@book.dev/ui 1.60.0 → 1.64.0

package/dist/providers/AccountProvider.d.ts

@@ -12,23 +12,47 @@ import React, { PropsWithChildren } from 'react';
  *
  * Sync: pull on connect / app open (remote wins), then push the
  * `{preferences, workspaces}` blob on local change (debounced, last-writer-wins).
+ *
+ * Multi-account (OB-194): the client holds a **list** of connected accounts and
+ * an **active** one. Sign-in *adds* an account rather than replacing the current
+ * one; the active account is the identity presented to the data server and the
+ * one whose settings sync. Each account's device token is stored separately and
+ * namespaced (OS keychain on desktop, namespaced `localStorage` on web/dev) —
+ * no cross-account leakage. The single-account fields below keep reflecting the
+ * ACTIVE account, so a lone account behaves exactly as it did before.
  */
 export type AccountStatus = 'disconnected' | 'connecting' | 'syncing' | 'connected' | 'error';
+/** One connected account in the multi-account list. Carries only non-secret
+ *  metadata — the device token lives in the per-account secret store. */
+export interface ConnectedAccount {
+    /** Stable local id for this account slot (namespaces its token + index row). */
+    id: string;
+    /** Display label — the active-persona email, else the name/account host. */
+    name: string;
+    /** The active-persona email (lowercased) when the identity JWS asserts one. */
+    email: string | null;
+    /** The account service base URL this account signed in to. */
+    accountUrl: string;
+    /** Connection status. The ACTIVE account tracks the live status; the others are
+     *  dormant (reported as `connected` until they are made active). */
+    status: AccountStatus;
+}
 interface AccountContextValue {
     status: AccountStatus;
     connected: boolean;
-    /** The device bearer token, for same-app account API calls (e.g. forwarding's
-     *  POST /api/sites). Null when disconnected. Treat as a secret. */
+    /** The device bearer token of the ACTIVE account, for same-app account API
+     *  calls (e.g. forwarding's POST /api/sites). Null when disconnected. Treat as
+     *  a secret. */
     token: string | null;
     /** The label this device registers under (shown in the account dashboard). */
     deviceName: string;
-    /** ISO timestamp of the last successful server sync, or null. */
+    /** ISO timestamp of the active account's last successful server sync, or null. */
     lastSyncedAt: string | null;
     /** A human-readable error from the last failed action, or null. */
     error: string | null;
-    /** The account service base URL (for an "open dashboard" link). */
+    /** The active account's service base URL (for an "open dashboard" link). */
     accountUrl: string;
-    /** Start the deep-link sign-in flow. */
+    /** Start the deep-link sign-in flow (additive — see {@link addAccount}). */
     signIn: () => void;
     /** Complete sign-in from a manually pasted code — the dev/fallback path for when
      *  the `openbook://` deep link can't fire (the user dismisses the "open app?"
@@ -37,10 +61,26 @@ interface AccountContextValue {
     submitCode: (raw: string) => void;
     /** Abandon a pending sign-in (returns to disconnected when not yet connected). */
     cancel: () => void;
-    /** Forget the local token (does not revoke it server-side — do that in the dashboard). */
+    /** Forget the ACTIVE account's token (does not revoke it server-side — do that in
+     *  the dashboard). If other accounts remain, switches to one of them. */
     signOut: () => void;
-    /** Pull-then-push a reconciliation now. */
+    /** Pull-then-push a reconciliation now (for the active account). */
     syncNow: () => void;
+    /** Every connected account, in connection order. */
+    accounts: ConnectedAccount[];
+    /** The id of the active account, or null when none is connected. */
+    activeAccountId: string | null;
+    /** Make `id` the active account: presents its identity, syncs its settings. */
+    setActiveAccount: (id: string) => void;
+    /** Start the sign-in flow to ADD an account (alias of {@link signIn}; the flow
+     *  is additive — a new sign-in never evicts the accounts already connected). */
+    addAccount: () => void;
+    /** Forget account `id` locally (token + metadata). Switches active away from it. */
+    removeAccount: (id: string) => void;
+    /** Re-mint the active identity JWS now (e.g. after forwarding on/off changes the
+     *  required audience, OB-202). Resolves to the audience the issuer scoped the new
+     *  token to, or null when unscoped / nothing minted / disconnected. */
+    remintIdentity: () => Promise<string | null>;
 }
 /** Cross-window handoff (web): the callback page hands the minted token to the
  *  running app over this BroadcastChannel (popup case) or localStorage key

package/dist/providers/ForwardingProvider.d.ts

@@ -1,5 +1,6 @@
 import React, { PropsWithChildren } from 'react';
 import { type TunnelStatus } from '@book.dev/sdk';
+import { type AudienceNoticeCode } from './forwardingAudience';
 /** Combined provisioning/tunnel status. `idle` = never started this session. */
 export type ForwardingStatus = TunnelStatus | 'idle';
 interface ForwardingContextValue {
@@ -13,6 +14,24 @@ interface ForwardingContextValue {
     host: string | null;
     busy: boolean;
     error: string | null;
+    /**
+     * A localizable audience-bind/unbind notice (OB-202), shown when the tunnel is up
+     * but the audience hardening is incomplete (`partialUnscoped`/`ensureRescope`), a
+     * bind step threw (`bindFailed`), or a disable couldn't confirm the relax
+     * (`unbindHeld`). The view maps `code` to a `forwarding.*` string; `detail` is the
+     * raw error for the `{error}` codes. `null` when there's nothing to show.
+     */
+    audienceNotice: {
+        code: AudienceNoticeCode;
+        detail?: string;
+    } | null;
+    /**
+     * Why a publish was refused before the tunnel opened, for localized + severity-aware
+     * display: `unverified` is a precondition (the signed-in owner just needs a verified
+     * identity — render it muted, like {@link signInHint}); `claim-failed` is a genuine
+     * failure (render it as an error). `null` when there's nothing to show.
+     */
+    claimRefusal: 'unverified' | 'claim-failed' | null;
     /** Turn forwarding on: claim the address (sign-in first if needed) + dial out. */
     enable: () => Promise<void>;
     /** Turn forwarding off: drop the tunnel but keep the site key (stable address). */

package/dist/providers/PlatformLibraryProvider.d.ts

@@ -30,6 +30,23 @@ export interface WindowControls {
      */
     watchMaximized?: (cb: (maximized: boolean) => void) => () => void;
 }
+/**
+ * Per-account device-token storage, namespaced by a local account id (OB-194).
+ * The client can hold several account.book.pub accounts at once (work + personal),
+ * so each account's bearer token gets its own slot — no shared key, no
+ * cross-account leakage. The desktop backs this with the OS keychain (one entry
+ * per account id, like {@link ForwardingPlatform.keyStore}); the web shell — and
+ * unsigned desktop *dev* builds, whose per-relink cdhash loses keychain access —
+ * leave it undefined and the UI falls back to a namespaced-`localStorage` store.
+ */
+export interface AccountSecretStore {
+    /** Read account `id`'s device token, or `null` when none is stored. */
+    get(id: string): Promise<string | null>;
+    /** Store (overwrite) account `id`'s device token. */
+    set(id: string, token: string): Promise<void>;
+    /** Forget account `id`'s device token. */
+    delete(id: string): Promise<void>;
+}
 /**
  * How the host completes account.book.pub's deep-link sign-in. The desktop sets
  * a custom-scheme `redirectUri` (`openbook://auth-callback`), opens the browser
@@ -49,6 +66,9 @@ export interface AccountPlatform {
         token: string;
         state: string;
     }) => void) => () => void;
+    /** Secure, per-account device-token storage (OB-194). Omit on web / desktop dev;
+     *  the UI then falls back to a namespaced-`localStorage` store. */
+    secretStore?: AccountSecretStore;
 }
 /**
  * How the host reads/writes an on-disk book folder (the human-readable

package/dist/providers/__tests__/AccountProvider.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/providers/__tests__/forwardingAudience.test.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Audience-bind orchestration (OB-202) — the failure-safe choreography that turns
+ * forwarding on/off without ever stranding the loopback owner. Exercised entirely
+ * through the `setInstancePolicy` / `getInstanceInfo` seams (i.e. `PUT/GET
+ * /api/instance`) over a fake instance, NOT by poking the store: these prove the
+ * three-phase ORDER, the mid-sequence rollback, the disable cleanup, and the
+ * relaunch ensure-scoped short-circuit.
+ */
+export {};

package/dist/providers/forwardingAudience.d.ts

@@ -0,0 +1,165 @@
+/**
+ * Audience-bind orchestration for forwarding (OB-202).
+ *
+ * Enabling the tunnel binds the instance's identity `audience` to its canonical
+ * `<prefix>.book.cloud` host with `requireAudience` (OB-177), so the edge's
+ * aud-scoped viewer tokens verify and a token minted for a *different* site is
+ * rejected. The catch: the local owner reaches the SAME server over loopback with
+ * their OWN token, so requiring the audience while that token is still unscoped
+ * would lock the owner out — yet the owner's token can't be scoped to the host
+ * until the server already accepts it.
+ *
+ * This module is the failure-safe choreography that resolves that chicken-and-egg
+ * WITHOUT ever stranding the owner. It is pure (all side effects injected) so the
+ * three-phase sequence, the mid-sequence rollback, the disable cleanup, and the
+ * relaunch short-circuit are all exercised against `setInstancePolicy` /
+ * `PUT /api/instance` in tests — never by poking the store directly.
+ */
+import { type InstanceConfig, type InstanceInfo } from '@book.dev/sdk';
+/** Side effects the audience-bind drives, injected so the logic stays testable. */
+export interface AudienceBindDeps {
+    /** `PUT /api/instance` — the audience-policy write (gated server-side). */
+    setInstancePolicy(patch: Partial<InstanceConfig>): Promise<InstanceConfig>;
+    /** `GET /api/instance` — to read the persisted `audience` + `requireAudience`. */
+    getInstanceInfo(): Promise<InstanceInfo>;
+    /**
+     * Re-mint the owner's own identity token, scoped to whatever
+     * {@link setLocalAudience} last recorded. Resolves to the audience the issuer
+     * ACTUALLY scoped the minted token to — `null` when it returned an unscoped
+     * token (the issuer scopes only when it runs an audience allowlist) or when
+     * nothing could be minted. The bind decision turns on this REAL value, never on
+     * the audience we merely *asked* for.
+     */
+    remintIdentity(): Promise<string | null>;
+    /** Record (or clear, with `null`) the host the owner's token is scoped to. */
+    setLocalAudience(host: string | null): void;
+}
+/**
+ * A stable, localizable code for every non-clean audience outcome (OB-202). The UI
+ * maps each to a `forwarding.*` message via `t()`; the English `reason` carried
+ * alongside stays for logging and is the `{error}` detail for the failure codes.
+ */
+export type AudienceNoticeCode = 'partialUnscoped' | 'ensureRescope' | 'bindFailed' | 'unbindHeld';
+/** The result of binding (or ensuring) the forwarded audience. */
+export type AudienceBindOutcome = 
+/** Phase 3 reached: `requireAudience` is on and the owner's token is host-scoped. */
+{
+    status: 'bound';
+}
+/**
+ * The `audience` is set but `requireAudience` stays OFF, because no host-scoped
+ * owner token exists (the issuer doesn't scope, or the mint failed) — `partialUnscoped`
+ * — or a resumed session couldn't re-scope this launch (`ensureRescope`). A token for
+ * a *different* site is still rejected; only unscoped tokens stay accepted — no
+ * strict isolation, but crucially no loopback lockout.
+ */
+ | {
+    status: 'partial';
+    code: 'partialUnscoped' | 'ensureRescope';
+    reason: string;
+}
+/** A phase threw; the binding was relaxed back so loopback stays open. */
+ | {
+    status: 'failed';
+    code: 'bindFailed';
+    reason: string;
+};
+/** User-facing reason for the `partial` outcome (issuer returned an unscoped token). */
+export declare const PARTIAL_UNSCOPED_REASON: string;
+/** User-facing reason when a resumed session can't (yet) re-scope the owner token. */
+export declare const ENSURE_RESCOPE_REASON: string;
+/**
+ * Bind the forwarded `host` as this instance's required audience via the seamless
+ * three-phase switch — and never leave the instance requiring an audience the
+ * owner's own token can't satisfy:
+ *
+ *  1. **accept** the host audience but don't REQUIRE it (the owner's still-unscoped
+ *     loopback token keeps verifying);
+ *  2. **scope** the owner's own token to the host AND confirm the issuer really
+ *     scoped it — phase 3 proceeds ONLY on a confirmed host-scoped credential;
+ *  3. **require** the audience: owner (scoped) + edge tokens carry it, others fail.
+ *
+ * If phase 2 can't confirm a host-scoped token, hold at `requireAudience:false`
+ * (a `partial` outcome) rather than lock the owner out. If any phase throws, relax
+ * back to `requireAudience:false` (best-effort) so loopback stays open — the
+ * server's loopback-owner recovery still relaxes it even if that PUT is itself
+ * rejected.
+ */
+export declare function bindForwardingAudience(host: string, deps: AudienceBindDeps): Promise<AudienceBindOutcome>;
+/**
+ * Resume the audience binding on launch WITHOUT relaxing it every time. When the
+ * server already persisted `audience==host && requireAudience` (a previous session
+ * reached phase 3), only re-scope THIS session's owner token — don't transiently
+ * drop `requireAudience` (which would reopen the unscoped-token window on every
+ * relaunch). Otherwise (fresh enable, or a prior `partial`), run the full bind.
+ */
+export declare function ensureForwardingAudience(host: string, deps: AudienceBindDeps): Promise<AudienceBindOutcome>;
+/** The result of ensuring the instance is claimed before it is exposed. */
+export type ForwardingClaimOutcome = 
+/** We atomically claimed ownership to the enabling account's verified subject. */
+{
+    status: 'claimed';
+}
+/** Already claimed (by this owner or anyone) — nothing to do; safe to expose. */
+ | {
+    status: 'already';
+}
+/**
+ * Couldn't claim, so we won't expose. `code` is the stable discriminant the surface
+ * localizes + styles by severity: `unverified` is a precondition the signed-in owner
+ * clears by verifying their identity (NOT a crash); `claim-failed` is a genuine
+ * failure. `reason` is the English fallback for logs / non-UI callers — the UI routes
+ * `code` through `t()` (`forwarding.claimRefusedUnverified` / `forwarding.claimFailed`).
+ */
+ | {
+    status: 'refused';
+    code: 'unverified' | 'claim-failed';
+    reason: string;
+};
+/**
+ * English fallback when forwarding is refused because the account identity is not
+ * JWS-verified yet (on desktop the default owner is `verifiedVia:'local'`). The owner
+ * IS already signed in on this path — what's missing is a verified identity, not an
+ * account — so this guides verifying, not signing in. UI: `forwarding.claimRefusedUnverified`.
+ */
+export declare const UNVERIFIED_CLAIM_REASON = "To publish, your account identity needs to be verified first.";
+/** English fallback when the claim write did not land. UI: `forwarding.claimFailed`. */
+export declare const CLAIM_FAILED_REASON = "Couldn\u2019t claim this device for your account, so it wasn\u2019t published. Try again.";
+/**
+ * Publish-implies-claim (OB-209). Forwarding turns the local instance into a public
+ * ingress that BYPASSES the boot exposure backstop (`assertExposureSafe` only guards
+ * a listener bind; the tunnel reaches the loopback server). An UNCLAIMED instance
+ * short-circuits `authorize()` rule-0 to the legacy guest gate (default
+ * `guestAccess:'write'`) — so exposing it unclaimed = anonymous world-write. We
+ * therefore CLAIM before we expose: atomically bind ownership to the enabling
+ * account's OWN verified subject (the server routes this through the OB-191 CAS and
+ * only ever binds the verified principal — never a client-supplied value), and refuse
+ * to dial out when there is no verified identity to claim with. Idempotent: a
+ * re-enable on an already-claimed instance is a no-op.
+ */
+export declare function ensureClaimedForForwarding(deps: AudienceBindDeps): Promise<ForwardingClaimOutcome>;
+/** The result of unwinding the audience binding on disable. */
+export type AudienceUnbindOutcome = 
+/** `requireAudience` was relaxed and the owner token re-minted unscoped. */
+{
+    status: 'relaxed';
+}
+/** The relax was NOT confirmed; scoping was LEFT INTACT to avoid a lockout. */
+ | {
+    status: 'held';
+    code: 'unbindHeld';
+    reason: string;
+};
+/**
+ * Unwind the binding on disable in the SAFE order: relax `requireAudience` FIRST —
+ * while the owner's token is still scoped to the host, so the PUT verifies — and
+ * ONLY drop the local scoping + re-mint an unscoped owner token once the relax is
+ * CONFIRMED. If the relax fails (the owner is already audience-locked, or the
+ * server is unreachable), DON'T unscope: that would strand the owner behind a
+ * requirement their token no longer satisfies — a permanent loopback lockout.
+ * Leave the scoping intact (`held`) so the owner stays verified and can retry.
+ *
+ * The instance keeps its `audience` for address stability — a later re-enable just
+ * re-asserts `requireAudience`.
+ */
+export declare function unbindForwardingAudience(deps: AudienceBindDeps): Promise<AudienceUnbindOutcome>;

package/dist/screens/pageChrome.d.ts

@@ -36,11 +36,22 @@ export interface PageDocumentProps {
      *  under the header instead of being pushed down by a big gap. */
     hasDatabase?: boolean;
 }
+/** Imperative handle the host uses to hand the caret back from the editor. */
+export interface PageTitleHandle {
+    /** Focus the title and place the caret at the end (editor → title hand-off). */
+    focusEnd(): void;
+}
 export declare const PageHeader: React.FC<{
     title: string;
     icon: string;
     pageId?: string;
+    /** Read-only (a viewer who can't write the page): the title + icon lock down. */
+    readOnly?: boolean;
     onTitleChange?: (title: string) => void;
     onIconChange?: (emoji: string) => void;
     onTitleActiveChange?: (active: boolean) => void;
+    /** Hand the caret down to the editor (Enter, or ↓ on the title's last line). */
+    onLeaveToEditor?: () => void;
+    /** Lets the host (BlockPageDocument) drive focus back here from the editor. */
+    focusRef?: React.Ref<PageTitleHandle>;
 }>;