@betterportal/framework 0.0.1

package/lib/codegen/validate.js

@@ -0,0 +1,166 @@
+// -- Fragment file-name pattern ---------------------------------------
+/** Matches `_{location}.{id}.tsx` - at least two dot-separated parts after `_`. */
+const FRAGMENT_PATTERN = /^_([a-zA-Z][a-zA-Z0-9]*)\.([a-zA-Z][a-zA-Z0-9]*)\.tsx$/;
+// -- Validation helpers -----------------------------------------------
+function checkHandlerExports(route, errors) {
+    const hasHandler = route.handlerExports.some((e) => e.startsWith("handle"));
+    if (!hasHandler) {
+        errors.push({
+            file: route.relativePath + "/index.ts",
+            message: `Route "${route.viewId}" does not export any handler function (handleGet, handlePost, etc.).`,
+            severity: "error",
+        });
+    }
+}
+function checkResponseSchema(route, errors) {
+    if (route.isRaw) {
+        if (route.handlerExports.includes("ResponseSchema")) {
+            errors.push({
+                file: route.relativePath + "/index.ts",
+                message: `Raw route "${route.viewId}" must not export a ResponseSchema.`,
+                severity: "error",
+            });
+        }
+        return;
+    }
+    // Streaming routes (spec/streaming.md) export ItemSchema instead; the
+    // buffered response schema is derived by createStreamHandler.
+    if (route.hasItemSchema) {
+        if (route.handlerExports.includes("ResponseSchema")) {
+            errors.push({
+                file: route.relativePath + "/index.ts",
+                message: `Route "${route.viewId}" exports both ItemSchema and ResponseSchema. Streaming routes derive their response schema - remove ResponseSchema.`,
+                severity: "error",
+            });
+        }
+        return;
+    }
+    if (!route.handlerExports.includes("ResponseSchema")) {
+        errors.push({
+            file: route.relativePath + "/index.ts",
+            message: `Route "${route.viewId}" does not export a ResponseSchema.`,
+            severity: "error",
+        });
+    }
+}
+function checkRawRenderers(route, errors) {
+    if (!route.isRaw)
+        return;
+    if (route.themeRenderers.length === 0 && route.streamRenderers.length === 0)
+        return;
+    errors.push({
+        file: route.relativePath + "/index.ts",
+        message: `Raw route "${route.viewId}" cannot have theme renderers.`,
+        severity: "error",
+    });
+}
+function checkFragmentFileNames(route, errors) {
+    for (const renderer of route.themeRenderers) {
+        if (renderer.type !== "fragment")
+            continue;
+        // Extract the file name from the relative import path
+        const segments = renderer.relativePath.split("/");
+        const fileName = segments[segments.length - 1];
+        if (fileName && !FRAGMENT_PATTERN.test(fileName)) {
+            errors.push({
+                file: renderer.relativePath,
+                message: `Fragment file "${fileName}" does not match the _{location}.{id}.tsx pattern.`,
+                severity: "error",
+            });
+        }
+    }
+}
+function checkDuplicateViewIds(routes, errors) {
+    const seen = new Map();
+    for (const route of routes) {
+        const existing = seen.get(route.viewId);
+        if (existing) {
+            errors.push({
+                file: route.relativePath + "/index.ts",
+                message: `Duplicate viewId "${route.viewId}". Also defined at "${existing.relativePath}/index.ts".`,
+                severity: "error",
+            });
+        }
+        else {
+            seen.set(route.viewId, route);
+        }
+    }
+}
+function checkConflictingPaths(routes, errors) {
+    const seen = new Map();
+    for (const route of routes) {
+        // Normalize the path for conflict detection: replace each :param with a
+        // placeholder so "/users/:userId" and "/users/:id" are treated as the
+        // same structural path.
+        const normalized = route.path.replace(/:[^/]+/g, ":*");
+        const existing = seen.get(normalized);
+        if (existing && existing.viewId !== route.viewId) {
+            errors.push({
+                file: route.relativePath + "/index.ts",
+                message: `Path "${route.path}" conflicts with "${existing.path}" (route "${existing.viewId}"). Both resolve to the same structural pattern.`,
+                severity: "error",
+            });
+        }
+        else {
+            seen.set(normalized, route);
+        }
+    }
+}
+function checkThemeRendererOrphans(route, errors) {
+    // Theme renderers should belong to a route that has an index.ts.
+    // Since we only create ScannedRoute entries for directories that have
+    // index.ts, any renderer attached to a route is by definition valid.
+    // However, we can warn if a renderer's path suggests it sits outside
+    // the route's own directory tree. In practice the scanner already
+    // constrains this, but we defensively verify.
+    for (const renderer of route.themeRenderers) {
+        if (!renderer.relativePath.includes(route.relativePath.replace(/\/index\.ts$/, ""))) {
+            // The renderer's relative path does not share the route's base
+            // directory - this should never happen with the scanner, but
+            // guard against hand-edited ScanResults.
+            errors.push({
+                file: renderer.relativePath,
+                message: `Theme renderer "${renderer.rendererId}" (theme "${renderer.themeId}") does not appear to belong to route "${route.viewId}".`,
+                severity: "error",
+            });
+        }
+    }
+}
+function checkMissingThemeRenderers(route, errors) {
+    if (route.isRaw)
+        return;
+    if (route.themeRenderers.length === 0) {
+        const hasHandler = route.handlerExports.some((e) => e.startsWith("handle"));
+        if (hasHandler) {
+            errors.push({
+                file: route.relativePath + "/index.ts",
+                message: `Route "${route.viewId}" has handlers but no theme renderers. The route will serve JSON but not HTML.`,
+                severity: "warning",
+            });
+        }
+    }
+}
+// -- Public API -------------------------------------------------------
+/**
+ * Validate a `ScanResult` for convention violations.
+ *
+ * Returns an array of errors and warnings. An empty array means the
+ * scan result is valid.
+ */
+export function validateScanResult(result) {
+    const errors = [];
+    // Cross-route checks
+    checkDuplicateViewIds(result.routes, errors);
+    checkConflictingPaths(result.routes, errors);
+    // Per-route checks
+    for (const route of result.routes) {
+        checkHandlerExports(route, errors);
+        checkResponseSchema(route, errors);
+        checkRawRenderers(route, errors);
+        checkFragmentFileNames(route, errors);
+        checkThemeRendererOrphans(route, errors);
+        checkMissingThemeRenderers(route, errors);
+    }
+    return errors;
+}
+//# sourceMappingURL=validate.js.map

package/lib/codegen/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/codegen/validate.ts"],"names":[],"mappings":"AAUA,wEAAwE;AAExE,mFAAmF;AACnF,MAAM,gBAAgB,GAAG,wDAAwD,CAAC;AAElF,wEAAwE;AAExE,SAAS,mBAAmB,CAAC,KAAmB,EAAE,MAAyB;IACzE,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE5E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;YACtC,OAAO,EAAE,UAAU,KAAK,CAAC,MAAM,uEAAuE;YACtG,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAmB,EAAE,MAAyB;IACzE,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;gBACtC,OAAO,EAAE,cAAc,KAAK,CAAC,MAAM,qCAAqC;gBACxE,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;QACD,OAAO;IACT,CAAC;IAED,sEAAsE;IACtE,8DAA8D;IAC9D,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;QACxB,IAAI,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;gBACtC,OAAO,EAAE,UAAU,KAAK,CAAC,MAAM,sHAAsH;gBACrJ,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;YACtC,OAAO,EAAE,UAAU,KAAK,CAAC,MAAM,qCAAqC;YACpE,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAmB,EAAE,MAAyB;IACvE,IAAI,CAAC,KAAK,CAAC,KAAK;QAAE,OAAO;IACzB,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACpF,MAAM,CAAC,IAAI,CAAC;QACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;QACtC,OAAO,EAAE,cAAc,KAAK,CAAC,MAAM,gCAAgC;QACnE,QAAQ,EAAE,OAAO;KAClB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAmB,EAAE,MAAyB;IAC5E,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QAC5C,IAAI,QAAQ,CAAC,IAAI,KAAK,UAAU;YAAE,SAAS;QAE3C,sDAAsD;QACtD,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE/C,IAAI,QAAQ,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,QAAQ,CAAC,YAAY;gBAC3B,OAAO,EAAE,kBAAkB,QAAQ,oDAAoD;gBACvF,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAsB,EAAE,MAAyB;IAC9E,MAAM,IAAI,GAAG,IAAI,GAAG,EAAwB,CAAC;IAE7C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;gBACtC,OAAO,EAAE,qBAAqB,KAAK,CAAC,MAAM,uBAAuB,QAAQ,CAAC,YAAY,aAAa;gBACnG,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAsB,EAAE,MAAyB;IAC9E,MAAM,IAAI,GAAG,IAAI,GAAG,EAAwB,CAAC;IAE7C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,wEAAwE;QACxE,sEAAsE;QACtE,wBAAwB;QACxB,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAEtC,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;YACjD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;gBACtC,OAAO,EAAE,SAAS,KAAK,CAAC,IAAI,qBAAqB,QAAQ,CAAC,IAAI,aAAa,QAAQ,CAAC,MAAM,kDAAkD;gBAC5I,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAmB,EAAE,MAAyB;IAC/E,iEAAiE;IACjE,sEAAsE;IACtE,qEAAqE;IACrE,qEAAqE;IACrE,kEAAkE;IAClE,8CAA8C;IAE9C,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QAC5C,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YACpF,+DAA+D;YAC/D,6DAA6D;YAC7D,yCAAyC;YACzC,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,QAAQ,CAAC,YAAY;gBAC3B,OAAO,EAAE,mBAAmB,QAAQ,CAAC,UAAU,aAAa,QAAQ,CAAC,OAAO,0CAA0C,KAAK,CAAC,MAAM,IAAI;gBACtI,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAmB,EAAE,MAAyB;IAChF,IAAI,KAAK,CAAC,KAAK;QAAE,OAAO;IACxB,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5E,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,KAAK,CAAC,YAAY,GAAG,WAAW;gBACtC,OAAO,EAAE,UAAU,KAAK,CAAC,MAAM,gFAAgF;gBAC/G,QAAQ,EAAE,SAAS;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAkB;IACnD,MAAM,MAAM,GAAsB,EAAE,CAAC;IAErC,qBAAqB;IACrB,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,qBAAqB,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE7C,mBAAmB;IACnB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,mBAAmB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACnC,mBAAmB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACnC,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACjC,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACtC,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACzC,0BAA0B,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/lib/contracts/auth.d.ts

@@ -0,0 +1,160 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+export declare const TokenTypeSchema: av.EnumSchema<readonly ["access", "refresh", "cp-envelope", "setup", "install"]>;
+export type TokenType = Infer<typeof TokenTypeSchema>;
+export declare const JwtClaimsSchema: av.ObjectSchema<{
+    iss: av.StringSchema;
+    aud: av.UnionSchema<[av.StringSchema, av.ArraySchema<av.StringSchema>]>;
+    sub: av.StringSchema;
+    exp: av.IntSchema;
+    iat: av.IntSchema;
+    nbf: av.OptionalSchema<av.IntSchema>;
+    jti: av.StringSchema;
+    realm: av.EnumSchema<readonly ["runtime", "control-plane"]>;
+    tenantId: av.StringSchema;
+    appId: av.StringSchema;
+    roles: av.ArraySchema<av.StringSchema>;
+    tokenType: av.EnumSchema<readonly ["access", "refresh", "cp-envelope", "setup", "install"]>;
+    authProvider: av.OptionalSchema<av.StringSchema>;
+    providerSubject: av.OptionalSchema<av.StringSchema>;
+    provider: av.OptionalSchema<av.ObjectSchema<{
+        username: av.OptionalSchema<av.StringSchema>;
+        profileUrl: av.OptionalSchema<av.StringSchema>;
+        accountId: av.OptionalSchema<av.UnionSchema<[av.StringSchema, av.NumberSchema]>>;
+        nodeId: av.OptionalSchema<av.StringSchema>;
+        scope: av.OptionalSchema<av.StringSchema>;
+    }>>;
+    name: av.OptionalSchema<av.StringSchema>;
+    email: av.OptionalSchema<av.StringSchema>;
+    picture: av.OptionalSchema<av.StringSchema>;
+}>;
+export type JwtClaims = Infer<typeof JwtClaimsSchema>;
+export declare const TokenLifetimeConfigSchema: av.ObjectSchema<{
+    accessTokenSeconds: av.IntSchema;
+    refreshTokenSeconds: av.IntSchema;
+}>;
+export type TokenLifetimeConfig = Infer<typeof TokenLifetimeConfigSchema>;
+export declare const AuthAudienceRuleSchema: av.ObjectSchema<{
+    realm: av.EnumSchema<readonly ["runtime", "control-plane"]>;
+    audiences: av.ArraySchema<av.StringSchema>;
+}>;
+export type AuthAudienceRule = Infer<typeof AuthAudienceRuleSchema>;
+export declare const AppAuthPermissionActionSchema: av.EnumSchema<readonly ["read", "create", "update", "delete"]>;
+export type AppAuthPermissionAction = Infer<typeof AppAuthPermissionActionSchema>;
+export declare const AppAuthPermissionGrantSchema: av.ObjectSchema<{
+    serviceId: av.StringSchema;
+    viewId: av.StringSchema;
+    permissions: av.ArraySchema<av.EnumSchema<readonly ["read", "create", "update", "delete"]>>;
+}>;
+export type AppAuthPermissionGrant = Infer<typeof AppAuthPermissionGrantSchema>;
+export declare const AppAuthRoleSchema: av.ObjectSchema<{
+    id: av.StringSchema;
+    title: av.StringSchema;
+    description: av.OptionalSchema<av.StringSchema>;
+    permissions: av.ArraySchema<av.ObjectSchema<{
+        serviceId: av.StringSchema;
+        viewId: av.StringSchema;
+        permissions: av.ArraySchema<av.EnumSchema<readonly ["read", "create", "update", "delete"]>>;
+    }>>;
+}>;
+export type AppAuthRole = Infer<typeof AppAuthRoleSchema>;
+export declare const DefaultAuthProviderConfigSchema: av.ObjectSchema<{
+    kind: av.LiteralSchema<"betterportal.default">;
+}>;
+export type DefaultAuthProviderConfig = Infer<typeof DefaultAuthProviderConfigSchema>;
+export declare const AuthressProviderConfigSchema: av.ObjectSchema<{
+    kind: av.LiteralSchema<"authress.io">;
+    roleClaimPath: av.StringSchema;
+    subjectClaimPath: av.StringSchema;
+    nameClaimPath: av.OptionalSchema<av.StringSchema>;
+    emailClaimPath: av.OptionalSchema<av.StringSchema>;
+    pictureClaimPath: av.OptionalSchema<av.StringSchema>;
+}>;
+export type AuthressProviderConfig = Infer<typeof AuthressProviderConfigSchema>;
+export declare const AppAuthProviderConfigSchema: av.UnionSchema<[av.ObjectSchema<{
+    kind: av.LiteralSchema<"betterportal.default">;
+}>, av.ObjectSchema<{
+    kind: av.LiteralSchema<"authress.io">;
+    roleClaimPath: av.StringSchema;
+    subjectClaimPath: av.StringSchema;
+    nameClaimPath: av.OptionalSchema<av.StringSchema>;
+    emailClaimPath: av.OptionalSchema<av.StringSchema>;
+    pictureClaimPath: av.OptionalSchema<av.StringSchema>;
+}>]>;
+export type AppAuthProviderConfig = Infer<typeof AppAuthProviderConfigSchema>;
+export declare const AppAuthConfigSchema: av.ObjectSchema<{
+    serviceId: av.StringSchema;
+    provider: av.OptionalSchema<av.UnionSchema<[av.ObjectSchema<{
+        kind: av.LiteralSchema<"betterportal.default">;
+    }>, av.ObjectSchema<{
+        kind: av.LiteralSchema<"authress.io">;
+        roleClaimPath: av.StringSchema;
+        subjectClaimPath: av.StringSchema;
+        nameClaimPath: av.OptionalSchema<av.StringSchema>;
+        emailClaimPath: av.OptionalSchema<av.StringSchema>;
+        pictureClaimPath: av.OptionalSchema<av.StringSchema>;
+    }>]>>;
+    loginViewId: av.OptionalSchema<av.StringSchema>;
+    logoutViewId: av.OptionalSchema<av.StringSchema>;
+    refreshViewId: av.OptionalSchema<av.StringSchema>;
+    expectedIssuer: av.StringSchema;
+    expectedAudience: av.StringSchema;
+    /** Reference URL only - published by the auth service for clients/browsers.
+     *  Verifiers MUST use publicKeys (pushed at /install) to avoid CM -> service fetch. */
+    jwksUri: av.StringSchema;
+    /** Public JWKS pushed by the auth service at /install and on key rotation.
+     *  CP-side JWT verification uses these static keys, never fetches jwksUri. */
+    publicKeys: av.OptionalSchema<av.ObjectSchema<{
+        keys: av.ArraySchema<av.RecordSchema<av.AnySchema>>;
+    }>>;
+    roles: av.ArraySchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        title: av.StringSchema;
+        description: av.OptionalSchema<av.StringSchema>;
+        permissions: av.ArraySchema<av.ObjectSchema<{
+            serviceId: av.StringSchema;
+            viewId: av.StringSchema;
+            permissions: av.ArraySchema<av.EnumSchema<readonly ["read", "create", "update", "delete"]>>;
+        }>>;
+    }>>;
+}>;
+export type AppAuthConfig = Infer<typeof AppAuthConfigSchema>;
+export declare const TenantAppValidationSchema: av.ObjectSchema<{
+    allowed: av.BoolSchema;
+    reason: av.OptionalSchema<av.StringSchema>;
+    upgradeUrl: av.OptionalSchema<av.StringSchema>;
+    retryAfterSeconds: av.OptionalSchema<av.IntSchema>;
+}>;
+export type TenantAppValidation = Infer<typeof TenantAppValidationSchema>;
+export declare const CpEnvelopeClaimsSchema: av.ObjectSchema<{
+    iss: av.StringSchema;
+    aud: av.StringSchema;
+    exp: av.IntSchema;
+    iat: av.IntSchema;
+    jti: av.StringSchema;
+    tokenType: av.LiteralSchema<"cp-envelope">;
+    tenantId: av.StringSchema;
+    appId: av.StringSchema;
+    originUserJti: av.OptionalSchema<av.StringSchema>;
+    cpId: av.StringSchema;
+    cpJwksUri: av.StringSchema;
+}>;
+export type CpEnvelopeClaims = Infer<typeof CpEnvelopeClaimsSchema>;
+export declare const SetupTokenClaimsSchema: av.ObjectSchema<{
+    iss: av.StringSchema;
+    exp: av.IntSchema;
+    iat: av.IntSchema;
+    jti: av.StringSchema;
+    tokenType: av.LiteralSchema<"setup">;
+    /** UUIDv7 - pre-assigned by CP for this install. Becomes tenant.services[].id. */
+    instanceId: av.StringSchema;
+    serviceUrl: av.StringSchema;
+    cpUrl: av.StringSchema;
+    cpJwksUri: av.StringSchema;
+    scope: av.OptionalSchema<av.ObjectSchema<{
+        tenantId: av.StringSchema;
+        appId: av.OptionalSchema<av.StringSchema>;
+    }>>;
+}>;
+export type SetupTokenClaims = Infer<typeof SetupTokenClaimsSchema>;
+//# sourceMappingURL=auth.d.ts.map

package/lib/contracts/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/contracts/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAMrC,eAAO,MAAM,eAAe,kFAA8E,CAAC;AAC3G,MAAM,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAEtD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;EAyBA,CAAC;AAC7B,MAAM,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAEtD,eAAO,MAAM,yBAAyB;;;EAGV,CAAC;AAC7B,MAAM,MAAM,mBAAmB,GAAG,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE1E,eAAO,MAAM,sBAAsB;;;EAGP,CAAC;AAC7B,MAAM,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEpE,eAAO,MAAM,6BAA6B,gEAA4D,CAAC;AACvG,MAAM,MAAM,uBAAuB,GAAG,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAElF,eAAO,MAAM,4BAA4B;;;;EAIb,CAAC;AAC7B,MAAM,MAAM,sBAAsB,GAAG,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAEhF,eAAO,MAAM,iBAAiB;;;;;;;;;EAKF,CAAC;AAC7B,MAAM,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE1D,eAAO,MAAM,+BAA+B;;EAEhB,CAAC;AAC7B,MAAM,MAAM,yBAAyB,GAAG,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAEtF,eAAO,MAAM,4BAA4B;;;;;;;EAOb,CAAC;AAC7B,MAAM,MAAM,sBAAsB,GAAG,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAEhF,eAAO,MAAM,2BAA2B;;;;;;;;;IAGtC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAE9E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;IAQ9B;2FACuF;;IAEvF;kFAC8E;;;;;;;;;;;;;;EAKpD,CAAC;AAC7B,MAAM,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAI9D,eAAO,MAAM,yBAAyB;;;;;EAKV,CAAC;AAC7B,MAAM,MAAM,mBAAmB,GAAG,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAI1E,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAYP,CAAC;AAC7B,MAAM,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAIpE,eAAO,MAAM,sBAAsB;;;;;;IAMjC,kFAAkF;;;;;;;;;EASxD,CAAC;AAC7B,MAAM,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/lib/contracts/auth.js

@@ -0,0 +1,123 @@
+import * as av from "anyvali";
+import { IdentityRealmSchema, UuidV7Schema } from "./common.js";
+const NonEmptyStringSchema = av.string().minLength(1);
+const NonEmptyStringArraySchema = av.array(NonEmptyStringSchema).minItems(1);
+export const TokenTypeSchema = av.enum_(["access", "refresh", "cp-envelope", "setup", "install"]);
+export const JwtClaimsSchema = av.object({
+    iss: NonEmptyStringSchema,
+    aud: av.union([NonEmptyStringSchema, NonEmptyStringArraySchema]),
+    sub: NonEmptyStringSchema,
+    exp: av.int().min(1),
+    iat: av.int().min(0),
+    nbf: av.optional(av.int().min(0)),
+    jti: NonEmptyStringSchema,
+    realm: IdentityRealmSchema,
+    tenantId: UuidV7Schema,
+    appId: UuidV7Schema,
+    roles: av.array(NonEmptyStringSchema).default([]),
+    tokenType: TokenTypeSchema,
+    authProvider: av.optional(av.string().minLength(1)),
+    providerSubject: av.optional(av.string().minLength(1)),
+    provider: av.optional(av.object({
+        username: av.optional(av.string()),
+        profileUrl: av.optional(av.string()),
+        accountId: av.optional(av.union([av.string(), av.number()])),
+        nodeId: av.optional(av.string()),
+        scope: av.optional(av.string())
+    }, { unknownKeys: "strip" })),
+    name: av.optional(av.string()),
+    email: av.optional(av.string()),
+    picture: av.optional(av.string())
+}, { unknownKeys: "strip" });
+export const TokenLifetimeConfigSchema = av.object({
+    accessTokenSeconds: av.int().min(1).default(60 * 15),
+    refreshTokenSeconds: av.int().min(1).default(60 * 60 * 24 * 7)
+}, { unknownKeys: "strip" });
+export const AuthAudienceRuleSchema = av.object({
+    realm: IdentityRealmSchema,
+    audiences: NonEmptyStringArraySchema
+}, { unknownKeys: "strip" });
+export const AppAuthPermissionActionSchema = av.enum_(["read", "create", "update", "delete"]);
+export const AppAuthPermissionGrantSchema = av.object({
+    serviceId: UuidV7Schema,
+    viewId: NonEmptyStringSchema,
+    permissions: av.array(AppAuthPermissionActionSchema).minItems(1)
+}, { unknownKeys: "strip" });
+export const AppAuthRoleSchema = av.object({
+    id: NonEmptyStringSchema,
+    title: NonEmptyStringSchema,
+    description: av.optional(av.string()),
+    permissions: av.array(AppAuthPermissionGrantSchema).default([])
+}, { unknownKeys: "strip" });
+export const DefaultAuthProviderConfigSchema = av.object({
+    kind: av.literal("betterportal.default")
+}, { unknownKeys: "strip" });
+export const AuthressProviderConfigSchema = av.object({
+    kind: av.literal("authress.io"),
+    roleClaimPath: av.string().minLength(1).default("roles"),
+    subjectClaimPath: av.string().minLength(1).default("sub"),
+    nameClaimPath: av.optional(av.string().minLength(1)),
+    emailClaimPath: av.optional(av.string().minLength(1)),
+    pictureClaimPath: av.optional(av.string().minLength(1))
+}, { unknownKeys: "strip" });
+export const AppAuthProviderConfigSchema = av.union([
+    DefaultAuthProviderConfigSchema,
+    AuthressProviderConfigSchema
+]);
+export const AppAuthConfigSchema = av.object({
+    serviceId: UuidV7Schema,
+    provider: av.optional(AppAuthProviderConfigSchema),
+    loginViewId: av.optional(NonEmptyStringSchema),
+    logoutViewId: av.optional(NonEmptyStringSchema),
+    refreshViewId: av.optional(NonEmptyStringSchema),
+    expectedIssuer: NonEmptyStringSchema,
+    expectedAudience: NonEmptyStringSchema,
+    /** Reference URL only - published by the auth service for clients/browsers.
+     *  Verifiers MUST use publicKeys (pushed at /install) to avoid CM -> service fetch. */
+    jwksUri: NonEmptyStringSchema,
+    /** Public JWKS pushed by the auth service at /install and on key rotation.
+     *  CP-side JWT verification uses these static keys, never fetches jwksUri. */
+    publicKeys: av.optional(av.object({
+        keys: av.array(av.record(av.any()))
+    }, { unknownKeys: "strip" })),
+    roles: av.array(AppAuthRoleSchema).default([])
+}, { unknownKeys: "strip" });
+// -- Tenant-app validation (validateTenantApp hook return) -----------
+export const TenantAppValidationSchema = av.object({
+    allowed: av.bool(),
+    reason: av.optional(av.string()),
+    upgradeUrl: av.optional(av.string()),
+    retryAfterSeconds: av.optional(av.int().min(0))
+}, { unknownKeys: "strip" });
+// -- CP envelope token claims ----------------------------------------
+export const CpEnvelopeClaimsSchema = av.object({
+    iss: NonEmptyStringSchema,
+    aud: NonEmptyStringSchema,
+    exp: av.int().min(1),
+    iat: av.int().min(0),
+    jti: NonEmptyStringSchema,
+    tokenType: av.literal("cp-envelope"),
+    tenantId: UuidV7Schema,
+    appId: UuidV7Schema,
+    originUserJti: av.optional(NonEmptyStringSchema),
+    cpId: NonEmptyStringSchema,
+    cpJwksUri: NonEmptyStringSchema
+}, { unknownKeys: "strip" });
+// -- Setup token claims (control-plane -> browser) --------------------
+export const SetupTokenClaimsSchema = av.object({
+    iss: NonEmptyStringSchema,
+    exp: av.int().min(1),
+    iat: av.int().min(0),
+    jti: NonEmptyStringSchema,
+    tokenType: av.literal("setup"),
+    /** UUIDv7 - pre-assigned by CP for this install. Becomes tenant.services[].id. */
+    instanceId: UuidV7Schema,
+    serviceUrl: NonEmptyStringSchema,
+    cpUrl: NonEmptyStringSchema,
+    cpJwksUri: NonEmptyStringSchema,
+    scope: av.optional(av.object({
+        tenantId: UuidV7Schema,
+        appId: av.optional(UuidV7Schema)
+    }, { unknownKeys: "strip" }))
+}, { unknownKeys: "strip" });
+//# sourceMappingURL=auth.js.map

package/lib/contracts/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/contracts/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,oBAAoB,GAAG,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AACtD,MAAM,yBAAyB,GAAG,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAE7E,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,SAAS,CAAU,CAAC,CAAC;AAG3G,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC,MAAM,CAAC;IACvC,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,oBAAoB,EAAE,yBAAyB,CAAC,CAAC;IAChE,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACjC,GAAG,EAAE,oBAAoB;IACzB,KAAK,EAAE,mBAAmB;IAC1B,QAAQ,EAAE,YAAY;IACtB,KAAK,EAAE,YAAY;IACnB,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACjD,SAAS,EAAE,eAAe;IAC1B,YAAY,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACnD,eAAe,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtD,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QAClC,UAAU,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QACpC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC5D,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;QAChC,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;KAChC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7B,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;IAC9B,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;IAC/B,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;CAClC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,CAAC,MAAM,CAAC;IACjD,kBAAkB,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IACpD,mBAAmB,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;CAC/D,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC,MAAM,CAAC;IAC9C,KAAK,EAAE,mBAAmB;IAC1B,SAAS,EAAE,yBAAyB;CACrC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,6BAA6B,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAU,CAAC,CAAC;AAGvG,MAAM,CAAC,MAAM,4BAA4B,GAAG,EAAE,CAAC,MAAM,CAAC;IACpD,SAAS,EAAE,YAAY;IACvB,MAAM,EAAE,oBAAoB;IAC5B,WAAW,EAAE,EAAE,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;CACjE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,iBAAiB,GAAG,EAAE,CAAC,MAAM,CAAC;IACzC,EAAE,EAAE,oBAAoB;IACxB,KAAK,EAAE,oBAAoB;IAC3B,WAAW,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;IACrC,WAAW,EAAE,EAAE,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAChE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,+BAA+B,GAAG,EAAE,CAAC,MAAM,CAAC;IACvD,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,sBAAsB,CAAC;CACzC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,4BAA4B,GAAG,EAAE,CAAC,MAAM,CAAC;IACpD,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC;IAC/B,aAAa,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IACxD,gBAAgB,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACzD,aAAa,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACpD,cAAc,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACrD,gBAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;CACxD,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,2BAA2B,GAAG,EAAE,CAAC,KAAK,CAAC;IAClD,+BAA+B;IAC/B,4BAA4B;CAC7B,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,mBAAmB,GAAG,EAAE,CAAC,MAAM,CAAC;IAC3C,SAAS,EAAE,YAAY;IACvB,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;IAClD,WAAW,EAAE,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;IAC9C,YAAY,EAAE,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;IAC/C,aAAa,EAAE,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;IAChD,cAAc,EAAE,oBAAoB;IACpC,gBAAgB,EAAE,oBAAoB;IACtC;2FACuF;IACvF,OAAO,EAAE,oBAAoB;IAC7B;kFAC8E;IAC9E,UAAU,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAChC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;KACpC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7B,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/C,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,uEAAuE;AAEvE,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,EAAE,CAAC,IAAI,EAAE;IAClB,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;IAChC,UAAU,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC;IACpC,iBAAiB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAChD,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,uEAAuE;AAEvE,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC,MAAM,CAAC;IAC9C,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,oBAAoB;IACzB,SAAS,EAAE,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC;IACpC,QAAQ,EAAE,YAAY;IACtB,KAAK,EAAE,YAAY;IACnB,aAAa,EAAE,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;IAChD,IAAI,EAAE,oBAAoB;IAC1B,SAAS,EAAE,oBAAoB;CAChC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,wEAAwE;AAExE,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC,MAAM,CAAC;IAC9C,GAAG,EAAE,oBAAoB;IACzB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,GAAG,EAAE,oBAAoB;IACzB,SAAS,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;IAC9B,kFAAkF;IAClF,UAAU,EAAE,YAAY;IACxB,UAAU,EAAE,oBAAoB;IAChC,KAAK,EAAE,oBAAoB;IAC3B,SAAS,EAAE,oBAAoB;IAC/B,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAC3B,QAAQ,EAAE,YAAY;QACtB,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC;KACjC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;CAC9B,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC"}

package/lib/contracts/binding.d.ts

@@ -0,0 +1,169 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+export declare const AppRouteSchema: av.ObjectSchema<{
+    id: av.StringSchema;
+    title: av.StringSchema;
+    path: av.StringSchema;
+    viewId: av.StringSchema;
+    serviceId: av.StringSchema;
+    enabled: av.BoolSchema;
+}>;
+export type AppRoute = Infer<typeof AppRouteSchema>;
+export declare const TenantSchema: av.ObjectSchema<{
+    id: av.StringSchema;
+    slug: av.StringSchema;
+    title: av.StringSchema;
+    branding: av.ObjectSchema<{
+        logoUrl: av.OptionalSchema<av.StringSchema>;
+        primaryColor: av.OptionalSchema<av.StringSchema>;
+        secondaryColor: av.OptionalSchema<av.StringSchema>;
+    }>;
+}>;
+export type Tenant = Infer<typeof TenantSchema>;
+export declare const FragmentAssignmentSchema: av.ObjectSchema<{
+    serviceId: av.StringSchema;
+    fragmentId: av.StringSchema;
+    enabled: av.BoolSchema;
+}>;
+export type FragmentAssignment = Infer<typeof FragmentAssignmentSchema>;
+export declare const AppSchema: av.ObjectSchema<{
+    id: av.StringSchema;
+    tenantId: av.StringSchema;
+    slug: av.StringSchema;
+    hostname: av.StringSchema;
+    title: av.StringSchema;
+    themeId: av.StringSchema;
+    routes: av.ArraySchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        title: av.StringSchema;
+        path: av.StringSchema;
+        viewId: av.StringSchema;
+        serviceId: av.StringSchema;
+        enabled: av.BoolSchema;
+    }>>;
+    fragments: av.RecordSchema<av.ArraySchema<av.ObjectSchema<{
+        serviceId: av.StringSchema;
+        fragmentId: av.StringSchema;
+        enabled: av.BoolSchema;
+    }>>>;
+}>;
+export type App = Infer<typeof AppSchema>;
+export declare const BindingTrustSchema: av.ObjectSchema<{
+    credentialId: av.StringSchema;
+    issuer: av.StringSchema;
+    audience: av.StringSchema;
+    scopes: av.ArraySchema<av.StringSchema>;
+    rotationVersion: av.StringSchema;
+}>;
+export type BindingTrust = Infer<typeof BindingTrustSchema>;
+export declare const BindingRecordSchema: av.ObjectSchema<{
+    bindingId: av.StringSchema;
+    serviceId: av.StringSchema;
+    tenantId: av.StringSchema;
+    appIds: av.ArraySchema<av.StringSchema>;
+    endpointBaseUrl: av.StringSchema;
+    deploymentMode: av.EnumSchema<readonly ["bp-hosted", "customer-hosted", "third-party-saas", "self-hosted", "saas-managed"]>;
+    enabled: av.BoolSchema;
+    importedManifestVersion: av.StringSchema;
+    lastSyncAtIso: av.OptionalSchema<av.StringSchema>;
+    trust: av.ObjectSchema<{
+        credentialId: av.StringSchema;
+        issuer: av.StringSchema;
+        audience: av.StringSchema;
+        scopes: av.ArraySchema<av.StringSchema>;
+        rotationVersion: av.StringSchema;
+    }>;
+}>;
+export type BindingRecord = Infer<typeof BindingRecordSchema>;
+export declare const ServiceCatalogEntrySchema: av.ObjectSchema<{
+    serviceId: av.StringSchema;
+    title: av.StringSchema;
+    description: av.StringSchema;
+    category: av.EnumSchema<readonly ["utility", "integration", "theme", "auth", "service"]>;
+    manifestUrl: av.StringSchema;
+    defaultEndpointBaseUrl: av.StringSchema;
+    deploymentModes: av.ArraySchema<av.EnumSchema<readonly ["bp-hosted", "customer-hosted", "third-party-saas", "self-hosted", "saas-managed"]>>;
+    tenantConfigSchemas: av.ArraySchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        title: av.StringSchema;
+        description: av.StringSchema;
+        scope: av.EnumSchema<readonly ["tenant", "app"]>;
+        jsonSchema: av.BaseSchema<unknown, import("./json.js").JsonObject>;
+        groups: av.OptionalSchema<av.ArraySchema<av.ObjectSchema<{
+            id: av.StringSchema;
+            title: av.StringSchema;
+            description: av.OptionalSchema<av.StringSchema>;
+            order: av.OptionalSchema<av.IntSchema>;
+            optional: av.OptionalSchema<av.BoolSchema>;
+        }>>>;
+        fields: av.ArraySchema<av.ObjectSchema<{
+            key: av.StringSchema;
+            title: av.StringSchema;
+            description: av.StringSchema;
+            scope: av.EnumSchema<readonly ["tenant", "app"]>;
+            visibility: av.EnumSchema<readonly ["public", "protected", "secret"]>;
+            ownership: av.EnumSchema<readonly ["bp", "plugin", "mixed"]>;
+            sourceOfTruth: av.EnumSchema<readonly ["bp", "plugin", "external"]>;
+            groupId: av.OptionalSchema<av.StringSchema>;
+            order: av.OptionalSchema<av.IntSchema>;
+            defaultValue: av.OptionalSchema<av.BaseSchema<unknown, import("./json.js").JsonValue>>;
+            ui: av.OptionalSchema<av.ObjectSchema<{
+                control: av.OptionalSchema<av.EnumSchema<readonly ["text", "textarea", "password", "number", "checkbox", "select", "multiselect", "color", "date", "time", "datetime-local", "url", "email"]>>;
+                placeholder: av.OptionalSchema<av.StringSchema>;
+                options: av.OptionalSchema<av.ArraySchema<av.ObjectSchema<{
+                    value: av.StringSchema;
+                    label: av.StringSchema;
+                }>>>;
+                optionsSource: av.OptionalSchema<av.EnumSchema<readonly ["app.routes"]>>;
+                min: av.OptionalSchema<av.UnionSchema<[av.NumberSchema, av.StringSchema]>>;
+                max: av.OptionalSchema<av.UnionSchema<[av.NumberSchema, av.StringSchema]>>;
+                step: av.OptionalSchema<av.NumberSchema>;
+                rows: av.OptionalSchema<av.IntSchema>;
+            }>>;
+            required: av.BoolSchema;
+        }>>;
+    }>>;
+    appConfigSchemas: av.ArraySchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        title: av.StringSchema;
+        description: av.StringSchema;
+        scope: av.EnumSchema<readonly ["tenant", "app"]>;
+        jsonSchema: av.BaseSchema<unknown, import("./json.js").JsonObject>;
+        groups: av.OptionalSchema<av.ArraySchema<av.ObjectSchema<{
+            id: av.StringSchema;
+            title: av.StringSchema;
+            description: av.OptionalSchema<av.StringSchema>;
+            order: av.OptionalSchema<av.IntSchema>;
+            optional: av.OptionalSchema<av.BoolSchema>;
+        }>>>;
+        fields: av.ArraySchema<av.ObjectSchema<{
+            key: av.StringSchema;
+            title: av.StringSchema;
+            description: av.StringSchema;
+            scope: av.EnumSchema<readonly ["tenant", "app"]>;
+            visibility: av.EnumSchema<readonly ["public", "protected", "secret"]>;
+            ownership: av.EnumSchema<readonly ["bp", "plugin", "mixed"]>;
+            sourceOfTruth: av.EnumSchema<readonly ["bp", "plugin", "external"]>;
+            groupId: av.OptionalSchema<av.StringSchema>;
+            order: av.OptionalSchema<av.IntSchema>;
+            defaultValue: av.OptionalSchema<av.BaseSchema<unknown, import("./json.js").JsonValue>>;
+            ui: av.OptionalSchema<av.ObjectSchema<{
+                control: av.OptionalSchema<av.EnumSchema<readonly ["text", "textarea", "password", "number", "checkbox", "select", "multiselect", "color", "date", "time", "datetime-local", "url", "email"]>>;
+                placeholder: av.OptionalSchema<av.StringSchema>;
+                options: av.OptionalSchema<av.ArraySchema<av.ObjectSchema<{
+                    value: av.StringSchema;
+                    label: av.StringSchema;
+                }>>>;
+                optionsSource: av.OptionalSchema<av.EnumSchema<readonly ["app.routes"]>>;
+                min: av.OptionalSchema<av.UnionSchema<[av.NumberSchema, av.StringSchema]>>;
+                max: av.OptionalSchema<av.UnionSchema<[av.NumberSchema, av.StringSchema]>>;
+                step: av.OptionalSchema<av.NumberSchema>;
+                rows: av.OptionalSchema<av.IntSchema>;
+            }>>;
+            required: av.BoolSchema;
+        }>>;
+    }>>;
+    hostedByBetterPortal: av.BoolSchema;
+}>;
+export type ServiceCatalogEntry = Infer<typeof ServiceCatalogEntrySchema>;
+//# sourceMappingURL=binding.d.ts.map

package/lib/contracts/binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"binding.d.ts","sourceRoot":"","sources":["../../src/contracts/binding.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAMrC,eAAO,MAAM,cAAc;;;;;;;EAOC,CAAC;AAC7B,MAAM,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAEpD,eAAO,MAAM,YAAY;;;;;;;;;EASG,CAAC;AAC7B,MAAM,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAEhD,eAAO,MAAM,wBAAwB;;;;EAIT,CAAC;AAC7B,MAAM,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAExE,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;EASM,CAAC;AAC7B,MAAM,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAE1C,eAAO,MAAM,kBAAkB;;;;;;EAMH,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE5D,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;EAWJ,CAAC;AAC7B,MAAM,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAE9D,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWV,CAAC;AAC7B,MAAM,MAAM,mBAAmB,GAAG,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC"}