@ezcoder.dev/sdk 1.1.0 → 1.2.0

package/dist/cron/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/cron/registerJob.ts"],"sourcesContent":["import { supabase } from '../core/supabase';\r\nimport { env } from '../core/config';\r\n\r\ninterface RegisterJobOptions {\r\n  httpMethod?: string;\r\n  headers?: Record<string, string>;\r\n  body?: Record<string, unknown>;\r\n  timezone?: string;\r\n  timeoutSeconds?: number;\r\n}\r\n\r\ninterface RegisterJobResult {\r\n  success: boolean;\r\n  job?: Record<string, unknown>;\r\n  error?: string;\r\n}\r\n\r\nexport async function registerCronJob(\r\n  name: string,\r\n  cronExpression: string,\r\n  endpointUrl: string,\r\n  options: RegisterJobOptions = {},\r\n): Promise<RegisterJobResult> {\r\n  const apiUrl = env.EZCODER_API_URL;\r\n  const projectId = env.EZC_PROJECT_ID;\r\n\r\n  if (!apiUrl || !projectId) {\r\n    return { success: false, error: 'EZCODER_API_URL and EZC_PROJECT_ID are required' };\r\n  }\r\n\r\n  const session = await supabase.auth.getSession();\r\n  const token = session.data.session?.access_token;\r\n\r\n  if (!token) {\r\n    return { success: false, error: 'Authentication required' };\r\n  }\r\n\r\n  try {\r\n    const res = await fetch(`${apiUrl}/api/project-cron/register`, {\r\n      method: 'POST',\r\n      headers: {\r\n        'Content-Type': 'application/json',\r\n        Authorization: `Bearer ${token}`,\r\n      },\r\n      body: JSON.stringify({\r\n        projectId,\r\n        name,\r\n        cronExpression,\r\n        endpointUrl,\r\n        httpMethod: options.httpMethod || 'POST',\r\n        headers: options.headers,\r\n        body: options.body,\r\n        timezone: options.timezone,\r\n        timeoutSeconds: options.timeoutSeconds,\r\n      }),\r\n    });\r\n\r\n    const data = await res.json();\r\n\r\n    if (!res.ok) {\r\n      return { success: false, error: data.error || `HTTP ${res.status}` };\r\n    }\r\n\r\n    return { success: true, job: data.job };\r\n  } catch (err) {\r\n    return { success: false, error: err instanceof Error ? err.message : 'Network error' };\r\n  }\r\n}\r\n"],"mappings":";;;;;;AAiBA,eAAsB,gBACpB,MACA,gBACA,aACA,UAA8B,CAAC,GACH;AAC5B,QAAM,SAAS,IAAI;AACnB,QAAM,YAAY,IAAI;AAEtB,MAAI,CAAC,UAAU,CAAC,WAAW;AACzB,WAAO,EAAE,SAAS,OAAO,OAAO,kDAAkD;AAAA,EACpF;AAEA,QAAM,UAAU,MAAM,SAAS,KAAK,WAAW;AAC/C,QAAM,QAAQ,QAAQ,KAAK,SAAS;AAEpC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,OAAO,OAAO,0BAA0B;AAAA,EAC5D;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,8BAA8B;AAAA,MAC7D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK;AAAA,MAChC;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,YAAY,QAAQ,cAAc;AAAA,QAClC,SAAS,QAAQ;AAAA,QACjB,MAAM,QAAQ;AAAA,QACd,UAAU,QAAQ;AAAA,QAClB,gBAAgB,QAAQ;AAAA,MAC1B,CAAC;AAAA,IACH,CAAC;AAED,UAAM,OAAO,MAAM,IAAI,KAAK;AAE5B,QAAI,CAAC,IAAI,IAAI;AACX,aAAO,EAAE,SAAS,OAAO,OAAO,KAAK,SAAS,QAAQ,IAAI,MAAM,GAAG;AAAA,IACrE;AAEA,WAAO,EAAE,SAAS,MAAM,KAAK,KAAK,IAAI;AAAA,EACxC,SAAS,KAAK;AACZ,WAAO,EAAE,SAAS,OAAO,OAAO,eAAe,QAAQ,IAAI,UAAU,gBAAgB;AAAA,EACvF;AACF;","names":[]}
+{"version":3,"sources":["../../src/cron/registerJob.ts"],"sourcesContent":["/**\r\n * SDK registerCronJob (B1).\r\n *\r\n * Routes to /api/project-cron/register using the SERVER-class project token.\r\n *\r\n * BEFORE B1, this function read the Supabase auth session and sent the\r\n * resulting JWT as `Authorization: Bearer`. The server endpoint expected\r\n * a NextAuth session — they never matched, so every register returned 401.\r\n *\r\n * AFTER B1:\r\n *   - Reads EZC_PROJECT_TOKEN_SERVER from server-side env.\r\n *   - Sends via `X-EzCoder-Server-Token` header.\r\n *   - Refuses to run from browser bundles with a clear, actionable error.\r\n *   - The server endpoint now uses verifyProjectServerToken (project-scoped\r\n *     auth) instead of NextAuth getServerSession (user-scoped auth).\r\n */\r\n\r\nimport { env } from '../core/config';\r\nimport { resolveServerToken } from '../core/projectToken';\r\n\r\ninterface RegisterJobOptions {\r\n  httpMethod?: string;\r\n  headers?: Record<string, string>;\r\n  body?: Record<string, unknown>;\r\n  timezone?: string;\r\n  timeoutSeconds?: number;\r\n}\r\n\r\ninterface RegisterJobResult {\r\n  success: boolean;\r\n  job?: Record<string, unknown>;\r\n  error?: string;\r\n  code?: string;\r\n}\r\n\r\nexport async function registerCronJob(\r\n  name: string,\r\n  cronExpression: string,\r\n  endpointUrl: string,\r\n  options: RegisterJobOptions = {},\r\n): Promise<RegisterJobResult> {\r\n  const apiUrl = env.EZCODER_API_URL;\r\n  const projectId = env.EZC_PROJECT_ID;\r\n\r\n  if (!apiUrl || !projectId) {\r\n    return {\r\n      success: false,\r\n      error: 'EZCODER_API_URL and EZC_PROJECT_ID are required',\r\n      code: 'sdk_misconfigured',\r\n    };\r\n  }\r\n\r\n  const tokenResolution = resolveServerToken();\r\n  if (!tokenResolution.ok) {\r\n    return { success: false, error: tokenResolution.reason, code: 'no_server_token' };\r\n  }\r\n\r\n  try {\r\n    const res = await fetch(`${apiUrl}/api/project-cron/register`, {\r\n      method: 'POST',\r\n      headers: {\r\n        'Content-Type': 'application/json',\r\n        'X-EzCoder-Server-Token': tokenResolution.token,\r\n      },\r\n      body: JSON.stringify({\r\n        projectId,\r\n        name,\r\n        cronExpression,\r\n        endpointUrl,\r\n        httpMethod: options.httpMethod || 'POST',\r\n        headers: options.headers,\r\n        body: options.body,\r\n        timezone: options.timezone,\r\n        timeoutSeconds: options.timeoutSeconds,\r\n      }),\r\n    });\r\n\r\n    const raw: unknown = await res.json().catch(() => ({}));\r\n    const data = (raw && typeof raw === 'object' ? raw : {}) as {\r\n      job?: Record<string, unknown>;\r\n      error?: string;\r\n      code?: string;\r\n    };\r\n\r\n    if (!res.ok) {\r\n      return {\r\n        success: false,\r\n        error: data.error ?? `HTTP ${res.status}`,\r\n        code: data.code,\r\n      };\r\n    }\r\n\r\n    return { success: true, job: data.job };\r\n  } catch (err: unknown) {\r\n    return {\r\n      success: false,\r\n      error: err instanceof Error ? err.message : 'Network error',\r\n      code: 'network_error',\r\n    };\r\n  }\r\n}\r\n"],"mappings":";;;;;;;;AAmCA,eAAsB,gBACpB,MACA,gBACA,aACA,UAA8B,CAAC,GACH;AAC5B,QAAM,SAAS,IAAI;AACnB,QAAM,YAAY,IAAI;AAEtB,MAAI,CAAC,UAAU,CAAC,WAAW;AACzB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO;AAAA,MACP,MAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,kBAAkB,mBAAmB;AAC3C,MAAI,CAAC,gBAAgB,IAAI;AACvB,WAAO,EAAE,SAAS,OAAO,OAAO,gBAAgB,QAAQ,MAAM,kBAAkB;AAAA,EAClF;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,8BAA8B;AAAA,MAC7D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,0BAA0B,gBAAgB;AAAA,MAC5C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,YAAY,QAAQ,cAAc;AAAA,QAClC,SAAS,QAAQ;AAAA,QACjB,MAAM,QAAQ;AAAA,QACd,UAAU,QAAQ;AAAA,QAClB,gBAAgB,QAAQ;AAAA,MAC1B,CAAC;AAAA,IACH,CAAC;AAED,UAAM,MAAe,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,UAAM,OAAQ,OAAO,OAAO,QAAQ,WAAW,MAAM,CAAC;AAMtD,QAAI,CAAC,IAAI,IAAI;AACX,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,SAAS,QAAQ,IAAI,MAAM;AAAA,QACvC,MAAM,KAAK;AAAA,MACb;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,MAAM,KAAK,KAAK,IAAI;AAAA,EACxC,SAAS,KAAc;AACrB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,MAC5C,MAAM;AAAA,IACR;AAAA,EACF;AACF;","names":[]}

package/dist/database/index.js

@@ -11,9 +11,10 @@ import {
   useDatabaseOptional,
   useIsDatabaseConfigured,
   useRealtime
-} from "../chunk-7VGYFCQC.js";
-import "../chunk-GPF4AYNG.js";
-import "../chunk-2WG4O4J2.js";
+} from "../chunk-R4MDAYFO.js";
+import "../chunk-HJ2EIZ4S.js";
+import "../chunk-I2YGB7Z6.js";
+import "../chunk-LIUE7M7K.js";
 export {
   ConnectionError,
   DatabaseClient,

package/dist/email/index.d.ts

@@ -1,10 +1,28 @@
+/**
+ * SDK sendEmail (B1).
+ *
+ * Routes to /api/project-email/send using the SERVER-class project token.
+ *
+ * BEFORE B1, this function read the Supabase auth session and sent the
+ * resulting JWT as `Authorization: Bearer`. The server endpoint expected
+ * the project token (ezc_) — they never matched, so every send returned 401.
+ *
+ * AFTER B1:
+ *   - Reads EZC_PROJECT_TOKEN_SERVER from server-side env.
+ *   - Sends via `X-EzCoder-Server-Token` header.
+ *   - Refuses to run from browser bundles with a clear, actionable error.
+ *   - Falls back to the legacy single-class token through Phase 1, with a
+ *     one-shot deprecation warning.
+ */
 interface SendEmailOptions {
     from?: string;
+    text?: string;
 }
 interface SendEmailResult {
     success: boolean;
     id?: string;
     error?: string;
+    code?: string;
 }
 declare function sendEmail(to: string, subject: string, html: string, options?: SendEmailOptions): Promise<SendEmailResult>;
 

package/dist/email/index.js

@@ -1,42 +1,57 @@
 import {
-  env,
-  supabase
-} from "../chunk-2WG4O4J2.js";
+  resolveServerToken
+} from "../chunk-CQKYANAW.js";
+import {
+  env
+} from "../chunk-LIUE7M7K.js";
 
 // src/email/sendEmail.ts
 async function sendEmail(to, subject, html, options = {}) {
   const apiUrl = env.EZCODER_API_URL;
   const projectId = env.EZC_PROJECT_ID;
   if (!apiUrl || !projectId) {
-    return { success: false, error: "EZCODER_API_URL and EZC_PROJECT_ID are required" };
+    return {
+      success: false,
+      error: "EZCODER_API_URL and EZC_PROJECT_ID are required",
+      code: "sdk_misconfigured"
+    };
   }
-  const session = await supabase.auth.getSession();
-  const token = session.data.session?.access_token;
-  if (!token) {
-    return { success: false, error: "Authentication required" };
+  const tokenResolution = resolveServerToken();
+  if (!tokenResolution.ok) {
+    return { success: false, error: tokenResolution.reason, code: "no_server_token" };
   }
   try {
     const res = await fetch(`${apiUrl}/api/project-email/send`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        Authorization: `Bearer ${token}`
+        "X-EzCoder-Server-Token": tokenResolution.token
       },
       body: JSON.stringify({
         projectId,
         to,
         subject,
         html,
+        text: options.text,
         from: options.from
       })
     });
-    const data = await res.json();
+    const raw = await res.json().catch(() => ({}));
+    const data = raw && typeof raw === "object" ? raw : {};
     if (!res.ok) {
-      return { success: false, error: data.error || `HTTP ${res.status}` };
+      return {
+        success: false,
+        error: data.error ?? `HTTP ${res.status}`,
+        code: data.code
+      };
     }
     return { success: true, id: data.id };
   } catch (err) {
-    return { success: false, error: err instanceof Error ? err.message : "Network error" };
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : "Network error",
+      code: "network_error"
+    };
   }
 }
 export {

package/dist/email/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/email/sendEmail.ts"],"sourcesContent":["import { supabase } from '../core/supabase';\r\nimport { env } from '../core/config';\r\n\r\ninterface SendEmailOptions {\r\n  from?: string;\r\n}\r\n\r\ninterface SendEmailResult {\r\n  success: boolean;\r\n  id?: string;\r\n  error?: string;\r\n}\r\n\r\nexport async function sendEmail(\r\n  to: string,\r\n  subject: string,\r\n  html: string,\r\n  options: SendEmailOptions = {},\r\n): Promise<SendEmailResult> {\r\n  const apiUrl = env.EZCODER_API_URL;\r\n  const projectId = env.EZC_PROJECT_ID;\r\n\r\n  if (!apiUrl || !projectId) {\r\n    return { success: false, error: 'EZCODER_API_URL and EZC_PROJECT_ID are required' };\r\n  }\r\n\r\n  const session = await supabase.auth.getSession();\r\n  const token = session.data.session?.access_token;\r\n\r\n  if (!token) {\r\n    return { success: false, error: 'Authentication required' };\r\n  }\r\n\r\n  try {\r\n    const res = await fetch(`${apiUrl}/api/project-email/send`, {\r\n      method: 'POST',\r\n      headers: {\r\n        'Content-Type': 'application/json',\r\n        Authorization: `Bearer ${token}`,\r\n      },\r\n      body: JSON.stringify({\r\n        projectId,\r\n        to,\r\n        subject,\r\n        html,\r\n        from: options.from,\r\n      }),\r\n    });\r\n\r\n    const data = await res.json();\r\n\r\n    if (!res.ok) {\r\n      return { success: false, error: data.error || `HTTP ${res.status}` };\r\n    }\r\n\r\n    return { success: true, id: data.id };\r\n  } catch (err) {\r\n    return { success: false, error: err instanceof Error ? err.message : 'Network error' };\r\n  }\r\n}\r\n"],"mappings":";;;;;;AAaA,eAAsB,UACpB,IACA,SACA,MACA,UAA4B,CAAC,GACH;AAC1B,QAAM,SAAS,IAAI;AACnB,QAAM,YAAY,IAAI;AAEtB,MAAI,CAAC,UAAU,CAAC,WAAW;AACzB,WAAO,EAAE,SAAS,OAAO,OAAO,kDAAkD;AAAA,EACpF;AAEA,QAAM,UAAU,MAAM,SAAS,KAAK,WAAW;AAC/C,QAAM,QAAQ,QAAQ,KAAK,SAAS;AAEpC,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,SAAS,OAAO,OAAO,0BAA0B;AAAA,EAC5D;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,eAAe,UAAU,KAAK;AAAA,MAChC;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM,QAAQ;AAAA,MAChB,CAAC;AAAA,IACH,CAAC;AAED,UAAM,OAAO,MAAM,IAAI,KAAK;AAE5B,QAAI,CAAC,IAAI,IAAI;AACX,aAAO,EAAE,SAAS,OAAO,OAAO,KAAK,SAAS,QAAQ,IAAI,MAAM,GAAG;AAAA,IACrE;AAEA,WAAO,EAAE,SAAS,MAAM,IAAI,KAAK,GAAG;AAAA,EACtC,SAAS,KAAK;AACZ,WAAO,EAAE,SAAS,OAAO,OAAO,eAAe,QAAQ,IAAI,UAAU,gBAAgB;AAAA,EACvF;AACF;","names":[]}
+{"version":3,"sources":["../../src/email/sendEmail.ts"],"sourcesContent":["/**\r\n * SDK sendEmail (B1).\r\n *\r\n * Routes to /api/project-email/send using the SERVER-class project token.\r\n *\r\n * BEFORE B1, this function read the Supabase auth session and sent the\r\n * resulting JWT as `Authorization: Bearer`. The server endpoint expected\r\n * the project token (ezc_) — they never matched, so every send returned 401.\r\n *\r\n * AFTER B1:\r\n *   - Reads EZC_PROJECT_TOKEN_SERVER from server-side env.\r\n *   - Sends via `X-EzCoder-Server-Token` header.\r\n *   - Refuses to run from browser bundles with a clear, actionable error.\r\n *   - Falls back to the legacy single-class token through Phase 1, with a\r\n *     one-shot deprecation warning.\r\n */\r\n\r\nimport { env } from '../core/config';\r\nimport { resolveServerToken } from '../core/projectToken';\r\n\r\ninterface SendEmailOptions {\r\n  from?: string;\r\n  text?: string;\r\n}\r\n\r\ninterface SendEmailResult {\r\n  success: boolean;\r\n  id?: string;\r\n  error?: string;\r\n  code?: string;\r\n}\r\n\r\nexport async function sendEmail(\r\n  to: string,\r\n  subject: string,\r\n  html: string,\r\n  options: SendEmailOptions = {},\r\n): Promise<SendEmailResult> {\r\n  const apiUrl = env.EZCODER_API_URL;\r\n  const projectId = env.EZC_PROJECT_ID;\r\n\r\n  if (!apiUrl || !projectId) {\r\n    return {\r\n      success: false,\r\n      error: 'EZCODER_API_URL and EZC_PROJECT_ID are required',\r\n      code: 'sdk_misconfigured',\r\n    };\r\n  }\r\n\r\n  const tokenResolution = resolveServerToken();\r\n  if (!tokenResolution.ok) {\r\n    return { success: false, error: tokenResolution.reason, code: 'no_server_token' };\r\n  }\r\n\r\n  try {\r\n    const res = await fetch(`${apiUrl}/api/project-email/send`, {\r\n      method: 'POST',\r\n      headers: {\r\n        'Content-Type': 'application/json',\r\n        'X-EzCoder-Server-Token': tokenResolution.token,\r\n      },\r\n      body: JSON.stringify({\r\n        projectId,\r\n        to,\r\n        subject,\r\n        html,\r\n        text: options.text,\r\n        from: options.from,\r\n      }),\r\n    });\r\n\r\n    const raw: unknown = await res.json().catch(() => ({}));\r\n    const data = (raw && typeof raw === 'object' ? raw : {}) as {\r\n      id?: string;\r\n      error?: string;\r\n      code?: string;\r\n    };\r\n\r\n    if (!res.ok) {\r\n      return {\r\n        success: false,\r\n        error: data.error ?? `HTTP ${res.status}`,\r\n        code: data.code,\r\n      };\r\n    }\r\n\r\n    return { success: true, id: data.id };\r\n  } catch (err: unknown) {\r\n    return {\r\n      success: false,\r\n      error: err instanceof Error ? err.message : 'Network error',\r\n      code: 'network_error',\r\n    };\r\n  }\r\n}\r\n"],"mappings":";;;;;;;;AAgCA,eAAsB,UACpB,IACA,SACA,MACA,UAA4B,CAAC,GACH;AAC1B,QAAM,SAAS,IAAI;AACnB,QAAM,YAAY,IAAI;AAEtB,MAAI,CAAC,UAAU,CAAC,WAAW;AACzB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO;AAAA,MACP,MAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,kBAAkB,mBAAmB;AAC3C,MAAI,CAAC,gBAAgB,IAAI;AACvB,WAAO,EAAE,SAAS,OAAO,OAAO,gBAAgB,QAAQ,MAAM,kBAAkB;AAAA,EAClF;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,GAAG,MAAM,2BAA2B;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,0BAA0B,gBAAgB;AAAA,MAC5C;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM,QAAQ;AAAA,QACd,MAAM,QAAQ;AAAA,MAChB,CAAC;AAAA,IACH,CAAC;AAED,UAAM,MAAe,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,UAAM,OAAQ,OAAO,OAAO,QAAQ,WAAW,MAAM,CAAC;AAMtD,QAAI,CAAC,IAAI,IAAI;AACX,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,SAAS,QAAQ,IAAI,MAAM;AAAA,QACvC,MAAM,KAAK;AAAA,MACb;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,MAAM,IAAI,KAAK,GAAG;AAAA,EACtC,SAAS,KAAc;AACrB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,MAC5C,MAAM;AAAA,IACR;AAAA,EACF;AACF;","names":[]}

package/dist/index.d.ts

@@ -14,6 +14,9 @@ declare const env: {
     EZC_PROJECT_ID: string;
     EZCODER_API_URL: string;
     EZC_SECRET_KEY: string;
+    EZC_PROJECT_TOKEN_PUBLIC: string;
+    EZC_PROJECT_TOKEN_SERVER: string;
+    EZC_PROJECT_TOKEN_LEGACY: string;
     S3_BUCKET: string;
     CLOUDINARY_URL: string;
     STORAGE_BUCKET_PUBLIC: string;
@@ -34,4 +37,167 @@ declare const isSupabaseConfigured: boolean;
 declare const ezcoder: EzcoderClient;
 declare const ezcoderAuthIntegration: AuthIntegration;
 
-export { AuthIntegration, EzcoderClient, env, ezcoder, ezcoderAuthIntegration, features, isFeatureConfigured, isSupabaseConfigured, supabase };
+/**
+ * @module manifest-consumer
+ * @description Runtime + build-time consumer of the EzCoder Capability Manifest.
+ *
+ * Track B (B7) — the user-app SDK reads the project's Capability Manifest so
+ * it knows which feature modules are actually required (auth, storage,
+ * payments, email, cron, notifications, database) and which env refs to
+ * expect. The SDK historically auto-registered everything regardless of
+ * project needs; this consumer adds *opt-in* awareness without breaking
+ * existing consumers.
+ *
+ * Failure mode is deliberately permissive: any fetch/parse error falls
+ * through to "all modules considered required" so a flaky network blip on
+ * the user's deployed site never silently disables a feature.
+ */
+/**
+ * The seven modules the SDK can register. Mirrors the keys of
+ * `service_requirements` in lib/manifest/schema.ts plus `database` derived
+ * from the `database` requirement block.
+ */
+interface RequiredModules {
+    auth: boolean;
+    storage: boolean;
+    payments: boolean;
+    email: boolean;
+    cron: boolean;
+    database: boolean;
+    notifications: boolean;
+}
+/**
+ * Public + (publicly-visible names of) secret env refs. The server-side
+ * endpoint deliberately strips `secret` before returning, but we keep the
+ * field on the consumer type as an empty array for forward-compat — once a
+ * privileged consumer path exists it can populate it.
+ */
+interface EnvRefs {
+    public: ReadonlyArray<string>;
+    secret: ReadonlyArray<string>;
+}
+/**
+ * The shape the SDK actually consumes. A trimmed projection of the full
+ * Capability Manifest; the server endpoint enforces the projection so the
+ * SDK can never see secret-ref names even if it asks for them.
+ */
+interface SanitizedManifest {
+    manifest_version: number;
+    project_id: string;
+    service_requirements: {
+        database?: {
+            provider: string;
+            rls_required: boolean;
+            tables: ReadonlyArray<string>;
+        };
+        auth?: {
+            provider: string;
+            flows: ReadonlyArray<string>;
+        };
+        storage?: {
+            buckets: ReadonlyArray<string>;
+        };
+        payments?: {
+            mode: string;
+        };
+        email?: {
+            provider: string;
+        };
+        cron?: {
+            jobs: ReadonlyArray<{
+                name: string;
+                schedule: string;
+            }>;
+        };
+    };
+    env_refs: {
+        public: ReadonlyArray<string>;
+    };
+    validation_gates: ReadonlyArray<string>;
+}
+/**
+ * Wraps a sanitized manifest payload and exposes module/env-ref queries.
+ * Instances are immutable — `manifest` is captured at construction time and
+ * never mutated. Use the static `load()` / `loadFromBuildOutput()` factories
+ * rather than calling `new` directly so the page-lifetime cache is honoured.
+ */
+declare class EzCoderManifest {
+    private readonly manifest;
+    private readonly source;
+    constructor(manifest: SanitizedManifest | null, source: 'runtime' | 'build' | 'fallback');
+    /**
+     * Fetch the manifest at runtime from the platform API. Returns a
+     * cached instance for the lifetime of the page; concurrent callers share
+     * a single in-flight fetch. Falls back to a permissive (all-modules-on)
+     * instance on any error.
+     */
+    static load(): Promise<EzCoderManifest>;
+    /**
+     * Read a manifest written by the build-time codegen step (see
+     * scripts/fetch-build-manifest.js). Used by SSG callers that want to
+     * avoid a runtime network round-trip. Returns null when no build-time
+     * manifest is present — callers should fall back to `load()`.
+     *
+     * Implementation note: we deliberately avoid a static `import` because
+     * (a) the file may not exist, which would be a hard module-resolution
+     * error, and (b) browser bundles must not pull in the JSON. We probe
+     * `process` to detect Node, then read the file from disk via the eval'd
+     * dynamic require — the eval indirection keeps bundlers from following
+     * the path at build time.
+     */
+    static loadFromBuildOutput(): EzCoderManifest | null;
+    /**
+     * Returns the boolean enablement map for each SDK module. When no
+     * manifest is loaded, returns the permissive default (everything on) so
+     * legacy behaviour is preserved.
+     */
+    getRequiredModules(): RequiredModules;
+    /**
+     * Returns the env refs declared by the manifest. The `secret` array is
+     * always empty when the manifest came from the public SDK endpoint —
+     * server-only refs are stripped before transit (see pages/api/sdk/manifest.js).
+     */
+    getEnvRefs(): EnvRefs;
+    /**
+     * Convenience: is a given module required by this app?
+     */
+    has(module: keyof RequiredModules): boolean;
+    /**
+     * Where the manifest was loaded from. Useful for debugging and for
+     * surface-level telemetry (`fallback` means we never got the real one).
+     */
+    getSource(): 'runtime' | 'build' | 'fallback';
+    /**
+     * Test-only helper: wipe the page-lifetime cache. Never call this in
+     * production code.
+     */
+    static __resetCacheForTests(): void;
+}
+
+/**
+ * @module useEzCoderManifest
+ * @description React hook that exposes the loaded Capability Manifest to
+ * components so they can branch on whether a feature module is required by
+ * the current project.
+ *
+ * Importing this file pulls `react` as a peer dep — kept in a dedicated
+ * file so SSR / non-React entries can consume `manifest-consumer.ts`
+ * without touching React.
+ */
+
+interface UseEzCoderManifestResult {
+    manifest: EzCoderManifest | null;
+    modules: RequiredModules | null;
+    loading: boolean;
+    source: 'runtime' | 'build' | 'fallback' | null;
+}
+/**
+ * Synchronously prefers a build-time manifest (avoids a render-blocking
+ * fetch on SSG/SSR); otherwise kicks off the async runtime load. Until the
+ * load resolves, `modules` is null and callers should treat features as
+ * unknown (recommended: render the historical default, then re-render once
+ * `modules` settles).
+ */
+declare function useEzCoderManifest(): UseEzCoderManifestResult;
+
+export { AuthIntegration, type EnvRefs, EzCoderManifest, EzcoderClient, type RequiredModules, type SanitizedManifest, type UseEzCoderManifestResult, env, ezcoder, ezcoderAuthIntegration, features, isFeatureConfigured, isSupabaseConfigured, supabase, useEzCoderManifest };

package/dist/index.js

@@ -2,21 +2,276 @@ import {
   DatabaseClient,
   DatabaseProvider,
   useDatabase
-} from "./chunk-7VGYFCQC.js";
+} from "./chunk-R4MDAYFO.js";
 import {
   ezcoder,
   ezcoderAuthIntegration
-} from "./chunk-GPF4AYNG.js";
+} from "./chunk-HJ2EIZ4S.js";
 import {
-  env,
-  features,
-  isFeatureConfigured,
   isSupabaseConfigured,
   supabase
-} from "./chunk-2WG4O4J2.js";
+} from "./chunk-I2YGB7Z6.js";
+import {
+  env,
+  features,
+  isFeatureConfigured
+} from "./chunk-LIUE7M7K.js";
+
+// src/manifest-consumer.ts
+var manifestCache = /* @__PURE__ */ new Map();
+var inflightLoads = /* @__PURE__ */ new Map();
+var PERMISSIVE_DEFAULT_MODULES = Object.freeze({
+  auth: true,
+  storage: true,
+  payments: true,
+  email: true,
+  cron: true,
+  database: true,
+  notifications: true
+});
+var EzCoderManifest = class _EzCoderManifest {
+  constructor(manifest, source) {
+    this.manifest = manifest;
+    this.source = source;
+  }
+  /**
+   * Fetch the manifest at runtime from the platform API. Returns a
+   * cached instance for the lifetime of the page; concurrent callers share
+   * a single in-flight fetch. Falls back to a permissive (all-modules-on)
+   * instance on any error.
+   */
+  static async load() {
+    const projectId = env.EZC_PROJECT_ID;
+    const apiUrl = env.EZCODER_API_URL;
+    const publicToken = readPublicToken();
+    if (!projectId || !apiUrl) {
+      return new _EzCoderManifest(null, "fallback");
+    }
+    const cacheKey = `${projectId}::${apiUrl}`;
+    const cached = manifestCache.get(cacheKey);
+    if (cached) return cached;
+    const inflight = inflightLoads.get(cacheKey);
+    if (inflight) return inflight;
+    const loadPromise = fetchManifest(apiUrl, publicToken).then((m) => {
+      const instance = new _EzCoderManifest(m, "runtime");
+      manifestCache.set(cacheKey, instance);
+      return instance;
+    }).catch((err) => {
+      const message = err instanceof Error ? err.message : "unknown";
+      if (typeof console !== "undefined") {
+        console.warn(`[EzCoder SDK] manifest fetch failed (${message}); falling back to permissive mode.`);
+      }
+      const fallback = new _EzCoderManifest(null, "fallback");
+      manifestCache.set(cacheKey, fallback);
+      return fallback;
+    }).finally(() => {
+      inflightLoads.delete(cacheKey);
+    });
+    inflightLoads.set(cacheKey, loadPromise);
+    return loadPromise;
+  }
+  /**
+   * Read a manifest written by the build-time codegen step (see
+   * scripts/fetch-build-manifest.js). Used by SSG callers that want to
+   * avoid a runtime network round-trip. Returns null when no build-time
+   * manifest is present — callers should fall back to `load()`.
+   *
+   * Implementation note: we deliberately avoid a static `import` because
+   * (a) the file may not exist, which would be a hard module-resolution
+   * error, and (b) browser bundles must not pull in the JSON. We probe
+   * `process` to detect Node, then read the file from disk via the eval'd
+   * dynamic require — the eval indirection keeps bundlers from following
+   * the path at build time.
+   */
+  static loadFromBuildOutput() {
+    try {
+      if (typeof process === "undefined" || !process.versions?.node) {
+        return null;
+      }
+      const getRequire = new Function(
+        'return typeof require === "function" ? require : null;'
+      );
+      const dynamicRequire = getRequire();
+      if (!dynamicRequire) return null;
+      const fs = dynamicRequire("fs");
+      const path = dynamicRequire("path");
+      const cwd = process.cwd();
+      const full = path.resolve(cwd, "node_modules", ".ezcoder", "manifest.json");
+      const raw = fs.readFileSync(full, "utf8");
+      const payload = JSON.parse(raw);
+      const parsed = parseManifestPayload(payload);
+      if (!parsed) return null;
+      return new _EzCoderManifest(parsed, "build");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Returns the boolean enablement map for each SDK module. When no
+   * manifest is loaded, returns the permissive default (everything on) so
+   * legacy behaviour is preserved.
+   */
+  getRequiredModules() {
+    if (!this.manifest) {
+      return { ...PERMISSIVE_DEFAULT_MODULES };
+    }
+    const sr = this.manifest.service_requirements;
+    return {
+      auth: Boolean(sr.auth),
+      storage: Boolean(sr.storage),
+      payments: Boolean(sr.payments),
+      email: Boolean(sr.email),
+      cron: Boolean(sr.cron),
+      database: Boolean(sr.database),
+      // notifications is not in service_requirements v0; derive from email
+      // OR auth so the existing notifications module behaves sensibly.
+      notifications: Boolean(sr.email || sr.auth)
+    };
+  }
+  /**
+   * Returns the env refs declared by the manifest. The `secret` array is
+   * always empty when the manifest came from the public SDK endpoint —
+   * server-only refs are stripped before transit (see pages/api/sdk/manifest.js).
+   */
+  getEnvRefs() {
+    if (!this.manifest) {
+      return { public: [], secret: [] };
+    }
+    return {
+      public: this.manifest.env_refs.public,
+      secret: []
+    };
+  }
+  /**
+   * Convenience: is a given module required by this app?
+   */
+  has(module) {
+    return this.getRequiredModules()[module];
+  }
+  /**
+   * Where the manifest was loaded from. Useful for debugging and for
+   * surface-level telemetry (`fallback` means we never got the real one).
+   */
+  getSource() {
+    return this.source;
+  }
+  /**
+   * Test-only helper: wipe the page-lifetime cache. Never call this in
+   * production code.
+   */
+  static __resetCacheForTests() {
+    manifestCache.clear();
+    inflightLoads.clear();
+  }
+};
+function readPublicToken() {
+  const fromVite = safeEnv("VITE_EZC_PROJECT_TOKEN_PUBLIC");
+  if (fromVite) return fromVite;
+  const fromNext = safeEnv("NEXT_PUBLIC_EZC_PROJECT_TOKEN_PUBLIC");
+  if (fromNext) return fromNext;
+  return safeEnv("EZC_PROJECT_TOKEN_PUBLIC");
+}
+function safeEnv(key) {
+  try {
+    if (typeof import.meta !== "undefined" && import.meta.env) {
+      const v = import.meta.env[key];
+      if (typeof v === "string") return v;
+    }
+  } catch {
+  }
+  try {
+    if (typeof process !== "undefined" && process.env) {
+      return process.env[key] || "";
+    }
+  } catch {
+  }
+  return "";
+}
+async function fetchManifest(apiUrl, publicToken) {
+  const headers = {
+    "Accept": "application/json"
+  };
+  if (publicToken) {
+    headers["X-EzCoder-Public-Token"] = publicToken;
+  }
+  const res = await fetch(`${apiUrl}/api/sdk/manifest`, {
+    method: "GET",
+    headers,
+    // Browsers will fold the 5-minute cache header automatically; this hint
+    // is here for non-browser runtimes that respect it.
+    cache: "default"
+  });
+  if (!res.ok) {
+    throw new Error(`HTTP ${res.status}`);
+  }
+  const body = await res.json();
+  const parsed = parseManifestPayload(body);
+  if (!parsed) {
+    throw new Error("manifest payload failed shape validation");
+  }
+  return parsed;
+}
+function parseManifestPayload(input) {
+  if (!isRecord(input)) return null;
+  const projectId = input.project_id;
+  const serviceReqs = input.service_requirements;
+  const envRefs = input.env_refs;
+  const gates = input.validation_gates;
+  if (typeof projectId !== "string" || projectId.length === 0) return null;
+  if (!isRecord(serviceReqs)) return null;
+  if (!isRecord(envRefs) || !Array.isArray(envRefs.public)) return null;
+  if (!Array.isArray(gates)) return null;
+  const manifestVersion = typeof input.manifest_version === "number" ? input.manifest_version : 0;
+  return {
+    manifest_version: manifestVersion,
+    project_id: projectId,
+    service_requirements: serviceReqs,
+    env_refs: { public: envRefs.public.filter((v) => typeof v === "string") },
+    validation_gates: gates.filter((v) => typeof v === "string")
+  };
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/useEzCoderManifest.ts
+import { useEffect, useState } from "react";
+function useEzCoderManifest() {
+  const [manifest, setManifest] = useState(
+    () => EzCoderManifest.loadFromBuildOutput()
+  );
+  const [loading, setLoading] = useState(manifest === null);
+  useEffect(() => {
+    if (manifest) return;
+    let cancelled = false;
+    EzCoderManifest.load().then((m) => {
+      if (cancelled) return;
+      setManifest(m);
+      setLoading(false);
+    }).catch(() => {
+      if (cancelled) return;
+      setLoading(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+  return {
+    manifest,
+    modules: manifest ? manifest.getRequiredModules() : null,
+    loading,
+    source: manifest ? manifest.getSource() : null
+  };
+}
+
+// src/index.ts
+if (typeof window !== "undefined") {
+  void EzCoderManifest.load();
+}
 export {
   DatabaseClient,
   DatabaseProvider,
+  EzCoderManifest,
   env,
   ezcoder,
   ezcoderAuthIntegration,
@@ -24,6 +279,7 @@ export {
   isFeatureConfigured,
   isSupabaseConfigured,
   supabase,
-  useDatabase
+  useDatabase,
+  useEzCoderManifest
 };
 //# sourceMappingURL=index.js.map