@every-app/sdk 0.1.2 → 0.1.4

package/dist/core/authenticatedFetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAevD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}
+{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAaA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAmBvD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}

package/dist/core/authenticatedFetch.js

@@ -1,7 +1,11 @@
+import { LOCAL_ONLY_TOKEN, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 /**
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken() {
+    if (isLocalOnlyClient()) {
+        return LOCAL_ONLY_TOKEN;
+    }
     const windowWithSession = window;
     const sessionManager = windowWithSession.__embeddedSessionManager;
     if (!sessionManager) {

package/dist/core/localDemoSessionManager.d.ts

@@ -0,0 +1,42 @@
+export interface SessionManagerConfig {
+    appId: string;
+}
+/**
+ * A simplified session manager for local demo mode.
+ *
+ * This manager bypasses all real authentication and returns static demo credentials.
+ * It should only be used in development when LOCAL_DEMO_ONLY_MODE is enabled.
+ *
+ * SECURITY: This class is only instantiated when isLocalDemoModeClient() returns true,
+ * which includes a production safety check.
+ */
+export declare class LocalDemoSessionManager {
+    readonly parentOrigin: string;
+    readonly appId: string;
+    readonly isInIframe: boolean;
+    constructor(config: SessionManagerConfig);
+    /**
+     * Returns the static demo token.
+     * No expiration logic needed since this is just for local development.
+     */
+    getToken(): Promise<string>;
+    /**
+     * Always returns VALID status with the demo token.
+     */
+    getTokenState(): {
+        status: "NO_TOKEN" | "VALID" | "EXPIRED" | "REFRESHING";
+        token: string | null;
+    };
+    /**
+     * Returns static demo user info.
+     */
+    getUser(): {
+        userId: string;
+        email: string;
+    };
+    /**
+     * No-op for demo mode - token never needs refreshing.
+     */
+    requestNewToken(): Promise<string>;
+}
+//# sourceMappingURL=localDemoSessionManager.d.ts.map

package/dist/core/localDemoSessionManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"localDemoSessionManager.d.ts","sourceRoot":"","sources":["../../src/core/localDemoSessionManager.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;;GAQG;AACH,qBAAa,uBAAuB;IAClC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAQ;gBAExB,MAAM,EAAE,oBAAoB;IAcxC;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAIjC;;OAEG;IACH,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAID;;OAEG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IAO5C;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;CAGzC"}

package/dist/core/localDemoSessionManager.js

@@ -0,0 +1,52 @@
+import { LOCAL_DEMO_TOKEN, LOCAL_DEMO_USER_ID, LOCAL_DEMO_EMAIL, } from "../shared/localOnly";
+/**
+ * A simplified session manager for local demo mode.
+ *
+ * This manager bypasses all real authentication and returns static demo credentials.
+ * It should only be used in development when LOCAL_DEMO_ONLY_MODE is enabled.
+ *
+ * SECURITY: This class is only instantiated when isLocalDemoModeClient() returns true,
+ * which includes a production safety check.
+ */
+export class LocalDemoSessionManager {
+    parentOrigin;
+    appId;
+    isInIframe = true;
+    constructor(config) {
+        if (!config.appId) {
+            throw new Error("[LocalDemoSessionManager] appId is required.");
+        }
+        this.appId = config.appId;
+        this.parentOrigin = typeof window !== "undefined" ? window.location.origin : "http://localhost";
+        console.warn("[LocalDemoSessionManager] Running in LOCAL DEMO MODE. " +
+            "Authentication is bypassed. Do not use in production!");
+    }
+    /**
+     * Returns the static demo token.
+     * No expiration logic needed since this is just for local development.
+     */
+    async getToken() {
+        return LOCAL_DEMO_TOKEN;
+    }
+    /**
+     * Always returns VALID status with the demo token.
+     */
+    getTokenState() {
+        return { status: "VALID", token: LOCAL_DEMO_TOKEN };
+    }
+    /**
+     * Returns static demo user info.
+     */
+    getUser() {
+        return {
+            userId: LOCAL_DEMO_USER_ID,
+            email: LOCAL_DEMO_EMAIL,
+        };
+    }
+    /**
+     * No-op for demo mode - token never needs refreshing.
+     */
+    async requestNewToken() {
+        return LOCAL_DEMO_TOKEN;
+    }
+}

package/dist/core/sessionManager.d.ts

@@ -10,6 +10,7 @@ export declare class SessionManager {
     readonly parentOrigin: string;
     readonly appId: string;
     readonly isInIframe: boolean;
+    readonly isDemoModeLocalOnly: boolean;
     private token;
     private refreshPromise;
     constructor(config: SessionManagerConfig);

package/dist/core/sessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAE7B,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAqBxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuDzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IA+DlC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAOjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAwBpD"}
+{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAEtC,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAoCxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAsDlC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA+BpD"}

package/dist/core/sessionManager.js

@@ -1,3 +1,4 @@
+import { LOCAL_ONLY_EMAIL, LOCAL_ONLY_TOKEN, LOCAL_ONLY_USER_ID, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
@@ -19,25 +20,37 @@ export class SessionManager {
     parentOrigin;
     appId;
     isInIframe;
+    isDemoModeLocalOnly;
     token = null;
     refreshPromise = null;
     constructor(config) {
         if (!config.appId) {
             throw new Error("[SessionManager] appId is required.");
         }
+        this.isDemoModeLocalOnly = isLocalOnlyClient();
         const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-        if (!gatewayUrl) {
-            throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
-        }
-        try {
-            new URL(gatewayUrl);
-        }
-        catch {
-            throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+        if (!this.isDemoModeLocalOnly) {
+            if (!gatewayUrl) {
+                throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+            }
+            try {
+                new URL(gatewayUrl);
+            }
+            catch {
+                throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+            }
         }
         this.appId = config.appId;
-        this.parentOrigin = gatewayUrl;
+        this.parentOrigin = this.isDemoModeLocalOnly
+            ? window.location.origin
+            : gatewayUrl;
         this.isInIframe = isRunningInIframe();
+        if (this.isDemoModeLocalOnly) {
+            this.token = {
+                token: LOCAL_ONLY_TOKEN,
+                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+            };
+        }
     }
     isTokenExpiringSoon(bufferMs = TOKEN_EXPIRY_BUFFER_MS) {
         if (!this.token)
@@ -46,7 +59,6 @@ export class SessionManager {
     }
     postMessageWithResponse(request, responseType, requestId) {
         return new Promise((resolve, reject) => {
-            const startTime = Date.now();
             const cleanup = () => {
                 clearTimeout(timeout);
                 window.removeEventListener("message", handler);
@@ -61,11 +73,6 @@ export class SessionManager {
                 if (event.data.type === responseType &&
                     event.data.requestId === requestId) {
                     cleanup();
-                    console.log("[SessionManager] postMessage response received", {
-                        requestId,
-                        responseType,
-                        elapsedMs: Date.now() - startTime,
-                    });
                     if (event.data.error) {
                         reject(new Error(event.data.error));
                     }
@@ -76,38 +83,25 @@ export class SessionManager {
             };
             const timeout = setTimeout(() => {
                 cleanup();
-                console.log("[SessionManager] postMessage response timeout", {
-                    requestId,
-                    responseType,
-                    timeoutMs: MESSAGE_TIMEOUT_MS,
-                });
                 reject(new Error("Token request timeout - parent did not respond"));
             }, MESSAGE_TIMEOUT_MS);
             window.addEventListener("message", handler);
-            console.log("[SessionManager] postMessage request sent", {
-                requestId,
-                requestType: request.type,
-                parentOrigin: this.parentOrigin,
-            });
             window.parent.postMessage(request, this.parentOrigin);
         });
     }
     async requestNewToken() {
+        if (this.isDemoModeLocalOnly) {
+            this.token = {
+                token: LOCAL_ONLY_TOKEN,
+                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+            };
+            return this.token.token;
+        }
         if (this.refreshPromise) {
-            console.log("[SessionManager] Reusing in-flight token request", {
-                appId: this.appId,
-            });
             return this.refreshPromise;
         }
         this.refreshPromise = (async () => {
             const requestId = crypto.randomUUID();
-            const startTime = Date.now();
-            console.log("[SessionManager] Requesting new session token", {
-                requestId,
-                appId: this.appId,
-                parentOrigin: this.parentOrigin,
-                isInIframe: this.isInIframe,
-            });
             const response = await this.postMessageWithResponse({
                 type: "SESSION_TOKEN_REQUEST",
                 requestId,
@@ -128,11 +122,6 @@ export class SessionManager {
                 token: response.token,
                 expiresAt,
             };
-            console.log("[SessionManager] Session token stored", {
-                requestId,
-                elapsedMs: Date.now() - startTime,
-                expiresAt,
-            });
             return this.token.token;
         })();
         try {
@@ -143,6 +132,12 @@ export class SessionManager {
         }
     }
     async getToken() {
+        if (this.isDemoModeLocalOnly) {
+            if (!this.token || this.isTokenExpiringSoon()) {
+                return this.requestNewToken();
+            }
+            return this.token.token;
+        }
         if (this.isTokenExpiringSoon()) {
             return this.requestNewToken();
         }
@@ -165,6 +160,12 @@ export class SessionManager {
      * Returns null if no valid token is available.
      */
     getUser() {
+        if (this.isDemoModeLocalOnly) {
+            return {
+                userId: LOCAL_ONLY_USER_ID,
+                email: LOCAL_ONLY_EMAIL,
+            };
+        }
         if (!this.token) {
             return null;
         }

package/dist/shared/demoModeLocalOnly.d.ts

@@ -0,0 +1,14 @@
+export declare const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export declare const LOCAL_ONLY_USER_ID = "demo-local-user";
+export declare const LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export declare function isLocalOnlyClient(): boolean;
+export declare function isLocalOnlyServer(): boolean;
+export declare function createLocalOnlySessionPayload(audience: string): {
+    sub: string;
+    email: string;
+    iss: string;
+    aud: string;
+    iat: number;
+    exp: number;
+};
+//# sourceMappingURL=demoModeLocalOnly.d.ts.map

package/dist/shared/demoModeLocalOnly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"demoModeLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/demoModeLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,yBAAyB,CAAC;AACvD,eAAO,MAAM,kBAAkB,oBAAoB,CAAC;AACpD,eAAO,MAAM,gBAAgB,0BAA0B,CAAC;AAExD,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED,wBAAgB,iBAAiB,IAAI,OAAO,CAa3C;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAY7D"}

package/dist/shared/demoModeLocalOnly.js

@@ -0,0 +1,30 @@
+export const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export const LOCAL_ONLY_USER_ID = "demo-local-user";
+export const LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export function isLocalOnlyClient() {
+    return import.meta.env.VITE_LOCAL_ONLY === "true";
+}
+export function isLocalOnlyServer() {
+    const metaEnv = import.meta
+        .env;
+    const metaValue = metaEnv?.LOCAL_ONLY ?? metaEnv?.VITE_LOCAL_ONLY;
+    if (metaValue === "true") {
+        return true;
+    }
+    if (typeof process !== "undefined" && process.env?.LOCAL_ONLY === "true") {
+        return true;
+    }
+    return false;
+}
+export function createLocalOnlySessionPayload(audience) {
+    const issuedAt = Math.floor(Date.now() / 1000);
+    const expiresAt = issuedAt + 60 * 60;
+    return {
+        sub: LOCAL_ONLY_USER_ID,
+        email: LOCAL_ONLY_EMAIL,
+        iss: "local",
+        aud: audience,
+        iat: issuedAt,
+        exp: expiresAt,
+    };
+}

package/dist/shared/localOnly.d.ts

@@ -0,0 +1,14 @@
+export declare const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export declare const LOCAL_ONLY_USER_ID = "demo-local-user";
+export declare const LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export declare function isLocalOnlyClient(): boolean;
+export declare function isLocalOnlyServer(): boolean;
+export declare function createLocalOnlySessionPayload(audience: string): {
+    sub: string;
+    email: string;
+    iss: string;
+    aud: string;
+    iat: number;
+    exp: number;
+};
+//# sourceMappingURL=localOnly.d.ts.map

package/dist/shared/localOnly.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"localOnly.d.ts","sourceRoot":"","sources":["../../src/shared/localOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,yBAAyB,CAAC;AACvD,eAAO,MAAM,kBAAkB,oBAAoB,CAAC;AACpD,eAAO,MAAM,gBAAgB,0BAA0B,CAAC;AAExD,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED,wBAAgB,iBAAiB,IAAI,OAAO,CAa3C;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAY7D"}

package/dist/shared/localOnly.js

@@ -0,0 +1,30 @@
+export const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export const LOCAL_ONLY_USER_ID = "demo-local-user";
+export const LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export function isLocalOnlyClient() {
+    return import.meta.env.VITE_LOCAL_ONLY === "true";
+}
+export function isLocalOnlyServer() {
+    const metaEnv = import.meta
+        .env;
+    const metaValue = metaEnv?.LOCAL_ONLY ?? metaEnv?.VITE_LOCAL_ONLY;
+    if (metaValue === "true") {
+        return true;
+    }
+    if (typeof process !== "undefined" && process.env?.LOCAL_ONLY === "true") {
+        return true;
+    }
+    return false;
+}
+export function createLocalOnlySessionPayload(audience) {
+    const issuedAt = Math.floor(Date.now() / 1000);
+    const expiresAt = issuedAt + 60 * 60;
+    return {
+        sub: LOCAL_ONLY_USER_ID,
+        email: LOCAL_ONLY_EMAIL,
+        iss: "local",
+        aud: audience,
+        iat: issuedAt,
+        exp: expiresAt,
+    };
+}

package/dist/tanstack/EmbeddedAppProvider.js

@@ -11,8 +11,8 @@ export function EmbeddedAppProvider({ children, ...config }) {
     useEveryAppRouter({ sessionManager });
     if (!sessionManager)
         return null;
-    // Check if the app is running outside of the Gateway iframe
-    if (!sessionManager.isInIframe) {
+    // Check if the app is running outside of the Gateway iframe (skip in demo mode)
+    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
         return (_jsx(GatewayRequiredError, { gatewayOrigin: sessionManager.parentOrigin, appId: config.appId }));
     }
     const value = {

package/dist/tanstack/_internal/useEveryAppSession.d.ts

@@ -1,4 +1,7 @@
-import { SessionManager, SessionManagerConfig } from "../../core/sessionManager";
+import { SessionManager } from "../../core/sessionManager";
+interface SessionManagerConfig {
+    appId: string;
+}
 interface UseEveryAppSessionParams {
     sessionManagerConfig: SessionManagerConfig;
 }

package/dist/tanstack/_internal/useEveryAppSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EACd,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAEnC,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EAiD1B"}
+{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAE3D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA+C1B"}

package/dist/tanstack/_internal/useEveryAppSession.js

@@ -1,5 +1,5 @@
 import { useEffect, useRef, useState } from "react";
-import { SessionManager, } from "../../core/sessionManager";
+import { SessionManager } from "../../core/sessionManager";
 export function useEveryAppSession({ sessionManagerConfig, }) {
     const sessionManagerRef = useRef(null);
     const [sessionTokenState, setSessionTokenState] = useState({
@@ -13,20 +13,18 @@ export function useEveryAppSession({ sessionManagerConfig, }) {
     useEffect(() => {
         if (!sessionManager)
             return;
-        // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
-        if (!sessionManager.isInIframe)
+        // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
+        if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
             return;
-        console.log("[EmbeddedProvider] Initializing session token flow", {
-            appId: sessionManager.appId,
-            parentOrigin: sessionManager.parentOrigin,
-        });
         const interval = setInterval(() => {
-            const tokenState = sessionManager.getTokenState();
-            console.log("[EmbeddedProvider] Session token state", tokenState);
-            setSessionTokenState(tokenState);
+            setSessionTokenState(sessionManager.getTokenState());
         }, 5000);
-        console.log("[EmbeddedProvider] Requesting initial session token");
-        sessionManager.getToken().catch((err) => {
+        sessionManager
+            .getToken()
+            .then(() => {
+            setSessionTokenState(sessionManager.getTokenState());
+        })
+            .catch((err) => {
             console.error("[EmbeddedProvider] Initial token request failed:", err);
         });
         return () => {

package/dist/tanstack/server/authConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C,wBAAgB,aAAa,IAAI,UAAU,CAK1C"}
+{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAI1C,wBAAgB,aAAa,IAAI,UAAU,CAU1C"}

package/dist/tanstack/server/authConfig.js

@@ -1,7 +1,11 @@
 import { env } from "cloudflare:workers";
+import { isLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 export function getAuthConfig() {
+    const demoModeLocalOnlyEnv = env.LOCAL_ONLY;
+    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isLocalOnlyServer() === true;
+    const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
     return {
-        issuer: env.GATEWAY_URL,
+        issuer,
         audience: import.meta.env.VITE_APP_ID,
     };
 }

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA+BrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA2CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -1,9 +1,12 @@
 import { getRequest } from "@tanstack/react-start/server";
 import { createLocalJWKSet, jwtVerify, } from "jose";
 import { env } from "cloudflare:workers";
+import { LOCAL_ONLY_TOKEN, createLocalOnlySessionPayload, isLocalOnlyServer, } from "../../shared/demoModeLocalOnly";
 export async function authenticateRequest(authConfig, providedRequest) {
     const request = providedRequest || getRequest();
     const authHeader = request.headers.get("authorization");
+    const demoModeLocalOnlyEnv = env.LOCAL_ONLY;
+    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isLocalOnlyServer() === true;
     if (!authHeader) {
         console.log("No auth header found");
         return null;
@@ -12,6 +15,12 @@ export async function authenticateRequest(authConfig, providedRequest) {
     if (!token) {
         return null;
     }
+    if (isDemoModeLocalOnly) {
+        if (token !== LOCAL_ONLY_TOKEN) {
+            return null;
+        }
+        return createLocalOnlySessionPayload(authConfig.audience);
+    }
     try {
         const session = await verifySessionToken(token, authConfig);
         return session;

package/dist/tanstack/useSessionTokenClientMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,+BAA+B,6GA2B1C,CAAC"}
+{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,+BAA+B,6GAmC1C,CAAC"}

package/dist/tanstack/useSessionTokenClientMiddleware.js

@@ -1,7 +1,15 @@
 import { createMiddleware } from "@tanstack/react-start";
+import { LOCAL_ONLY_TOKEN, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 export const useSessionTokenClientMiddleware = createMiddleware({
     type: "function",
 }).client(async ({ next }) => {
+    if (isLocalOnlyClient()) {
+        return next({
+            headers: {
+                Authorization: `Bearer ${LOCAL_ONLY_TOKEN}`,
+            },
+        });
+    }
     // Get the global sessionManager - this MUST be available for embedded apps
     const sessionManager = window
         .__embeddedSessionManager;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/core/authenticatedFetch.ts

@@ -1,3 +1,8 @@
+import {
+  DEMO_MODE_LOCAL_ONLY_TOKEN,
+  isDemoModeLocalOnlyClient,
+} from "../shared/demoModeLocalOnly";
+
 interface SessionManager {
   getToken(): Promise<string>;
 }
@@ -10,6 +15,10 @@ interface WindowWithSessionManager extends Window {
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken(): Promise<string> {
+  if (isDemoModeLocalOnlyClient()) {
+    return DEMO_MODE_LOCAL_ONLY_TOKEN;
+  }
+
   const windowWithSession = window as WindowWithSessionManager;
   const sessionManager = windowWithSession.__embeddedSessionManager;
 

package/src/core/sessionManager.ts

@@ -1,3 +1,10 @@
+import {
+  DEMO_MODE_LOCAL_ONLY_EMAIL,
+  DEMO_MODE_LOCAL_ONLY_TOKEN,
+  DEMO_MODE_LOCAL_ONLY_USER_ID,
+  isDemoModeLocalOnlyClient,
+} from "../shared/demoModeLocalOnly";
+
 interface SessionToken {
   token: string;
   expiresAt: number;
@@ -35,6 +42,7 @@ export class SessionManager {
   readonly parentOrigin: string;
   readonly appId: string;
   readonly isInIframe: boolean;
+  readonly isDemoModeLocalOnly: boolean;
 
   private token: SessionToken | null = null;
   private refreshPromise: Promise<string> | null = null;
@@ -44,20 +52,35 @@ export class SessionManager {
       throw new Error("[SessionManager] appId is required.");
     }
 
+    this.isDemoModeLocalOnly = isDemoModeLocalOnlyClient();
+
     const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-    if (!gatewayUrl) {
-      throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
-    }
+    if (!this.isDemoModeLocalOnly) {
+      if (!gatewayUrl) {
+        throw new Error(
+          "[SessionManager] VITE_GATEWAY_URL env var is required.",
+        );
+      }
 
-    try {
-      new URL(gatewayUrl);
-    } catch {
-      throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+      try {
+        new URL(gatewayUrl);
+      } catch {
+        throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
+      }
     }
 
     this.appId = config.appId;
-    this.parentOrigin = gatewayUrl;
+    this.parentOrigin = this.isDemoModeLocalOnly
+      ? window.location.origin
+      : gatewayUrl;
     this.isInIframe = isRunningInIframe();
+
+    if (this.isDemoModeLocalOnly) {
+      this.token = {
+        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
+        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+      };
+    }
   }
 
   private isTokenExpiringSoon(
@@ -107,6 +130,14 @@ export class SessionManager {
   }
 
   async requestNewToken(): Promise<string> {
+    if (this.isDemoModeLocalOnly) {
+      this.token = {
+        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
+        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
+      };
+      return this.token.token;
+    }
+
     if (this.refreshPromise) {
       return this.refreshPromise;
     }
@@ -153,6 +184,13 @@ export class SessionManager {
   }
 
   async getToken(): Promise<string> {
+    if (this.isDemoModeLocalOnly) {
+      if (!this.token || this.isTokenExpiringSoon()) {
+        return this.requestNewToken();
+      }
+      return this.token.token;
+    }
+
     if (this.isTokenExpiringSoon()) {
       return this.requestNewToken();
     }
@@ -183,6 +221,13 @@ export class SessionManager {
    * Returns null if no valid token is available.
    */
   getUser(): { userId: string; email: string } | null {
+    if (this.isDemoModeLocalOnly) {
+      return {
+        userId: DEMO_MODE_LOCAL_ONLY_USER_ID,
+        email: DEMO_MODE_LOCAL_ONLY_EMAIL,
+      };
+    }
+
     if (!this.token) {
       return null;
     }

package/src/shared/demoModeLocalOnly.ts

@@ -0,0 +1,40 @@
+export const DEMO_MODE_LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export const DEMO_MODE_LOCAL_ONLY_USER_ID = "demo-local-user";
+export const DEMO_MODE_LOCAL_ONLY_EMAIL = "demo-local-user@local";
+
+export function isDemoModeLocalOnlyClient(): boolean {
+  return import.meta.env.VITE_DEMO_MODE_LOCAL_ONLY === "true";
+}
+
+export function isDemoModeLocalOnlyServer(): boolean {
+  const metaEnv = (import.meta as { env?: Record<string, string | undefined> })
+    .env;
+  const metaValue =
+    metaEnv?.DEMO_MODE_LOCAL_ONLY ?? metaEnv?.VITE_DEMO_MODE_LOCAL_ONLY;
+  if (metaValue === "true") {
+    return true;
+  }
+
+  if (
+    typeof process !== "undefined" &&
+    process.env?.DEMO_MODE_LOCAL_ONLY === "true"
+  ) {
+    return true;
+  }
+
+  return false;
+}
+
+export function createDemoModeLocalOnlySessionPayload(audience: string) {
+  const issuedAt = Math.floor(Date.now() / 1000);
+  const expiresAt = issuedAt + 60 * 60;
+
+  return {
+    sub: DEMO_MODE_LOCAL_ONLY_USER_ID,
+    email: DEMO_MODE_LOCAL_ONLY_EMAIL,
+    iss: "local",
+    aud: audience,
+    iat: issuedAt,
+    exp: expiresAt,
+  };
+}

package/src/tanstack/EmbeddedAppProvider.tsx

@@ -27,8 +27,8 @@ export function EmbeddedAppProvider({
 
   if (!sessionManager) return null;
 
-  // Check if the app is running outside of the Gateway iframe
-  if (!sessionManager.isInIframe) {
+  // Check if the app is running outside of the Gateway iframe (skip in demo mode)
+  if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
     return (
       <GatewayRequiredError
         gatewayOrigin={sessionManager.parentOrigin}

package/src/tanstack/_internal/useEveryAppSession.tsx

@@ -28,8 +28,9 @@ export function useEveryAppSession({
 
   useEffect(() => {
     if (!sessionManager) return;
-    // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
-    if (!sessionManager.isInIframe) return;
+    // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
+    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
+      return;
 
     const interval = setInterval(() => {
       setSessionTokenState(sessionManager.getTokenState());

package/src/tanstack/server/authConfig.ts

@@ -1,9 +1,16 @@
 import type { AuthConfig } from "./types";
 import { env } from "cloudflare:workers";
+import { isDemoModeLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 
 export function getAuthConfig(): AuthConfig {
+  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
+    .DEMO_MODE_LOCAL_ONLY;
+  const isDemoModeLocalOnly =
+    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
+  const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
+
   return {
-    issuer: env.GATEWAY_URL,
+    issuer,
     audience: import.meta.env.VITE_APP_ID,
   };
 }

package/src/tanstack/server/authenticateRequest.ts

@@ -8,6 +8,11 @@ import {
 
 import type { AuthConfig } from "./types";
 import { env } from "cloudflare:workers";
+import {
+  DEMO_MODE_LOCAL_ONLY_TOKEN,
+  createDemoModeLocalOnlySessionPayload,
+  isDemoModeLocalOnlyServer,
+} from "../../shared/demoModeLocalOnly";
 
 /**
  * JWT payload structure for embedded app session tokens.
@@ -35,6 +40,11 @@ export async function authenticateRequest(
   const request = providedRequest || getRequest();
   const authHeader = request.headers.get("authorization");
 
+  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
+    .DEMO_MODE_LOCAL_ONLY;
+  const isDemoModeLocalOnly =
+    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
+
   if (!authHeader) {
     console.log("No auth header found");
     return null;
@@ -46,6 +56,14 @@ export async function authenticateRequest(
     return null;
   }
 
+  if (isDemoModeLocalOnly) {
+    if (token !== DEMO_MODE_LOCAL_ONLY_TOKEN) {
+      return null;
+    }
+
+    return createDemoModeLocalOnlySessionPayload(authConfig.audience);
+  }
+
   try {
     const session = await verifySessionToken(token, authConfig);
     return session;

package/src/tanstack/useSessionTokenClientMiddleware.ts

@@ -1,9 +1,21 @@
 import { createMiddleware } from "@tanstack/react-start";
 import type { SessionManager } from "../core/sessionManager";
+import {
+  DEMO_MODE_LOCAL_ONLY_TOKEN,
+  isDemoModeLocalOnlyClient,
+} from "../shared/demoModeLocalOnly";
 
 export const useSessionTokenClientMiddleware = createMiddleware({
   type: "function",
 }).client(async ({ next }) => {
+  if (isDemoModeLocalOnlyClient()) {
+    return next({
+      headers: {
+        Authorization: `Bearer ${DEMO_MODE_LOCAL_ONLY_TOKEN}`,
+      },
+    });
+  }
+
   // Get the global sessionManager - this MUST be available for embedded apps
   const sessionManager = (window as any)
     .__embeddedSessionManager as SessionManager;