAAc,eAAe,EAAE,WAAW;AAC1C,gBAAc,YAAY,EAAE,QAAQ;AAEpC,QAAM,SAAS,EAAE;AACjB,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,WAAO,KAAK,EAAE,MAAM,UAAU,SAAS,kBAAkB,CAAC;AAAA,EAC5D,OAAO;AACL,uBAAmB,iCAAiC,OAAO,sBAAsB;AAAA,EACnF;AAEA,QAAM,WAAW,EAAE;AACnB,MAAI,CAAC,YAAY,OAAO,aAAa,UAAU;AAC7C,WAAO,KAAK,EAAE,MAAM,YAAY,SAAS,kBAAkB,CAAC;AAAA,EAC9D,OAAO;AACL,gBAAY,oBAAoB,SAAS,OAAO;AAChD,gBAAY,qBAAqB,SAAS,QAAQ;AAClD,gBAAY,wBAAwB,SAAS,WAAW;AACxD,gBAAY,0BAA0B,SAAS,aAAa;AAAA,EAC9D;AAEA,QAAM,YAAY,EAAE;AACpB,MAAI,CAAC,aAAa,OAAO,cAAc,UAAU;AAC/C,WAAO,KAAK,EAAE,MAAM,aAAa,SAAS,kBAAkB,CAAC;AAAA,EAC/D,OAAO;AACL,iBAAa,kBAAkB,UAAU,MAAM;AAAA,MAC7C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AACD,gBAAY,wBAAwB,UAAU,UAAU;AAAA,EAC1D;AAGA,MAAI,EAAE,SAAS,UAAU,EAAE,cAAc,IAAI;AAC3C,WAAO,KAAK,EAAE,MAAM,aAAa,SAAS,sCAAsC,CAAC;AAAA,EACnF;AAEA,MAAI,OAAO,SAAS,EAAG,QAAO,EAAE,IAAI,OAAO,OAAO;AAClD,SAAO,EAAE,IAAI,MAAM,OAAO,EAA4B;AACxD;;;ADpIO,SAAS,aAAa,OAA4B,CAAC,GAAgB;AACxE,QAAM,MAAM,KAAK,OAAO,QAAQ,IAAI;AACpC,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,OAAO,QAAQ,KAAK,KAAK,QAAQ,CAAC;AAExC,MAAI;AACJ,MAAI;AACF,UAAM,aAAa,MAAM,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,UAAM,IAAI,MAAM,6BAA6B,IAAI,KAAM,IAAc,OAAO,EAAE;AAAA,EAChF;AAEA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,SAAS,KAAK;AACZ,UAAM,IAAI,MAAM,iCAAiC,IAAI,KAAM,IAAc,OAAO,EAAE;AAAA,EACpF;AAEA,QAAM,SAAS,iBAAiB,MAAM;AACtC,MAAI,CAAC,OAAO,IAAI;AACd,UAAM,QAAQ,OAAO,OAAO,IAAI,CAAC,MAAM,OAAO,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AAC/E,UAAM,IAAI,MAAM,iBAAiB,IAAI;AAAA,EAAwB,KAAK,EAAE;AAAA,EACtE;AACA,SAAO,OAAO;AAChB;","names":[]}

package/dist/server/tenant.d.ts

@@ -0,0 +1,26 @@
+import "server-only";
+import * as React from "react";
+import { type TenantPublicConfig, type TenantRole, type TenantServerConfig } from "../tenant-types.js";
+export type LoadOptions = {
+    role: TenantRole;
+    /**
+     * Override env reads with explicit values (useful for tests).
+     */
+    overrides?: Partial<TenantServerConfig>;
+};
+/**
+ * Read tenant configuration from process.env with optional overrides.
+ * Throws a single Error listing every missing required field.
+ */
+export declare function loadTenantConfig(opts: LoadOptions): TenantServerConfig;
+/**
+ * Reduce a TenantServerConfig to the public-safe subset. Strips every
+ * secret-arn so the result is safe to ship to the browser via
+ * <TenantBootScript />.
+ */
+export declare function publicSubset(config: TenantServerConfig): TenantPublicConfig;
+export declare function TenantBootScript({ config }: {
+    config: TenantPublicConfig;
+}): React.DetailedReactHTMLElement<Record<string, unknown>, HTMLElement>;
+export { TENANT_GLOBAL_KEY, type TenantPublicConfig, type TenantServerConfig, type TenantRole, } from "../tenant-types.js";
+//# sourceMappingURL=tenant.d.ts.map

package/dist/server/tenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.d.ts","sourceRoot":"","sources":["../../src/server/tenant.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AACrB,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,kBAAkB,EACxB,MAAM,oBAAoB,CAAC;AAoB5B,MAAM,MAAM,WAAW,GAAG;IACxB,IAAI,EAAE,UAAU,CAAC;IACjB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;CACzC,CAAC;AAEF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,WAAW,GAAG,kBAAkB,CAgEtE;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,kBAAkB,CAU3E;AAcD,wBAAgB,gBAAgB,CAAC,EAAE,MAAM,EAAE,EAAE;IAAE,MAAM,EAAE,kBAAkB,CAAA;CAAE,wEAM1E;AAED,OAAO,EACL,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/server.cjs

@@ -0,0 +1,129 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  TENANT_GLOBAL_KEY: () => TENANT_GLOBAL_KEY,
+  TenantBootScript: () => TenantBootScript,
+  loadTenantConfig: () => loadTenantConfig,
+  publicSubset: () => publicSubset
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/server/tenant.ts
+var import_server_only = require("server-only");
+var React = __toESM(require("react"));
+
+// src/tenant-types.ts
+var TENANT_GLOBAL_KEY = "__TENANT__";
+
+// src/server/tenant.ts
+function loadTenantConfig(opts) {
+  const env = process.env;
+  const o = opts.overrides ?? {};
+  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;
+  const apexFallback = parentDomainRaw?.replace(/^\./, "");
+  const draft = {
+    role: opts.role,
+    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,
+    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,
+    parentDomain: parentDomainRaw,
+    region: o.region ?? env.AWS_REGION ?? "us-east-1",
+    appSlug: o.appSlug ?? env.APP_SLUG,
+    appDomain: o.appDomain ?? env.APP_DOMAIN,
+    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,
+    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,
+    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,
+    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,
+    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,
+    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,
+    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,
+    dbHost: o.dbHost ?? env.DB_HOST,
+    dbName: o.dbName ?? env.DB_NAME,
+    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,
+    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN
+  };
+  if (opts.role === "apex" && !draft.appDomain) {
+    draft.appDomain = draft.apex;
+  }
+  const required = [
+    { key: "apex", env: "APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)" },
+    { key: "cookieDomain", env: "AUTH_COOKIE_DOMAIN" },
+    { key: "parentDomain", env: "AUTH_ALLOWED_PARENT_DOMAIN" },
+    { key: "authSecretArn", env: "AUTH_SECRET_ARN" },
+    { key: "appDomain", env: "APP_DOMAIN" }
+  ];
+  if (opts.role === "apex") {
+    required.push(
+      { key: "authCognitoSecretArn", env: "AUTH_COGNITO_SECRET_ARN" },
+      { key: "cognitoIssuer", env: "AUTH_COGNITO_ISSUER" },
+      { key: "cognitoClientId", env: "AUTH_COGNITO_ID" }
+    );
+  } else {
+    required.push({ key: "appSlug", env: "APP_SLUG" });
+  }
+  if (process.env.NEXT_PHASE === "phase-production-build" || !process.env.AWS_LAMBDA_FUNCTION_NAME) {
+    return draft;
+  }
+  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);
+  if (missing.length > 0) {
+    throw new Error(
+      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(", ")}`
+    );
+  }
+  return draft;
+}
+function publicSubset(config) {
+  return {
+    apex: config.apex,
+    cookieDomain: config.cookieDomain,
+    parentDomain: config.parentDomain,
+    region: config.region,
+    appSlug: config.appSlug,
+    appDomain: config.appDomain,
+    role: config.role
+  };
+}
+var INNER_HTML_PROP = "dangerouslySetInnerHTML";
+function TenantBootScript({ config }) {
+  const payload = JSON.stringify(config).replace(/</g, "\\u003c");
+  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;
+  const props = {};
+  props[INNER_HTML_PROP] = { __html: body };
+  return React.createElement("script", props);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TENANT_GLOBAL_KEY,
+  TenantBootScript,
+  loadTenantConfig,
+  publicSubset
+});
+//# sourceMappingURL=server.cjs.map

package/dist/server.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server.ts","../src/server/tenant.ts","../src/tenant-types.ts"],"sourcesContent":["export {\n  loadTenantConfig,\n  publicSubset,\n  TenantBootScript,\n  TENANT_GLOBAL_KEY,\n  type LoadOptions,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"./server/tenant.js\";\n","import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAAO;AACP,YAAuB;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;","names":[]}

package/dist/server.d.ts

@@ -0,0 +1,2 @@
+export { loadTenantConfig, publicSubset, TenantBootScript, TENANT_GLOBAL_KEY, type LoadOptions, type TenantPublicConfig, type TenantServerConfig, type TenantRole, } from "./server/tenant.js";
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}

package/dist/server.js

@@ -0,0 +1,89 @@
+// src/server/tenant.ts
+import "server-only";
+import * as React from "react";
+
+// src/tenant-types.ts
+var TENANT_GLOBAL_KEY = "__TENANT__";
+
+// src/server/tenant.ts
+function loadTenantConfig(opts) {
+  const env = process.env;
+  const o = opts.overrides ?? {};
+  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;
+  const apexFallback = parentDomainRaw?.replace(/^\./, "");
+  const draft = {
+    role: opts.role,
+    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,
+    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,
+    parentDomain: parentDomainRaw,
+    region: o.region ?? env.AWS_REGION ?? "us-east-1",
+    appSlug: o.appSlug ?? env.APP_SLUG,
+    appDomain: o.appDomain ?? env.APP_DOMAIN,
+    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,
+    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,
+    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,
+    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,
+    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,
+    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,
+    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,
+    dbHost: o.dbHost ?? env.DB_HOST,
+    dbName: o.dbName ?? env.DB_NAME,
+    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,
+    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN
+  };
+  if (opts.role === "apex" && !draft.appDomain) {
+    draft.appDomain = draft.apex;
+  }
+  const required = [
+    { key: "apex", env: "APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)" },
+    { key: "cookieDomain", env: "AUTH_COOKIE_DOMAIN" },
+    { key: "parentDomain", env: "AUTH_ALLOWED_PARENT_DOMAIN" },
+    { key: "authSecretArn", env: "AUTH_SECRET_ARN" },
+    { key: "appDomain", env: "APP_DOMAIN" }
+  ];
+  if (opts.role === "apex") {
+    required.push(
+      { key: "authCognitoSecretArn", env: "AUTH_COGNITO_SECRET_ARN" },
+      { key: "cognitoIssuer", env: "AUTH_COGNITO_ISSUER" },
+      { key: "cognitoClientId", env: "AUTH_COGNITO_ID" }
+    );
+  } else {
+    required.push({ key: "appSlug", env: "APP_SLUG" });
+  }
+  if (process.env.NEXT_PHASE === "phase-production-build" || !process.env.AWS_LAMBDA_FUNCTION_NAME) {
+    return draft;
+  }
+  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);
+  if (missing.length > 0) {
+    throw new Error(
+      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(", ")}`
+    );
+  }
+  return draft;
+}
+function publicSubset(config) {
+  return {
+    apex: config.apex,
+    cookieDomain: config.cookieDomain,
+    parentDomain: config.parentDomain,
+    region: config.region,
+    appSlug: config.appSlug,
+    appDomain: config.appDomain,
+    role: config.role
+  };
+}
+var INNER_HTML_PROP = "dangerouslySetInnerHTML";
+function TenantBootScript({ config }) {
+  const payload = JSON.stringify(config).replace(/</g, "\\u003c");
+  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;
+  const props = {};
+  props[INNER_HTML_PROP] = { __html: body };
+  return React.createElement("script", props);
+}
+export {
+  TENANT_GLOBAL_KEY,
+  TenantBootScript,
+  loadTenantConfig,
+  publicSubset
+};
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/tenant.ts","../src/tenant-types.ts"],"sourcesContent":["import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":";AAAA,OAAO;AACP,YAAY,WAAW;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;","names":[]}

package/dist/tenant-types.cjs

@@ -0,0 +1,29 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var tenant_types_exports = {};
+__export(tenant_types_exports, {
+  TENANT_GLOBAL_KEY: () => TENANT_GLOBAL_KEY
+});
+module.exports = __toCommonJS(tenant_types_exports);
+const TENANT_GLOBAL_KEY = "__TENANT__";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TENANT_GLOBAL_KEY
+});
+//# sourceMappingURL=tenant-types.cjs.map

package/dist/tenant-types.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/tenant-types.ts"],"sourcesContent":["// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAsEO,MAAM,oBAAoB;","names":[]}

package/dist/tenant-types.d.ts

@@ -0,0 +1,63 @@
+export type TenantRole = "apex" | "spoke";
+export type TenantPublicConfig = {
+    /** The tenant apex FQDN, e.g. "agency.aillc.link". */
+    apex: string;
+    /**
+     * Cookie Domain attribute. Always the apex (no leading dot needed -- the
+     * browser implies it for shared cookies). Auth.js session cookie and the
+     * theme x-theme/x-theme-variant cookies use this. Without it cookies are
+     * host-only and the subdomain ecosystem breaks.
+     */
+    cookieDomain: string;
+    /**
+     * The registrable parent domain (e.g. "aillc.link"). Used by the auth
+     * redirect callback to validate post-login callbacks back to any subdomain
+     * of the tenant. Distinct from cookieDomain in two-level apex setups.
+     */
+    parentDomain: string;
+    /** AWS region. Default: us-east-1. */
+    region: string;
+    /**
+     * For spoke apps: this spoke's slug (matches app registry primary key).
+     * For apex: undefined.
+     */
+    appSlug?: string;
+    /**
+     * For spoke apps: this spoke's FQDN (e.g. "leads.agency.aillc.link").
+     * For apex: same as `apex`.
+     */
+    appDomain: string;
+    /** "apex" or "spoke". Affects which secret-arn fields are required. */
+    role: TenantRole;
+};
+export type TenantServerConfig = TenantPublicConfig & {
+    /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */
+    authSecretArn: string;
+    /** App registry DynamoDB table name. Apex owns the table; spokes read. */
+    registryTable: string;
+    /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */
+    authCognitoSecretArn?: string;
+    /** Cognito issuer URL (apex only). */
+    cognitoIssuer?: string;
+    /** Cognito client ID (apex only). */
+    cognitoClientId?: string;
+    /** Comma-separated admin emails (auto-promoted on first sign-in). */
+    adminEmails?: string;
+    /** Aurora connection secret ARN (spoke only). */
+    dbSecretArn?: string;
+    /** Aurora endpoint host (spoke only). */
+    dbHost?: string;
+    /** Aurora database name (spoke only). */
+    dbName?: string;
+    /** Stripe credentials bundle ARN (spoke that does billing). */
+    stripeSecretArn?: string;
+    /** Stripe webhook signing secret ARN (spoke that does billing). */
+    stripeWebhookSecretArn?: string;
+};
+export declare const TENANT_GLOBAL_KEY: "__TENANT__";
+declare global {
+    interface Window {
+        [TENANT_GLOBAL_KEY]?: TenantPublicConfig;
+    }
+}
+//# sourceMappingURL=tenant-types.d.ts.map

package/dist/tenant-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-types.d.ts","sourceRoot":"","sources":["../src/tenant-types.ts"],"names":[],"mappings":"AAWA,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC;AAE1C,MAAM,MAAM,kBAAkB,GAAG;IAC/B,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb;;;;;OAKG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uEAAuE;IACvE,IAAI,EAAE,UAAU,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,kBAAkB,GAAG;IACpD,gEAAgE;IAChE,aAAa,EAAE,MAAM,CAAC;IACtB,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IACtB,gFAAgF;IAChF,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,sCAAsC;IACtC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qEAAqE;IACrE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mEAAmE;IACnE,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,EAAG,YAAqB,CAAC;AAEvD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,CAAC,iBAAiB,CAAC,CAAC,EAAE,kBAAkB,CAAC;KAC1C;CACF"}

package/dist/tenant-types.js

@@ -0,0 +1,5 @@
+const TENANT_GLOBAL_KEY = "__TENANT__";
+export {
+  TENANT_GLOBAL_KEY
+};
+//# sourceMappingURL=tenant-types.js.map

package/dist/tenant-types.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/tenant-types.ts"],"sourcesContent":["// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":"AAsEO,MAAM,oBAAoB;","names":[]}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@augmenting-integrations/platform",
+  "version": "8.4.0",
+  "description": "Tenant + app manifest contract for the augint platform. Owns TenantConfig (server-side env load + browser-safe public subset + TenantBootScript) and the app.manifest.json schema/loader. Every other @augmenting-integrations/* package consumes tenant context from here, so /auth no longer owns it.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "sideEffects": false,
+  "main": "./dist/server.cjs",
+  "module": "./dist/server.js",
+  "types": "./dist/server.d.ts",
+  "exports": {
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js",
+      "require": "./dist/server.cjs"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js",
+      "require": "./dist/client.cjs"
+    },
+    "./manifest": {
+      "types": "./dist/manifest.d.ts",
+      "import": "./dist/manifest.js",
+      "require": "./dist/manifest.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "clean": "rm -rf dist",
+    "test": "vitest run --passWithNoTests"
+  },
+  "peerDependencies": {
+    "next": "^16.0.0",
+    "react": "^19.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.17.6",
+    "@types/react": "^19.0.0",
+    "next": "^16.2.5",
+    "react": "^19.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.5"
+  }
+}