@cat-factory/workspaces 0.7.46 → 0.8.0

package/dist/index.d.ts

@@ -2,4 +2,5 @@ export { WorkspaceService, type WorkspaceServiceDependencies, } from './modules/
 export { AccountService, type AccountServiceDependencies, type AccountUser, } from './modules/accounts/AccountService.js';
 export { UserService, type UserServiceDependencies, type IdentityProfile, } from './modules/users/UserService.js';
 export { InvitationService, type InvitationServiceDependencies, type CreatedInvitation, } from './modules/invitations/InvitationService.js';
+export { PasswordResetService, type PasswordResetServiceDependencies, type ResetLogger, } from './modules/auth/PasswordResetService.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,gBAAgB,EAChB,KAAK,4BAA4B,GAClC,MAAM,0CAA0C,CAAA;AACjD,OAAO,EACL,cAAc,EACd,KAAK,0BAA0B,EAC/B,KAAK,WAAW,GACjB,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,WAAW,EACX,KAAK,uBAAuB,EAC5B,KAAK,eAAe,GACrB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EACL,iBAAiB,EACjB,KAAK,6BAA6B,EAClC,KAAK,iBAAiB,GACvB,MAAM,4CAA4C,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,gBAAgB,EAChB,KAAK,4BAA4B,GAClC,MAAM,0CAA0C,CAAA;AACjD,OAAO,EACL,cAAc,EACd,KAAK,0BAA0B,EAC/B,KAAK,WAAW,GACjB,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,WAAW,EACX,KAAK,uBAAuB,EAC5B,KAAK,eAAe,GACrB,MAAM,gCAAgC,CAAA;AACvC,OAAO,EACL,iBAAiB,EACjB,KAAK,6BAA6B,EAClC,KAAK,iBAAiB,GACvB,MAAM,4CAA4C,CAAA;AACnD,OAAO,EACL,oBAAoB,EACpB,KAAK,gCAAgC,EACrC,KAAK,WAAW,GACjB,MAAM,wCAAwC,CAAA"}

package/dist/index.js

@@ -3,4 +3,5 @@ export { WorkspaceService, } from './modules/workspaces/WorkspaceService.js';
 export { AccountService, } from './modules/accounts/AccountService.js';
 export { UserService, } from './modules/users/UserService.js';
 export { InvitationService, } from './modules/invitations/InvitationService.js';
+export { PasswordResetService, } from './modules/auth/PasswordResetService.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAE5C,OAAO,EACL,gBAAgB,GAEjB,MAAM,0CAA0C,CAAA;AACjD,OAAO,EACL,cAAc,GAGf,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,WAAW,GAGZ,MAAM,gCAAgC,CAAA;AACvC,OAAO,EACL,iBAAiB,GAGlB,MAAM,4CAA4C,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAE5C,OAAO,EACL,gBAAgB,GAEjB,MAAM,0CAA0C,CAAA;AACjD,OAAO,EACL,cAAc,GAGf,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,WAAW,GAGZ,MAAM,gCAAgC,CAAA;AACvC,OAAO,EACL,iBAAiB,GAGlB,MAAM,4CAA4C,CAAA;AACnD,OAAO,EACL,oBAAoB,GAGrB,MAAM,wCAAwC,CAAA"}

package/dist/modules/auth/PasswordResetService.d.ts

@@ -0,0 +1,48 @@
+import type { Clock, EmailSender, IdGenerator, PasswordHasher, PasswordResetTokenRepository, UserRepository } from '@cat-factory/kernel';
+/** Minimal structural logger (satisfied by the facade's pino logger) — kept local so
+ * this base-layer package doesn't depend on the server layer. */
+export interface ResetLogger {
+    info(obj: Record<string, unknown>, msg?: string): void;
+}
+export interface PasswordResetServiceDependencies {
+    passwordResetTokenRepository: PasswordResetTokenRepository;
+    userRepository: UserRepository;
+    passwordHasher: PasswordHasher;
+    idGenerator: IdGenerator;
+    clock: Clock;
+    /**
+     * Resolve the deployment's system email sender at send time. Absent / returning null
+     * ⇒ no email is sent; the reset link is logged (dev convenience) instead, never
+     * returned to the caller.
+     */
+    resolveSystemEmailSender?: () => Promise<EmailSender | null>;
+    /** Public base URL the reset link points at (the SPA origin). */
+    appBaseUrl?: string;
+    logger?: ResetLogger;
+}
+export declare class PasswordResetService {
+    private readonly deps;
+    constructor(deps: PasswordResetServiceDependencies);
+    /**
+     * Request a password reset for `email`. No-op (silent) when no password identity owns
+     * the email — the caller must respond identically regardless so the endpoint can't be
+     * used to enumerate registered emails. Mints a single-use token (superseding any prior
+     * pending ones) and emails the reset link; when no sender is configured the link is
+     * logged for local/dev testing rather than returned.
+     */
+    request(email: string): Promise<void>;
+    /**
+     * Redeem a reset token and set the user's new password. Throws on a missing / already-
+     * used / expired token (the controller maps these to a generic 400). On success the
+     * password identity's secret is replaced, the token is consumed, and every other
+     * pending token for the user is superseded.
+     *
+     * NOTE: sessions are stateless (signed, self-expiring tokens with no server-side
+     * store), so a reset does NOT retroactively revoke a session already issued to this
+     * user — any live session stays valid until its own TTL lapses. Revoking on reset would
+     * require a per-user session epoch checked on every request, i.e. trading away the
+     * stateless model; that is a separate, deliberate decision, not handled here.
+     */
+    reset(token: string, newPassword: string): Promise<void>;
+}
+//# sourceMappingURL=PasswordResetService.d.ts.map

package/dist/modules/auth/PasswordResetService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PasswordResetService.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/PasswordResetService.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,KAAK,EACL,WAAW,EACX,WAAW,EACX,cAAc,EAEd,4BAA4B,EAC5B,cAAc,EACf,MAAM,qBAAqB,CAAA;AAiB5B;iEACiE;AACjE,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACvD;AAED,MAAM,WAAW,gCAAgC;IAC/C,4BAA4B,EAAE,4BAA4B,CAAA;IAC1D,cAAc,EAAE,cAAc,CAAA;IAC9B,cAAc,EAAE,cAAc,CAAA;IAC9B,WAAW,EAAE,WAAW,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;IACZ;;;;OAIG;IACH,wBAAwB,CAAC,EAAE,MAAM,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IAC5D,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB;AAQD,qBAAa,oBAAoB;IACnB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAAjC,YAA6B,IAAI,EAAE,gCAAgC,EAAI;IAEvE;;;;;;OAMG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+D1C;IAED;;;;;;;;;;;OAWG;IACG,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAwC7D;CACF"}

package/dist/modules/auth/PasswordResetService.js

@@ -0,0 +1,147 @@
+import { ConflictError, NotFoundError, ValidationError } from '@cat-factory/kernel';
+// ---------------------------------------------------------------------------
+// PasswordResetService: the "forgot my password" flow for password-based logins.
+// A user requests a reset by email; an opaque token (delivered by email) is redeemed
+// to set a new password. Only the token's SHA-256 hash is stored — the raw token lives
+// only in the emailed link. Mirrors InvitationService (token minting + hash storage +
+// EmailSender delivery), and reuses the PasswordHasher exactly as UserService does.
+//
+// Security: the request path never reveals whether an email is registered (it returns
+// the same way for a hit and a miss — the controller always responds generically), the
+// raw token is never returned over HTTP, tokens are single-use + short-lived, and a
+// successful reset (or a fresh request) supersedes every other pending token.
+// ---------------------------------------------------------------------------
+const RESET_TTL_MS = 60 * 60 * 1000;
+/** SHA-256 hex digest — Web Crypto, runs on both runtimes. */
+async function sha256Hex(input) {
+    const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(input));
+    return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, '0')).join('');
+}
+export class PasswordResetService {
+    deps;
+    constructor(deps) {
+        this.deps = deps;
+    }
+    /**
+     * Request a password reset for `email`. No-op (silent) when no password identity owns
+     * the email — the caller must respond identically regardless so the endpoint can't be
+     * used to enumerate registered emails. Mints a single-use token (superseding any prior
+     * pending ones) and emails the reset link; when no sender is configured the link is
+     * logged for local/dev testing rather than returned.
+     */
+    async request(email) {
+        const normalizedEmail = email.toLowerCase().trim();
+        if (!normalizedEmail)
+            return;
+        // Only password-based logins can reset a password (OAuth-only users have no secret).
+        const identity = await this.deps.userRepository.getIdentity('password', normalizedEmail);
+        if (!identity?.secret)
+            return;
+        // Supersede any still-pending token so only the freshly-minted one stays live.
+        const pending = await this.deps.passwordResetTokenRepository.listPendingByUser(identity.userId);
+        for (const prior of pending) {
+            await this.deps.passwordResetTokenRepository.setStatus(prior.id, 'used');
+        }
+        const token = `${crypto.randomUUID()}${crypto.randomUUID()}`.replace(/-/g, '');
+        const record = {
+            id: this.deps.idGenerator.next('prt'),
+            userId: identity.userId,
+            tokenHash: await sha256Hex(token),
+            status: 'pending',
+            expiresAt: this.deps.clock.now() + RESET_TTL_MS,
+            createdAt: this.deps.clock.now(),
+        };
+        await this.deps.passwordResetTokenRepository.create(record);
+        const resetUrl = this.deps.appBaseUrl
+            ? `${this.deps.appBaseUrl.replace(/\/$/, '')}/reset-password?token=${token}`
+            : null;
+        const sender = this.deps.resolveSystemEmailSender
+            ? await this.deps.resolveSystemEmailSender()
+            : null;
+        if (sender && resetUrl) {
+            // Best-effort: a provider/transport failure must NOT propagate. The controller
+            // answers identically (204) for a registered and an unregistered email so the
+            // endpoint can't enumerate accounts — letting a send error bubble to a 500 would
+            // turn a flaky provider into exactly that registration oracle. Log and move on.
+            try {
+                await sender.send({
+                    to: normalizedEmail,
+                    subject: 'Reset your Cat Factory password',
+                    text: `Reset your password using this link (valid for 1 hour): ${resetUrl}`,
+                    html: resetEmailHtml(resetUrl),
+                });
+            }
+            catch (err) {
+                this.deps.logger?.info({ userId: identity.userId, err: String(err) }, 'Password reset email failed to send');
+            }
+        }
+        else if (resetUrl) {
+            // No system sender configured: surface the link in the logs so local/dev can test.
+            // It is NEVER returned to the unauthenticated caller.
+            this.deps.logger?.info({ resetUrl, userId: identity.userId }, 'Password reset requested but no email sender configured; link logged for dev');
+        }
+        else {
+            // A token was minted but there is no app base URL to build a link from, so the user
+            // can never receive it. Flag the misconfiguration rather than failing silently.
+            this.deps.logger?.info({ userId: identity.userId }, 'Password reset requested but appBaseUrl is not configured; no reset link could be built');
+        }
+    }
+    /**
+     * Redeem a reset token and set the user's new password. Throws on a missing / already-
+     * used / expired token (the controller maps these to a generic 400). On success the
+     * password identity's secret is replaced, the token is consumed, and every other
+     * pending token for the user is superseded.
+     *
+     * NOTE: sessions are stateless (signed, self-expiring tokens with no server-side
+     * store), so a reset does NOT retroactively revoke a session already issued to this
+     * user — any live session stays valid until its own TTL lapses. Revoking on reset would
+     * require a per-user session epoch checked on every request, i.e. trading away the
+     * stateless model; that is a separate, deliberate decision, not handled here.
+     */
+    async reset(token, newPassword) {
+        if (newPassword.length < 8) {
+            throw new ValidationError('Password must be at least 8 characters');
+        }
+        const record = await this.deps.passwordResetTokenRepository.findByTokenHash(await sha256Hex(token));
+        if (!record || record.status !== 'pending') {
+            throw new NotFoundError('PasswordResetToken', 'token');
+        }
+        if (record.expiresAt < this.deps.clock.now()) {
+            throw new ConflictError('This password reset link has expired');
+        }
+        // Resolve the password identity straight from the token's user — not by round-tripping
+        // through `users.email` — so the lookup can't drift from how the identity subject was
+        // stored. A user with no password identity (e.g. OAuth-only) has nothing to reset.
+        const identity = (await this.deps.userRepository.listIdentities(record.userId)).find((i) => i.provider === 'password');
+        if (!identity)
+            throw new NotFoundError('PasswordResetToken', 'token');
+        // Atomically consume the token BEFORE touching the password: only the call that flips
+        // `pending` → `used` proceeds, so two concurrent redemptions can't both reset.
+        if (!(await this.deps.passwordResetTokenRepository.consume(record.id))) {
+            throw new NotFoundError('PasswordResetToken', 'token');
+        }
+        // Replace the secret in place (idempotent on `(provider, subject)`, exactly like the
+        // rehash-on-login path in UserService).
+        await this.deps.userRepository.linkIdentity({
+            ...identity,
+            secret: await this.deps.passwordHasher.hash(newPassword),
+        });
+        // Invalidate any other live tokens for this user — the password is now changed.
+        const pending = await this.deps.passwordResetTokenRepository.listPendingByUser(record.userId);
+        for (const other of pending) {
+            if (other.id !== record.id) {
+                await this.deps.passwordResetTokenRepository.setStatus(other.id, 'used');
+            }
+        }
+    }
+}
+function resetEmailHtml(resetUrl) {
+    return `<!doctype html><html><body style="font-family:sans-serif">
+<h2>Reset your password</h2>
+<p>We received a request to reset your Cat Factory password. This link is valid for 1 hour.</p>
+<p><a href="${resetUrl}" style="display:inline-block;padding:10px 18px;background:#111;color:#fff;border-radius:6px;text-decoration:none">Reset password</a></p>
+<p>Or paste this link into your browser:<br>${resetUrl}</p>
+<p>If you didn't request this, you can safely ignore this email.</p>
+</body></html>`;
+}
+//# sourceMappingURL=PasswordResetService.js.map

package/dist/modules/auth/PasswordResetService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PasswordResetService.js","sourceRoot":"","sources":["../../../src/modules/auth/PasswordResetService.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAA;AAWnF,8EAA8E;AAC9E,iFAAiF;AACjF,qFAAqF;AACrF,uFAAuF;AACvF,sFAAsF;AACtF,oFAAoF;AACpF,EAAE;AACF,sFAAsF;AACtF,uFAAuF;AACvF,oFAAoF;AACpF,8EAA8E;AAC9E,8EAA8E;AAE9E,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAyBnC,8DAA8D;AAC9D,KAAK,UAAU,SAAS,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AACzF,CAAC;AAED,MAAM,OAAO,oBAAoB;IACF,IAAI;IAAjC,YAA6B,IAAsC;oBAAtC,IAAI;IAAqC,CAAC;IAEvE;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;QAClD,IAAI,CAAC,eAAe;YAAE,OAAM;QAC5B,qFAAqF;QACrF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,UAAU,EAAE,eAAe,CAAC,CAAA;QACxF,IAAI,CAAC,QAAQ,EAAE,MAAM;YAAE,OAAM;QAE7B,+EAA+E;QAC/E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC/F,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;QAC1E,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QAC9E,MAAM,MAAM,GAA6B;YACvC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;YACrC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,SAAS,EAAE,MAAM,SAAS,CAAC,KAAK,CAAC;YACjC,MAAM,EAAE,SAAS;YACjB,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,YAAY;YAC/C,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE;SACjC,CAAA;QACD,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAE3D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU;YACnC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,yBAAyB,KAAK,EAAE;YAC5E,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,wBAAwB;YAC/C,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,wBAAwB,EAAE;YAC5C,CAAC,CAAC,IAAI,CAAA;QACR,IAAI,MAAM,IAAI,QAAQ,EAAE,CAAC;YACvB,+EAA+E;YAC/E,8EAA8E;YAC9E,iFAAiF;YACjF,gFAAgF;YAChF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,CAAC;oBAChB,EAAE,EAAE,eAAe;oBACnB,OAAO,EAAE,iCAAiC;oBAC1C,IAAI,EAAE,2DAA2D,QAAQ,EAAE;oBAC3E,IAAI,EAAE,cAAc,CAAC,QAAQ,CAAC;iBAC/B,CAAC,CAAA;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CACpB,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EAC7C,qCAAqC,CACtC,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,mFAAmF;YACnF,sDAAsD;YACtD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CACpB,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,EACrC,8EAA8E,CAC/E,CAAA;QACH,CAAC;aAAM,CAAC;YACN,oFAAoF;YACpF,gFAAgF;YAChF,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CACpB,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,EAC3B,yFAAyF,CAC1F,CAAA;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,WAAmB;QAC5C,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,eAAe,CAAC,wCAAwC,CAAC,CAAA;QACrE,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,eAAe,CACzE,MAAM,SAAS,CAAC,KAAK,CAAC,CACvB,CAAA;QACD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,IAAI,aAAa,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,CAAC;YAC7C,MAAM,IAAI,aAAa,CAAC,sCAAsC,CAAC,CAAA;QACjE,CAAC;QACD,uFAAuF;QACvF,sFAAsF;QACtF,mFAAmF;QACnF,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAClF,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CACjC,CAAA;QACD,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,aAAa,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;QAErE,sFAAsF;QACtF,+EAA+E;QAC/E,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,aAAa,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAA;QACxD,CAAC;QAED,qFAAqF;QACrF,wCAAwC;QACxC,MAAM,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,YAAY,CAAC;YAC1C,GAAG,QAAQ;YACX,MAAM,EAAE,MAAM,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC;SACzD,CAAC,CAAA;QACF,gFAAgF;QAChF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAC7F,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,KAAK,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;gBAC3B,MAAM,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,OAAO;;;cAGK,QAAQ;8CACwB,QAAQ;;eAEvC,CAAA;AACf,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cat-factory/workspaces",
-  "version": "0.7.46",
+  "version": "0.8.0",
   "description": "Tenancy base services (workspaces and accounts) for the Agent Architecture Board.",
   "repository": {
     "type": "git",
@@ -24,14 +24,17 @@
     "access": "public"
   },
   "dependencies": {
-    "@cat-factory/contracts": "0.36.0",
-    "@cat-factory/kernel": "0.38.1"
+    "@cat-factory/contracts": "0.37.0",
+    "@cat-factory/kernel": "0.39.0"
   },
   "devDependencies": {
-    "typescript": "7.0.1-rc"
+    "typescript": "7.0.1-rc",
+    "vitest": "^4.1.9"
   },
   "scripts": {
     "build": "tsc -b tsconfig.build.json",
-    "typecheck": "tsc -p tsconfig.json --noEmit"
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:run": "vitest run"
   }
 }