@camstack/core 0.1.33 → 0.1.35

package/dist/auth/api-key-manager.d.ts

@@ -1,9 +1,9 @@
 import { AuthManager } from './auth-manager.js';
-import { ApiKeyRecord, UserRole, SettingsStoreClient } from '@camstack/types';
+import { ApiKeyRecord, SettingsStoreClient } from '@camstack/types';
 export type { ApiKeyRecord };
 interface CreateApiKeyInput {
     label: string;
-    role: UserRole;
+    isAdmin?: boolean;
     allowedProviders?: string[] | '*';
     allowedDevices?: Record<string, string[] | '*'>;
 }

package/dist/auth/api-key-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"api-key-manager.d.ts","sourceRoot":"","sources":["../../src/auth/api-key-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAEpD,OAAO,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAGlF,YAAY,EAAE,YAAY,EAAE,CAAA;AAE5B,UAAU,iBAAiB;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,QAAQ,CAAA;IACd,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAA;CAChD;AAID,MAAM,WAAW,mBAAmB;IAClC,QAAQ,IAAI,mBAAmB,CAAA;CAChC;AAMD,qBAAa,aAAa;IAEtB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,aAAa,EAAE,mBAAmB,EAClC,IAAI,EAAE,WAAW;IAGpC,OAAO,KAAK,KAAK,GAEhB;IAEK,MAAM,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,YAAY,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBlF,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAa1D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;IASrD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;CAKzD"}
+{"version":3,"file":"api-key-manager.d.ts","sourceRoot":"","sources":["../../src/auth/api-key-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAEpD,OAAO,KAAK,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAGxE,YAAY,EAAE,YAAY,EAAE,CAAA;AAE5B,UAAU,iBAAiB;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAA;CAChD;AAID,MAAM,WAAW,mBAAmB;IAClC,QAAQ,IAAI,mBAAmB,CAAA;CAChC;AAMD,qBAAa,aAAa;IAEtB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,aAAa,EAAE,mBAAmB,EAClC,IAAI,EAAE,WAAW;IAGpC,OAAO,KAAK,KAAK,GAEhB;IAEK,MAAM,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,YAAY,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBlF,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAa1D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;IASrD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;CAKzD"}

package/dist/auth/auth-manager.d.ts

@@ -1,5 +1,5 @@
-import { UserRole, TokenPayload, IScopedLogger } from '@camstack/types';
-export type { UserRole, TokenPayload };
+import { TokenPayload, IScopedLogger } from '@camstack/types';
+export type { TokenPayload };
 export type AuthConfigReader = {
     get<T>(path: string): T;
     update(section: string, data: Record<string, unknown>): void;
@@ -25,8 +25,75 @@ export declare class AuthManager {
      */
     createServiceToken(opts: {
         readonly agentId: string;
-        readonly role?: string;
         readonly expiresIn?: string;
     }): string;
+    /**
+     * Mint a short-lived HMAC-signed bridge token used by SSO-style auth
+     * providers (OIDC, SAML, magic-link, …) to hand the post-callback
+     * claims to `/api/auth/sso/finish` without trusting unsigned query
+     * parameters. The endpoint verifies the token signature with the same
+     * `jwtSecret` and only then mints the user session JWT. This closes
+     * the privilege-escalation gap where any client could craft a
+     * `?isAdmin=1` link to `/sso/finish` and become admin.
+     *
+     * The payload carries `kind: 'sso-bridge'` so `verifySsoBridgeToken`
+     * can reject session tokens reused as bridge tokens (and vice versa).
+     * TTL defaults to 5 minutes — long enough to survive the IdP
+     * redirect bounce, short enough that a leaked URL stops being useful
+     * before the operator notices.
+     */
+    signSsoBridgeToken(payload: SsoBridgeClaims, ttlSec?: number): string;
+    /**
+     * Verify + decode a bridge token minted by `signSsoBridgeToken`.
+     * Returns `null` for invalid signature, expired token, or wrong
+     * `kind` claim. Never throws — the consumer ( `/sso/finish`) treats
+     * `null` as 400 Bad Request.
+     */
+    verifySsoBridgeToken(token: string): SsoBridgeClaims | null;
+    /**
+     * Mint a TOTP challenge token bridging the two-step login flow:
+     *
+     *   1. POST /login → password OK + user has 2FA  →  returns
+     *      `{requiresTotp: true, challengeToken: '...'}` (this token).
+     *   2. POST /login/totp-verify → operator types 6-digit code →
+     *      server verifies challenge token + code → mints the real
+     *      session JWT.
+     *
+     * The token carries `kind: 'totp-challenge'` so it can't be confused
+     * with a regular session token, plus the `userId` + `username` +
+     * `isAdmin` claims that will end up in the final session if the code
+     * verifies. TTL defaults to 5 minutes — long enough to type the code,
+     * short enough that an abandoned login can't be picked up later.
+     */
+    signTotpChallengeToken(payload: TotpChallengeClaims, ttlSec?: number): string;
+    /**
+     * Verify + decode a TOTP challenge token. Returns `null` for any
+     * failure (invalid signature, expired, wrong `kind`, missing
+     * claims). The caller MUST also verify the 6-digit code against
+     * `totpManager.verify(userId, code)` before minting the real
+     * session — this method validates the bridge transport only.
+     */
+    verifyTotpChallengeToken(token: string): TotpChallengeClaims | null;
+}
+export interface SsoBridgeClaims {
+    readonly userId: string;
+    readonly username: string;
+    readonly isAdmin: boolean;
+    readonly provider: string;
+    readonly email?: string;
+    readonly displayName?: string;
+    /**
+     * Public HTTPS URL of the hub that minted the token. Carried verbatim
+     * through sign/verify; consumed by cloud-mode OAuth proxies (e.g. the
+     * Alexa Lambda) which need to know which hub to forward to without
+     * keeping per-user routing state. Optional — only the cloud-mode
+     * issuers set it.
+     */
+    readonly hubUrl?: string;
+}
+export interface TotpChallengeClaims {
+    readonly userId: string;
+    readonly username: string;
+    readonly isAdmin: boolean;
 }
 //# sourceMappingURL=auth-manager.d.ts.map

package/dist/auth/auth-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAY5E,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AAEtC,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;IACvB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC7D,CAAA;AAED,qBAAa,WAAW;IAIV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;gBAET,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAE,aAA0B;IAczF,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM;IAI7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAIlC,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/C,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIvE,cAAc,IAAI;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAOjE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;IAK1D;;;OAGG;IACH,kBAAkB,CAAC,IAAI,EAAE;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;QACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;QACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAC5B,GAAG,MAAM;CAmBX"}
+{"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAYlE,YAAY,EAAE,YAAY,EAAE,CAAA;AAE5B,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;IACvB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC7D,CAAA;AAED,qBAAa,WAAW;IAIV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;gBAET,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAE,aAA0B;IAczF,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM;IAI7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAIlC,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/C,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIvE,cAAc,IAAI;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAOjE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;IAK1D;;;OAGG;IACH,kBAAkB,CAAC,IAAI,EAAE;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;QACxB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAC5B,GAAG,MAAM;IAuBV;;;;;;;;;;;;;;OAcG;IACH,kBAAkB,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,GAAE,MAAY,GAAG,MAAM;IAc1E;;;;;OAKG;IACH,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI;IA4B3D;;;;;;;;;;;;;;OAcG;IACH,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,EAAE,MAAM,GAAE,MAAY,GAAG,MAAM;IAalF;;;;;;OAMG;IACH,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,mBAAmB,GAAG,IAAI;CAepE;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B;;;;;;OAMG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;CAC1B"}

package/dist/auth/totp-manager.d.ts

@@ -0,0 +1,53 @@
+import { SettingsStoreClient } from '@camstack/types';
+export interface TotpSetupResult {
+    readonly secret: string;
+    readonly otpauthUrl: string;
+}
+export interface TotpStatus {
+    readonly enabled: boolean;
+    readonly confirmedAt: number | null;
+}
+export declare class TotpManager {
+    private readonly store;
+    private readonly opts;
+    constructor(store: SettingsStoreClient, opts?: {
+        /** ±N 30-second windows tolerated. Default 1 = ±30 s clock skew. */
+        readonly window?: number;
+    });
+    /**
+     * Begin enrollment. Always generates a fresh secret — calling `setup`
+     * a second time on the same user replaces any pending half-enrollment
+     * (the user must rescan the QR / re-enter the secret).
+     *
+     * The user identity (`label`) is what an authenticator displays as
+     * the account name; we use the supplied `username` for human-readable
+     * recognition. `ISSUER` is the CamStack brand.
+     */
+    setup(userId: string, username: string): Promise<TotpSetupResult>;
+    /**
+     * Confirm enrollment by checking a code from the authenticator
+     * against the pending secret. On success, flips `confirmedAt` so
+     * `verify()` starts accepting codes. Idempotent on already-confirmed
+     * rows: re-confirming a valid code just succeeds with no state
+     * change.
+     */
+    confirm(userId: string, code: string): Promise<boolean>;
+    /**
+     * Remove enrollment. Idempotent — no error if the user had no row.
+     */
+    disable(userId: string): Promise<void>;
+    /**
+     * Verify a code against the confirmed secret. Returns `false` when:
+     *   - The user has no row (not set up).
+     *   - The row is pending (`confirmedAt === null`).
+     *   - The code doesn't match within the configured window.
+     */
+    verify(userId: string, code: string): Promise<boolean>;
+    /**
+     * Read the user's enrollment status. Pending half-enrollments are
+     * reported as `enabled: false` — only a confirmed row counts.
+     */
+    getStatus(userId: string): Promise<TotpStatus>;
+    private find;
+}
+//# sourceMappingURL=totp-manager.d.ts.map

package/dist/auth/totp-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp-manager.d.ts","sourceRoot":"","sources":["../../src/auth/totp-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAoD1D,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CACpC;AAED,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI;gBADJ,KAAK,EAAE,mBAAmB,EAC1B,IAAI,GAAE;QACrB,oEAAoE;QACpE,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KACpB;IAOR;;;;;;;;OAQG;IACG,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAoBvE;;;;;;OAMG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAe7D;;OAEG;IACG,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5C;;;;;OAKG;IACG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO5D;;;OAGG;IACG,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;YAStC,IAAI;CAQnB"}

package/dist/auth/user-manager.d.ts

@@ -1,15 +1,15 @@
 import { AuthManager } from './auth-manager.js';
-import { UserRecord, UserRole, TokenScope, SettingsStoreClient } from '@camstack/types';
+import { UserRecord, TokenScope, SettingsStoreClient } from '@camstack/types';
 export type { UserRecord };
 interface CreateUserInput {
     username: string;
     password: string;
-    role: UserRole;
+    isAdmin?: boolean;
     allowedProviders?: string[] | '*';
     allowedDevices?: Record<string, string[] | '*'>;
     scopes?: TokenScope[];
 }
-type UpdatableUserFields = Partial<Pick<UserRecord, 'role' | 'allowedProviders' | 'allowedDevices' | 'scopes'>>;
+type UpdatableUserFields = Partial<Pick<UserRecord, 'isAdmin' | 'allowedProviders' | 'allowedDevices' | 'scopes'>>;
 export interface UserStorageAccess {
     getStore(): SettingsStoreClient;
 }

package/dist/auth/user-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-manager.d.ts","sourceRoot":"","sources":["../../src/auth/user-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAEpD,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAG5F,YAAY,EAAE,UAAU,EAAE,CAAA;AAE1B,UAAU,eAAe;IACvB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,QAAQ,CAAA;IACd,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAA;IAC/C,MAAM,CAAC,EAAE,UAAU,EAAE,CAAA;CACtB;AAED,KAAK,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB,GAAG,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAA;AAI/G,MAAM,WAAW,iBAAiB;IAChC,QAAQ,IAAI,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;CACxB;AAMD,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,aAAa,EAAE,iBAAiB,EAChC,IAAI,EAAE,WAAW,EACjB,MAAM,EAAE,gBAAgB;IAG3C,OAAO,KAAK,KAAK,GAEhB;IAEK,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAsBnD,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAM5D,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAMhD,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAOnF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,EAAE,CAAC;IAStD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC;IAM5D,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO7D,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;CAqBzC"}
+{"version":3,"file":"user-manager.d.ts","sourceRoot":"","sources":["../../src/auth/user-manager.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAEpD,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAGlF,YAAY,EAAE,UAAU,EAAE,CAAA;AAE1B,UAAU,eAAe;IACvB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IACjC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,CAAA;IAC/C,MAAM,CAAC,EAAE,UAAU,EAAE,CAAA;CACtB;AAED,KAAK,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,GAAG,kBAAkB,GAAG,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAA;AAIlH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,IAAI,mBAAmB,CAAA;CAChC;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;CACxB;AAMD,qBAAa,WAAW;IAEpB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFN,aAAa,EAAE,iBAAiB,EAChC,IAAI,EAAE,WAAW,EACjB,MAAM,EAAE,gBAAgB;IAG3C,OAAO,KAAK,KAAK,GAEhB;IAEK,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC;IAsBnD,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAM5D,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAMhD,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAOnF,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,EAAE,CAAC;IAStD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC;IAM5D,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO7D,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;CAsBzC"}

package/dist/builtins/auth-orchestrator/auth-orchestrator.addon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-orchestrator.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EACL,SAAS,EAIT,KAAK,oBAAoB,EAC1B,MAAM,iBAAiB,CAAA;AAWxB,qBAAa,qBAAsB,SAAQ,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;;cAKzD,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAgBjD,aAAa;CAY5B;AAED,eAAe,qBAAqB,CAAA"}
+{"version":3,"file":"auth-orchestrator.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EACL,SAAS,EAIT,KAAK,oBAAoB,EAC1B,MAAM,iBAAiB,CAAA;AA4BxB,qBAAa,qBAAsB,SAAQ,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;;cAKzD,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAgBjD,aAAa;CAoC5B;AAED,eAAe,qBAAqB,CAAA"}

package/dist/builtins/auth-orchestrator/auth-orchestrator.addon.js

@@ -37,15 +37,35 @@ var AuthOrchestratorAddon = class extends _camstack_types.BaseAddon {
 		}];
 	}
 	async listProviders() {
-		return (this.capabilities?.getCollectionEntries("auth-provider") ?? []).map(([addonId, raw]) => ({
-			addonId: raw?.addonId ?? addonId,
-			displayName: raw?.displayName ?? addonId,
-			...raw?.icon !== void 0 ? { icon: raw.icon } : {},
-			hasRedirectFlow: raw?.hasRedirectFlow ?? false,
-			hasCredentialFlow: raw?.hasCredentialFlow ?? addonId === "local-auth",
-			...raw?.status !== void 0 ? { status: raw.status } : {},
-			enabled: true
-		}));
+		const entries = this.capabilities?.getCollectionEntries("auth-provider") ?? [];
+		const out = [];
+		for (const [addonId, raw] of entries) {
+			if (raw?.instances && raw.instances.length > 0) {
+				for (const inst of raw.instances) out.push({
+					addonId: raw.addonId ?? addonId,
+					instanceId: inst.instanceId,
+					displayName: inst.displayName,
+					...inst.icon !== void 0 ? { icon: inst.icon } : {},
+					hasRedirectFlow: inst.hasRedirectFlow,
+					hasCredentialFlow: inst.hasCredentialFlow,
+					...inst.kind !== void 0 ? { kind: inst.kind } : {},
+					...inst.status !== void 0 ? { status: inst.status } : {},
+					enabled: true
+				});
+				continue;
+			}
+			out.push({
+				addonId: raw?.addonId ?? addonId,
+				displayName: raw?.displayName ?? addonId,
+				...raw?.icon !== void 0 ? { icon: raw.icon } : {},
+				hasRedirectFlow: raw?.hasRedirectFlow ?? false,
+				hasCredentialFlow: raw?.hasCredentialFlow ?? addonId === "local-auth",
+				...raw?.kind !== void 0 ? { kind: raw.kind } : {},
+				...raw?.status !== void 0 ? { status: raw.status } : {},
+				enabled: true
+			});
+		}
+		return out;
 	}
 };
 //#endregion

package/dist/builtins/auth-orchestrator/auth-orchestrator.addon.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth-orchestrator.addon.js","names":[],"sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"sourcesContent":["/**\n * Authentication orchestrator — singleton facade over the\n * `auth-provider` collection. Mirrors the backup-orchestrator pattern:\n * UI consumers go through this builtin, which walks the\n * `auth-provider` collection registered by `local-auth` and any\n * additional `auth-*` addons (OIDC, SAML, LDAP, …) and returns a\n * curated view.\n *\n * The actual login flow still goes through `auth-provider`\n * collection methods (validateCredentials / getLoginUrl / …); this\n * cap exists so the admin UI's \"Authentication\" page and the login\n * screen's provider picker have ONE place to query instead of\n * walking the collection themselves.\n */\nimport {\n  BaseAddon,\n  authenticationCapability,\n  type AuthProviderInfo,\n  type IAuthenticationProvider,\n  type ProviderRegistration,\n} from '@camstack/types'\n\ninterface AuthProviderRegistrationLike {\n  readonly addonId?: string\n  readonly displayName?: string\n  readonly icon?: string\n  readonly hasRedirectFlow?: boolean\n  readonly hasCredentialFlow?: boolean\n  readonly status?: string\n}\n\nexport class AuthOrchestratorAddon extends BaseAddon<Record<string, never>> {\n  constructor() {\n    super({})\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    const provider: IAuthenticationProvider = {\n      listProviders: async () => this.listProviders(),\n      setProviderEnabled: async () => {\n        // Persistence is per-addon today — operators toggle enabled\n        // via the provider addon's own settings panel. The orchestrator\n        // exposes the affordance for forward-compat (UI may move the\n        // enabled toggle into the Authentication page later) but\n        // currently no-ops the persistence side.\n        return { success: true as const }\n      },\n    }\n    this.ctx.logger.info('Authentication orchestrator initialized')\n    return [{ capability: authenticationCapability, provider }]\n  }\n\n  private async listProviders(): Promise<readonly AuthProviderInfo[]> {\n    const entries = this.capabilities?.getCollectionEntries<AuthProviderRegistrationLike>('auth-provider') ?? []\n    return entries.map(([addonId, raw]) => ({\n      addonId: raw?.addonId ?? addonId,\n      displayName: raw?.displayName ?? addonId,\n      ...(raw?.icon !== undefined ? { icon: raw.icon } : {}),\n      hasRedirectFlow: raw?.hasRedirectFlow ?? false,\n      hasCredentialFlow: raw?.hasCredentialFlow ?? (addonId === 'local-auth'),\n      ...(raw?.status !== undefined ? { status: raw.status } : {}),\n      enabled: true,\n    }))\n  }\n}\n\nexport default AuthOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA+BA,IAAa,wBAAb,cAA2C,gBAAA,UAAiC;CAC1E,cAAc;EACZ,MAAM,EAAE,CAAC;;CAGX,MAAgB,eAAgD;EAC9D,MAAM,WAAoC;GACxC,eAAe,YAAY,KAAK,eAAe;GAC/C,oBAAoB,YAAY;IAM9B,OAAO,EAAE,SAAS,MAAe;;GAEpC;EACD,KAAK,IAAI,OAAO,KAAK,0CAA0C;EAC/D,OAAO,CAAC;GAAE,YAAY,gBAAA;GAA0B;GAAU,CAAC;;CAG7D,MAAc,gBAAsD;EAElE,QADgB,KAAK,cAAc,qBAAmD,gBAAgB,IAAI,EAAE,EAC7F,KAAK,CAAC,SAAS,UAAU;GACtC,SAAS,KAAK,WAAW;GACzB,aAAa,KAAK,eAAe;GACjC,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;GACrD,iBAAiB,KAAK,mBAAmB;GACzC,mBAAmB,KAAK,qBAAsB,YAAY;GAC1D,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,IAAI,QAAQ,GAAG,EAAE;GAC3D,SAAS;GACV,EAAE"}
+{"version":3,"file":"auth-orchestrator.addon.js","names":[],"sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"sourcesContent":["/**\n * Authentication orchestrator — singleton facade over the\n * `auth-provider` collection. Mirrors the backup-orchestrator pattern:\n * UI consumers go through this builtin, which walks the\n * `auth-provider` collection registered by `local-auth` and any\n * additional `auth-*` addons (OIDC, SAML, LDAP, …) and returns a\n * curated view.\n *\n * The actual login flow still goes through `auth-provider`\n * collection methods (validateCredentials / getLoginUrl / …); this\n * cap exists so the admin UI's \"Authentication\" page and the login\n * screen's provider picker have ONE place to query instead of\n * walking the collection themselves.\n */\nimport {\n  BaseAddon,\n  authenticationCapability,\n  type AuthProviderInfo,\n  type IAuthenticationProvider,\n  type ProviderRegistration,\n} from '@camstack/types'\n\ninterface AuthProviderRegistrationLike {\n  readonly addonId?: string\n  readonly displayName?: string\n  readonly icon?: string\n  readonly hasRedirectFlow?: boolean\n  readonly hasCredentialFlow?: boolean\n  readonly kind?: string\n  readonly status?: string\n  /**\n   * Multi-instance fan-out. When set, the orchestrator emits ONE\n   * AuthProviderInfo per entry instead of a single one for the\n   * collection entry. Used by addons that host multiple logical IdPs\n   * within a single install (the OIDC addon supports Google +\n   * Microsoft + custom from one installation).\n   */\n  readonly instances?: ReadonlyArray<{\n    readonly instanceId: string\n    readonly displayName: string\n    readonly icon?: string\n    readonly hasRedirectFlow: boolean\n    readonly hasCredentialFlow: boolean\n    readonly kind?: string\n    readonly status?: string\n  }>\n}\n\nexport class AuthOrchestratorAddon extends BaseAddon<Record<string, never>> {\n  constructor() {\n    super({})\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    const provider: IAuthenticationProvider = {\n      listProviders: async () => this.listProviders(),\n      setProviderEnabled: async () => {\n        // Persistence is per-addon today — operators toggle enabled\n        // via the provider addon's own settings panel. The orchestrator\n        // exposes the affordance for forward-compat (UI may move the\n        // enabled toggle into the Authentication page later) but\n        // currently no-ops the persistence side.\n        return { success: true as const }\n      },\n    }\n    this.ctx.logger.info('Authentication orchestrator initialized')\n    return [{ capability: authenticationCapability, provider }]\n  }\n\n  private async listProviders(): Promise<readonly AuthProviderInfo[]> {\n    const entries = this.capabilities?.getCollectionEntries<AuthProviderRegistrationLike>('auth-provider') ?? []\n    const out: AuthProviderInfo[] = []\n    for (const [addonId, raw] of entries) {\n      // Multi-instance: emit one entry per declared instance, preserving\n      // the parent `addonId` so the login URL keeps `/addon/<addonId>/...`\n      // while adding the `instanceId` path segment downstream.\n      if (raw?.instances && raw.instances.length > 0) {\n        for (const inst of raw.instances) {\n          out.push({\n            addonId: raw.addonId ?? addonId,\n            instanceId: inst.instanceId,\n            displayName: inst.displayName,\n            ...(inst.icon !== undefined ? { icon: inst.icon } : {}),\n            hasRedirectFlow: inst.hasRedirectFlow,\n            hasCredentialFlow: inst.hasCredentialFlow,\n            ...(inst.kind !== undefined ? { kind: inst.kind } : {}),\n            ...(inst.status !== undefined ? { status: inst.status } : {}),\n            enabled: true,\n          })\n        }\n        continue\n      }\n      out.push({\n        addonId: raw?.addonId ?? addonId,\n        displayName: raw?.displayName ?? addonId,\n        ...(raw?.icon !== undefined ? { icon: raw.icon } : {}),\n        hasRedirectFlow: raw?.hasRedirectFlow ?? false,\n        hasCredentialFlow: raw?.hasCredentialFlow ?? (addonId === 'local-auth'),\n        ...(raw?.kind !== undefined ? { kind: raw.kind } : {}),\n        ...(raw?.status !== undefined ? { status: raw.status } : {}),\n        enabled: true,\n      })\n    }\n    return out\n  }\n}\n\nexport default AuthOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAgDA,IAAa,wBAAb,cAA2C,gBAAA,UAAiC;CAC1E,cAAc;EACZ,MAAM,EAAE,CAAC;;CAGX,MAAgB,eAAgD;EAC9D,MAAM,WAAoC;GACxC,eAAe,YAAY,KAAK,eAAe;GAC/C,oBAAoB,YAAY;IAM9B,OAAO,EAAE,SAAS,MAAe;;GAEpC;EACD,KAAK,IAAI,OAAO,KAAK,0CAA0C;EAC/D,OAAO,CAAC;GAAE,YAAY,gBAAA;GAA0B;GAAU,CAAC;;CAG7D,MAAc,gBAAsD;EAClE,MAAM,UAAU,KAAK,cAAc,qBAAmD,gBAAgB,IAAI,EAAE;EAC5G,MAAM,MAA0B,EAAE;EAClC,KAAK,MAAM,CAAC,SAAS,QAAQ,SAAS;GAIpC,IAAI,KAAK,aAAa,IAAI,UAAU,SAAS,GAAG;IAC9C,KAAK,MAAM,QAAQ,IAAI,WACrB,IAAI,KAAK;KACP,SAAS,IAAI,WAAW;KACxB,YAAY,KAAK;KACjB,aAAa,KAAK;KAClB,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,KAAK,MAAM,GAAG,EAAE;KACtD,iBAAiB,KAAK;KACtB,mBAAmB,KAAK;KACxB,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,KAAK,MAAM,GAAG,EAAE;KACtD,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,KAAK,QAAQ,GAAG,EAAE;KAC5D,SAAS;KACV,CAAC;IAEJ;;GAEF,IAAI,KAAK;IACP,SAAS,KAAK,WAAW;IACzB,aAAa,KAAK,eAAe;IACjC,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;IACrD,iBAAiB,KAAK,mBAAmB;IACzC,mBAAmB,KAAK,qBAAsB,YAAY;IAC1D,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;IACrD,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,IAAI,QAAQ,GAAG,EAAE;IAC3D,SAAS;IACV,CAAC;;EAEJ,OAAO"}

package/dist/builtins/auth-orchestrator/auth-orchestrator.addon.mjs

@@ -32,15 +32,35 @@ var AuthOrchestratorAddon = class extends BaseAddon {
 		}];
 	}
 	async listProviders() {
-		return (this.capabilities?.getCollectionEntries("auth-provider") ?? []).map(([addonId, raw]) => ({
-			addonId: raw?.addonId ?? addonId,
-			displayName: raw?.displayName ?? addonId,
-			...raw?.icon !== void 0 ? { icon: raw.icon } : {},
-			hasRedirectFlow: raw?.hasRedirectFlow ?? false,
-			hasCredentialFlow: raw?.hasCredentialFlow ?? addonId === "local-auth",
-			...raw?.status !== void 0 ? { status: raw.status } : {},
-			enabled: true
-		}));
+		const entries = this.capabilities?.getCollectionEntries("auth-provider") ?? [];
+		const out = [];
+		for (const [addonId, raw] of entries) {
+			if (raw?.instances && raw.instances.length > 0) {
+				for (const inst of raw.instances) out.push({
+					addonId: raw.addonId ?? addonId,
+					instanceId: inst.instanceId,
+					displayName: inst.displayName,
+					...inst.icon !== void 0 ? { icon: inst.icon } : {},
+					hasRedirectFlow: inst.hasRedirectFlow,
+					hasCredentialFlow: inst.hasCredentialFlow,
+					...inst.kind !== void 0 ? { kind: inst.kind } : {},
+					...inst.status !== void 0 ? { status: inst.status } : {},
+					enabled: true
+				});
+				continue;
+			}
+			out.push({
+				addonId: raw?.addonId ?? addonId,
+				displayName: raw?.displayName ?? addonId,
+				...raw?.icon !== void 0 ? { icon: raw.icon } : {},
+				hasRedirectFlow: raw?.hasRedirectFlow ?? false,
+				hasCredentialFlow: raw?.hasCredentialFlow ?? addonId === "local-auth",
+				...raw?.kind !== void 0 ? { kind: raw.kind } : {},
+				...raw?.status !== void 0 ? { status: raw.status } : {},
+				enabled: true
+			});
+		}
+		return out;
 	}
 };
 //#endregion

package/dist/builtins/auth-orchestrator/auth-orchestrator.addon.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"auth-orchestrator.addon.mjs","names":[],"sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"sourcesContent":["/**\n * Authentication orchestrator — singleton facade over the\n * `auth-provider` collection. Mirrors the backup-orchestrator pattern:\n * UI consumers go through this builtin, which walks the\n * `auth-provider` collection registered by `local-auth` and any\n * additional `auth-*` addons (OIDC, SAML, LDAP, …) and returns a\n * curated view.\n *\n * The actual login flow still goes through `auth-provider`\n * collection methods (validateCredentials / getLoginUrl / …); this\n * cap exists so the admin UI's \"Authentication\" page and the login\n * screen's provider picker have ONE place to query instead of\n * walking the collection themselves.\n */\nimport {\n  BaseAddon,\n  authenticationCapability,\n  type AuthProviderInfo,\n  type IAuthenticationProvider,\n  type ProviderRegistration,\n} from '@camstack/types'\n\ninterface AuthProviderRegistrationLike {\n  readonly addonId?: string\n  readonly displayName?: string\n  readonly icon?: string\n  readonly hasRedirectFlow?: boolean\n  readonly hasCredentialFlow?: boolean\n  readonly status?: string\n}\n\nexport class AuthOrchestratorAddon extends BaseAddon<Record<string, never>> {\n  constructor() {\n    super({})\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    const provider: IAuthenticationProvider = {\n      listProviders: async () => this.listProviders(),\n      setProviderEnabled: async () => {\n        // Persistence is per-addon today — operators toggle enabled\n        // via the provider addon's own settings panel. The orchestrator\n        // exposes the affordance for forward-compat (UI may move the\n        // enabled toggle into the Authentication page later) but\n        // currently no-ops the persistence side.\n        return { success: true as const }\n      },\n    }\n    this.ctx.logger.info('Authentication orchestrator initialized')\n    return [{ capability: authenticationCapability, provider }]\n  }\n\n  private async listProviders(): Promise<readonly AuthProviderInfo[]> {\n    const entries = this.capabilities?.getCollectionEntries<AuthProviderRegistrationLike>('auth-provider') ?? []\n    return entries.map(([addonId, raw]) => ({\n      addonId: raw?.addonId ?? addonId,\n      displayName: raw?.displayName ?? addonId,\n      ...(raw?.icon !== undefined ? { icon: raw.icon } : {}),\n      hasRedirectFlow: raw?.hasRedirectFlow ?? false,\n      hasCredentialFlow: raw?.hasCredentialFlow ?? (addonId === 'local-auth'),\n      ...(raw?.status !== undefined ? { status: raw.status } : {}),\n      enabled: true,\n    }))\n  }\n}\n\nexport default AuthOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;AA+BA,IAAa,wBAAb,cAA2C,UAAiC;CAC1E,cAAc;EACZ,MAAM,EAAE,CAAC;;CAGX,MAAgB,eAAgD;EAC9D,MAAM,WAAoC;GACxC,eAAe,YAAY,KAAK,eAAe;GAC/C,oBAAoB,YAAY;IAM9B,OAAO,EAAE,SAAS,MAAe;;GAEpC;EACD,KAAK,IAAI,OAAO,KAAK,0CAA0C;EAC/D,OAAO,CAAC;GAAE,YAAY;GAA0B;GAAU,CAAC;;CAG7D,MAAc,gBAAsD;EAElE,QADgB,KAAK,cAAc,qBAAmD,gBAAgB,IAAI,EAAE,EAC7F,KAAK,CAAC,SAAS,UAAU;GACtC,SAAS,KAAK,WAAW;GACzB,aAAa,KAAK,eAAe;GACjC,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;GACrD,iBAAiB,KAAK,mBAAmB;GACzC,mBAAmB,KAAK,qBAAsB,YAAY;GAC1D,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,IAAI,QAAQ,GAAG,EAAE;GAC3D,SAAS;GACV,EAAE"}
+{"version":3,"file":"auth-orchestrator.addon.mjs","names":[],"sources":["../../../src/builtins/auth-orchestrator/auth-orchestrator.addon.ts"],"sourcesContent":["/**\n * Authentication orchestrator — singleton facade over the\n * `auth-provider` collection. Mirrors the backup-orchestrator pattern:\n * UI consumers go through this builtin, which walks the\n * `auth-provider` collection registered by `local-auth` and any\n * additional `auth-*` addons (OIDC, SAML, LDAP, …) and returns a\n * curated view.\n *\n * The actual login flow still goes through `auth-provider`\n * collection methods (validateCredentials / getLoginUrl / …); this\n * cap exists so the admin UI's \"Authentication\" page and the login\n * screen's provider picker have ONE place to query instead of\n * walking the collection themselves.\n */\nimport {\n  BaseAddon,\n  authenticationCapability,\n  type AuthProviderInfo,\n  type IAuthenticationProvider,\n  type ProviderRegistration,\n} from '@camstack/types'\n\ninterface AuthProviderRegistrationLike {\n  readonly addonId?: string\n  readonly displayName?: string\n  readonly icon?: string\n  readonly hasRedirectFlow?: boolean\n  readonly hasCredentialFlow?: boolean\n  readonly kind?: string\n  readonly status?: string\n  /**\n   * Multi-instance fan-out. When set, the orchestrator emits ONE\n   * AuthProviderInfo per entry instead of a single one for the\n   * collection entry. Used by addons that host multiple logical IdPs\n   * within a single install (the OIDC addon supports Google +\n   * Microsoft + custom from one installation).\n   */\n  readonly instances?: ReadonlyArray<{\n    readonly instanceId: string\n    readonly displayName: string\n    readonly icon?: string\n    readonly hasRedirectFlow: boolean\n    readonly hasCredentialFlow: boolean\n    readonly kind?: string\n    readonly status?: string\n  }>\n}\n\nexport class AuthOrchestratorAddon extends BaseAddon<Record<string, never>> {\n  constructor() {\n    super({})\n  }\n\n  protected async onInitialize(): Promise<ProviderRegistration[]> {\n    const provider: IAuthenticationProvider = {\n      listProviders: async () => this.listProviders(),\n      setProviderEnabled: async () => {\n        // Persistence is per-addon today — operators toggle enabled\n        // via the provider addon's own settings panel. The orchestrator\n        // exposes the affordance for forward-compat (UI may move the\n        // enabled toggle into the Authentication page later) but\n        // currently no-ops the persistence side.\n        return { success: true as const }\n      },\n    }\n    this.ctx.logger.info('Authentication orchestrator initialized')\n    return [{ capability: authenticationCapability, provider }]\n  }\n\n  private async listProviders(): Promise<readonly AuthProviderInfo[]> {\n    const entries = this.capabilities?.getCollectionEntries<AuthProviderRegistrationLike>('auth-provider') ?? []\n    const out: AuthProviderInfo[] = []\n    for (const [addonId, raw] of entries) {\n      // Multi-instance: emit one entry per declared instance, preserving\n      // the parent `addonId` so the login URL keeps `/addon/<addonId>/...`\n      // while adding the `instanceId` path segment downstream.\n      if (raw?.instances && raw.instances.length > 0) {\n        for (const inst of raw.instances) {\n          out.push({\n            addonId: raw.addonId ?? addonId,\n            instanceId: inst.instanceId,\n            displayName: inst.displayName,\n            ...(inst.icon !== undefined ? { icon: inst.icon } : {}),\n            hasRedirectFlow: inst.hasRedirectFlow,\n            hasCredentialFlow: inst.hasCredentialFlow,\n            ...(inst.kind !== undefined ? { kind: inst.kind } : {}),\n            ...(inst.status !== undefined ? { status: inst.status } : {}),\n            enabled: true,\n          })\n        }\n        continue\n      }\n      out.push({\n        addonId: raw?.addonId ?? addonId,\n        displayName: raw?.displayName ?? addonId,\n        ...(raw?.icon !== undefined ? { icon: raw.icon } : {}),\n        hasRedirectFlow: raw?.hasRedirectFlow ?? false,\n        hasCredentialFlow: raw?.hasCredentialFlow ?? (addonId === 'local-auth'),\n        ...(raw?.kind !== undefined ? { kind: raw.kind } : {}),\n        ...(raw?.status !== undefined ? { status: raw.status } : {}),\n        enabled: true,\n      })\n    }\n    return out\n  }\n}\n\nexport default AuthOrchestratorAddon\n"],"mappings":";;;;;;;;;;;;;;;;AAgDA,IAAa,wBAAb,cAA2C,UAAiC;CAC1E,cAAc;EACZ,MAAM,EAAE,CAAC;;CAGX,MAAgB,eAAgD;EAC9D,MAAM,WAAoC;GACxC,eAAe,YAAY,KAAK,eAAe;GAC/C,oBAAoB,YAAY;IAM9B,OAAO,EAAE,SAAS,MAAe;;GAEpC;EACD,KAAK,IAAI,OAAO,KAAK,0CAA0C;EAC/D,OAAO,CAAC;GAAE,YAAY;GAA0B;GAAU,CAAC;;CAG7D,MAAc,gBAAsD;EAClE,MAAM,UAAU,KAAK,cAAc,qBAAmD,gBAAgB,IAAI,EAAE;EAC5G,MAAM,MAA0B,EAAE;EAClC,KAAK,MAAM,CAAC,SAAS,QAAQ,SAAS;GAIpC,IAAI,KAAK,aAAa,IAAI,UAAU,SAAS,GAAG;IAC9C,KAAK,MAAM,QAAQ,IAAI,WACrB,IAAI,KAAK;KACP,SAAS,IAAI,WAAW;KACxB,YAAY,KAAK;KACjB,aAAa,KAAK;KAClB,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,KAAK,MAAM,GAAG,EAAE;KACtD,iBAAiB,KAAK;KACtB,mBAAmB,KAAK;KACxB,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,KAAK,MAAM,GAAG,EAAE;KACtD,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,KAAK,QAAQ,GAAG,EAAE;KAC5D,SAAS;KACV,CAAC;IAEJ;;GAEF,IAAI,KAAK;IACP,SAAS,KAAK,WAAW;IACzB,aAAa,KAAK,eAAe;IACjC,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;IACrD,iBAAiB,KAAK,mBAAmB;IACzC,mBAAmB,KAAK,qBAAsB,YAAY;IAC1D,GAAI,KAAK,SAAS,KAAA,IAAY,EAAE,MAAM,IAAI,MAAM,GAAG,EAAE;IACrD,GAAI,KAAK,WAAW,KAAA,IAAY,EAAE,QAAQ,IAAI,QAAQ,GAAG,EAAE;IAC3D,SAAS;IACV,CAAC;;EAEJ,OAAO"}

package/dist/builtins/local-auth/auth-schema.d.ts

@@ -2,6 +2,20 @@ import { SettingsStoreClient } from '@camstack/types';
 export declare const USERS_COLLECTION = "users";
 export declare const API_KEYS_COLLECTION = "api_keys";
 export declare const SCOPED_TOKENS_COLLECTION = "scoped_tokens";
+/**
+ * TOTP enrollment table — split off from `users` to avoid the
+ * destructive drop-+-recreate migration `ensureTable` performs when a
+ * new column is added to a typed schema (see `sqlite-settings-backend.ts`).
+ *
+ * Lifecycle:
+ *   - Setup: row inserted with `confirmedAt = null` and a fresh secret.
+ *   - Confirm: a valid code from the secret flips `confirmedAt` to now().
+ *   - Disable: the row is deleted (next setup starts fresh).
+ *
+ * "Enabled" means `confirmedAt != null`. A half-enrolled row (`confirmedAt
+ * = null`) is INACTIVE — `verifyTotp` returns false until confirmation.
+ */
+export declare const USER_TOTP_COLLECTION = "user_totp";
 /**
  * Declare every auth collection with the typed schema. Called by
  * `LocalAuthAddon.onInitialize` before constructing the per-collection

package/dist/builtins/local-auth/auth-schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-schema.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/auth-schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAE1D,eAAO,MAAM,gBAAgB,UAAU,CAAA;AACvC,eAAO,MAAM,mBAAmB,aAAa,CAAA;AAC7C,eAAO,MAAM,wBAAwB,kBAAkB,CAAA;AA4CvD;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBjF"}
+{"version":3,"file":"auth-schema.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/auth-schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAE1D,eAAO,MAAM,gBAAgB,UAAU,CAAA;AACvC,eAAO,MAAM,mBAAmB,aAAa,CAAA;AAC7C,eAAO,MAAM,wBAAwB,kBAAkB,CAAA;AACvD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oBAAoB,cAAc,CAAA;AAwD/C;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBjF"}

package/dist/builtins/local-auth/local-auth.addon.d.ts

@@ -9,6 +9,7 @@ export declare class LocalAuthAddon extends BaseAddon<LocalAuthConfig> {
     private userManager;
     private apiKeyManager;
     private scopedTokenManager;
+    private totpManager;
     constructor();
     protected onInitialize(): Promise<ProviderRegistration[]>;
     protected onShutdown(): Promise<void>;

package/dist/builtins/local-auth/local-auth.addon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"local-auth.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/local-auth.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAA2B,oBAAoB,EAAE,MAAM,iBAAiB,CAAA;AACpF,OAAO,EAAE,SAAS,EAAoD,MAAM,iBAAiB,CAAA;AA4B7F,UAAU,eAAe;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,qBAAa,cAAe,SAAQ,SAAS,CAAC,eAAe,CAAC;IAC5D,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,kBAAkB,CAAkC;;cAI5C,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;cAoO/C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAO5C;AAED,eAAe,cAAc,CAAA"}
+{"version":3,"file":"local-auth.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/local-auth.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAA2B,oBAAoB,EAAE,MAAM,iBAAiB,CAAA;AACpF,OAAO,EAAE,SAAS,EAAoD,MAAM,iBAAiB,CAAA;AA6B7F,UAAU,eAAe;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,qBAAa,cAAe,SAAQ,SAAS,CAAC,eAAe,CAAC;IAC5D,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,kBAAkB,CAAkC;IAC5D,OAAO,CAAC,WAAW,CAA2B;;cAI9B,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;cAiQ/C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAO5C;AAED,eAAe,cAAc,CAAA"}