@camstack/addon-admin-ui 0.1.33 → 0.1.35

package/dist/server/addon.js

@@ -8502,10 +8502,30 @@ const StatusSchema = object({
   }
 });
 const LinkStateSchema = _enum(["unlinked", "linked", "error"]);
+const ExportSetupFieldSchema = object({
+  label: string(),
+  value: string(),
+  /** Mask the value by default + render a reveal toggle (client id, secrets). */
+  secret: boolean().optional()
+});
+const ExportSetupSchema = object({
+  /** A string to render as a scannable QR — HAP `X-HM://…` URI, a pairing URL, etc. Omitted when there's nothing to scan. */
+  qr: string().optional(),
+  /** Label/value rows shown with a copy button (HAP setup code, OAuth URLs, client id, linked-account count, …). */
+  fields: array(ExportSetupFieldSchema).readonly().optional(),
+  /** Free-form operator instructions rendered above the fields. */
+  note: string().optional()
+});
 const DeviceExportStatusSchema = object({
   linkState: LinkStateSchema,
   exposedDeviceCount: number(),
-  error: string().optional()
+  error: string().optional(),
+  /**
+   * Optional pairing/account info the panel renders in a generic
+   * "Setup" section. Addon-agnostic — the addon id identifies the
+   * export target, never an `ecosystem` key here.
+   */
+  setup: ExportSetupSchema.optional()
 });
 const DeviceKindSchema = string();
 const ExposedDeviceSchema = object({
@@ -10175,51 +10195,6 @@ const AuthResultSchema = object({
     validateToken: method(object({ token: string() }), AuthResultSchema.nullable())
   }
 });
-const AuthProviderInfoSchema = object({
-  /** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
-  addonId: string(),
-  /**
-   * Per-instance id when one addon registers multiple "logical"
-   * providers (e.g. OIDC with Google + Microsoft + custom). The login
-   * URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
-   * `:instanceId` from the route. Empty/unset means the addon is a
-   * single-instance provider; the URL is `/addon/${addonId}/start`.
-   */
-  instanceId: string().optional(),
-  /** Display label shown on the login button + admin row. */
-  displayName: string(),
-  /** Optional iconography hint (lucide-react icon name OR emoji). */
-  icon: string().optional(),
-  /** When true, the provider exposes a redirect-based login flow
-   *  (`getLoginUrl` returns a URL the browser navigates to). */
-  hasRedirectFlow: boolean(),
-  /** When true, the provider exposes a credential-form login flow
-   *  (`validateCredentials` accepts username + password). */
-  hasCredentialFlow: boolean(),
-  /** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
-  kind: string().optional(),
-  /** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
-  status: string().optional(),
-  /** When false, the provider is registered but disabled by config; the
-   *  UI surfaces it as inactive without enumerating it for login. */
-  enabled: boolean()
-});
-({
-  methods: {
-    /** All registered auth providers, both enabled and disabled. */
-    listProviders: method(_void(), array(AuthProviderInfoSchema).readonly()),
-    /**
-     * Toggle a provider's enabled flag. Disabled providers stay
-     * registered but aren't surfaced on the login page. The orchestrator
-     * persists the state in `addon-settings` so it survives restarts.
-     */
-    setProviderEnabled: method(
-      object({ addonId: string(), enabled: boolean() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const NetworkEndpointSchema = object({
   url: string(),
   hostname: string(),
@@ -10251,55 +10226,13 @@ const NetworkEndpointEntrySchema = NetworkEndpointSchema.extend({
     getEndpoint: method(_void(), NetworkEndpointSchema.nullable()),
     getStatus: method(_void(), NetworkAccessStatusSchema),
     /**
-     * Enumerate every active ingress entry. Default implementation (when
-     * the provider omits this method) is derived from `getEndpoint()` —
-     * see the remote-access orchestrator for the fallback path.
+     * Enumerate every active ingress entry. Providers that expose only a
+     * single endpoint may omit this method; callers fall back to
+     * `getEndpoint()` in that case.
      */
     listEndpoints: method(_void(), array(NetworkEndpointEntrySchema).readonly())
   }
 });
-const RemoteAccessEndpointSchema = object({
-  url: string(),
-  hostname: string(),
-  port: number(),
-  protocol: _enum(["http", "https"])
-});
-const RemoteAccessProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** When false, the provider is registered but disabled. */
-  enabled: boolean(),
-  /** True when the underlying tunnel/connection is up. */
-  connected: boolean(),
-  /** Public-facing endpoint, when connected. Null otherwise. */
-  endpoint: RemoteAccessEndpointSchema.nullable(),
-  /** Last error message (when connected=false), if available. */
-  error: string().optional()
-});
-({
-  methods: {
-    /** All registered remote-access providers + their live status. */
-    listProviders: method(_void(), array(RemoteAccessProviderInfoSchema).readonly()),
-    /**
-     * Start a specific provider's tunnel. Per-provider config still
-     * lives on the addon's settings panel; this is just the on/off
-     * trigger so the admin UI can manage the lifecycle from one place.
-     */
-    startProvider: method(
-      object({ addonId: string() }),
-      RemoteAccessEndpointSchema,
-      { kind: "mutation", auth: "admin" }
-    ),
-    /** Stop a specific provider's tunnel (idempotent on already-stopped). */
-    stopProvider: method(
-      object({ addonId: string() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const TurnServerSchema = object({
   /** Single URL or list of URLs (e.g. "turn:turn.example.com:3478?transport=udp"). */
   urls: union([string(), array(string())]),
@@ -10319,45 +10252,6 @@ const TurnServerSchema = object({
     )
   }
 });
-const TurnProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** When false, the provider is registered but disabled. */
-  enabled: boolean(),
-  /** Number of servers this provider is currently exposing. */
-  serverCount: number(),
-  /**
-   * Flat list of every TURN/STUN URL this provider currently exposes.
-   * One row per URL (multi-URL ICE server entries are flattened). The
-   * admin UI shows this in a compact per-provider list so operators
-   * can verify what's actually being negotiated without having to dig
-   * into the combined `getAllServers` output.
-   */
-  urls: array(string()).readonly(),
-  /** Last fetch error (when serverCount=0 due to API failure), if any. */
-  error: string().optional()
-});
-({
-  methods: {
-    /** All registered TURN providers + per-provider stats. */
-    listProviders: method(_void(), array(TurnProviderInfoSchema).readonly()),
-    /**
-     * Combined list of TURN/STUN servers from all ENABLED providers.
-     * Consumed by the WebRTC layer at session-creation time —
-     * implementations may fetch fresh short-lived credentials each
-     * call (e.g. Cloudflare API), so consumers SHOULD call per-session.
-     */
-    getAllServers: method(_void(), array(TurnServerSchema).readonly()),
-    /** Toggle a provider's enabled flag. */
-    setProviderEnabled: method(
-      object({ addonId: string(), enabled: boolean() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const SnapshotImageSchema = object({
   base64: string(),
   contentType: string()
@@ -11825,7 +11719,7 @@ const AllowedAddressesSchema = object({
     )
   }
 });
-const MeshEndpointSchema$1 = object({
+const MeshEndpointSchema = object({
   /** Stable identifier within the provider (e.g. `mesh-ipv4`, `magicdns`, `funnel`). */
   id: string(),
   /** Operator-facing label (e.g. "Mesh IPv4", "MagicDNS"). */
@@ -11898,7 +11792,7 @@ const MeshStatusSchema = object({
   /** Number of peers visible to this host (excluding self). */
   peerCount: number(),
   /** Every endpoint this provider exposes for the current host. */
-  endpoints: array(MeshEndpointSchema$1).readonly(),
+  endpoints: array(MeshEndpointSchema).readonly(),
   /** Last error from the daemon, when not joined. */
   error: string().optional(),
   // ── Account / tenant identity (generic across providers) ────────
@@ -11931,7 +11825,25 @@ const MeshStatusSchema = object({
    * doesn't rotate keys for the bound host. Operator-facing surface
    * for "your access expires on …" banners.
    */
-  keyExpiry: number().nullable()
+  keyExpiry: number().nullable(),
+  // ── Onboard-daemon handoff (Tailscale, generic slot) ────────────
+  /**
+   * When the provider runs its OWN mesh daemon (e.g. the Tailscale
+   * client addon in `onboard` mode spawns a private `tailscaled`),
+   * this carries the local control-socket path. Companion addons that
+   * must drive the SAME daemon — chiefly `tailscale-ingress` for
+   * Serve/Funnel — read it to point their CLI at the right socket
+   * instead of the system default. Empty when the provider uses the
+   * host's system daemon (or doesn't have the concept).
+   */
+  daemonSocket: string().optional(),
+  /**
+   * Path to the mesh CLI binary the provider downloaded for onboard
+   * mode. Companion addons reuse it so they don't need a system
+   * install when the operator chose a fully self-contained mesh.
+   * Empty in host mode.
+   */
+  daemonCliPath: string().optional()
 });
 ({
   methods: {
@@ -12043,105 +11955,6 @@ const MeshStatusSchema = object({
     // tabs driven by this cap.
   }
 });
-const MeshEndpointSchema = object({
-  id: string(),
-  label: string(),
-  scope: _enum(["mesh", "public"]),
-  url: string(),
-  hostname: string(),
-  port: number(),
-  protocol: _enum(["http", "https"])
-});
-const MeshProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** True when the host is joined to this provider's mesh. */
-  joined: boolean(),
-  /** Local mesh IP (empty when not joined). */
-  meshIp: string(),
-  /** MagicDNS / mesh hostname (empty when not configured). */
-  magicDnsHostname: string(),
-  /** Peer count (excluding self). */
-  peerCount: number(),
-  /** Active endpoints (mesh IP + MagicDNS + optional public Funnel). */
-  endpoints: array(MeshEndpointSchema).readonly(),
-  /** Last error reported by the provider. */
-  error: string().optional(),
-  // ── Generic identity fields mirrored from MeshStatus ─────────────
-  /** Tenant / tailnet / network display name. Empty pre-join. */
-  tenantName: string(),
-  /** Mesh DNS suffix (e.g. tailXXXX.ts.net). Empty when not configured. */
-  magicDnsSuffix: string(),
-  /** Authenticated user / account login. Null for token-only providers. */
-  userLogin: string().nullable(),
-  /** Provider control-plane URL. */
-  controlPlaneUrl: string(),
-  /** Machine-key expiry (epoch ms). Null when keys don't rotate. */
-  keyExpiry: number().nullable()
-});
-({
-  methods: {
-    /** All registered mesh-network providers + live status. */
-    listProviders: method(_void(), array(MeshProviderInfoSchema).readonly()),
-    /**
-     * Join the mesh of a specific provider. Per-provider config still
-     * lives on its settings panel; the orchestrator forwards.
-     */
-    joinProvider: method(
-      object({
-        addonId: string(),
-        authKey: string().min(8),
-        hostname: string().optional()
-      }),
-      object({ joined: literal(true) }),
-      { kind: "mutation" }
-    ),
-    leaveProvider: method(
-      object({ addonId: string() }),
-      object({ success: literal(true) }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Browser-redirect login flow. Forwards to the named provider's
-     * `mesh-network.startLogin` and returns the URL the daemon
-     * prints. UI opens it in a new tab, then polls `listProviders`
-     * for `joined: true`.
-     */
-    startLoginProvider: method(
-      object({
-        addonId: string(),
-        hostname: string().optional()
-      }),
-      object({ loginUrl: string() }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Sign out of the provider's account entirely (`mesh-network.logout`).
-     * Distinct from `leaveProvider` which only takes the host off-mesh;
-     * `logoutProvider` wipes credentials so the next start requires a
-     * fresh login.
-     */
-    logoutProvider: method(
-      object({ addonId: string() }),
-      object({ loggedOut: literal(true) }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Per-provider peer list. Forwards to `mesh-network.listPeers` on
-     * the addressed provider. Separate from `listProviders` because
-     * peer payloads can be large on a heavily-populated tailnet —
-     * fetch only when the operator opens the Peers tab.
-     */
-    listProviderPeers: method(
-      object({ addonId: string() }),
-      object({
-        peers: array(MeshPeerSchema).readonly()
-      })
-    )
-  }
-});
 const MethodAccessSchema = _enum(["view", "create", "delete"]);
 const AllowedProviderSchema = union([literal("*"), array(string())]);
 const AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
@@ -12817,6 +12630,21 @@ const AddonAutoUpdateSchema = ChannelWithInheritSchema;
 const RestartAddonResultSchema = unknown();
 const InstallPackageResultSchema = unknown();
 const ReloadPackagesResultSchema = unknown();
+const UpdateFrameworkPackageResultSchema = object({
+  packageName: string(),
+  fromVersion: string(),
+  toVersion: string(),
+  /** Ms-epoch the server scheduled its self-restart. */
+  restartingAt: number()
+});
+const FrameworkPackageStatusSchema = object({
+  packageName: string(),
+  currentVersion: string(),
+  latestVersion: string().nullable(),
+  hasUpdate: boolean(),
+  /** Optional manifest description for the row tooltip. */
+  description: string().optional()
+});
 const LogStreamEntrySchema = object({
   timestamp: string(),
   level: string(),
@@ -12876,13 +12704,29 @@ const CustomActionInputSchema = object({
       object({ query: string().optional() }),
       array(SearchResultSchema)
     ),
+    /**
+     * Available package updates for a node. `nodeId` omitted (or
+     * `'hub'`) checks the hub's own installed packages; an agent
+     * `nodeId` checks that agent's installed roster against npm
+     * (the hub does the npm lookups + diff — agents stay npm-free).
+     */
     listUpdates: method(
-      _void(),
+      object({ nodeId: string().optional() }),
       array(PackageUpdateSchema).readonly(),
       { auth: "admin" }
     ),
+    /**
+     * Update one package on a node. `nodeId` omitted (or `'hub'`)
+     * installs on the hub via npm; an agent `nodeId` makes the hub
+     * pack the resolved version and push the tarball to that agent
+     * (`$agent.deploy` + `$agent.reload`) — agents need no npm runtime.
+     */
     updatePackage: method(
-      object({ name: string().min(1), version: string().optional() }),
+      object({
+        name: string().min(1),
+        version: string().optional(),
+        nodeId: string().optional()
+      }),
       unknown(),
       { kind: "mutation", auth: "admin" }
     ),
@@ -12903,12 +12747,128 @@ const CustomActionInputSchema = object({
       object({ rolledBackTo: string().nullable() }),
       { kind: "mutation", auth: "admin" }
     ),
-    forceRefresh: method(_void(), unknown(), { kind: "mutation", auth: "admin" }),
+    /** Re-check updates for a node, bypassing any cache. `nodeId`
+     *  omitted (or `'hub'`) refreshes the hub; an agent `nodeId`
+     *  re-checks that agent's roster. */
+    forceRefresh: method(
+      object({ nodeId: string().optional() }),
+      unknown(),
+      { kind: "mutation", auth: "admin" }
+    ),
     restartServer: method(
       object({ confirm: literal(true) }),
       unknown(),
       { kind: "mutation", auth: "admin" }
     ),
+    /**
+     * Most-recent restart marker (kind / packageName / from→to versions
+     * / requestedBy / requestedAt). Returns `null` when this process
+     * didn't boot from a tracked restart, or when the
+     * post-boot retention window (5 min) has elapsed.
+     *
+     * Drives the admin-UI reconnect overlay's success toast — the
+     * `system.restart-completed` event itself is fired before the
+     * client has time to re-subscribe, so the client queries this on
+     * first reconnect instead.
+     */
+    getLastRestart: method(
+      _void(),
+      object({
+        kind: _enum(["framework-update", "manual", "system"]),
+        packageName: string().optional(),
+        fromVersion: string().optional(),
+        toVersion: string().optional(),
+        requestedBy: string().optional(),
+        requestedAt: number()
+      }).nullable(),
+      { auth: "admin" }
+    ),
+    /**
+     * Snapshot of the framework packages installed under the hub's
+     * `<appRoot>/node_modules/`. Each row carries the currently
+     * installed version and (best-effort) the latest version
+     * available on npm. Drives the admin-UI "System packages" panel.
+     *
+     * Spec: docs/superpowers/specs/2026-05-14-framework-live-update-design.md
+     */
+    listFrameworkPackages: method(
+      _void(),
+      array(FrameworkPackageStatusSchema).readonly(),
+      { auth: "admin" }
+    ),
+    /**
+     * Cluster-wide capability-provider discovery. Returns the list of
+     * `{ addonId, mode, isActive }` tuples for whatever addon(s)
+     * currently provide the requested capability across the cluster.
+     *
+     * Why this lives on `addons` (and not on a `capabilities` cap of
+     * its own): the hub's main-process `CapabilityRegistry` already
+     * aggregates registrations from every forked group-runner and
+     * remote agent via Moleculer event propagation — there's no
+     * cross-process registry mirror to build, just an introspection
+     * shim.
+     *
+     * Use this from addon code when you need to know whether another
+     * addon has registered a specific cap (e.g. `tailscale-ingress`
+     * checking `tailscale-client` is up before calling `tailscale
+     * serve`). Don't reach for `ctx.capabilities.getCollectionEntries`
+     * — that reads the LOCAL registry of the calling addon's group
+     * runner and never sees providers in other processes. See
+     * `CLAUDE.md` → Critical rules → ctx.api vs ctx.capabilities.
+     */
+    listCapabilityProviders: method(
+      object({ capName: string().min(1) }),
+      array(object({
+        addonId: string(),
+        mode: _enum(["singleton", "collection"]),
+        isActive: boolean()
+      })).readonly()
+    ),
+    /**
+     * Toggle a single collection-cap provider on/off. Generic write-side
+     * counterpart of `listCapabilityProviders` — drives the per-provider
+     * Enable/Disable affordance in admin pages (TURN servers, etc.)
+     * without needing a bespoke orchestrator cap.
+     *
+     * Reaches the hub's `CapabilityRegistry` directly:
+     * `enableCollectionProvider` / `disableCollectionProvider` flip the
+     * registry-level `disabledProviders` set. `getCollectionEntries`
+     * already filters disabled providers out, so a disabled provider
+     * drops out of every collection aggregate immediately. Only valid
+     * for `mode: 'collection'` caps — the registry no-ops + warns for
+     * singletons.
+     */
+    setCapabilityProviderEnabled: method(
+      object({
+        capName: string().min(1),
+        addonId: string().min(1),
+        enabled: boolean()
+      }),
+      object({ success: literal(true) }),
+      { kind: "mutation", auth: "admin" }
+    ),
+    /**
+     * Live-update one of the framework packages marked
+     * `camstack.system: true` (`@camstack/types|kernel|core|sdk|ui-library`).
+     * Runs `npm install --prefix <appRoot> <name>@<version> --no-save`,
+     * writes a `.restart-pending` marker, emits `system.restarting`
+     * and schedules a graceful process exit. The supervisor (Docker /
+     * Electron / systemd) brings the hub back up; on first boot after
+     * the restart the marker fires `system.restart-completed`.
+     *
+     * `version` defaults to `'latest'`. The allow-list of valid
+     * `packageName` values is enforced server-side.
+     *
+     * Spec: docs/superpowers/specs/2026-05-14-framework-live-update-design.md
+     */
+    updateFrameworkPackage: method(
+      object({
+        packageName: string().min(1),
+        version: string().optional()
+      }),
+      UpdateFrameworkPackageResultSchema,
+      { kind: "mutation", auth: "admin" }
+    ),
     getVersions: method(
       object({ name: string() }),
       array(PackageVersionInfoSchema).readonly()
@@ -12979,6 +12939,7 @@ var EventCategory = /* @__PURE__ */ ((EventCategory2) => {
   EventCategory2["SystemBoot"] = "system.boot";
   EventCategory2["SystemAddonsReady"] = "system.addons-ready";
   EventCategory2["SystemRestarting"] = "system.restarting";
+  EventCategory2["SystemRestartCompleted"] = "system.restart-completed";
   EventCategory2["SystemReadyState"] = "system.ready-state";
   EventCategory2["AddonStarted"] = "addon.started";
   EventCategory2["AddonStopped"] = "addon.stopped";