@avora-labs/meta-forge 1.4.0 → 1.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@avora-labs/meta-forge",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "description": "AvoraMetaForge — A meta-driven Angular framework. Define entire applications through structured TypeScript metadata.",
   "keywords": [
     "angular",

package/types/avora-labs-meta-forge.d.ts

@@ -1421,6 +1421,12 @@ interface GlobalAuthMeta {
     headerName?: string;
     /** Token prefix (default: 'Bearer ') */
     tokenPrefix?: string;
+    /**
+     * Enable development mock-login mode.
+     * When true, AuthService skips real API calls and generates a fake JWT locally.
+     * Set this only in dev/demo configs — never in production AppMeta.
+     */
+    mock?: boolean;
     /**
      * AvoraMetaForge Built-in Native Auth UI
      * Let the framework handle auth screens for you using the AmfAuthShell.
@@ -1433,6 +1439,8 @@ interface GlobalAuthMeta {
         brandName?: string;
         /** Custom tagline for auth pages */
         brandTagline?: string;
+        /** Enable OTP two-step verification flow on login */
+        requireOtp?: boolean;
     };
 }
 interface AppBrandingMeta {
@@ -1968,56 +1976,6 @@ declare class MetaStateService {
     static ɵprov: i0.ɵɵInjectableDeclaration<MetaStateService>;
 }
 
-interface AuthUser {
-    id?: string;
-    email?: string;
-    name?: string;
-    roles?: string[];
-    permissions?: string[];
-    avatar?: string;
-    [key: string]: any;
-}
-declare class MetaAuthService {
-    private readonly state;
-    private readonly apiService;
-    private config;
-    private refreshTimer;
-    /** Initialize auth from AppMeta config */
-    configure(authConfig: GlobalAuthMeta): void;
-    /** Store auth token and update state */
-    setToken(token: string, refreshToken?: string): void;
-    /** Get current token */
-    getToken(): string | null;
-    /** Get current refresh token */
-    getRefreshToken(): string | null;
-    /** Check if user is authenticated */
-    isAuthenticated(): boolean;
-    /** Set the current user */
-    setUser(user: AuthUser): void;
-    /** Get current user */
-    getUser(): AuthUser | null;
-    /** Check if user has a specific role */
-    hasRole(role: string): boolean;
-    /** Check if user has ANY of the specified roles */
-    hasAnyRole(roles: string[]): boolean;
-    /** Check if user has a specific permission */
-    hasPermission(permission: string): boolean;
-    /** Check if user has ALL specified permissions */
-    hasAllPermissions(permissions: string[]): boolean;
-    /** Perform login via configured endpoint */
-    login(credentials: Record<string, any>): Promise<any>;
-    /** Perform logout */
-    logout(): Promise<void>;
-    /** Refresh the auth token */
-    refreshAuthToken(): Promise<string | null>;
-    private scheduleTokenRefresh;
-    private getStorage;
-    private getStoredToken;
-    private getFromStorage;
-    static ɵfac: i0.ɵɵFactoryDeclaration<MetaAuthService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<MetaAuthService>;
-}
-
 declare class PluginRegistryService {
     private plugins;
     register(plugin: AvoraMetaForgePlugin): void;
@@ -2216,6 +2174,49 @@ declare class PageHeaderSectionComponent implements MetaSectionComponent<PageHea
     static ɵcmp: i0.ɵɵComponentDeclaration<PageHeaderSectionComponent, "amf-page-header", never, { "config": { "alias": "config"; "required": false; }; "context": { "alias": "context"; "required": false; }; }, {}, never, never, true, never>;
 }
 
+interface AuthUser {
+    id?: string;
+    email?: string;
+    name?: string;
+    roles?: string[];
+    permissions?: string[];
+    avatar?: string;
+    role?: string;
+    [key: string]: any;
+}
+declare class AuthService {
+    private readonly state;
+    private readonly apiService;
+    private readonly router;
+    private config;
+    private refreshTimer;
+    private isDevMode;
+    private readonly REDIRECT_KEY;
+    readonly user: Signal<AuthUser | null>;
+    readonly isAuthenticated: Signal<boolean>;
+    configure(authConfig: GlobalAuthMeta, isDevMode?: boolean): void;
+    setToken(token: string, refreshToken?: string): void;
+    getToken(): string | null;
+    getRefreshToken(): string | null;
+    setUser(user: AuthUser): void;
+    getUserProfile(): AuthUser | null;
+    hasRole(role: string | string[]): boolean;
+    hasPermission(permission: string): boolean;
+    login(credentials: Record<string, any>, preventRedirect?: boolean): Promise<any>;
+    logout(): Promise<void>;
+    private _mockLogin;
+    storeRedirectUrl(url: string): void;
+    private handleRedirect;
+    isTokenExpired(token?: string | null): boolean;
+    refreshAuthToken(): Promise<string | null>;
+    private scheduleTokenRefresh;
+    private getStorage;
+    private getStoredToken;
+    private getFromStorage;
+    static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
+}
+
 interface NavItem {
     label: string;
     icon?: string;
@@ -2334,7 +2335,7 @@ declare const APP_META_CONFIG_TOKEN: InjectionToken<AppMeta>;
  * Returns a synchronous function — Angular waits for it to complete
  * before performing the initial navigation.
  */
-declare function initializeAvoraMetaForge(registry: ComponentRegistryService, routerService: MetaRouterService, apiService: MetaApiService, stateService: MetaStateService, authService: MetaAuthService, actionDispatcher: ActionDispatcherService, conditionEvaluator: ConditionEvaluatorService, pluginRegistry: PluginRegistryService, navService: NavigationService, appConfigService: AppConfigService, config: AppMeta): () => void;
+declare function initializeAvoraMetaForge(registry: ComponentRegistryService, routerService: MetaRouterService, apiService: MetaApiService, stateService: MetaStateService, authService: AuthService, actionDispatcher: ActionDispatcherService, conditionEvaluator: ConditionEvaluatorService, pluginRegistry: PluginRegistryService, navService: NavigationService, appConfigService: AppConfigService, config: AppMeta): () => void;
 /**
  * Call this in app.config.ts to wire up AvoraMetaForge:
  *
@@ -2342,133 +2343,16 @@ declare function initializeAvoraMetaForge(registry: ComponentRegistryService, ro
  */
 declare function provideAvoraMetaForge(config: AppMeta): Provider[];
 
-interface UserProfile {
-    id: string;
-    name: string;
-    email: string;
-    avatar: string;
-    role: string;
-    company: string;
-}
-/**
- * ╔══════════════════════════════════════════════════════════════════╗
- * ║          DEMO / PROTOTYPE AUTH SERVICE — NOT FOR PRODUCTION      ║
- * ╠══════════════════════════════════════════════════════════════════╣
- * ║  This service simulates authentication entirely on the client.   ║
- * ║  The login() method accepts ANY email and password and creates    ║
- * ║  a fake JWT-shaped token. There is NO real credential check.      ║
- * ║                                                                  ║
- * ║  Purpose: let framework developers demo the full auth UI flow     ║
- * ║  (login → guard → interceptor → logout) without a live backend.  ║
- * ║                                                                  ║
- * ║  ── TO SWITCH TO REAL AUTH ─────────────────────────────────── ║
- * ║  Option A (recommended): Use MetaAuthService directly.           ║
- * ║    • Configure `auth.loginEndpoint` in AppMeta to a real endpoint ║
- * ║    • Remove mock:true from that endpoint definition              ║
- * ║    • MetaAuthService handles token storage + auto-refresh        ║
- * ║                                                                  ║
- * ║  Option B: Keep this service but replace _mockLogin() body with  ║
- * ║    a real HTTP call (e.g. via HttpClient or MetaApiService).     ║
- * ║                                                                  ║
- * ║  See FRAMEWORK_GUIDE.md §3 for a step-by-step migration guide.   ║
- * ╚══════════════════════════════════════════════════════════════════╝
- */
-declare class AuthService {
-    private router;
-    /**
-     * Sentinel flag — always `true` on this demo implementation.
-     * Production code can check `AuthService.IS_MOCK_AUTH` to detect
-     * whether real authentication is wired up.
-     */
-    static readonly IS_MOCK_AUTH = true;
-    private readonly TOKEN_KEY;
-    private readonly USER_KEY;
-    private readonly REDIRECT_KEY;
-    private readonly _user;
-    readonly user: i0.Signal<UserProfile | null>;
-    readonly isAuthenticated: i0.Signal<boolean>;
-    constructor(router: Router);
-    private getInitialUser;
-    /**
-     * Authenticate a user.
-     *
-     * ⚠️  DEMO IMPLEMENTATION — accepts any credentials.
-     * Internally delegates to `_mockLogin()` which fabricates a JWT-shaped
-     * token without contacting any server.
-     *
-     * To use real auth, replace the body of `_mockLogin()` (or this method)
-     * with an actual API call. See FRAMEWORK_GUIDE.md §3.
-     */
-    login(email: string, password: string): boolean;
-    /**
-     * ── MOCK IMPLEMENTATION ──────────────────────────────────────────
-     * Generates a fake JWT-shaped token and stores a fabricated user profile.
-     * This method has NO security — it accepts any email/password pair.
-     * It exists purely to allow testing the auth UI flow without a backend.
-     * ─────────────────────────────────────────────────────────────────
-     */
-    private _mockLogin;
-    /** Clear session and navigate to login */
-    logout(): void;
-    /** Get the raw token string */
-    getToken(): string | null;
-    /** Get the current user profile */
-    getUserProfile(): UserProfile | null;
-    /** Check if the current user has a specific role */
-    hasRole(role: string | string[]): boolean;
-    /** Store the URL the user was trying to access before being redirected to login */
-    storeRedirectUrl(url: string): void;
-    /** Check if the mock token is expired */
-    isTokenExpired(token?: string | null): boolean;
-    static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
-}
-
 /**
  * Functional auth guard (CanActivateFn).
  * - Checks if a valid (non-expired) token exists via AuthService.
  * - Stores the attempted URL for post-login redirect.
  * - Redirects unauthenticated users to /login.
- *
- * \u2500\u2500 CURRENT (DEMO) BEHAVIOUR \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
- * Delegates to `AuthService` (the demo/mock auth service).
- * The token it checks is a locally-generated fake JWT \u2014 no server
- * validation occurs. The guard correctly protects routes in the demo
- * but will let any fabricated token through.
- *
- * \u2500\u2500 PRODUCTION MIGRATION PATH \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
- * Option A \u2014 Use the framework\u2019s built-in MetaGuard:
- *   Set `guard: { requireAuth: true, redirectTo: '/login' }` on any
- *   PageMeta definition. MetaGuard already reads from MetaAuthService
- *   and handles role/permission checks declaratively.
- *
- * Option B \u2014 Keep this guard but swap the auth service:
- *   Replace `inject(AuthService)` with `inject(MetaAuthService)` and
- *   call `.isAuthenticated()` on it once real tokens are in flight.
- *
- * See FRAMEWORK_GUIDE.md \u00a73 for step-by-step migration instructions.
  */
 declare const authGuard: CanActivateFn;
 
 /**
  * HTTP Interceptor — Bearer token injection + 401 global logout.
- *
- * ── CURRENT (DEMO) BEHAVIOUR ──────────────────────────────────────────────
- * Reads the Bearer token from `AuthService` (the demo/mock service).
- * The token is a fake JWT-shaped string generated locally — it will be
- * rejected by any real API server that validates JWT signatures.
- *
- * ── PRODUCTION MIGRATION PATH ────────────────────────────────────────────
- * Option A — Swap the token source (minimal change):
- *   Replace `authService.getToken()` with a call to `MetaAuthService.getToken()`
- *   once you have a real login endpoint producing real JWTs.
- *
- * Option B — Remove this interceptor entirely:
- *   Use AvoraMetaForge’s built-in auth injection via `ApiEndpointMeta.auth`.
- *   Set `auth: { type: 'bearer', token: 'state:auth.token' }` on each endpoint
- *   and MetaApiService will inject it automatically. No interceptor needed.
- *
- * See FRAMEWORK_GUIDE.md §3 for step-by-step instructions.
  */
 declare const authInterceptor: HttpInterceptorFn;
 
@@ -2527,5 +2411,5 @@ declare class LayoutComponent {
     static ɵcmp: i0.ɵɵComponentDeclaration<LayoutComponent, "app-layout", never, {}, {}, never, never, true, never>;
 }
 
-export { APP_META_CONFIG_TOKEN, AccordionSectionComponent, ActionDispatcherService, AmfDialogHostComponent, AmfDrawerHostComponent, AppConfigService, AuthService, CardSectionComponent, ComponentRegistryService, ConditionEvaluatorService, FormRendererComponent, LayoutComponent, LayoutType, META_SECTION_CONFIG, META_SECTION_CONTEXT, MetaApiService, MetaAuthService, MetaModalHostComponent, MetaPageComponent, MetaRendererComponent, MetaRouterService, MetaStateService, NotificationService, PageHeaderSectionComponent, PluginRegistryService, RepeaterFieldComponent, StatsGridSectionComponent, StepperFormRendererComponent, TableRendererComponent, ThemeService, authGuard, authInterceptor, getAmfRoutes, initializeAvoraMetaForge, metaCanDeactivateGuard, metaGuard, provideAvoraMetaForge };
-export type { AccordionMeta, AccordionPanelMeta, ActionMeta, ActionType, AggregateRowMeta, AlertMeta, ApiActionConfig, ApiAuthMeta, ApiEndpointMeta, ApiPaginationMeta, AppBrandingMeta, AppMeta, AuthUser, AutosaveMeta, AvoraMetaForgePlugin, BreadcrumbMeta, CacheMeta, CardMeta, CellType, ClearStateActionConfig, ColumnEditValidatorMeta, ColumnMeta, ComputeFieldMeta, ConditionMeta, ConditionOperator, ConditionalActionConfig, ConfirmActionConfig, CopyToClipboardActionConfig, CrossFieldValidatorMeta, CustomComponentMeta, DelayActionConfig, DialogConfig, DispatchMultipleActionConfig, DividerMeta, DownloadFileActionConfig, DrawerActionConfig, EmitActionConfig, EmptyStateMeta, EnvironmentConfig, FieldMeta, FieldType, FocusActionConfig, FooterLinkMeta, ForEachActionConfig, FormLayout, FormMeta, FormStepMeta, GlobalAuthMeta, GuardMeta, HtmlMeta, HttpMethod$1 as HttpMethod, IframeMeta, LayoutConfigMeta, LayoutMeta, LayoutTypeKey, LoadingActionConfig, LogActionConfig, MetaSectionComponent, ModalActionConfig, NavGroupMeta, NavItemMeta, NavigateActionConfig, Notification, NotificationType, NotifyActionConfig, OpenUrlActionConfig, OptionMeta, PageHeaderActionMeta, PageHeaderMeta, PageMeta, PaginationMeta, PatchFormActionConfig, PrintActionConfig, ReloadTableActionConfig, ResetFormActionConfig, ResolverMeta, RetryMeta, RowClassMeta, ScrollToActionConfig, SectionMeta, ServerPaginationConfig, SetStateActionConfig, SetTitleActionConfig, SpacerMeta, StatCardMeta, StateChange, StatsGridMeta, StorageActionConfig, SubmitFormActionConfig, TabMeta, TableActionMeta, TableFilterMeta, TableMeta, TabsMeta, ThemeMeta, TimelineItemMeta, TimelineMeta, ToggleClassActionConfig, TransformContextActionConfig, TransformMeta, UserProfile, ValidatorMeta };
+export { APP_META_CONFIG_TOKEN, AccordionSectionComponent, ActionDispatcherService, AmfDialogHostComponent, AmfDrawerHostComponent, AppConfigService, AuthService, CardSectionComponent, ComponentRegistryService, ConditionEvaluatorService, FormRendererComponent, LayoutComponent, LayoutType, META_SECTION_CONFIG, META_SECTION_CONTEXT, MetaApiService, MetaModalHostComponent, MetaPageComponent, MetaRendererComponent, MetaRouterService, MetaStateService, NotificationService, PageHeaderSectionComponent, PluginRegistryService, RepeaterFieldComponent, StatsGridSectionComponent, StepperFormRendererComponent, TableRendererComponent, ThemeService, authGuard, authInterceptor, getAmfRoutes, initializeAvoraMetaForge, metaCanDeactivateGuard, metaGuard, provideAvoraMetaForge };
+export type { AccordionMeta, AccordionPanelMeta, ActionMeta, ActionType, AggregateRowMeta, AlertMeta, ApiActionConfig, ApiAuthMeta, ApiEndpointMeta, ApiPaginationMeta, AppBrandingMeta, AppMeta, AuthUser, AutosaveMeta, AvoraMetaForgePlugin, BreadcrumbMeta, CacheMeta, CardMeta, CellType, ClearStateActionConfig, ColumnEditValidatorMeta, ColumnMeta, ComputeFieldMeta, ConditionMeta, ConditionOperator, ConditionalActionConfig, ConfirmActionConfig, CopyToClipboardActionConfig, CrossFieldValidatorMeta, CustomComponentMeta, DelayActionConfig, DialogConfig, DispatchMultipleActionConfig, DividerMeta, DownloadFileActionConfig, DrawerActionConfig, EmitActionConfig, EmptyStateMeta, EnvironmentConfig, FieldMeta, FieldType, FocusActionConfig, FooterLinkMeta, ForEachActionConfig, FormLayout, FormMeta, FormStepMeta, GlobalAuthMeta, GuardMeta, HtmlMeta, HttpMethod$1 as HttpMethod, IframeMeta, LayoutConfigMeta, LayoutMeta, LayoutTypeKey, LoadingActionConfig, LogActionConfig, MetaSectionComponent, ModalActionConfig, NavGroupMeta, NavItemMeta, NavigateActionConfig, Notification, NotificationType, NotifyActionConfig, OpenUrlActionConfig, OptionMeta, PageHeaderActionMeta, PageHeaderMeta, PageMeta, PaginationMeta, PatchFormActionConfig, PrintActionConfig, ReloadTableActionConfig, ResetFormActionConfig, ResolverMeta, RetryMeta, RowClassMeta, ScrollToActionConfig, SectionMeta, ServerPaginationConfig, SetStateActionConfig, SetTitleActionConfig, SpacerMeta, StatCardMeta, StateChange, StatsGridMeta, StorageActionConfig, SubmitFormActionConfig, TabMeta, TableActionMeta, TableFilterMeta, TableMeta, TabsMeta, ThemeMeta, TimelineItemMeta, TimelineMeta, ToggleClassActionConfig, TransformContextActionConfig, TransformMeta, ValidatorMeta };