@augmenting-integrations/platform 8.5.0 → 8.6.0

package/dist/apps-roster/load.d.ts

@@ -0,0 +1,15 @@
+import { type AppsRoster } from "./schema.js";
+export type LoadAppsRosterOptions = {
+    /** Absolute path to a JSON apps-roster file. */
+    path: string;
+};
+/**
+ * Read + validate a JSON apps-roster file. Throws with a consolidated error
+ * message listing every validation failure.
+ *
+ * YAML parsing is intentionally not bundled in this package; use
+ * @augmenting-integrations/deploy-tools `augint validate-app-roster` for the
+ * cross-format check between the infra YAML source and the apex JSON mirror.
+ */
+export declare function loadAppsRosterJson(opts: LoadAppsRosterOptions): AppsRoster;
+//# sourceMappingURL=load.d.ts.map

package/dist/apps-roster/load.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load.d.ts","sourceRoot":"","sources":["../../src/apps-roster/load.ts"],"names":[],"mappings":"AAGA,OAAO,EAAsB,KAAK,UAAU,EAAE,MAAM,aAAa,CAAC;AAElE,MAAM,MAAM,qBAAqB,GAAG;IAClC,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,qBAAqB,GAAG,UAAU,CA0B1E"}

package/dist/apps-roster/schema.d.ts

@@ -0,0 +1,53 @@
+export type TenantAppRole = "apex" | "spoke";
+export type TenantApp = {
+    /** Stable identifier. Matches the spoke's app.manifest.json#appSlug. */
+    slug: string;
+    /** "apex" (auth broker) or "spoke" (product app). */
+    role: TenantAppRole;
+    /** DNS label. Empty string for apex. */
+    subdomain: string;
+    /** Human-friendly name. Drives the shared nav. */
+    displayName: string;
+    /** Sort order. Lower comes first. */
+    navOrder: number;
+    /**
+     * Cognito identity groups required to see this app in cross-app nav
+     * AND to enter its routes (when the spoke's createAuth is wired to its
+     * own manifest's access policy). Empty = all authenticated users.
+     */
+    requiredIdentityGroups: string[];
+    /**
+     * Static feature toggle. Default true. Set false to hide an app from
+     * cross-app nav without removing the entry. Editing this requires a
+     * PR + redeploy -- this is NOT mutable runtime state.
+     */
+    enabled?: boolean;
+};
+export type AppsRoster = {
+    apps: TenantApp[];
+};
+export type RosterValidationError = {
+    path: string;
+    message: string;
+};
+/**
+ * Pure validator for the roster object (parsed from YAML or JSON). Returns
+ * the typed roster on success, or an array of errors on failure. No throws.
+ */
+export declare function validateAppsRoster(raw: unknown): {
+    ok: true;
+    value: AppsRoster;
+} | {
+    ok: false;
+    errors: RosterValidationError[];
+};
+/**
+ * Filter the roster by user identity groups. Apps with empty
+ * `requiredIdentityGroups` are visible to all authenticated users; otherwise
+ * the user must be in at least one of the listed groups. `enabled: false`
+ * apps are always filtered out.
+ */
+export declare function filterAppsByIdentityGroups(apps: TenantApp[], userGroups: string[]): TenantApp[];
+/** Sort apps by navOrder ASC, then slug. Mutates a copy, returns it. */
+export declare function sortAppsByNavOrder<T extends Pick<TenantApp, "navOrder" | "slug">>(apps: T[]): T[];
+//# sourceMappingURL=schema.d.ts.map

package/dist/apps-roster/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/apps-roster/schema.ts"],"names":[],"mappings":"AAaA,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,CAAC;AAE7C,MAAM,MAAM,SAAS,GAAG;IACtB,wEAAwE;IACxE,IAAI,EAAE,MAAM,CAAC;IACb,qDAAqD;IACrD,IAAI,EAAE,aAAa,CAAC;IACpB,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,WAAW,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,EAAE,SAAS,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAIF;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,OAAO,GACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,qBAAqB,EAAE,CAAA;CAAE,CAoHlF;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,SAAS,EAAE,EACjB,UAAU,EAAE,MAAM,EAAE,GACnB,SAAS,EAAE,CAOb;AAED,wEAAwE;AACxE,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,UAAU,GAAG,MAAM,CAAC,EAC/E,IAAI,EAAE,CAAC,EAAE,GACR,CAAC,EAAE,CAIL"}

package/dist/apps-roster.cjs

@@ -0,0 +1,187 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/apps-roster.ts
+var apps_roster_exports = {};
+__export(apps_roster_exports, {
+  filterAppsByIdentityGroups: () => filterAppsByIdentityGroups,
+  loadAppsRosterJson: () => loadAppsRosterJson,
+  sortAppsByNavOrder: () => sortAppsByNavOrder,
+  validateAppsRoster: () => validateAppsRoster
+});
+module.exports = __toCommonJS(apps_roster_exports);
+
+// src/apps-roster/schema.ts
+var ROLES = ["apex", "spoke"];
+function validateAppsRoster(raw) {
+  const errors = [];
+  if (typeof raw !== "object" || raw === null) {
+    return { ok: false, errors: [{ path: "", message: "roster must be an object" }] };
+  }
+  const m = raw;
+  if (!Array.isArray(m.apps)) {
+    return { ok: false, errors: [{ path: "apps", message: "expected array" }] };
+  }
+  const apps = m.apps;
+  const seenSlugs = /* @__PURE__ */ new Map();
+  const seenSubdomains = /* @__PURE__ */ new Map();
+  const seenNavOrder = /* @__PURE__ */ new Map();
+  let apexCount = 0;
+  apps.forEach((entryUnknown, i) => {
+    const path = `apps[${i}]`;
+    if (typeof entryUnknown !== "object" || entryUnknown === null) {
+      errors.push({ path, message: "expected object" });
+      return;
+    }
+    const entry = entryUnknown;
+    if (typeof entry.slug !== "string" || entry.slug === "") {
+      errors.push({ path: `${path}.slug`, message: "expected non-empty string" });
+    } else {
+      const prior = seenSlugs.get(entry.slug);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.slug`,
+          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`
+        });
+      } else {
+        seenSlugs.set(entry.slug, i);
+      }
+    }
+    if (typeof entry.role !== "string" || !ROLES.includes(entry.role)) {
+      errors.push({
+        path: `${path}.role`,
+        message: `expected one of: ${ROLES.join(", ")}`
+      });
+    } else if (entry.role === "apex") {
+      apexCount++;
+    }
+    if (typeof entry.subdomain !== "string") {
+      errors.push({ path: `${path}.subdomain`, message: "expected string" });
+    } else {
+      if (entry.role === "apex" && entry.subdomain !== "") {
+        errors.push({
+          path: `${path}.subdomain`,
+          message: "apex apps must have empty subdomain"
+        });
+      }
+      if (entry.subdomain !== "") {
+        const prior = seenSubdomains.get(entry.subdomain);
+        if (prior !== void 0) {
+          errors.push({
+            path: `${path}.subdomain`,
+            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`
+          });
+        } else {
+          seenSubdomains.set(entry.subdomain, i);
+        }
+      }
+    }
+    if (typeof entry.displayName !== "string" || entry.displayName === "") {
+      errors.push({
+        path: `${path}.displayName`,
+        message: "expected non-empty string"
+      });
+    }
+    if (typeof entry.navOrder !== "number" || !Number.isFinite(entry.navOrder)) {
+      errors.push({ path: `${path}.navOrder`, message: "expected number" });
+    } else {
+      const prior = seenNavOrder.get(entry.navOrder);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.navOrder`,
+          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`
+        });
+      } else {
+        seenNavOrder.set(entry.navOrder, i);
+      }
+    }
+    if (!Array.isArray(entry.requiredIdentityGroups) || entry.requiredIdentityGroups.some((g) => typeof g !== "string")) {
+      errors.push({
+        path: `${path}.requiredIdentityGroups`,
+        message: "expected string[]"
+      });
+    }
+    if (entry.enabled !== void 0 && typeof entry.enabled !== "boolean") {
+      errors.push({ path: `${path}.enabled`, message: "expected boolean" });
+    }
+  });
+  if (apexCount === 0) {
+    errors.push({ path: "apps", message: "roster must contain exactly one apex entry" });
+  } else if (apexCount > 1) {
+    errors.push({
+      path: "apps",
+      message: `roster must contain exactly one apex entry, found ${apexCount}`
+    });
+  }
+  if (errors.length > 0) return { ok: false, errors };
+  return { ok: true, value: m };
+}
+function filterAppsByIdentityGroups(apps, userGroups) {
+  const lower = userGroups.map((g) => g.toLowerCase());
+  return apps.filter((a) => {
+    if (a.enabled === false) return false;
+    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;
+    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));
+  });
+}
+function sortAppsByNavOrder(apps) {
+  return [...apps].sort(
+    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug)
+  );
+}
+
+// src/apps-roster/load.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+function loadAppsRosterJson(opts) {
+  const file = (0, import_node_path.resolve)(opts.path);
+  let raw;
+  try {
+    raw = (0, import_node_fs.readFileSync)(file, "utf8");
+  } catch (err) {
+    throw new Error(
+      `loadAppsRosterJson: cannot read ${file}: ${err.message}`,
+      { cause: err }
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `loadAppsRosterJson: invalid JSON in ${file}: ${err.message}`,
+      { cause: err }
+    );
+  }
+  const result = validateAppsRoster(parsed);
+  if (!result.ok) {
+    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`loadAppsRosterJson: ${file} failed validation:
+${lines}`);
+  }
+  return result.value;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  filterAppsByIdentityGroups,
+  loadAppsRosterJson,
+  sortAppsByNavOrder,
+  validateAppsRoster
+});
+//# sourceMappingURL=apps-roster.cjs.map

package/dist/apps-roster.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/apps-roster.ts","../src/apps-roster/schema.ts","../src/apps-roster/load.ts"],"sourcesContent":["export {\n  validateAppsRoster,\n  filterAppsByIdentityGroups,\n  sortAppsByNavOrder,\n  type TenantApp,\n  type TenantAppRole,\n  type AppsRoster,\n  type RosterValidationError,\n} from \"./apps-roster/schema.js\";\nexport { loadAppsRosterJson, type LoadAppsRosterOptions } from \"./apps-roster/load.js\";\n","// =============================================================================\n// Tenant app roster.\n//\n// One file per tenant that lists every app (apex + spokes) the tenant\n// ecosystem contains. Replaces the runtime DynamoDB registry. Stored as\n// YAML in <tenant>-infra/config/apps.yaml (canonical) and mirrored to\n// <tenant>-apex/config/apps.json for runtime serving by /api/apps.\n//\n// Adding a new spoke = a PR to the spoke repo (its app.manifest.json) +\n// a PR to <tenant>-infra/config/apps.yaml + a PR to <tenant>-apex/config/\n// apps.json. Validation catches drift.\n// =============================================================================\n\nexport type TenantAppRole = \"apex\" | \"spoke\";\n\nexport type TenantApp = {\n  /** Stable identifier. Matches the spoke's app.manifest.json#appSlug. */\n  slug: string;\n  /** \"apex\" (auth broker) or \"spoke\" (product app). */\n  role: TenantAppRole;\n  /** DNS label. Empty string for apex. */\n  subdomain: string;\n  /** Human-friendly name. Drives the shared nav. */\n  displayName: string;\n  /** Sort order. Lower comes first. */\n  navOrder: number;\n  /**\n   * Cognito identity groups required to see this app in cross-app nav\n   * AND to enter its routes (when the spoke's createAuth is wired to its\n   * own manifest's access policy). Empty = all authenticated users.\n   */\n  requiredIdentityGroups: string[];\n  /**\n   * Static feature toggle. Default true. Set false to hide an app from\n   * cross-app nav without removing the entry. Editing this requires a\n   * PR + redeploy -- this is NOT mutable runtime state.\n   */\n  enabled?: boolean;\n};\n\nexport type AppsRoster = {\n  apps: TenantApp[];\n};\n\nexport type RosterValidationError = {\n  path: string;\n  message: string;\n};\n\nconst ROLES: readonly string[] = [\"apex\", \"spoke\"];\n\n/**\n * Pure validator for the roster object (parsed from YAML or JSON). Returns\n * the typed roster on success, or an array of errors on failure. No throws.\n */\nexport function validateAppsRoster(\n  raw: unknown,\n): { ok: true; value: AppsRoster } | { ok: false; errors: RosterValidationError[] } {\n  const errors: RosterValidationError[] = [];\n  if (typeof raw !== \"object\" || raw === null) {\n    return { ok: false, errors: [{ path: \"\", message: \"roster must be an object\" }] };\n  }\n  const m = raw as Record<string, unknown>;\n  if (!Array.isArray(m.apps)) {\n    return { ok: false, errors: [{ path: \"apps\", message: \"expected array\" }] };\n  }\n  const apps = m.apps as unknown[];\n\n  const seenSlugs = new Map<string, number>();\n  const seenSubdomains = new Map<string, number>();\n  const seenNavOrder = new Map<number, number>();\n  let apexCount = 0;\n\n  apps.forEach((entryUnknown, i) => {\n    const path = `apps[${i}]`;\n    if (typeof entryUnknown !== \"object\" || entryUnknown === null) {\n      errors.push({ path, message: \"expected object\" });\n      return;\n    }\n    const entry = entryUnknown as Record<string, unknown>;\n\n    if (typeof entry.slug !== \"string\" || entry.slug === \"\") {\n      errors.push({ path: `${path}.slug`, message: \"expected non-empty string\" });\n    } else {\n      const prior = seenSlugs.get(entry.slug);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.slug`,\n          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`,\n        });\n      } else {\n        seenSlugs.set(entry.slug, i);\n      }\n    }\n\n    if (typeof entry.role !== \"string\" || !ROLES.includes(entry.role)) {\n      errors.push({\n        path: `${path}.role`,\n        message: `expected one of: ${ROLES.join(\", \")}`,\n      });\n    } else if (entry.role === \"apex\") {\n      apexCount++;\n    }\n\n    if (typeof entry.subdomain !== \"string\") {\n      errors.push({ path: `${path}.subdomain`, message: \"expected string\" });\n    } else {\n      if (entry.role === \"apex\" && entry.subdomain !== \"\") {\n        errors.push({\n          path: `${path}.subdomain`,\n          message: \"apex apps must have empty subdomain\",\n        });\n      }\n      if (entry.subdomain !== \"\") {\n        const prior = seenSubdomains.get(entry.subdomain);\n        if (prior !== undefined) {\n          errors.push({\n            path: `${path}.subdomain`,\n            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`,\n          });\n        } else {\n          seenSubdomains.set(entry.subdomain, i);\n        }\n      }\n    }\n\n    if (typeof entry.displayName !== \"string\" || entry.displayName === \"\") {\n      errors.push({\n        path: `${path}.displayName`,\n        message: \"expected non-empty string\",\n      });\n    }\n\n    if (typeof entry.navOrder !== \"number\" || !Number.isFinite(entry.navOrder)) {\n      errors.push({ path: `${path}.navOrder`, message: \"expected number\" });\n    } else {\n      const prior = seenNavOrder.get(entry.navOrder);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.navOrder`,\n          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`,\n        });\n      } else {\n        seenNavOrder.set(entry.navOrder, i);\n      }\n    }\n\n    if (\n      !Array.isArray(entry.requiredIdentityGroups) ||\n      entry.requiredIdentityGroups.some((g) => typeof g !== \"string\")\n    ) {\n      errors.push({\n        path: `${path}.requiredIdentityGroups`,\n        message: \"expected string[]\",\n      });\n    }\n\n    if (entry.enabled !== undefined && typeof entry.enabled !== \"boolean\") {\n      errors.push({ path: `${path}.enabled`, message: \"expected boolean\" });\n    }\n  });\n\n  if (apexCount === 0) {\n    errors.push({ path: \"apps\", message: \"roster must contain exactly one apex entry\" });\n  } else if (apexCount > 1) {\n    errors.push({\n      path: \"apps\",\n      message: `roster must contain exactly one apex entry, found ${apexCount}`,\n    });\n  }\n\n  if (errors.length > 0) return { ok: false, errors };\n  return { ok: true, value: m as unknown as AppsRoster };\n}\n\n/**\n * Filter the roster by user identity groups. Apps with empty\n * `requiredIdentityGroups` are visible to all authenticated users; otherwise\n * the user must be in at least one of the listed groups. `enabled: false`\n * apps are always filtered out.\n */\nexport function filterAppsByIdentityGroups(\n  apps: TenantApp[],\n  userGroups: string[],\n): TenantApp[] {\n  const lower = userGroups.map((g) => g.toLowerCase());\n  return apps.filter((a) => {\n    if (a.enabled === false) return false;\n    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;\n    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));\n  });\n}\n\n/** Sort apps by navOrder ASC, then slug. Mutates a copy, returns it. */\nexport function sortAppsByNavOrder<T extends Pick<TenantApp, \"navOrder\" | \"slug\">>(\n  apps: T[],\n): T[] {\n  return [...apps].sort(\n    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug),\n  );\n}\n","import { readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\n\nimport { validateAppsRoster, type AppsRoster } from \"./schema.js\";\n\nexport type LoadAppsRosterOptions = {\n  /** Absolute path to a JSON apps-roster file. */\n  path: string;\n};\n\n/**\n * Read + validate a JSON apps-roster file. Throws with a consolidated error\n * message listing every validation failure.\n *\n * YAML parsing is intentionally not bundled in this package; use\n * @augmenting-integrations/deploy-tools `augint validate-app-roster` for the\n * cross-format check between the infra YAML source and the apex JSON mirror.\n */\nexport function loadAppsRosterJson(opts: LoadAppsRosterOptions): AppsRoster {\n  const file = resolve(opts.path);\n  let raw: string;\n  try {\n    raw = readFileSync(file, \"utf8\");\n  } catch (err) {\n    throw new Error(\n      `loadAppsRosterJson: cannot read ${file}: ${(err as Error).message}`,\n      { cause: err },\n    );\n  }\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch (err) {\n    throw new Error(\n      `loadAppsRosterJson: invalid JSON in ${file}: ${(err as Error).message}`,\n      { cause: err },\n    );\n  }\n  const result = validateAppsRoster(parsed);\n  if (!result.ok) {\n    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join(\"\\n\");\n    throw new Error(`loadAppsRosterJson: ${file} failed validation:\\n${lines}`);\n  }\n  return result.value;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiDA,IAAM,QAA2B,CAAC,QAAQ,OAAO;AAM1C,SAAS,mBACd,KACkF;AAClF,QAAM,SAAkC,CAAC;AACzC,MAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAC3C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,2BAA2B,CAAC,EAAE;AAAA,EAClF;AACA,QAAM,IAAI;AACV,MAAI,CAAC,MAAM,QAAQ,EAAE,IAAI,GAAG;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,QAAQ,SAAS,iBAAiB,CAAC,EAAE;AAAA,EAC5E;AACA,QAAM,OAAO,EAAE;AAEf,QAAM,YAAY,oBAAI,IAAoB;AAC1C,QAAM,iBAAiB,oBAAI,IAAoB;AAC/C,QAAM,eAAe,oBAAI,IAAoB;AAC7C,MAAI,YAAY;AAEhB,OAAK,QAAQ,CAAC,cAAc,MAAM;AAChC,UAAM,OAAO,QAAQ,CAAC;AACtB,QAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,aAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAChD;AAAA,IACF;AACA,UAAM,QAAQ;AAEd,QAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,IAAI;AACvD,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,SAAS,SAAS,4BAA4B,CAAC;AAAA,IAC5E,OAAO;AACL,YAAM,QAAQ,UAAU,IAAI,MAAM,IAAI;AACtC,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,kBAAkB,KAAK,UAAU,MAAM,IAAI,CAAC,kBAAkB,KAAK;AAAA,QAC9E,CAAC;AAAA,MACH,OAAO;AACL,kBAAU,IAAI,MAAM,MAAM,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,SAAS,YAAY,CAAC,MAAM,SAAS,MAAM,IAAI,GAAG;AACjE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,oBAAoB,MAAM,KAAK,IAAI,CAAC;AAAA,MAC/C,CAAC;AAAA,IACH,WAAW,MAAM,SAAS,QAAQ;AAChC;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,cAAc,UAAU;AACvC,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,cAAc,SAAS,kBAAkB,CAAC;AAAA,IACvE,OAAO;AACL,UAAI,MAAM,SAAS,UAAU,MAAM,cAAc,IAAI;AACnD,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,UAAI,MAAM,cAAc,IAAI;AAC1B,cAAM,QAAQ,eAAe,IAAI,MAAM,SAAS;AAChD,YAAI,UAAU,QAAW;AACvB,iBAAO,KAAK;AAAA,YACV,MAAM,GAAG,IAAI;AAAA,YACb,SAAS,uBAAuB,KAAK,UAAU,MAAM,SAAS,CAAC,kBAAkB,KAAK;AAAA,UACxF,CAAC;AAAA,QACH,OAAO;AACL,yBAAe,IAAI,MAAM,WAAW,CAAC;AAAA,QACvC;AAAA,MACF;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,gBAAgB,YAAY,MAAM,gBAAgB,IAAI;AACrE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,MAAM,aAAa,YAAY,CAAC,OAAO,SAAS,MAAM,QAAQ,GAAG;AAC1E,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,aAAa,SAAS,kBAAkB,CAAC;AAAA,IACtE,OAAO;AACL,YAAM,QAAQ,aAAa,IAAI,MAAM,QAAQ;AAC7C,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,sBAAsB,MAAM,QAAQ,kBAAkB,KAAK;AAAA,QACtE,CAAC;AAAA,MACH,OAAO;AACL,qBAAa,IAAI,MAAM,UAAU,CAAC;AAAA,MACpC;AAAA,IACF;AAEA,QACE,CAAC,MAAM,QAAQ,MAAM,sBAAsB,KAC3C,MAAM,uBAAuB,KAAK,CAAC,MAAM,OAAO,MAAM,QAAQ,GAC9D;AACA,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,MAAM,YAAY,UAAa,OAAO,MAAM,YAAY,WAAW;AACrE,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,mBAAmB,CAAC;AAAA,IACtE;AAAA,EACF,CAAC;AAED,MAAI,cAAc,GAAG;AACnB,WAAO,KAAK,EAAE,MAAM,QAAQ,SAAS,6CAA6C,CAAC;AAAA,EACrF,WAAW,YAAY,GAAG;AACxB,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,qDAAqD,SAAS;AAAA,IACzE,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,SAAS,EAAG,QAAO,EAAE,IAAI,OAAO,OAAO;AAClD,SAAO,EAAE,IAAI,MAAM,OAAO,EAA2B;AACvD;AAQO,SAAS,2BACd,MACA,YACa;AACb,QAAM,QAAQ,WAAW,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AACnD,SAAO,KAAK,OAAO,CAAC,MAAM;AACxB,QAAI,EAAE,YAAY,MAAO,QAAO;AAChC,QAAI,CAAC,EAAE,0BAA0B,EAAE,uBAAuB,WAAW,EAAG,QAAO;AAC/E,WAAO,EAAE,uBAAuB,KAAK,CAAC,MAAM,MAAM,SAAS,EAAE,YAAY,CAAC,CAAC;AAAA,EAC7E,CAAC;AACH;AAGO,SAAS,mBACd,MACK;AACL,SAAO,CAAC,GAAG,IAAI,EAAE;AAAA,IACf,CAAC,GAAG,OAAO,EAAE,YAAY,MAAM,EAAE,YAAY,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EAChF;AACF;;;ACxMA,qBAA6B;AAC7B,uBAAwB;AAiBjB,SAAS,mBAAmB,MAAyC;AAC1E,QAAM,WAAO,0BAAQ,KAAK,IAAI;AAC9B,MAAI;AACJ,MAAI;AACF,cAAM,6BAAa,MAAM,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,mCAAmC,IAAI,KAAM,IAAc,OAAO;AAAA,MAClE,EAAE,OAAO,IAAI;AAAA,IACf;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,uCAAuC,IAAI,KAAM,IAAc,OAAO;AAAA,MACtE,EAAE,OAAO,IAAI;AAAA,IACf;AAAA,EACF;AACA,QAAM,SAAS,mBAAmB,MAAM;AACxC,MAAI,CAAC,OAAO,IAAI;AACd,UAAM,QAAQ,OAAO,OAAO,IAAI,CAAC,MAAM,OAAO,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AAC/E,UAAM,IAAI,MAAM,uBAAuB,IAAI;AAAA,EAAwB,KAAK,EAAE;AAAA,EAC5E;AACA,SAAO,OAAO;AAChB;","names":[]}

package/dist/apps-roster.d.ts

@@ -0,0 +1,3 @@
+export { validateAppsRoster, filterAppsByIdentityGroups, sortAppsByNavOrder, type TenantApp, type TenantAppRole, type AppsRoster, type RosterValidationError, } from "./apps-roster/schema.js";
+export { loadAppsRosterJson, type LoadAppsRosterOptions } from "./apps-roster/load.js";
+//# sourceMappingURL=apps-roster.d.ts.map

package/dist/apps-roster.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apps-roster.d.ts","sourceRoot":"","sources":["../src/apps-roster.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAC1B,kBAAkB,EAClB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,qBAAqB,GAC3B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,kBAAkB,EAAE,KAAK,qBAAqB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/apps-roster.js

@@ -0,0 +1,44 @@
+import {
+  filterAppsByIdentityGroups,
+  sortAppsByNavOrder,
+  validateAppsRoster
+} from "./chunk-ZJFI7R4O.js";
+
+// src/apps-roster/load.ts
+import { readFileSync } from "fs";
+import { resolve } from "path";
+function loadAppsRosterJson(opts) {
+  const file = resolve(opts.path);
+  let raw;
+  try {
+    raw = readFileSync(file, "utf8");
+  } catch (err) {
+    throw new Error(
+      `loadAppsRosterJson: cannot read ${file}: ${err.message}`,
+      { cause: err }
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `loadAppsRosterJson: invalid JSON in ${file}: ${err.message}`,
+      { cause: err }
+    );
+  }
+  const result = validateAppsRoster(parsed);
+  if (!result.ok) {
+    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join("\n");
+    throw new Error(`loadAppsRosterJson: ${file} failed validation:
+${lines}`);
+  }
+  return result.value;
+}
+export {
+  filterAppsByIdentityGroups,
+  loadAppsRosterJson,
+  sortAppsByNavOrder,
+  validateAppsRoster
+};
+//# sourceMappingURL=apps-roster.js.map

package/dist/apps-roster.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/apps-roster/load.ts"],"sourcesContent":["import { readFileSync } from \"node:fs\";\nimport { resolve } from \"node:path\";\n\nimport { validateAppsRoster, type AppsRoster } from \"./schema.js\";\n\nexport type LoadAppsRosterOptions = {\n  /** Absolute path to a JSON apps-roster file. */\n  path: string;\n};\n\n/**\n * Read + validate a JSON apps-roster file. Throws with a consolidated error\n * message listing every validation failure.\n *\n * YAML parsing is intentionally not bundled in this package; use\n * @augmenting-integrations/deploy-tools `augint validate-app-roster` for the\n * cross-format check between the infra YAML source and the apex JSON mirror.\n */\nexport function loadAppsRosterJson(opts: LoadAppsRosterOptions): AppsRoster {\n  const file = resolve(opts.path);\n  let raw: string;\n  try {\n    raw = readFileSync(file, \"utf8\");\n  } catch (err) {\n    throw new Error(\n      `loadAppsRosterJson: cannot read ${file}: ${(err as Error).message}`,\n      { cause: err },\n    );\n  }\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch (err) {\n    throw new Error(\n      `loadAppsRosterJson: invalid JSON in ${file}: ${(err as Error).message}`,\n      { cause: err },\n    );\n  }\n  const result = validateAppsRoster(parsed);\n  if (!result.ok) {\n    const lines = result.errors.map((e) => `  - ${e.path}: ${e.message}`).join(\"\\n\");\n    throw new Error(`loadAppsRosterJson: ${file} failed validation:\\n${lines}`);\n  }\n  return result.value;\n}\n"],"mappings":";;;;;;;AAAA,SAAS,oBAAoB;AAC7B,SAAS,eAAe;AAiBjB,SAAS,mBAAmB,MAAyC;AAC1E,QAAM,OAAO,QAAQ,KAAK,IAAI;AAC9B,MAAI;AACJ,MAAI;AACF,UAAM,aAAa,MAAM,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,mCAAmC,IAAI,KAAM,IAAc,OAAO;AAAA,MAClE,EAAE,OAAO,IAAI;AAAA,IACf;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,uCAAuC,IAAI,KAAM,IAAc,OAAO;AAAA,MACtE,EAAE,OAAO,IAAI;AAAA,IACf;AAAA,EACF;AACA,QAAM,SAAS,mBAAmB,MAAM;AACxC,MAAI,CAAC,OAAO,IAAI;AACd,UAAM,QAAQ,OAAO,OAAO,IAAI,CAAC,MAAM,OAAO,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AAC/E,UAAM,IAAI,MAAM,uBAAuB,IAAI;AAAA,EAAwB,KAAK,EAAE;AAAA,EAC5E;AACA,SAAO,OAAO;AAChB;","names":[]}

package/dist/chunk-ZJFI7R4O.js

@@ -0,0 +1,125 @@
+// src/apps-roster/schema.ts
+var ROLES = ["apex", "spoke"];
+function validateAppsRoster(raw) {
+  const errors = [];
+  if (typeof raw !== "object" || raw === null) {
+    return { ok: false, errors: [{ path: "", message: "roster must be an object" }] };
+  }
+  const m = raw;
+  if (!Array.isArray(m.apps)) {
+    return { ok: false, errors: [{ path: "apps", message: "expected array" }] };
+  }
+  const apps = m.apps;
+  const seenSlugs = /* @__PURE__ */ new Map();
+  const seenSubdomains = /* @__PURE__ */ new Map();
+  const seenNavOrder = /* @__PURE__ */ new Map();
+  let apexCount = 0;
+  apps.forEach((entryUnknown, i) => {
+    const path = `apps[${i}]`;
+    if (typeof entryUnknown !== "object" || entryUnknown === null) {
+      errors.push({ path, message: "expected object" });
+      return;
+    }
+    const entry = entryUnknown;
+    if (typeof entry.slug !== "string" || entry.slug === "") {
+      errors.push({ path: `${path}.slug`, message: "expected non-empty string" });
+    } else {
+      const prior = seenSlugs.get(entry.slug);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.slug`,
+          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`
+        });
+      } else {
+        seenSlugs.set(entry.slug, i);
+      }
+    }
+    if (typeof entry.role !== "string" || !ROLES.includes(entry.role)) {
+      errors.push({
+        path: `${path}.role`,
+        message: `expected one of: ${ROLES.join(", ")}`
+      });
+    } else if (entry.role === "apex") {
+      apexCount++;
+    }
+    if (typeof entry.subdomain !== "string") {
+      errors.push({ path: `${path}.subdomain`, message: "expected string" });
+    } else {
+      if (entry.role === "apex" && entry.subdomain !== "") {
+        errors.push({
+          path: `${path}.subdomain`,
+          message: "apex apps must have empty subdomain"
+        });
+      }
+      if (entry.subdomain !== "") {
+        const prior = seenSubdomains.get(entry.subdomain);
+        if (prior !== void 0) {
+          errors.push({
+            path: `${path}.subdomain`,
+            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`
+          });
+        } else {
+          seenSubdomains.set(entry.subdomain, i);
+        }
+      }
+    }
+    if (typeof entry.displayName !== "string" || entry.displayName === "") {
+      errors.push({
+        path: `${path}.displayName`,
+        message: "expected non-empty string"
+      });
+    }
+    if (typeof entry.navOrder !== "number" || !Number.isFinite(entry.navOrder)) {
+      errors.push({ path: `${path}.navOrder`, message: "expected number" });
+    } else {
+      const prior = seenNavOrder.get(entry.navOrder);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.navOrder`,
+          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`
+        });
+      } else {
+        seenNavOrder.set(entry.navOrder, i);
+      }
+    }
+    if (!Array.isArray(entry.requiredIdentityGroups) || entry.requiredIdentityGroups.some((g) => typeof g !== "string")) {
+      errors.push({
+        path: `${path}.requiredIdentityGroups`,
+        message: "expected string[]"
+      });
+    }
+    if (entry.enabled !== void 0 && typeof entry.enabled !== "boolean") {
+      errors.push({ path: `${path}.enabled`, message: "expected boolean" });
+    }
+  });
+  if (apexCount === 0) {
+    errors.push({ path: "apps", message: "roster must contain exactly one apex entry" });
+  } else if (apexCount > 1) {
+    errors.push({
+      path: "apps",
+      message: `roster must contain exactly one apex entry, found ${apexCount}`
+    });
+  }
+  if (errors.length > 0) return { ok: false, errors };
+  return { ok: true, value: m };
+}
+function filterAppsByIdentityGroups(apps, userGroups) {
+  const lower = userGroups.map((g) => g.toLowerCase());
+  return apps.filter((a) => {
+    if (a.enabled === false) return false;
+    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;
+    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));
+  });
+}
+function sortAppsByNavOrder(apps) {
+  return [...apps].sort(
+    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug)
+  );
+}
+
+export {
+  validateAppsRoster,
+  filterAppsByIdentityGroups,
+  sortAppsByNavOrder
+};
+//# sourceMappingURL=chunk-ZJFI7R4O.js.map

package/dist/chunk-ZJFI7R4O.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/apps-roster/schema.ts"],"sourcesContent":["// =============================================================================\n// Tenant app roster.\n//\n// One file per tenant that lists every app (apex + spokes) the tenant\n// ecosystem contains. Replaces the runtime DynamoDB registry. Stored as\n// YAML in <tenant>-infra/config/apps.yaml (canonical) and mirrored to\n// <tenant>-apex/config/apps.json for runtime serving by /api/apps.\n//\n// Adding a new spoke = a PR to the spoke repo (its app.manifest.json) +\n// a PR to <tenant>-infra/config/apps.yaml + a PR to <tenant>-apex/config/\n// apps.json. Validation catches drift.\n// =============================================================================\n\nexport type TenantAppRole = \"apex\" | \"spoke\";\n\nexport type TenantApp = {\n  /** Stable identifier. Matches the spoke's app.manifest.json#appSlug. */\n  slug: string;\n  /** \"apex\" (auth broker) or \"spoke\" (product app). */\n  role: TenantAppRole;\n  /** DNS label. Empty string for apex. */\n  subdomain: string;\n  /** Human-friendly name. Drives the shared nav. */\n  displayName: string;\n  /** Sort order. Lower comes first. */\n  navOrder: number;\n  /**\n   * Cognito identity groups required to see this app in cross-app nav\n   * AND to enter its routes (when the spoke's createAuth is wired to its\n   * own manifest's access policy). Empty = all authenticated users.\n   */\n  requiredIdentityGroups: string[];\n  /**\n   * Static feature toggle. Default true. Set false to hide an app from\n   * cross-app nav without removing the entry. Editing this requires a\n   * PR + redeploy -- this is NOT mutable runtime state.\n   */\n  enabled?: boolean;\n};\n\nexport type AppsRoster = {\n  apps: TenantApp[];\n};\n\nexport type RosterValidationError = {\n  path: string;\n  message: string;\n};\n\nconst ROLES: readonly string[] = [\"apex\", \"spoke\"];\n\n/**\n * Pure validator for the roster object (parsed from YAML or JSON). Returns\n * the typed roster on success, or an array of errors on failure. No throws.\n */\nexport function validateAppsRoster(\n  raw: unknown,\n): { ok: true; value: AppsRoster } | { ok: false; errors: RosterValidationError[] } {\n  const errors: RosterValidationError[] = [];\n  if (typeof raw !== \"object\" || raw === null) {\n    return { ok: false, errors: [{ path: \"\", message: \"roster must be an object\" }] };\n  }\n  const m = raw as Record<string, unknown>;\n  if (!Array.isArray(m.apps)) {\n    return { ok: false, errors: [{ path: \"apps\", message: \"expected array\" }] };\n  }\n  const apps = m.apps as unknown[];\n\n  const seenSlugs = new Map<string, number>();\n  const seenSubdomains = new Map<string, number>();\n  const seenNavOrder = new Map<number, number>();\n  let apexCount = 0;\n\n  apps.forEach((entryUnknown, i) => {\n    const path = `apps[${i}]`;\n    if (typeof entryUnknown !== \"object\" || entryUnknown === null) {\n      errors.push({ path, message: \"expected object\" });\n      return;\n    }\n    const entry = entryUnknown as Record<string, unknown>;\n\n    if (typeof entry.slug !== \"string\" || entry.slug === \"\") {\n      errors.push({ path: `${path}.slug`, message: \"expected non-empty string\" });\n    } else {\n      const prior = seenSlugs.get(entry.slug);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.slug`,\n          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`,\n        });\n      } else {\n        seenSlugs.set(entry.slug, i);\n      }\n    }\n\n    if (typeof entry.role !== \"string\" || !ROLES.includes(entry.role)) {\n      errors.push({\n        path: `${path}.role`,\n        message: `expected one of: ${ROLES.join(\", \")}`,\n      });\n    } else if (entry.role === \"apex\") {\n      apexCount++;\n    }\n\n    if (typeof entry.subdomain !== \"string\") {\n      errors.push({ path: `${path}.subdomain`, message: \"expected string\" });\n    } else {\n      if (entry.role === \"apex\" && entry.subdomain !== \"\") {\n        errors.push({\n          path: `${path}.subdomain`,\n          message: \"apex apps must have empty subdomain\",\n        });\n      }\n      if (entry.subdomain !== \"\") {\n        const prior = seenSubdomains.get(entry.subdomain);\n        if (prior !== undefined) {\n          errors.push({\n            path: `${path}.subdomain`,\n            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`,\n          });\n        } else {\n          seenSubdomains.set(entry.subdomain, i);\n        }\n      }\n    }\n\n    if (typeof entry.displayName !== \"string\" || entry.displayName === \"\") {\n      errors.push({\n        path: `${path}.displayName`,\n        message: \"expected non-empty string\",\n      });\n    }\n\n    if (typeof entry.navOrder !== \"number\" || !Number.isFinite(entry.navOrder)) {\n      errors.push({ path: `${path}.navOrder`, message: \"expected number\" });\n    } else {\n      const prior = seenNavOrder.get(entry.navOrder);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.navOrder`,\n          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`,\n        });\n      } else {\n        seenNavOrder.set(entry.navOrder, i);\n      }\n    }\n\n    if (\n      !Array.isArray(entry.requiredIdentityGroups) ||\n      entry.requiredIdentityGroups.some((g) => typeof g !== \"string\")\n    ) {\n      errors.push({\n        path: `${path}.requiredIdentityGroups`,\n        message: \"expected string[]\",\n      });\n    }\n\n    if (entry.enabled !== undefined && typeof entry.enabled !== \"boolean\") {\n      errors.push({ path: `${path}.enabled`, message: \"expected boolean\" });\n    }\n  });\n\n  if (apexCount === 0) {\n    errors.push({ path: \"apps\", message: \"roster must contain exactly one apex entry\" });\n  } else if (apexCount > 1) {\n    errors.push({\n      path: \"apps\",\n      message: `roster must contain exactly one apex entry, found ${apexCount}`,\n    });\n  }\n\n  if (errors.length > 0) return { ok: false, errors };\n  return { ok: true, value: m as unknown as AppsRoster };\n}\n\n/**\n * Filter the roster by user identity groups. Apps with empty\n * `requiredIdentityGroups` are visible to all authenticated users; otherwise\n * the user must be in at least one of the listed groups. `enabled: false`\n * apps are always filtered out.\n */\nexport function filterAppsByIdentityGroups(\n  apps: TenantApp[],\n  userGroups: string[],\n): TenantApp[] {\n  const lower = userGroups.map((g) => g.toLowerCase());\n  return apps.filter((a) => {\n    if (a.enabled === false) return false;\n    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;\n    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));\n  });\n}\n\n/** Sort apps by navOrder ASC, then slug. Mutates a copy, returns it. */\nexport function sortAppsByNavOrder<T extends Pick<TenantApp, \"navOrder\" | \"slug\">>(\n  apps: T[],\n): T[] {\n  return [...apps].sort(\n    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug),\n  );\n}\n"],"mappings":";AAiDA,IAAM,QAA2B,CAAC,QAAQ,OAAO;AAM1C,SAAS,mBACd,KACkF;AAClF,QAAM,SAAkC,CAAC;AACzC,MAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAC3C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,2BAA2B,CAAC,EAAE;AAAA,EAClF;AACA,QAAM,IAAI;AACV,MAAI,CAAC,MAAM,QAAQ,EAAE,IAAI,GAAG;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,QAAQ,SAAS,iBAAiB,CAAC,EAAE;AAAA,EAC5E;AACA,QAAM,OAAO,EAAE;AAEf,QAAM,YAAY,oBAAI,IAAoB;AAC1C,QAAM,iBAAiB,oBAAI,IAAoB;AAC/C,QAAM,eAAe,oBAAI,IAAoB;AAC7C,MAAI,YAAY;AAEhB,OAAK,QAAQ,CAAC,cAAc,MAAM;AAChC,UAAM,OAAO,QAAQ,CAAC;AACtB,QAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,aAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAChD;AAAA,IACF;AACA,UAAM,QAAQ;AAEd,QAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,IAAI;AACvD,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,SAAS,SAAS,4BAA4B,CAAC;AAAA,IAC5E,OAAO;AACL,YAAM,QAAQ,UAAU,IAAI,MAAM,IAAI;AACtC,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,kBAAkB,KAAK,UAAU,MAAM,IAAI,CAAC,kBAAkB,KAAK;AAAA,QAC9E,CAAC;AAAA,MACH,OAAO;AACL,kBAAU,IAAI,MAAM,MAAM,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,SAAS,YAAY,CAAC,MAAM,SAAS,MAAM,IAAI,GAAG;AACjE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,oBAAoB,MAAM,KAAK,IAAI,CAAC;AAAA,MAC/C,CAAC;AAAA,IACH,WAAW,MAAM,SAAS,QAAQ;AAChC;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,cAAc,UAAU;AACvC,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,cAAc,SAAS,kBAAkB,CAAC;AAAA,IACvE,OAAO;AACL,UAAI,MAAM,SAAS,UAAU,MAAM,cAAc,IAAI;AACnD,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,UAAI,MAAM,cAAc,IAAI;AAC1B,cAAM,QAAQ,eAAe,IAAI,MAAM,SAAS;AAChD,YAAI,UAAU,QAAW;AACvB,iBAAO,KAAK;AAAA,YACV,MAAM,GAAG,IAAI;AAAA,YACb,SAAS,uBAAuB,KAAK,UAAU,MAAM,SAAS,CAAC,kBAAkB,KAAK;AAAA,UACxF,CAAC;AAAA,QACH,OAAO;AACL,yBAAe,IAAI,MAAM,WAAW,CAAC;AAAA,QACvC;AAAA,MACF;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,gBAAgB,YAAY,MAAM,gBAAgB,IAAI;AACrE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,MAAM,aAAa,YAAY,CAAC,OAAO,SAAS,MAAM,QAAQ,GAAG;AAC1E,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,aAAa,SAAS,kBAAkB,CAAC;AAAA,IACtE,OAAO;AACL,YAAM,QAAQ,aAAa,IAAI,MAAM,QAAQ;AAC7C,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,sBAAsB,MAAM,QAAQ,kBAAkB,KAAK;AAAA,QACtE,CAAC;AAAA,MACH,OAAO;AACL,qBAAa,IAAI,MAAM,UAAU,CAAC;AAAA,MACpC;AAAA,IACF;AAEA,QACE,CAAC,MAAM,QAAQ,MAAM,sBAAsB,KAC3C,MAAM,uBAAuB,KAAK,CAAC,MAAM,OAAO,MAAM,QAAQ,GAC9D;AACA,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,MAAM,YAAY,UAAa,OAAO,MAAM,YAAY,WAAW;AACrE,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,mBAAmB,CAAC;AAAA,IACtE;AAAA,EACF,CAAC;AAED,MAAI,cAAc,GAAG;AACnB,WAAO,KAAK,EAAE,MAAM,QAAQ,SAAS,6CAA6C,CAAC;AAAA,EACrF,WAAW,YAAY,GAAG;AACxB,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,qDAAqD,SAAS;AAAA,IACzE,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,SAAS,EAAG,QAAO,EAAE,IAAI,OAAO,OAAO;AAClD,SAAO,EAAE,IAAI,MAAM,OAAO,EAA2B;AACvD;AAQO,SAAS,2BACd,MACA,YACa;AACb,QAAM,QAAQ,WAAW,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AACnD,SAAO,KAAK,OAAO,CAAC,MAAM;AACxB,QAAI,EAAE,YAAY,MAAO,QAAO;AAChC,QAAI,CAAC,EAAE,0BAA0B,EAAE,uBAAuB,WAAW,EAAG,QAAO;AAC/E,WAAO,EAAE,uBAAuB,KAAK,CAAC,MAAM,MAAM,SAAS,EAAE,YAAY,CAAC,CAAC;AAAA,EAC7E,CAAC;AACH;AAGO,SAAS,mBACd,MACK;AACL,SAAO,CAAC,GAAG,IAAI,EAAE;AAAA,IACf,CAAC,GAAG,OAAO,EAAE,YAAY,MAAM,EAAE,YAAY,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EAChF;AACF;","names":[]}

package/dist/server/apps-route.d.ts

@@ -0,0 +1,28 @@
+import "server-only";
+import { type AppsRoster } from "../apps-roster/schema.js";
+import type { TenantPublicConfig, TenantServerConfig } from "../tenant-types.js";
+type SessionLike = {
+    user?: {
+        groups?: string[] | null;
+    } | null;
+} | null;
+type AuthFn = () => Promise<SessionLike>;
+export type CreateAppsRouteHandlerOptions = {
+    /** Roster shape, typically `import appsJson from "../../config/apps.json"`. */
+    roster: AppsRoster | unknown;
+    /** Consuming app's `auth()` function. */
+    auth: AuthFn;
+    /**
+     * Tenant config (apex + optional appDomain). Used to derive each app's
+     * absolute `appUrl` from its subdomain. Typically the same struct passed
+     * to createAuth.
+     */
+    tenant: Pick<TenantServerConfig, "apex"> | Pick<TenantPublicConfig, "apex">;
+    /** Set false to make the endpoint public (NOT recommended). Default true. */
+    requireAuth?: boolean;
+};
+export declare function createAppsRouteHandler(opts: CreateAppsRouteHandlerOptions): {
+    GET: () => Promise<Response>;
+};
+export {};
+//# sourceMappingURL=apps-route.d.ts.map

package/dist/server/apps-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apps-route.d.ts","sourceRoot":"","sources":["../../src/server/apps-route.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAcjF,KAAK,WAAW,GAAG;IACjB,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,CAAC;CAC5C,GAAG,IAAI,CAAC;AAET,KAAK,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;AAEzC,MAAM,MAAM,6BAA6B,GAAG;IAC1C,+EAA+E;IAC/E,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC;IAC7B,yCAAyC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,MAAM,EAAE,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;IAC5E,6EAA6E;IAC7E,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB,CAAC;AAOF,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,6BAA6B;eAavD,OAAO,CAAC,QAAQ,CAAC;EA2BnC"}

package/dist/server.cjs

@@ -32,6 +32,7 @@ var server_exports = {};
 __export(server_exports, {
   TENANT_GLOBAL_KEY: () => TENANT_GLOBAL_KEY,
   TenantBootScript: () => TenantBootScript,
+  createAppsRouteHandler: () => createAppsRouteHandler,
   loadTenantConfig: () => loadTenantConfig,
   publicSubset: () => publicSubset
 });
@@ -119,10 +120,177 @@ function TenantBootScript({ config }) {
   props[INNER_HTML_PROP] = { __html: body };
   return React.createElement("script", props);
 }
+
+// src/server/apps-route.ts
+var import_server_only2 = require("server-only");
+
+// src/apps-roster/schema.ts
+var ROLES = ["apex", "spoke"];
+function validateAppsRoster(raw) {
+  const errors = [];
+  if (typeof raw !== "object" || raw === null) {
+    return { ok: false, errors: [{ path: "", message: "roster must be an object" }] };
+  }
+  const m = raw;
+  if (!Array.isArray(m.apps)) {
+    return { ok: false, errors: [{ path: "apps", message: "expected array" }] };
+  }
+  const apps = m.apps;
+  const seenSlugs = /* @__PURE__ */ new Map();
+  const seenSubdomains = /* @__PURE__ */ new Map();
+  const seenNavOrder = /* @__PURE__ */ new Map();
+  let apexCount = 0;
+  apps.forEach((entryUnknown, i) => {
+    const path = `apps[${i}]`;
+    if (typeof entryUnknown !== "object" || entryUnknown === null) {
+      errors.push({ path, message: "expected object" });
+      return;
+    }
+    const entry = entryUnknown;
+    if (typeof entry.slug !== "string" || entry.slug === "") {
+      errors.push({ path: `${path}.slug`, message: "expected non-empty string" });
+    } else {
+      const prior = seenSlugs.get(entry.slug);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.slug`,
+          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`
+        });
+      } else {
+        seenSlugs.set(entry.slug, i);
+      }
+    }
+    if (typeof entry.role !== "string" || !ROLES.includes(entry.role)) {
+      errors.push({
+        path: `${path}.role`,
+        message: `expected one of: ${ROLES.join(", ")}`
+      });
+    } else if (entry.role === "apex") {
+      apexCount++;
+    }
+    if (typeof entry.subdomain !== "string") {
+      errors.push({ path: `${path}.subdomain`, message: "expected string" });
+    } else {
+      if (entry.role === "apex" && entry.subdomain !== "") {
+        errors.push({
+          path: `${path}.subdomain`,
+          message: "apex apps must have empty subdomain"
+        });
+      }
+      if (entry.subdomain !== "") {
+        const prior = seenSubdomains.get(entry.subdomain);
+        if (prior !== void 0) {
+          errors.push({
+            path: `${path}.subdomain`,
+            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`
+          });
+        } else {
+          seenSubdomains.set(entry.subdomain, i);
+        }
+      }
+    }
+    if (typeof entry.displayName !== "string" || entry.displayName === "") {
+      errors.push({
+        path: `${path}.displayName`,
+        message: "expected non-empty string"
+      });
+    }
+    if (typeof entry.navOrder !== "number" || !Number.isFinite(entry.navOrder)) {
+      errors.push({ path: `${path}.navOrder`, message: "expected number" });
+    } else {
+      const prior = seenNavOrder.get(entry.navOrder);
+      if (prior !== void 0) {
+        errors.push({
+          path: `${path}.navOrder`,
+          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`
+        });
+      } else {
+        seenNavOrder.set(entry.navOrder, i);
+      }
+    }
+    if (!Array.isArray(entry.requiredIdentityGroups) || entry.requiredIdentityGroups.some((g) => typeof g !== "string")) {
+      errors.push({
+        path: `${path}.requiredIdentityGroups`,
+        message: "expected string[]"
+      });
+    }
+    if (entry.enabled !== void 0 && typeof entry.enabled !== "boolean") {
+      errors.push({ path: `${path}.enabled`, message: "expected boolean" });
+    }
+  });
+  if (apexCount === 0) {
+    errors.push({ path: "apps", message: "roster must contain exactly one apex entry" });
+  } else if (apexCount > 1) {
+    errors.push({
+      path: "apps",
+      message: `roster must contain exactly one apex entry, found ${apexCount}`
+    });
+  }
+  if (errors.length > 0) return { ok: false, errors };
+  return { ok: true, value: m };
+}
+function filterAppsByIdentityGroups(apps, userGroups) {
+  const lower = userGroups.map((g) => g.toLowerCase());
+  return apps.filter((a) => {
+    if (a.enabled === false) return false;
+    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;
+    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));
+  });
+}
+function sortAppsByNavOrder(apps) {
+  return [...apps].sort(
+    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug)
+  );
+}
+
+// src/server/apps-route.ts
+function deriveAppUrl(app, apex) {
+  if (app.subdomain === "") return `https://${apex}`;
+  return `https://${app.subdomain}.${apex}`;
+}
+function createAppsRouteHandler(opts) {
+  const validated = validateAppsRoster(opts.roster);
+  if (!validated.ok) {
+    throw new Error(
+      `createAppsRouteHandler: roster failed validation: ${validated.errors.map((e) => `${e.path}: ${e.message}`).join("; ")}`
+    );
+  }
+  const apps = validated.value.apps;
+  const requireAuth = opts.requireAuth ?? true;
+  return {
+    GET: async () => {
+      let session = null;
+      if (requireAuth) {
+        session = await opts.auth();
+        if (!session) {
+          return Response.json({ error: "unauthenticated" }, { status: 401 });
+        }
+      }
+      const userGroups = session?.user?.groups ?? [];
+      const visible = filterAppsByIdentityGroups(apps, userGroups);
+      const sorted = sortAppsByNavOrder(visible);
+      const withUrl = sorted.map((a) => ({
+        slug: a.slug,
+        role: a.role,
+        subdomain: a.subdomain,
+        displayName: a.displayName,
+        navOrder: a.navOrder,
+        requiredIdentityGroups: a.requiredIdentityGroups,
+        appUrl: deriveAppUrl(a, opts.tenant.apex)
+      }));
+      return Response.json(withUrl, {
+        headers: {
+          "Cache-Control": "private, s-maxage=300, stale-while-revalidate=600"
+        }
+      });
+    }
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   TENANT_GLOBAL_KEY,
   TenantBootScript,
+  createAppsRouteHandler,
   loadTenantConfig,
   publicSubset
 });

package/dist/server.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/server.ts","../src/server/tenant.ts","../src/tenant-types.ts"],"sourcesContent":["export {\n  loadTenantConfig,\n  publicSubset,\n  TenantBootScript,\n  TENANT_GLOBAL_KEY,\n  type LoadOptions,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"./server/tenant.js\";\n","import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAAO;AACP,YAAuB;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;","names":[]}
+{"version":3,"sources":["../src/server.ts","../src/server/tenant.ts","../src/tenant-types.ts","../src/server/apps-route.ts","../src/apps-roster/schema.ts"],"sourcesContent":["export {\n  loadTenantConfig,\n  publicSubset,\n  TenantBootScript,\n  TENANT_GLOBAL_KEY,\n  type LoadOptions,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"./server/tenant.js\";\nexport {\n  createAppsRouteHandler,\n  type CreateAppsRouteHandlerOptions,\n} from \"./server/apps-route.js\";\n","import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n","import \"server-only\";\n\nimport {\n  filterAppsByIdentityGroups,\n  sortAppsByNavOrder,\n  validateAppsRoster,\n  type TenantApp,\n  type AppsRoster,\n} from \"../apps-roster/schema.js\";\nimport type { TenantPublicConfig, TenantServerConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// /api/apps route handler factory.\n//\n// Replaces the DynamoDB-backed createGetHandler. Reads from a statically\n// imported config/apps.json shipped with the Lambda. Authenticates the user\n// (via the consuming app's `auth` function), filters apps by the user's\n// identity groups, sorts by navOrder, returns JSON. No DynamoDB.\n//\n// The apex's AppShell + each spoke's AppShell both call /api/apps\n// same-origin; both wire this factory with their own auth + roster.\n// =============================================================================\n\ntype SessionLike = {\n  user?: { groups?: string[] | null } | null;\n} | null;\n\ntype AuthFn = () => Promise<SessionLike>;\n\nexport type CreateAppsRouteHandlerOptions = {\n  /** Roster shape, typically `import appsJson from \"../../config/apps.json\"`. */\n  roster: AppsRoster | unknown;\n  /** Consuming app's `auth()` function. */\n  auth: AuthFn;\n  /**\n   * Tenant config (apex + optional appDomain). Used to derive each app's\n   * absolute `appUrl` from its subdomain. Typically the same struct passed\n   * to createAuth.\n   */\n  tenant: Pick<TenantServerConfig, \"apex\"> | Pick<TenantPublicConfig, \"apex\">;\n  /** Set false to make the endpoint public (NOT recommended). Default true. */\n  requireAuth?: boolean;\n};\n\nfunction deriveAppUrl(app: TenantApp, apex: string): string {\n  if (app.subdomain === \"\") return `https://${apex}`;\n  return `https://${app.subdomain}.${apex}`;\n}\n\nexport function createAppsRouteHandler(opts: CreateAppsRouteHandlerOptions) {\n  const validated = validateAppsRoster(opts.roster);\n  if (!validated.ok) {\n    throw new Error(\n      `createAppsRouteHandler: roster failed validation: ${validated.errors\n        .map((e) => `${e.path}: ${e.message}`)\n        .join(\"; \")}`,\n    );\n  }\n  const apps: TenantApp[] = validated.value.apps;\n  const requireAuth = opts.requireAuth ?? true;\n\n  return {\n    GET: async (): Promise<Response> => {\n      let session: SessionLike = null;\n      if (requireAuth) {\n        session = await opts.auth();\n        if (!session) {\n          return Response.json({ error: \"unauthenticated\" }, { status: 401 });\n        }\n      }\n      const userGroups = session?.user?.groups ?? [];\n      const visible = filterAppsByIdentityGroups(apps, userGroups);\n      const sorted = sortAppsByNavOrder(visible);\n      const withUrl = sorted.map((a) => ({\n        slug: a.slug,\n        role: a.role,\n        subdomain: a.subdomain,\n        displayName: a.displayName,\n        navOrder: a.navOrder,\n        requiredIdentityGroups: a.requiredIdentityGroups,\n        appUrl: deriveAppUrl(a, opts.tenant.apex),\n      }));\n      return Response.json(withUrl, {\n        headers: {\n          \"Cache-Control\": \"private, s-maxage=300, stale-while-revalidate=600\",\n        },\n      });\n    },\n  };\n}\n","// =============================================================================\n// Tenant app roster.\n//\n// One file per tenant that lists every app (apex + spokes) the tenant\n// ecosystem contains. Replaces the runtime DynamoDB registry. Stored as\n// YAML in <tenant>-infra/config/apps.yaml (canonical) and mirrored to\n// <tenant>-apex/config/apps.json for runtime serving by /api/apps.\n//\n// Adding a new spoke = a PR to the spoke repo (its app.manifest.json) +\n// a PR to <tenant>-infra/config/apps.yaml + a PR to <tenant>-apex/config/\n// apps.json. Validation catches drift.\n// =============================================================================\n\nexport type TenantAppRole = \"apex\" | \"spoke\";\n\nexport type TenantApp = {\n  /** Stable identifier. Matches the spoke's app.manifest.json#appSlug. */\n  slug: string;\n  /** \"apex\" (auth broker) or \"spoke\" (product app). */\n  role: TenantAppRole;\n  /** DNS label. Empty string for apex. */\n  subdomain: string;\n  /** Human-friendly name. Drives the shared nav. */\n  displayName: string;\n  /** Sort order. Lower comes first. */\n  navOrder: number;\n  /**\n   * Cognito identity groups required to see this app in cross-app nav\n   * AND to enter its routes (when the spoke's createAuth is wired to its\n   * own manifest's access policy). Empty = all authenticated users.\n   */\n  requiredIdentityGroups: string[];\n  /**\n   * Static feature toggle. Default true. Set false to hide an app from\n   * cross-app nav without removing the entry. Editing this requires a\n   * PR + redeploy -- this is NOT mutable runtime state.\n   */\n  enabled?: boolean;\n};\n\nexport type AppsRoster = {\n  apps: TenantApp[];\n};\n\nexport type RosterValidationError = {\n  path: string;\n  message: string;\n};\n\nconst ROLES: readonly string[] = [\"apex\", \"spoke\"];\n\n/**\n * Pure validator for the roster object (parsed from YAML or JSON). Returns\n * the typed roster on success, or an array of errors on failure. No throws.\n */\nexport function validateAppsRoster(\n  raw: unknown,\n): { ok: true; value: AppsRoster } | { ok: false; errors: RosterValidationError[] } {\n  const errors: RosterValidationError[] = [];\n  if (typeof raw !== \"object\" || raw === null) {\n    return { ok: false, errors: [{ path: \"\", message: \"roster must be an object\" }] };\n  }\n  const m = raw as Record<string, unknown>;\n  if (!Array.isArray(m.apps)) {\n    return { ok: false, errors: [{ path: \"apps\", message: \"expected array\" }] };\n  }\n  const apps = m.apps as unknown[];\n\n  const seenSlugs = new Map<string, number>();\n  const seenSubdomains = new Map<string, number>();\n  const seenNavOrder = new Map<number, number>();\n  let apexCount = 0;\n\n  apps.forEach((entryUnknown, i) => {\n    const path = `apps[${i}]`;\n    if (typeof entryUnknown !== \"object\" || entryUnknown === null) {\n      errors.push({ path, message: \"expected object\" });\n      return;\n    }\n    const entry = entryUnknown as Record<string, unknown>;\n\n    if (typeof entry.slug !== \"string\" || entry.slug === \"\") {\n      errors.push({ path: `${path}.slug`, message: \"expected non-empty string\" });\n    } else {\n      const prior = seenSlugs.get(entry.slug);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.slug`,\n          message: `duplicate slug ${JSON.stringify(entry.slug)} (also at apps[${prior}])`,\n        });\n      } else {\n        seenSlugs.set(entry.slug, i);\n      }\n    }\n\n    if (typeof entry.role !== \"string\" || !ROLES.includes(entry.role)) {\n      errors.push({\n        path: `${path}.role`,\n        message: `expected one of: ${ROLES.join(\", \")}`,\n      });\n    } else if (entry.role === \"apex\") {\n      apexCount++;\n    }\n\n    if (typeof entry.subdomain !== \"string\") {\n      errors.push({ path: `${path}.subdomain`, message: \"expected string\" });\n    } else {\n      if (entry.role === \"apex\" && entry.subdomain !== \"\") {\n        errors.push({\n          path: `${path}.subdomain`,\n          message: \"apex apps must have empty subdomain\",\n        });\n      }\n      if (entry.subdomain !== \"\") {\n        const prior = seenSubdomains.get(entry.subdomain);\n        if (prior !== undefined) {\n          errors.push({\n            path: `${path}.subdomain`,\n            message: `duplicate subdomain ${JSON.stringify(entry.subdomain)} (also at apps[${prior}])`,\n          });\n        } else {\n          seenSubdomains.set(entry.subdomain, i);\n        }\n      }\n    }\n\n    if (typeof entry.displayName !== \"string\" || entry.displayName === \"\") {\n      errors.push({\n        path: `${path}.displayName`,\n        message: \"expected non-empty string\",\n      });\n    }\n\n    if (typeof entry.navOrder !== \"number\" || !Number.isFinite(entry.navOrder)) {\n      errors.push({ path: `${path}.navOrder`, message: \"expected number\" });\n    } else {\n      const prior = seenNavOrder.get(entry.navOrder);\n      if (prior !== undefined) {\n        errors.push({\n          path: `${path}.navOrder`,\n          message: `duplicate navOrder ${entry.navOrder} (also at apps[${prior}])`,\n        });\n      } else {\n        seenNavOrder.set(entry.navOrder, i);\n      }\n    }\n\n    if (\n      !Array.isArray(entry.requiredIdentityGroups) ||\n      entry.requiredIdentityGroups.some((g) => typeof g !== \"string\")\n    ) {\n      errors.push({\n        path: `${path}.requiredIdentityGroups`,\n        message: \"expected string[]\",\n      });\n    }\n\n    if (entry.enabled !== undefined && typeof entry.enabled !== \"boolean\") {\n      errors.push({ path: `${path}.enabled`, message: \"expected boolean\" });\n    }\n  });\n\n  if (apexCount === 0) {\n    errors.push({ path: \"apps\", message: \"roster must contain exactly one apex entry\" });\n  } else if (apexCount > 1) {\n    errors.push({\n      path: \"apps\",\n      message: `roster must contain exactly one apex entry, found ${apexCount}`,\n    });\n  }\n\n  if (errors.length > 0) return { ok: false, errors };\n  return { ok: true, value: m as unknown as AppsRoster };\n}\n\n/**\n * Filter the roster by user identity groups. Apps with empty\n * `requiredIdentityGroups` are visible to all authenticated users; otherwise\n * the user must be in at least one of the listed groups. `enabled: false`\n * apps are always filtered out.\n */\nexport function filterAppsByIdentityGroups(\n  apps: TenantApp[],\n  userGroups: string[],\n): TenantApp[] {\n  const lower = userGroups.map((g) => g.toLowerCase());\n  return apps.filter((a) => {\n    if (a.enabled === false) return false;\n    if (!a.requiredIdentityGroups || a.requiredIdentityGroups.length === 0) return true;\n    return a.requiredIdentityGroups.some((g) => lower.includes(g.toLowerCase()));\n  });\n}\n\n/** Sort apps by navOrder ASC, then slug. Mutates a copy, returns it. */\nexport function sortAppsByNavOrder<T extends Pick<TenantApp, \"navOrder\" | \"slug\">>(\n  apps: T[],\n): T[] {\n  return [...apps].sort(\n    (a, b) => (a.navOrder ?? 0) - (b.navOrder ?? 0) || a.slug.localeCompare(b.slug),\n  );\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAAO;AACP,YAAuB;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;;;AE5IA,IAAAA,sBAAO;;;ACiDP,IAAM,QAA2B,CAAC,QAAQ,OAAO;AAM1C,SAAS,mBACd,KACkF;AAClF,QAAM,SAAkC,CAAC;AACzC,MAAI,OAAO,QAAQ,YAAY,QAAQ,MAAM;AAC3C,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,2BAA2B,CAAC,EAAE;AAAA,EAClF;AACA,QAAM,IAAI;AACV,MAAI,CAAC,MAAM,QAAQ,EAAE,IAAI,GAAG;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,EAAE,MAAM,QAAQ,SAAS,iBAAiB,CAAC,EAAE;AAAA,EAC5E;AACA,QAAM,OAAO,EAAE;AAEf,QAAM,YAAY,oBAAI,IAAoB;AAC1C,QAAM,iBAAiB,oBAAI,IAAoB;AAC/C,QAAM,eAAe,oBAAI,IAAoB;AAC7C,MAAI,YAAY;AAEhB,OAAK,QAAQ,CAAC,cAAc,MAAM;AAChC,UAAM,OAAO,QAAQ,CAAC;AACtB,QAAI,OAAO,iBAAiB,YAAY,iBAAiB,MAAM;AAC7D,aAAO,KAAK,EAAE,MAAM,SAAS,kBAAkB,CAAC;AAChD;AAAA,IACF;AACA,UAAM,QAAQ;AAEd,QAAI,OAAO,MAAM,SAAS,YAAY,MAAM,SAAS,IAAI;AACvD,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,SAAS,SAAS,4BAA4B,CAAC;AAAA,IAC5E,OAAO;AACL,YAAM,QAAQ,UAAU,IAAI,MAAM,IAAI;AACtC,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,kBAAkB,KAAK,UAAU,MAAM,IAAI,CAAC,kBAAkB,KAAK;AAAA,QAC9E,CAAC;AAAA,MACH,OAAO;AACL,kBAAU,IAAI,MAAM,MAAM,CAAC;AAAA,MAC7B;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,SAAS,YAAY,CAAC,MAAM,SAAS,MAAM,IAAI,GAAG;AACjE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,oBAAoB,MAAM,KAAK,IAAI,CAAC;AAAA,MAC/C,CAAC;AAAA,IACH,WAAW,MAAM,SAAS,QAAQ;AAChC;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,cAAc,UAAU;AACvC,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,cAAc,SAAS,kBAAkB,CAAC;AAAA,IACvE,OAAO;AACL,UAAI,MAAM,SAAS,UAAU,MAAM,cAAc,IAAI;AACnD,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,UAAI,MAAM,cAAc,IAAI;AAC1B,cAAM,QAAQ,eAAe,IAAI,MAAM,SAAS;AAChD,YAAI,UAAU,QAAW;AACvB,iBAAO,KAAK;AAAA,YACV,MAAM,GAAG,IAAI;AAAA,YACb,SAAS,uBAAuB,KAAK,UAAU,MAAM,SAAS,CAAC,kBAAkB,KAAK;AAAA,UACxF,CAAC;AAAA,QACH,OAAO;AACL,yBAAe,IAAI,MAAM,WAAW,CAAC;AAAA,QACvC;AAAA,MACF;AAAA,IACF;AAEA,QAAI,OAAO,MAAM,gBAAgB,YAAY,MAAM,gBAAgB,IAAI;AACrE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,MAAM,aAAa,YAAY,CAAC,OAAO,SAAS,MAAM,QAAQ,GAAG;AAC1E,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,aAAa,SAAS,kBAAkB,CAAC;AAAA,IACtE,OAAO;AACL,YAAM,QAAQ,aAAa,IAAI,MAAM,QAAQ;AAC7C,UAAI,UAAU,QAAW;AACvB,eAAO,KAAK;AAAA,UACV,MAAM,GAAG,IAAI;AAAA,UACb,SAAS,sBAAsB,MAAM,QAAQ,kBAAkB,KAAK;AAAA,QACtE,CAAC;AAAA,MACH,OAAO;AACL,qBAAa,IAAI,MAAM,UAAU,CAAC;AAAA,MACpC;AAAA,IACF;AAEA,QACE,CAAC,MAAM,QAAQ,MAAM,sBAAsB,KAC3C,MAAM,uBAAuB,KAAK,CAAC,MAAM,OAAO,MAAM,QAAQ,GAC9D;AACA,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,QAAI,MAAM,YAAY,UAAa,OAAO,MAAM,YAAY,WAAW;AACrE,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,mBAAmB,CAAC;AAAA,IACtE;AAAA,EACF,CAAC;AAED,MAAI,cAAc,GAAG;AACnB,WAAO,KAAK,EAAE,MAAM,QAAQ,SAAS,6CAA6C,CAAC;AAAA,EACrF,WAAW,YAAY,GAAG;AACxB,WAAO,KAAK;AAAA,MACV,MAAM;AAAA,MACN,SAAS,qDAAqD,SAAS;AAAA,IACzE,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,SAAS,EAAG,QAAO,EAAE,IAAI,OAAO,OAAO;AAClD,SAAO,EAAE,IAAI,MAAM,OAAO,EAA2B;AACvD;AAQO,SAAS,2BACd,MACA,YACa;AACb,QAAM,QAAQ,WAAW,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AACnD,SAAO,KAAK,OAAO,CAAC,MAAM;AACxB,QAAI,EAAE,YAAY,MAAO,QAAO;AAChC,QAAI,CAAC,EAAE,0BAA0B,EAAE,uBAAuB,WAAW,EAAG,QAAO;AAC/E,WAAO,EAAE,uBAAuB,KAAK,CAAC,MAAM,MAAM,SAAS,EAAE,YAAY,CAAC,CAAC;AAAA,EAC7E,CAAC;AACH;AAGO,SAAS,mBACd,MACK;AACL,SAAO,CAAC,GAAG,IAAI,EAAE;AAAA,IACf,CAAC,GAAG,OAAO,EAAE,YAAY,MAAM,EAAE,YAAY,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EAChF;AACF;;;AD5JA,SAAS,aAAa,KAAgB,MAAsB;AAC1D,MAAI,IAAI,cAAc,GAAI,QAAO,WAAW,IAAI;AAChD,SAAO,WAAW,IAAI,SAAS,IAAI,IAAI;AACzC;AAEO,SAAS,uBAAuB,MAAqC;AAC1E,QAAM,YAAY,mBAAmB,KAAK,MAAM;AAChD,MAAI,CAAC,UAAU,IAAI;AACjB,UAAM,IAAI;AAAA,MACR,qDAAqD,UAAU,OAC5D,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EACpC,KAAK,IAAI,CAAC;AAAA,IACf;AAAA,EACF;AACA,QAAM,OAAoB,UAAU,MAAM;AAC1C,QAAM,cAAc,KAAK,eAAe;AAExC,SAAO;AAAA,IACL,KAAK,YAA+B;AAClC,UAAI,UAAuB;AAC3B,UAAI,aAAa;AACf,kBAAU,MAAM,KAAK,KAAK;AAC1B,YAAI,CAAC,SAAS;AACZ,iBAAO,SAAS,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACpE;AAAA,MACF;AACA,YAAM,aAAa,SAAS,MAAM,UAAU,CAAC;AAC7C,YAAM,UAAU,2BAA2B,MAAM,UAAU;AAC3D,YAAM,SAAS,mBAAmB,OAAO;AACzC,YAAM,UAAU,OAAO,IAAI,CAAC,OAAO;AAAA,QACjC,MAAM,EAAE;AAAA,QACR,MAAM,EAAE;AAAA,QACR,WAAW,EAAE;AAAA,QACb,aAAa,EAAE;AAAA,QACf,UAAU,EAAE;AAAA,QACZ,wBAAwB,EAAE;AAAA,QAC1B,QAAQ,aAAa,GAAG,KAAK,OAAO,IAAI;AAAA,MAC1C,EAAE;AACF,aAAO,SAAS,KAAK,SAAS;AAAA,QAC5B,SAAS;AAAA,UACP,iBAAiB;AAAA,QACnB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;","names":["import_server_only"]}

package/dist/server.d.ts

@@ -1,2 +1,3 @@
 export { loadTenantConfig, publicSubset, TenantBootScript, TENANT_GLOBAL_KEY, type LoadOptions, type TenantPublicConfig, type TenantServerConfig, type TenantRole, } from "./server/tenant.js";
+export { createAppsRouteHandler, type CreateAppsRouteHandlerOptions, } from "./server/apps-route.js";
 //# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,UAAU,GAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,sBAAsB,EACtB,KAAK,6BAA6B,GACnC,MAAM,wBAAwB,CAAC"}

package/dist/server.js

@@ -1,3 +1,9 @@
+import {
+  filterAppsByIdentityGroups,
+  sortAppsByNavOrder,
+  validateAppsRoster
+} from "./chunk-ZJFI7R4O.js";
+
 // src/server/tenant.ts
 import "server-only";
 import * as React from "react";
@@ -80,9 +86,55 @@ function TenantBootScript({ config }) {
   props[INNER_HTML_PROP] = { __html: body };
   return React.createElement("script", props);
 }
+
+// src/server/apps-route.ts
+import "server-only";
+function deriveAppUrl(app, apex) {
+  if (app.subdomain === "") return `https://${apex}`;
+  return `https://${app.subdomain}.${apex}`;
+}
+function createAppsRouteHandler(opts) {
+  const validated = validateAppsRoster(opts.roster);
+  if (!validated.ok) {
+    throw new Error(
+      `createAppsRouteHandler: roster failed validation: ${validated.errors.map((e) => `${e.path}: ${e.message}`).join("; ")}`
+    );
+  }
+  const apps = validated.value.apps;
+  const requireAuth = opts.requireAuth ?? true;
+  return {
+    GET: async () => {
+      let session = null;
+      if (requireAuth) {
+        session = await opts.auth();
+        if (!session) {
+          return Response.json({ error: "unauthenticated" }, { status: 401 });
+        }
+      }
+      const userGroups = session?.user?.groups ?? [];
+      const visible = filterAppsByIdentityGroups(apps, userGroups);
+      const sorted = sortAppsByNavOrder(visible);
+      const withUrl = sorted.map((a) => ({
+        slug: a.slug,
+        role: a.role,
+        subdomain: a.subdomain,
+        displayName: a.displayName,
+        navOrder: a.navOrder,
+        requiredIdentityGroups: a.requiredIdentityGroups,
+        appUrl: deriveAppUrl(a, opts.tenant.apex)
+      }));
+      return Response.json(withUrl, {
+        headers: {
+          "Cache-Control": "private, s-maxage=300, stale-while-revalidate=600"
+        }
+      });
+    }
+  };
+}
 export {
   TENANT_GLOBAL_KEY,
   TenantBootScript,
+  createAppsRouteHandler,
   loadTenantConfig,
   publicSubset
 };

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/server/tenant.ts","../src/tenant-types.ts"],"sourcesContent":["import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n"],"mappings":";AAAA,OAAO;AACP,YAAY,WAAW;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;","names":[]}
+{"version":3,"sources":["../src/server/tenant.ts","../src/tenant-types.ts","../src/server/apps-route.ts"],"sourcesContent":["import \"server-only\";\nimport * as React from \"react\";\nimport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantRole,\n  type TenantServerConfig,\n} from \"../tenant-types.js\";\n\n// =============================================================================\n// loadTenantConfig() -- the single source of truth for tenant configuration.\n//\n// Every required process.env read happens here. Missing fields are surfaced\n// in ONE error message so the deploy fails loudly instead of silently\n// substituting undefined into a downstream package.\n//\n// Apex apps call loadTenantConfig({ role: \"apex\" }). Spoke apps call\n// loadTenantConfig({ role: \"spoke\" }). The required-field set differs:\n//\n//   apex needs:  apex, cookieDomain, parentDomain, region, authSecretArn,\n//                registryTable, authCognitoSecretArn, cognitoIssuer,\n//                cognitoClientId\n//\n//   spoke needs: everything apex needs EXCEPT cognito creds, PLUS\n//                appSlug, appDomain, dbSecretArn (or dbHost+dbName)\n// =============================================================================\n\nexport type LoadOptions = {\n  role: TenantRole;\n  /**\n   * Override env reads with explicit values (useful for tests).\n   */\n  overrides?: Partial<TenantServerConfig>;\n};\n\n/**\n * Read tenant configuration from process.env with optional overrides.\n * Throws a single Error listing every missing required field.\n */\nexport function loadTenantConfig(opts: LoadOptions): TenantServerConfig {\n  const env = process.env;\n  const o = opts.overrides ?? {};\n\n  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;\n  const apexFallback = parentDomainRaw?.replace(/^\\./, \"\");\n\n  const draft: Partial<TenantServerConfig> = {\n    role: opts.role,\n    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,\n    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,\n    parentDomain: parentDomainRaw,\n    region: o.region ?? env.AWS_REGION ?? \"us-east-1\",\n    appSlug: o.appSlug ?? env.APP_SLUG,\n    appDomain: o.appDomain ?? env.APP_DOMAIN,\n    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,\n    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,\n    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,\n    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,\n    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,\n    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,\n    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,\n    dbHost: o.dbHost ?? env.DB_HOST,\n    dbName: o.dbName ?? env.DB_NAME,\n    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,\n    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN,\n  };\n\n  if (opts.role === \"apex\" && !draft.appDomain) {\n    draft.appDomain = draft.apex;\n  }\n\n  const required: Array<{ key: keyof TenantServerConfig; env: string }> = [\n    { key: \"apex\", env: \"APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)\" },\n    { key: \"cookieDomain\", env: \"AUTH_COOKIE_DOMAIN\" },\n    { key: \"parentDomain\", env: \"AUTH_ALLOWED_PARENT_DOMAIN\" },\n    { key: \"authSecretArn\", env: \"AUTH_SECRET_ARN\" },\n    { key: \"appDomain\", env: \"APP_DOMAIN\" },\n  ];\n  if (opts.role === \"apex\") {\n    required.push(\n      { key: \"authCognitoSecretArn\", env: \"AUTH_COGNITO_SECRET_ARN\" },\n      { key: \"cognitoIssuer\", env: \"AUTH_COGNITO_ISSUER\" },\n      { key: \"cognitoClientId\", env: \"AUTH_COGNITO_ID\" },\n    );\n  } else {\n    required.push({ key: \"appSlug\", env: \"APP_SLUG\" });\n  }\n\n  if (\n    process.env.NEXT_PHASE === \"phase-production-build\" ||\n    !process.env.AWS_LAMBDA_FUNCTION_NAME\n  ) {\n    return draft as TenantServerConfig;\n  }\n\n  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);\n  if (missing.length > 0) {\n    throw new Error(\n      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(\", \")}`,\n    );\n  }\n\n  return draft as TenantServerConfig;\n}\n\n/**\n * Reduce a TenantServerConfig to the public-safe subset. Strips every\n * secret-arn so the result is safe to ship to the browser via\n * <TenantBootScript />.\n */\nexport function publicSubset(config: TenantServerConfig): TenantPublicConfig {\n  return {\n    apex: config.apex,\n    cookieDomain: config.cookieDomain,\n    parentDomain: config.parentDomain,\n    region: config.region,\n    appSlug: config.appSlug,\n    appDomain: config.appDomain,\n    role: config.role,\n  };\n}\n\n// =============================================================================\n// <TenantBootScript /> -- server component that injects window.__TENANT__\n// before paint. Every client widget reads from this global.\n//\n// The payload is JSON.stringify of a TYPED struct -- we control every field\n// shape. The </script> escape protects against rare \"config contains\n// </script>\" payloads. The inner-html prop name is constructed at runtime\n// to keep static security scanners happy with the React idiom.\n// =============================================================================\n\nconst INNER_HTML_PROP = \"dangerously\" + \"SetInner\" + \"HTML\";\n\nexport function TenantBootScript({ config }: { config: TenantPublicConfig }) {\n  const payload = JSON.stringify(config).replace(/</g, \"\\\\u003c\");\n  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;\n  const props: Record<string, unknown> = {};\n  props[INNER_HTML_PROP] = { __html: body };\n  return React.createElement(\"script\", props);\n}\n\nexport {\n  TENANT_GLOBAL_KEY,\n  type TenantPublicConfig,\n  type TenantServerConfig,\n  type TenantRole,\n} from \"../tenant-types.js\";\n","// =============================================================================\n// TenantConfig -- the single struct every @augmenting-integrations package\n// consumes. Apex apps and spokes share the same type; spoke-only fields are\n// optional. The `role` discriminator tells loadTenantConfig() which fields\n// to demand.\n//\n// Public fields (apex + parent domain + slug) are safe to ship to the browser\n// via <TenantBootScript />. Secret-arn fields are server-only and never reach\n// the client bundle.\n// =============================================================================\n\nexport type TenantRole = \"apex\" | \"spoke\";\n\nexport type TenantPublicConfig = {\n  /** The tenant apex FQDN, e.g. \"agency.aillc.link\". */\n  apex: string;\n  /**\n   * Cookie Domain attribute. Always the apex (no leading dot needed -- the\n   * browser implies it for shared cookies). Auth.js session cookie and the\n   * theme x-theme/x-theme-variant cookies use this. Without it cookies are\n   * host-only and the subdomain ecosystem breaks.\n   */\n  cookieDomain: string;\n  /**\n   * The registrable parent domain (e.g. \"aillc.link\"). Used by the auth\n   * redirect callback to validate post-login callbacks back to any subdomain\n   * of the tenant. Distinct from cookieDomain in two-level apex setups.\n   */\n  parentDomain: string;\n  /** AWS region. Default: us-east-1. */\n  region: string;\n  /**\n   * For spoke apps: this spoke's slug (matches app registry primary key).\n   * For apex: undefined.\n   */\n  appSlug?: string;\n  /**\n   * For spoke apps: this spoke's FQDN (e.g. \"leads.agency.aillc.link\").\n   * For apex: same as `apex`.\n   */\n  appDomain: string;\n  /** \"apex\" or \"spoke\". Affects which secret-arn fields are required. */\n  role: TenantRole;\n};\n\nexport type TenantServerConfig = TenantPublicConfig & {\n  /** AUTH_SECRET ARN in Secrets Manager. Used by createAuth(). */\n  authSecretArn: string;\n  /** App registry DynamoDB table name. Apex owns the table; spokes read. */\n  registryTable: string;\n  /** Cognito client secret ARN. Apex only -- spokes don't run the OAuth dance. */\n  authCognitoSecretArn?: string;\n  /** Cognito issuer URL (apex only). */\n  cognitoIssuer?: string;\n  /** Cognito client ID (apex only). */\n  cognitoClientId?: string;\n  /** Comma-separated admin emails (auto-promoted on first sign-in). */\n  adminEmails?: string;\n  /** Aurora connection secret ARN (spoke only). */\n  dbSecretArn?: string;\n  /** Aurora endpoint host (spoke only). */\n  dbHost?: string;\n  /** Aurora database name (spoke only). */\n  dbName?: string;\n  /** Stripe credentials bundle ARN (spoke that does billing). */\n  stripeSecretArn?: string;\n  /** Stripe webhook signing secret ARN (spoke that does billing). */\n  stripeWebhookSecretArn?: string;\n};\n\nexport const TENANT_GLOBAL_KEY = \"__TENANT__\" as const;\n\ndeclare global {\n  interface Window {\n    [TENANT_GLOBAL_KEY]?: TenantPublicConfig;\n  }\n}\n","import \"server-only\";\n\nimport {\n  filterAppsByIdentityGroups,\n  sortAppsByNavOrder,\n  validateAppsRoster,\n  type TenantApp,\n  type AppsRoster,\n} from \"../apps-roster/schema.js\";\nimport type { TenantPublicConfig, TenantServerConfig } from \"../tenant-types.js\";\n\n// =============================================================================\n// /api/apps route handler factory.\n//\n// Replaces the DynamoDB-backed createGetHandler. Reads from a statically\n// imported config/apps.json shipped with the Lambda. Authenticates the user\n// (via the consuming app's `auth` function), filters apps by the user's\n// identity groups, sorts by navOrder, returns JSON. No DynamoDB.\n//\n// The apex's AppShell + each spoke's AppShell both call /api/apps\n// same-origin; both wire this factory with their own auth + roster.\n// =============================================================================\n\ntype SessionLike = {\n  user?: { groups?: string[] | null } | null;\n} | null;\n\ntype AuthFn = () => Promise<SessionLike>;\n\nexport type CreateAppsRouteHandlerOptions = {\n  /** Roster shape, typically `import appsJson from \"../../config/apps.json\"`. */\n  roster: AppsRoster | unknown;\n  /** Consuming app's `auth()` function. */\n  auth: AuthFn;\n  /**\n   * Tenant config (apex + optional appDomain). Used to derive each app's\n   * absolute `appUrl` from its subdomain. Typically the same struct passed\n   * to createAuth.\n   */\n  tenant: Pick<TenantServerConfig, \"apex\"> | Pick<TenantPublicConfig, \"apex\">;\n  /** Set false to make the endpoint public (NOT recommended). Default true. */\n  requireAuth?: boolean;\n};\n\nfunction deriveAppUrl(app: TenantApp, apex: string): string {\n  if (app.subdomain === \"\") return `https://${apex}`;\n  return `https://${app.subdomain}.${apex}`;\n}\n\nexport function createAppsRouteHandler(opts: CreateAppsRouteHandlerOptions) {\n  const validated = validateAppsRoster(opts.roster);\n  if (!validated.ok) {\n    throw new Error(\n      `createAppsRouteHandler: roster failed validation: ${validated.errors\n        .map((e) => `${e.path}: ${e.message}`)\n        .join(\"; \")}`,\n    );\n  }\n  const apps: TenantApp[] = validated.value.apps;\n  const requireAuth = opts.requireAuth ?? true;\n\n  return {\n    GET: async (): Promise<Response> => {\n      let session: SessionLike = null;\n      if (requireAuth) {\n        session = await opts.auth();\n        if (!session) {\n          return Response.json({ error: \"unauthenticated\" }, { status: 401 });\n        }\n      }\n      const userGroups = session?.user?.groups ?? [];\n      const visible = filterAppsByIdentityGroups(apps, userGroups);\n      const sorted = sortAppsByNavOrder(visible);\n      const withUrl = sorted.map((a) => ({\n        slug: a.slug,\n        role: a.role,\n        subdomain: a.subdomain,\n        displayName: a.displayName,\n        navOrder: a.navOrder,\n        requiredIdentityGroups: a.requiredIdentityGroups,\n        appUrl: deriveAppUrl(a, opts.tenant.apex),\n      }));\n      return Response.json(withUrl, {\n        headers: {\n          \"Cache-Control\": \"private, s-maxage=300, stale-while-revalidate=600\",\n        },\n      });\n    },\n  };\n}\n"],"mappings":";;;;;;;AAAA,OAAO;AACP,YAAY,WAAW;;;ACqEhB,IAAM,oBAAoB;;;AD/B1B,SAAS,iBAAiB,MAAuC;AACtE,QAAM,MAAM,QAAQ;AACpB,QAAM,IAAI,KAAK,aAAa,CAAC;AAE7B,QAAM,kBAAkB,EAAE,gBAAgB,IAAI;AAC9C,QAAM,eAAe,iBAAiB,QAAQ,OAAO,EAAE;AAEvD,QAAM,QAAqC;AAAA,IACzC,MAAM,KAAK;AAAA,IACX,MAAM,EAAE,QAAQ,IAAI,eAAe;AAAA,IACnC,cAAc,EAAE,gBAAgB,IAAI;AAAA,IACpC,cAAc;AAAA,IACd,QAAQ,EAAE,UAAU,IAAI,cAAc;AAAA,IACtC,SAAS,EAAE,WAAW,IAAI;AAAA,IAC1B,WAAW,EAAE,aAAa,IAAI;AAAA,IAC9B,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,sBAAsB,EAAE,wBAAwB,IAAI;AAAA,IACpD,eAAe,EAAE,iBAAiB,IAAI;AAAA,IACtC,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,aAAa,EAAE,eAAe,IAAI;AAAA,IAClC,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,QAAQ,EAAE,UAAU,IAAI;AAAA,IACxB,iBAAiB,EAAE,mBAAmB,IAAI;AAAA,IAC1C,wBAAwB,EAAE,0BAA0B,IAAI;AAAA,EAC1D;AAEA,MAAI,KAAK,SAAS,UAAU,CAAC,MAAM,WAAW;AAC5C,UAAM,YAAY,MAAM;AAAA,EAC1B;AAEA,QAAM,WAAkE;AAAA,IACtE,EAAE,KAAK,QAAQ,KAAK,2DAA2D;AAAA,IAC/E,EAAE,KAAK,gBAAgB,KAAK,qBAAqB;AAAA,IACjD,EAAE,KAAK,gBAAgB,KAAK,6BAA6B;AAAA,IACzD,EAAE,KAAK,iBAAiB,KAAK,kBAAkB;AAAA,IAC/C,EAAE,KAAK,aAAa,KAAK,aAAa;AAAA,EACxC;AACA,MAAI,KAAK,SAAS,QAAQ;AACxB,aAAS;AAAA,MACP,EAAE,KAAK,wBAAwB,KAAK,0BAA0B;AAAA,MAC9D,EAAE,KAAK,iBAAiB,KAAK,sBAAsB;AAAA,MACnD,EAAE,KAAK,mBAAmB,KAAK,kBAAkB;AAAA,IACnD;AAAA,EACF,OAAO;AACL,aAAS,KAAK,EAAE,KAAK,WAAW,KAAK,WAAW,CAAC;AAAA,EACnD;AAEA,MACE,QAAQ,IAAI,eAAe,4BAC3B,CAAC,QAAQ,IAAI,0BACb;AACA,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,SAAS,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG;AACtE,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,IAAI;AAAA,MACR,oBAAoB,KAAK,IAAI,iCAAiC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAClF;AAAA,EACF;AAEA,SAAO;AACT;AAOO,SAAS,aAAa,QAAgD;AAC3E,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,WAAW,OAAO;AAAA,IAClB,MAAM,OAAO;AAAA,EACf;AACF;AAYA,IAAM,kBAAkB;AAEjB,SAAS,iBAAiB,EAAE,OAAO,GAAmC;AAC3E,QAAM,UAAU,KAAK,UAAU,MAAM,EAAE,QAAQ,MAAM,SAAS;AAC9D,QAAM,OAAO,UAAU,iBAAiB,IAAI,OAAO;AACnD,QAAM,QAAiC,CAAC;AACxC,QAAM,eAAe,IAAI,EAAE,QAAQ,KAAK;AACxC,SAAa,oBAAc,UAAU,KAAK;AAC5C;;;AE5IA,OAAO;AA4CP,SAAS,aAAa,KAAgB,MAAsB;AAC1D,MAAI,IAAI,cAAc,GAAI,QAAO,WAAW,IAAI;AAChD,SAAO,WAAW,IAAI,SAAS,IAAI,IAAI;AACzC;AAEO,SAAS,uBAAuB,MAAqC;AAC1E,QAAM,YAAY,mBAAmB,KAAK,MAAM;AAChD,MAAI,CAAC,UAAU,IAAI;AACjB,UAAM,IAAI;AAAA,MACR,qDAAqD,UAAU,OAC5D,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EACpC,KAAK,IAAI,CAAC;AAAA,IACf;AAAA,EACF;AACA,QAAM,OAAoB,UAAU,MAAM;AAC1C,QAAM,cAAc,KAAK,eAAe;AAExC,SAAO;AAAA,IACL,KAAK,YAA+B;AAClC,UAAI,UAAuB;AAC3B,UAAI,aAAa;AACf,kBAAU,MAAM,KAAK,KAAK;AAC1B,YAAI,CAAC,SAAS;AACZ,iBAAO,SAAS,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,QACpE;AAAA,MACF;AACA,YAAM,aAAa,SAAS,MAAM,UAAU,CAAC;AAC7C,YAAM,UAAU,2BAA2B,MAAM,UAAU;AAC3D,YAAM,SAAS,mBAAmB,OAAO;AACzC,YAAM,UAAU,OAAO,IAAI,CAAC,OAAO;AAAA,QACjC,MAAM,EAAE;AAAA,QACR,MAAM,EAAE;AAAA,QACR,WAAW,EAAE;AAAA,QACb,aAAa,EAAE;AAAA,QACf,UAAU,EAAE;AAAA,QACZ,wBAAwB,EAAE;AAAA,QAC1B,QAAQ,aAAa,GAAG,KAAK,OAAO,IAAI;AAAA,MAC1C,EAAE;AACF,aAAO,SAAS,KAAK,SAAS;AAAA,QAC5B,SAAS;AAAA,UACP,iBAAiB;AAAA,QACnB;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@augmenting-integrations/platform",
-  "version": "8.5.0",
+  "version": "8.6.0",
   "description": "Tenant + app manifest contract for the augint platform. Owns TenantConfig (server-side env load + browser-safe public subset + TenantBootScript) and the app.manifest.json schema/loader. Every other @augmenting-integrations/* package consumes tenant context from here, so /auth no longer owns it.",
   "license": "MIT",
   "publishConfig": {
@@ -25,6 +25,11 @@
       "types": "./dist/manifest.d.ts",
       "import": "./dist/manifest.js",
       "require": "./dist/manifest.cjs"
+    },
+    "./apps-roster": {
+      "types": "./dist/apps-roster.d.ts",
+      "import": "./dist/apps-roster.js",
+      "require": "./dist/apps-roster.cjs"
     }
   },
   "files": [