@fusebase/fusebase-gate-sdk 2.2.15-sdk.5 → 2.2.15-sdk.6

package/dist/apis/AppMagicLinksApi.d.ts

@@ -0,0 +1,45 @@
+/**
+ * AppMagicLinks API
+ *
+ * Generated from contract introspection
+ * Domain: app-magic-links
+ */
+import type { Client } from "../runtime/transport";
+import type { ActivateAppMagicLinkResponseContract, CreateAppMagicLinkRequestContract, CreateAppMagicLinkResponseContract, orgIdInPathRequired, RequestAppMagicLinkRequestContract, RequestAppMagicLinkResponseContract } from "../types";
+export declare class AppMagicLinksApi {
+    private client;
+    constructor(client: Client);
+    /**
+     * Activate an app magic link
+     * Unauthenticated activation: exchange a magic-link globalId for a session token (used to set the eversessionid cookie on the app subdomain), a Gate feature token, and a Dashboard feature token, all scoped to the magic link's app and target user. Re-evaluates accessPrincipals at activation time so a link issued before access was revoked can no longer be redeemed. Within the 24h TTL the link can be activated more than once.
+     */
+    activateAppMagicLink(params: {
+        path: {
+            globalId: string;
+        };
+        headers?: Record<string, string>;
+    }): Promise<ActivateAppMagicLinkResponseContract>;
+    /**
+     * Create an app magic link (invite flow)
+     * Owner/admin invite flow. Issues a 24h magic link for the recipient email and dispatches it via the magic_link_app email template. When addToAccessPrincipals is true (default), provisions a brand-new user record if needed and appends a user principal to every feature of the app. Requires app_magic_link.write and org access.
+     */
+    createAppMagicLink(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            appId: string;
+        };
+        headers?: Record<string, string>;
+        body: CreateAppMagicLinkRequestContract;
+    }): Promise<CreateAppMagicLinkResponseContract>;
+    /**
+     * Request an app magic link (visitor self-service flow)
+     * Unauthenticated visitor flow. The link is dispatched only when the email already has access to the app under its current accessPrincipals; otherwise the call is a no-op. Always returns 200 with `{ ok: true }` so the response cannot be used to enumerate emails or access. Apply per-IP rate limiting upstream of this call.
+     */
+    requestAppMagicLink(params: {
+        path: {
+            host: string;
+        };
+        headers?: Record<string, string>;
+        body: RequestAppMagicLinkRequestContract;
+    }): Promise<RequestAppMagicLinkResponseContract>;
+}

package/dist/apis/AppMagicLinksApi.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * AppMagicLinks API
+ *
+ * Generated from contract introspection
+ * Domain: app-magic-links
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppMagicLinksApi = void 0;
+class AppMagicLinksApi {
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Activate an app magic link
+     * Unauthenticated activation: exchange a magic-link globalId for a session token (used to set the eversessionid cookie on the app subdomain), a Gate feature token, and a Dashboard feature token, all scoped to the magic link's app and target user. Re-evaluates accessPrincipals at activation time so a link issued before access was revoked can no longer be redeemed. Within the 24h TTL the link can be activated more than once.
+     */
+    async activateAppMagicLink(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/apps/magic-links/:globalId/activate",
+            pathParams: params.path,
+            headers: params.headers,
+            opId: "activateAppMagicLink",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Create an app magic link (invite flow)
+     * Owner/admin invite flow. Issues a 24h magic link for the recipient email and dispatches it via the magic_link_app email template. When addToAccessPrincipals is true (default), provisions a brand-new user record if needed and appends a user principal to every feature of the app. Requires app_magic_link.write and org access.
+     */
+    async createAppMagicLink(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/apps/:appId/magic-links",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "createAppMagicLink",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Request an app magic link (visitor self-service flow)
+     * Unauthenticated visitor flow. The link is dispatched only when the email already has access to the app under its current accessPrincipals; otherwise the call is a no-op. Always returns 200 with `{ ok: true }` so the response cannot be used to enumerate emails or access. Apply per-IP rate limiting upstream of this call.
+     */
+    async requestAppMagicLink(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/apps/by-host/:host/magic-links/request",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "requestAppMagicLink",
+            expectedContentType: "application/json",
+        });
+    }
+}
+exports.AppMagicLinksApi = AppMagicLinksApi;

package/dist/apis/FusebaseAuthApi.d.ts

@@ -0,0 +1,83 @@
+/**
+ * FusebaseAuth API
+ *
+ * Generated from contract introspection
+ * Domain: fusebase-auth
+ */
+import type { Client } from "../runtime/transport";
+import type { FusebaseAuthChallengeRequestContract, FusebaseAuthChallengeResponseContract, FusebaseAuthLoginRequestContract, FusebaseAuthLoginResponseContract, FusebaseAuthLogoutResponseContract, FusebaseAuthPasswordResetRequestContract, FusebaseAuthPasswordResetResponseContract, FusebaseAuthPasswordRestoreKeyResponseContract, FusebaseAuthPasswordRestoreRequestContract, FusebaseAuthPasswordRestoreResponseContract, FusebaseAuthRegisterMemberRequestContract, FusebaseAuthRegisterMemberResponseContract, FusebaseAuthRegisterRequestContract, FusebaseAuthRegisterResponseContract, orgIdInPathRequired } from "../types";
+export declare class FusebaseAuthApi {
+    private client;
+    constructor(client: Client);
+    /**
+     * Check Fusebase password restore key
+     * Checks a restore-password session key through user-service. Returns `{ valid: false }` instead of exposing upstream errors.
+     */
+    checkFusebasePasswordRestoreKey(params: {
+        path: {
+            key: string;
+        };
+        headers?: Record<string, string>;
+    }): Promise<FusebaseAuthPasswordRestoreKeyResponseContract>;
+    /**
+     * Complete Fusebase auth challenge
+     * Visitor-safe challenge completion endpoint for CAPTCHA, OTP, mail OTP, and MFA flows returned by register/login.
+     */
+    completeFusebaseAuthChallenge(params: {
+        headers?: Record<string, string>;
+        body: FusebaseAuthChallengeRequestContract;
+    }): Promise<FusebaseAuthChallengeResponseContract>;
+    /**
+     * Login a Fusebase user
+     * Visitor-safe email/password login proxy for AI App auth. Forwards to auth-form `/auth/api/auth` server-side and returns sessionId for the app backend to set as its own cookie. Never provisions org membership.
+     */
+    loginFusebaseUser(params: {
+        headers?: Record<string, string>;
+        body: FusebaseAuthLoginRequestContract;
+    }): Promise<FusebaseAuthLoginResponseContract>;
+    /**
+     * Get Fusebase auth logout cookie hints
+     * Returns the app-domain cookies that the AI App backend/frontend should clear. Gate cannot clear cookies for an app domain when called on the Gate domain.
+     */
+    logoutFusebaseUser(params: {
+        headers?: Record<string, string>;
+    }): Promise<FusebaseAuthLogoutResponseContract>;
+    /**
+     * Register a Fusebase user and add org membership
+     * Protected AI App onboarding flow. Creates a Fusebase account through auth-form, then adds the newly created user to the path org with the requested role. Requires org.members.write and org access. This endpoint is for registration only; do not call it on login because that can overwrite or duplicate existing membership intent.
+     */
+    registerFusebaseOrgMember(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: FusebaseAuthRegisterMemberRequestContract;
+    }): Promise<FusebaseAuthRegisterMemberResponseContract>;
+    /**
+     * Register a Fusebase user
+     * Visitor-safe email/password Fusebase registration proxy for AI App auth. Forwards to auth-form `/auth/api/register` server-side and returns the Fusebase sessionId for the app backend to set as its own cookie. Does not add org membership.
+     */
+    registerFusebaseUser(params: {
+        headers?: Record<string, string>;
+        body: FusebaseAuthRegisterRequestContract;
+    }): Promise<FusebaseAuthRegisterResponseContract>;
+    /**
+     * Request Fusebase password restore
+     * Visitor-safe password restore request. Forwards to auth-form `/auth/api/remind` and always returns a generic success shape so the route does not enumerate accounts.
+     */
+    requestFusebasePasswordRestore(params: {
+        headers?: Record<string, string>;
+        body: FusebaseAuthPasswordRestoreRequestContract;
+    }): Promise<FusebaseAuthPasswordRestoreResponseContract>;
+    /**
+     * Reset Fusebase password
+     * Completes a password restore session by setting a new password through user-service.
+     */
+    resetFusebasePassword(params: {
+        path: {
+            key: string;
+        };
+        headers?: Record<string, string>;
+        body: FusebaseAuthPasswordResetRequestContract;
+    }): Promise<FusebaseAuthPasswordResetResponseContract>;
+}

package/dist/apis/FusebaseAuthApi.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * FusebaseAuth API
+ *
+ * Generated from contract introspection
+ * Domain: fusebase-auth
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FusebaseAuthApi = void 0;
+class FusebaseAuthApi {
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Check Fusebase password restore key
+     * Checks a restore-password session key through user-service. Returns `{ valid: false }` instead of exposing upstream errors.
+     */
+    async checkFusebasePasswordRestoreKey(params) {
+        return this.client.request({
+            method: "GET",
+            path: "/auth/fusebase/password-restore/:key",
+            pathParams: params.path,
+            headers: params.headers,
+            opId: "checkFusebasePasswordRestoreKey",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Complete Fusebase auth challenge
+     * Visitor-safe challenge completion endpoint for CAPTCHA, OTP, mail OTP, and MFA flows returned by register/login.
+     */
+    async completeFusebaseAuthChallenge(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/challenge",
+            headers: params.headers,
+            body: params.body,
+            opId: "completeFusebaseAuthChallenge",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Login a Fusebase user
+     * Visitor-safe email/password login proxy for AI App auth. Forwards to auth-form `/auth/api/auth` server-side and returns sessionId for the app backend to set as its own cookie. Never provisions org membership.
+     */
+    async loginFusebaseUser(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/login",
+            headers: params.headers,
+            body: params.body,
+            opId: "loginFusebaseUser",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Get Fusebase auth logout cookie hints
+     * Returns the app-domain cookies that the AI App backend/frontend should clear. Gate cannot clear cookies for an app domain when called on the Gate domain.
+     */
+    async logoutFusebaseUser(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/logout",
+            headers: params.headers,
+            opId: "logoutFusebaseUser",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Register a Fusebase user and add org membership
+     * Protected AI App onboarding flow. Creates a Fusebase account through auth-form, then adds the newly created user to the path org with the requested role. Requires org.members.write and org access. This endpoint is for registration only; do not call it on login because that can overwrite or duplicate existing membership intent.
+     */
+    async registerFusebaseOrgMember(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/auth/fusebase/register-member",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "registerFusebaseOrgMember",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Register a Fusebase user
+     * Visitor-safe email/password Fusebase registration proxy for AI App auth. Forwards to auth-form `/auth/api/register` server-side and returns the Fusebase sessionId for the app backend to set as its own cookie. Does not add org membership.
+     */
+    async registerFusebaseUser(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/register",
+            headers: params.headers,
+            body: params.body,
+            opId: "registerFusebaseUser",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Request Fusebase password restore
+     * Visitor-safe password restore request. Forwards to auth-form `/auth/api/remind` and always returns a generic success shape so the route does not enumerate accounts.
+     */
+    async requestFusebasePasswordRestore(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/password-restore",
+            headers: params.headers,
+            body: params.body,
+            opId: "requestFusebasePasswordRestore",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Reset Fusebase password
+     * Completes a password restore session by setting a new password through user-service.
+     */
+    async resetFusebasePassword(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/auth/fusebase/password-restore/:key",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "resetFusebasePassword",
+            expectedContentType: "application/json",
+        });
+    }
+}
+exports.FusebaseAuthApi = FusebaseAuthApi;

package/dist/index.d.ts

@@ -7,9 +7,11 @@ export * from "./runtime";
 export * from "./types";
 export { AccessApi } from "./apis/AccessApi";
 export { AppApisApi } from "./apis/AppApisApi";
+export { AppMagicLinksApi } from "./apis/AppMagicLinksApi";
 export { BillingApi } from "./apis/BillingApi";
 export { EmailsApi } from "./apis/EmailsApi";
 export { FilesApi } from "./apis/FilesApi";
+export { FusebaseAuthApi } from "./apis/FusebaseAuthApi";
 export { HealthApi } from "./apis/HealthApi";
 export { IsolatedStoresApi } from "./apis/IsolatedStoresApi";
 export { McpManagerApi } from "./apis/McpManagerApi";

package/dist/index.js

@@ -19,19 +19,23 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.WorkspacesApi = exports.TokensApi = exports.SystemApi = exports.PortalsApi = exports.OrgUsersApi = exports.OrgGroupsApi = exports.NotesApi = exports.McpManagerApi = exports.IsolatedStoresApi = exports.HealthApi = exports.FilesApi = exports.EmailsApi = exports.BillingApi = exports.AppApisApi = exports.AccessApi = void 0;
+exports.WorkspacesApi = exports.TokensApi = exports.SystemApi = exports.PortalsApi = exports.OrgUsersApi = exports.OrgGroupsApi = exports.NotesApi = exports.McpManagerApi = exports.IsolatedStoresApi = exports.HealthApi = exports.FusebaseAuthApi = exports.FilesApi = exports.EmailsApi = exports.BillingApi = exports.AppMagicLinksApi = exports.AppApisApi = exports.AccessApi = void 0;
 __exportStar(require("./runtime"), exports);
 __exportStar(require("./types"), exports);
 var AccessApi_1 = require("./apis/AccessApi");
 Object.defineProperty(exports, "AccessApi", { enumerable: true, get: function () { return AccessApi_1.AccessApi; } });
 var AppApisApi_1 = require("./apis/AppApisApi");
 Object.defineProperty(exports, "AppApisApi", { enumerable: true, get: function () { return AppApisApi_1.AppApisApi; } });
+var AppMagicLinksApi_1 = require("./apis/AppMagicLinksApi");
+Object.defineProperty(exports, "AppMagicLinksApi", { enumerable: true, get: function () { return AppMagicLinksApi_1.AppMagicLinksApi; } });
 var BillingApi_1 = require("./apis/BillingApi");
 Object.defineProperty(exports, "BillingApi", { enumerable: true, get: function () { return BillingApi_1.BillingApi; } });
 var EmailsApi_1 = require("./apis/EmailsApi");
 Object.defineProperty(exports, "EmailsApi", { enumerable: true, get: function () { return EmailsApi_1.EmailsApi; } });
 var FilesApi_1 = require("./apis/FilesApi");
 Object.defineProperty(exports, "FilesApi", { enumerable: true, get: function () { return FilesApi_1.FilesApi; } });
+var FusebaseAuthApi_1 = require("./apis/FusebaseAuthApi");
+Object.defineProperty(exports, "FusebaseAuthApi", { enumerable: true, get: function () { return FusebaseAuthApi_1.FusebaseAuthApi; } });
 var HealthApi_1 = require("./apis/HealthApi");
 Object.defineProperty(exports, "HealthApi", { enumerable: true, get: function () { return HealthApi_1.HealthApi; } });
 var IsolatedStoresApi_1 = require("./apis/IsolatedStoresApi");

package/dist/types/app-magic-link/app-magic-link.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Request body for createAppMagicLink (owner/admin invite flow).
+ */
+export interface CreateAppMagicLinkRequestContract {
+    /**
+     * Recipient email address. The link is dispatched to this address.
+     * @format email
+     */
+    email: string;
+    /**
+     * Relative app path to land on after activation (e.g. /proposals/abc).
+     * Omit for root.
+     * @nullable true
+     */
+    redirectPath?: string | null;
+    /**
+     * When true (default), append a user principal to every feature of the app
+     * and provision a new user record if the email is not yet known.
+     * When false, the user must already exist or the call rejects with NotFound.
+     */
+    addToAccessPrincipals?: boolean;
+}
+/**
+ * Response body for createAppMagicLink.
+ */
+export interface CreateAppMagicLinkResponseContract {
+    /**
+     * globalId of the magic link row, also the value passed to the activation
+     * endpoint.
+     */
+    id: string;
+    /**
+     * Fully qualified URL to the app `/link` route with `id` (and optional
+     * `redirect`) query params.
+     */
+    magicLinkUrl: string;
+    /**
+     * Unix timestamp (seconds) when the link expires (createdAt + 24h).
+     */
+    expiresAt: number;
+}
+/**
+ * Request body for requestAppMagicLink (visitor self-service flow).
+ */
+export interface RequestAppMagicLinkRequestContract {
+    /**
+     * Email address typed by the visitor. The link is dispatched to this address
+     * only when it already has access to the app.
+     * @format email
+     */
+    email: string;
+    /**
+     * Optional relative app path to land on after activation
+     * (e.g. /proposals/abc). Omit for root.
+     * @nullable true
+     */
+    redirectPath?: string | null;
+}
+/**
+ * Generic acknowledgment. Returned for both allowed and denied requests so
+ * the response cannot be used to enumerate emails or access state.
+ */
+export interface RequestAppMagicLinkResponseContract {
+    /**
+     * Always true.
+     */
+    ok: boolean;
+}
+/**
+ * Response body for activateAppMagicLink.
+ */
+export interface ActivateAppMagicLinkResponseContract {
+    /**
+     * globalId of the magic link that was activated.
+     */
+    id: string;
+    /**
+     * Session id usable as the `eversessionid` cookie value.
+     */
+    sessionToken: string;
+    /**
+     * Fusebase Gate token scoped to the resolved app feature and target user.
+     * May be empty if upstream token issuance failed; the activation itself
+     * still succeeded and the SPA can retry.
+     */
+    featureToken: string;
+    /**
+     * Dashboard service token scoped to the same feature and user. May be empty
+     * if upstream token issuance failed.
+     */
+    dashboardToken: string;
+    /**
+     * Relative app path the SPA should navigate to after the cookie is set
+     * (e.g. /proposals/abc). Defaults to `/` when no `redirectPath` was provided
+     * when the link was created.
+     */
+    redirectPath: string;
+    /**
+     * Unix timestamp (seconds) when the magic link expires.
+     */
+    expiresAt: number;
+    /**
+     * globalId of the resolved app feature whose access the tokens are scoped to.
+     */
+    appFeatureId: string;
+}

package/dist/types/app-magic-link/app-magic-link.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/fusebase-auth/fusebase-auth.d.ts

@@ -0,0 +1,104 @@
+export interface FusebaseAuthSessionContract {
+    sessionId: string;
+    userId: number;
+}
+export interface FusebaseAuthChallengeContract {
+    type: string;
+    state: string;
+    image?: string;
+    question?: string;
+    email?: string;
+}
+export interface FusebaseAuthRegisterRequestContract {
+    /**
+     * User email. Forwarded to auth-form as `login`.
+     * @format email
+     */
+    email: string;
+    password: string;
+    firstName?: string;
+    lastName?: string;
+    fullName?: string;
+    subscribe?: boolean;
+    redirectPath?: string | null;
+    tags?: string[];
+}
+export interface FusebaseAuthRegisterResponseContract {
+    status: "authenticated" | "challenge_required";
+    session?: FusebaseAuthSessionContract;
+    challenge?: FusebaseAuthChallengeContract;
+    redirectPath: string;
+}
+export interface FusebaseAuthRegisterMemberRequestContract extends FusebaseAuthRegisterRequestContract {
+    /**
+     * Org role to grant after the Fusebase account is created.
+     * Defaults to `client`.
+     */
+    orgRole?: string;
+    memberTTL?: number | null;
+    defaultWorkspaceRole?: string;
+}
+export interface FusebaseAuthRegisterMemberResponseContract extends FusebaseAuthRegisterResponseContract {
+    membership?: {
+        orgId: string;
+        userId: number;
+        role: string;
+        memberTTL?: number | null;
+    };
+}
+export interface FusebaseAuthLoginRequestContract {
+    /**
+     * User email. Forwarded to auth-form as `login`.
+     * @format email
+     */
+    email: string;
+    password: string;
+    redirectPath?: string | null;
+    device?: Record<string, unknown>;
+}
+export interface FusebaseAuthLoginResponseContract {
+    status: "authenticated" | "challenge_required";
+    session?: FusebaseAuthSessionContract;
+    challenge?: FusebaseAuthChallengeContract;
+    redirectPath: string;
+}
+export interface FusebaseAuthChallengeRequestContract {
+    state: string;
+    answer: string;
+    redirectPath?: string | null;
+}
+export interface FusebaseAuthChallengeResponseContract {
+    status: "authenticated" | "challenge_required";
+    session?: FusebaseAuthSessionContract;
+    challenge?: FusebaseAuthChallengeContract;
+    redirectPath: string;
+}
+export interface FusebaseAuthPasswordRestoreRequestContract {
+    /**
+     * User email. The response is intentionally generic.
+     * @format email
+     */
+    email: string;
+    customAuthUrl?: string;
+    portalId?: string;
+    workspaceId?: string;
+}
+export interface FusebaseAuthPasswordRestoreResponseContract {
+    ok: true;
+}
+export interface FusebaseAuthPasswordRestoreKeyResponseContract {
+    valid: boolean;
+}
+export interface FusebaseAuthPasswordResetRequestContract {
+    password: string;
+}
+export interface FusebaseAuthPasswordResetResponseContract {
+    ok: true;
+}
+export interface FusebaseAuthLogoutResponseContract {
+    ok: true;
+    /**
+     * App/BFF should clear these cookies on its own domain.
+     */
+    cookiesToDelete: string[];
+}

package/dist/types/fusebase-auth/fusebase-auth.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/types/index.d.ts

@@ -6,9 +6,11 @@
  */
 export type { AuthenticatedUserSummaryContract, MyOrgAccessResponseContract } from "./access/access";
 export type { AppApiOperationContract, AppApiOperationListResponseContract, CallAppApiRequestContract, CallAppApiResponseContract } from "./app-api/app-api";
+export type { ActivateAppMagicLinkResponseContract, CreateAppMagicLinkRequestContract, CreateAppMagicLinkResponseContract, RequestAppMagicLinkRequestContract, RequestAppMagicLinkResponseContract } from "./app-magic-link/app-magic-link";
 export * from "./billing/billing";
 export type { OrgEmailSendRequestContract, OrgEmailSendResponseContract } from "./email/email";
 export * from "./file/file";
+export type { FusebaseAuthChallengeContract, FusebaseAuthChallengeRequestContract, FusebaseAuthChallengeResponseContract, FusebaseAuthLoginRequestContract, FusebaseAuthLoginResponseContract, FusebaseAuthLogoutResponseContract, FusebaseAuthPasswordResetRequestContract, FusebaseAuthPasswordResetResponseContract, FusebaseAuthPasswordRestoreKeyResponseContract, FusebaseAuthPasswordRestoreRequestContract, FusebaseAuthPasswordRestoreResponseContract, FusebaseAuthRegisterMemberRequestContract, FusebaseAuthRegisterMemberResponseContract, FusebaseAuthRegisterRequestContract, FusebaseAuthRegisterResponseContract, FusebaseAuthSessionContract } from "./fusebase-auth/fusebase-auth";
 export * from "./isolated-store/isolated-store";
 export * from "./mcp-manager/mcp-manager";
 export type { MeAuthContract, MeOrgGroupContract, MeResponseContract, MeScopeContract, MeUserContract } from "./me/me";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fusebase/fusebase-gate-sdk",
-  "version": "2.2.15-sdk.5",
+  "version": "2.2.15-sdk.6",
   "description": "TypeScript SDK for Fusebase Gate APIs - Generated from contract introspection",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/release-notes/2.2.15-sdk.6.md

@@ -0,0 +1,93 @@
+# Release Notes 2.2.15-sdk.6
+
+- Current ref: `HEAD`
+- Previous tag: `v2.2.15-sdk.5`
+- Generated at: 2026-05-21T09:33:50.726Z
+
+## Included Drafts
+
+- `docs/release-notes/2026-05-06-app-magic-links.md` - 2026-05-06-app-magic-links
+- `docs/release-notes/2026-05-20-app-magic-links-product-app-naming.md` - 2026-05-20-app-magic-links-product-app-naming
+- `docs/release-notes/2026-05-21-fusebase-auth-app-flows.md` - 2026-05-21-fusebase-auth-app-flows
+
+## Summary
+
+### 2026-05-06-app-magic-links
+
+Surface AI App **Magic Link** flows through Gate. Three new ops let app owners and runtime apps issue, request, and activate magic links against `nimbus-ai`'s storage layer. Ships with a new `appMagicLinks` MCP prompt group and the regenerated `app-magic-links.md` skill reference under `generated/claude_skills/fusebase-gate/references/`.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+Update the `appMagicLinks` MCP prompt (and the regenerated `app-magic-links.md` skill reference) so it accounts for the `app → product` / `feature → app` rename. The magic-link **wire contract still uses the pre-rename field names** (`appId`, `appFeatureId`, `featureToken`), which no longer match the CLI (`fusebase.json`, `fusebase app list`). The stale skill caused agents to pass an App id where Gate expects a Product id, failing with `App not found`. No API, SDK, or permission changes — skill/prompt content only.
+
+
+## API / SDK Changes
+
+### 2026-05-06-app-magic-links
+
+- New ops in `src/api/contracts/ops/app-magic-links/app-magic-links.ts`:
+  - `createAppMagicLink` — `POST /:orgId/apps/:appId/magic-links`. Owner/admin invite flow. Requires the new permission `app_magic_link.write` and org access.
+  - `requestAppMagicLink` — `POST /apps/by-host/:host/magic-links/request`. Visitor self-service flow (no auth). Always returns `{ ok: true }` so it cannot be used to enumerate emails or access state. Apply per-IP rate limiting upstream.
+  - `activateAppMagicLink` — `POST /apps/magic-links/:globalId/activate`. Visitor activation (no auth). Returns `{ id, sessionToken, featureToken, dashboardToken, redirectPath, expiresAt, appFeatureId }`. Surfaces `403` with `reason=expired|revoked` and `404` for unknown/deleted links.
+- New permission `app_magic_link.write` registered in `GatePermission` and granted to owner/manager/member/guest roles via the existing `GATE_ALL_PERMISSIONS` set.
+- New controller `AppMagicLinksController` (`src/controllers/app-magic-links/app-magic-links.ts`) and nimbus-ai client wrapper `src/clients/app-magic-link-client.ts`. The wrapper forwards the caller's userId via the standard `Authorization: Internal <userId>:gate` + `X-Secret` header pair on the create endpoint, and only `X-Secret` on the visitor endpoints.
+- Bumped `@internal/nimbus-ai` peer to `^1.58.0` to pick up the new `apiCreateAppMagicLink`, `apiRequestAppMagicLink`, and `apiActivateAppMagicLink` methods. The 1.58.0 client is published by the nimbus-ai NIM-40935 MR (`internal/nimbus-ai!65`); CI on this MR will be red until that MR lands and the registry has 1.58.0.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- None. The HTTP contracts, SDK, OpenAPI spec, and permissions are unchanged.
+
+
+## Consumer Impact
+
+### 2026-05-06-app-magic-links
+
+- New SDK domain `AppMagicLinksApi` with three methods (`createAppMagicLink`, `requestAppMagicLink`, `activateAppMagicLink`) materialized in `generated/sdk-client/src/apis/AppMagicLinksApi.ts`.
+- New SDK type module `generated/sdk-client/src/types/app-magic-link/`.
+- Apps that want to ship a one-click client onboarding flow can now invite-by-email (with optional `addToAccessPrincipals=true` to provision a brand-new user) and surface a `/link?id=…&redirect=…` route in their SPA scaffold (see follow-up subtask NIM-41013 for the apps-cli template).
+- The `request` endpoint never mutates `accessPrincipals` and never provisions users, by design — visitors can self-service only when they already have access.
+- New MCP prompt group `appMagicLinks` (registered in `src/mcp/prompts/index.ts`) covers when to use each flow, deep-link `redirectPath` rules, and expired/revoked link handling. The op contracts declare `promptGroups: ["authz", "sdk", "appMagicLinks"]` (authed) and `["sdk", "appMagicLinks"]` (visitor), so prompt-aware MCP clients receive the guidance automatically.
+- New skill reference file `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (marker `mcp-app-magic-links-loaded`). `npm run mcp:skills:copy-to-apps-cli:local` propagates it into `apps-cli/project-template/.claude/skills/fusebase-gate/references/` for fresh `fusebase init` output.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- `src/mcp/prompts/app-magic-links.ts` — bumped `version` `1.0.0` → `1.1.0`. New "Terminology: `product` / `app` vs the Gate wire contract" section maps the renamed concepts onto the unchanged wire fields:
+  - `createAppMagicLink`'s `appId` **path segment** is the **Product id** (`productId` in `fusebase.json`), not an App id.
+  - `appFeatureId` in the activation response and the scope of `featureToken` is an **App** id (`apps[].id` / `fusebase app list`).
+  - The wire field names stay at their pre-rename spelling for backward compatibility; only the human-facing concepts were renamed.
+- The Invite-flow, Identity/Scoping, Activation, and Working-Rules sections now use `Product` / `App` consistently ("every App of the Product", "App-scoped by host", etc.) and call out the `App not found` failure mode explicitly.
+- The Activation section now folds in the SPA `fetch`-vs-SDK note and the `fbsdashboardtoken` cookie detail, so the next `mcp:skills:copy-to-apps-cli` no longer reverts the apps-cli-side hand edits — the generated skill is the single source of truth again.
+- Regenerated `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (frontmatter `version: 1.1.0`). `apps-cli` receives the same file under `project-template/.claude/skills/fusebase-gate/references/`.
+
+
+## Verification
+
+### 2026-05-06-app-magic-links
+
+- `npm run lint`
+- `npm test` (190 tests pass; new tests in `tests/unit/app-magic-links-contracts.test.ts` and `tests/unit/app-magic-links-controller.test.ts`)
+- `npm run build`
+- `FEATURE_FLAGS=isolated_sql_stores,isolated_nosql_stores npm run build:sdk` — SDK regenerated, `dist/apis/AppMagicLinksApi.{js,d.ts}` and `dist/types/app-magic-link/` produced; OpenAPI spec updated.
+- `npm run mcp:skills:generate` — `app-magic-links.md` written under `generated/claude_skills/fusebase-gate/references/`; `SKILL.md` TOC updated.
+- `npm run mcp:skills:validate` — passes (1 skill).
+- `npm run mcp:skills:copy-to-apps-cli:local` — generated skill copied into the local apps-cli checkout (commit owned by NIM-41013).
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- `npm run build` — clean.
+- `npm run lint` — 0 errors (5 pre-existing `dist/` warnings).
+- `npm test` — 216 pass / 1 skipped, including the new `mcp-prompts.test.ts` case `maps the product/app rename onto the magic-link wire contract`.
+- `npm run mcp:skills:generate` — only `app-magic-links.md` rewritten.
+- `npm run mcp:skills:validate` — passes (1 skill).
+
+
+## Follow-ups
+
+### 2026-05-06-app-magic-links
+
+- **CI dependency:** the dependency bump to `@internal/nimbus-ai@^1.58.0` requires `internal/nimbus-ai!65` (NIM-40935) to merge and publish 1.58.0 to the GitLab npm registry. After it merges, this branch should be rebased and `npm install` re-run to refresh the lock file with the upstream-published integrity hash.
+- **NIM-41013:** receive the generated skill in `apps-cli` and ship the `/link` route example in `feature-templates/spa/`. The skill file is already in the local apps-cli working tree from `mcp:skills:copy-to-apps-cli:local`; NIM-41013 owns the apps-cli commit.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- Optional: align the magic-link wire field names (`appId` → `productId`, `appFeatureId` → `appId`) and the `nimbus-ai` `app_magic_links` columns with the new terminology. That is a contract/SDK change deferred as a separate product decision (see story-spec `NIM-40935/README.md` Open Questions); this change only makes the skill describe the current contract correctly.

package/release-notes/latest.md

@@ -1,9 +1,93 @@
-# Release Notes 2.2.15-sdk.5
+# Release Notes 2.2.15-sdk.6
 
 - Current ref: `HEAD`
 - Previous tag: `v2.2.15-sdk.5`
-- Generated at: 2026-05-18T10:10:39.543Z
+- Generated at: 2026-05-21T09:33:50.726Z
 
 ## Included Drafts
 
-- None
+- `docs/release-notes/2026-05-06-app-magic-links.md` - 2026-05-06-app-magic-links
+- `docs/release-notes/2026-05-20-app-magic-links-product-app-naming.md` - 2026-05-20-app-magic-links-product-app-naming
+- `docs/release-notes/2026-05-21-fusebase-auth-app-flows.md` - 2026-05-21-fusebase-auth-app-flows
+
+## Summary
+
+### 2026-05-06-app-magic-links
+
+Surface AI App **Magic Link** flows through Gate. Three new ops let app owners and runtime apps issue, request, and activate magic links against `nimbus-ai`'s storage layer. Ships with a new `appMagicLinks` MCP prompt group and the regenerated `app-magic-links.md` skill reference under `generated/claude_skills/fusebase-gate/references/`.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+Update the `appMagicLinks` MCP prompt (and the regenerated `app-magic-links.md` skill reference) so it accounts for the `app → product` / `feature → app` rename. The magic-link **wire contract still uses the pre-rename field names** (`appId`, `appFeatureId`, `featureToken`), which no longer match the CLI (`fusebase.json`, `fusebase app list`). The stale skill caused agents to pass an App id where Gate expects a Product id, failing with `App not found`. No API, SDK, or permission changes — skill/prompt content only.
+
+
+## API / SDK Changes
+
+### 2026-05-06-app-magic-links
+
+- New ops in `src/api/contracts/ops/app-magic-links/app-magic-links.ts`:
+  - `createAppMagicLink` — `POST /:orgId/apps/:appId/magic-links`. Owner/admin invite flow. Requires the new permission `app_magic_link.write` and org access.
+  - `requestAppMagicLink` — `POST /apps/by-host/:host/magic-links/request`. Visitor self-service flow (no auth). Always returns `{ ok: true }` so it cannot be used to enumerate emails or access state. Apply per-IP rate limiting upstream.
+  - `activateAppMagicLink` — `POST /apps/magic-links/:globalId/activate`. Visitor activation (no auth). Returns `{ id, sessionToken, featureToken, dashboardToken, redirectPath, expiresAt, appFeatureId }`. Surfaces `403` with `reason=expired|revoked` and `404` for unknown/deleted links.
+- New permission `app_magic_link.write` registered in `GatePermission` and granted to owner/manager/member/guest roles via the existing `GATE_ALL_PERMISSIONS` set.
+- New controller `AppMagicLinksController` (`src/controllers/app-magic-links/app-magic-links.ts`) and nimbus-ai client wrapper `src/clients/app-magic-link-client.ts`. The wrapper forwards the caller's userId via the standard `Authorization: Internal <userId>:gate` + `X-Secret` header pair on the create endpoint, and only `X-Secret` on the visitor endpoints.
+- Bumped `@internal/nimbus-ai` peer to `^1.58.0` to pick up the new `apiCreateAppMagicLink`, `apiRequestAppMagicLink`, and `apiActivateAppMagicLink` methods. The 1.58.0 client is published by the nimbus-ai NIM-40935 MR (`internal/nimbus-ai!65`); CI on this MR will be red until that MR lands and the registry has 1.58.0.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- None. The HTTP contracts, SDK, OpenAPI spec, and permissions are unchanged.
+
+
+## Consumer Impact
+
+### 2026-05-06-app-magic-links
+
+- New SDK domain `AppMagicLinksApi` with three methods (`createAppMagicLink`, `requestAppMagicLink`, `activateAppMagicLink`) materialized in `generated/sdk-client/src/apis/AppMagicLinksApi.ts`.
+- New SDK type module `generated/sdk-client/src/types/app-magic-link/`.
+- Apps that want to ship a one-click client onboarding flow can now invite-by-email (with optional `addToAccessPrincipals=true` to provision a brand-new user) and surface a `/link?id=…&redirect=…` route in their SPA scaffold (see follow-up subtask NIM-41013 for the apps-cli template).
+- The `request` endpoint never mutates `accessPrincipals` and never provisions users, by design — visitors can self-service only when they already have access.
+- New MCP prompt group `appMagicLinks` (registered in `src/mcp/prompts/index.ts`) covers when to use each flow, deep-link `redirectPath` rules, and expired/revoked link handling. The op contracts declare `promptGroups: ["authz", "sdk", "appMagicLinks"]` (authed) and `["sdk", "appMagicLinks"]` (visitor), so prompt-aware MCP clients receive the guidance automatically.
+- New skill reference file `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (marker `mcp-app-magic-links-loaded`). `npm run mcp:skills:copy-to-apps-cli:local` propagates it into `apps-cli/project-template/.claude/skills/fusebase-gate/references/` for fresh `fusebase init` output.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- `src/mcp/prompts/app-magic-links.ts` — bumped `version` `1.0.0` → `1.1.0`. New "Terminology: `product` / `app` vs the Gate wire contract" section maps the renamed concepts onto the unchanged wire fields:
+  - `createAppMagicLink`'s `appId` **path segment** is the **Product id** (`productId` in `fusebase.json`), not an App id.
+  - `appFeatureId` in the activation response and the scope of `featureToken` is an **App** id (`apps[].id` / `fusebase app list`).
+  - The wire field names stay at their pre-rename spelling for backward compatibility; only the human-facing concepts were renamed.
+- The Invite-flow, Identity/Scoping, Activation, and Working-Rules sections now use `Product` / `App` consistently ("every App of the Product", "App-scoped by host", etc.) and call out the `App not found` failure mode explicitly.
+- The Activation section now folds in the SPA `fetch`-vs-SDK note and the `fbsdashboardtoken` cookie detail, so the next `mcp:skills:copy-to-apps-cli` no longer reverts the apps-cli-side hand edits — the generated skill is the single source of truth again.
+- Regenerated `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (frontmatter `version: 1.1.0`). `apps-cli` receives the same file under `project-template/.claude/skills/fusebase-gate/references/`.
+
+
+## Verification
+
+### 2026-05-06-app-magic-links
+
+- `npm run lint`
+- `npm test` (190 tests pass; new tests in `tests/unit/app-magic-links-contracts.test.ts` and `tests/unit/app-magic-links-controller.test.ts`)
+- `npm run build`
+- `FEATURE_FLAGS=isolated_sql_stores,isolated_nosql_stores npm run build:sdk` — SDK regenerated, `dist/apis/AppMagicLinksApi.{js,d.ts}` and `dist/types/app-magic-link/` produced; OpenAPI spec updated.
+- `npm run mcp:skills:generate` — `app-magic-links.md` written under `generated/claude_skills/fusebase-gate/references/`; `SKILL.md` TOC updated.
+- `npm run mcp:skills:validate` — passes (1 skill).
+- `npm run mcp:skills:copy-to-apps-cli:local` — generated skill copied into the local apps-cli checkout (commit owned by NIM-41013).
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- `npm run build` — clean.
+- `npm run lint` — 0 errors (5 pre-existing `dist/` warnings).
+- `npm test` — 216 pass / 1 skipped, including the new `mcp-prompts.test.ts` case `maps the product/app rename onto the magic-link wire contract`.
+- `npm run mcp:skills:generate` — only `app-magic-links.md` rewritten.
+- `npm run mcp:skills:validate` — passes (1 skill).
+
+
+## Follow-ups
+
+### 2026-05-06-app-magic-links
+
+- **CI dependency:** the dependency bump to `@internal/nimbus-ai@^1.58.0` requires `internal/nimbus-ai!65` (NIM-40935) to merge and publish 1.58.0 to the GitLab npm registry. After it merges, this branch should be rebased and `npm install` re-run to refresh the lock file with the upstream-published integrity hash.
+- **NIM-41013:** receive the generated skill in `apps-cli` and ship the `/link` route example in `feature-templates/spa/`. The skill file is already in the local apps-cli working tree from `mcp:skills:copy-to-apps-cli:local`; NIM-41013 owns the apps-cli commit.
+
+### 2026-05-20-app-magic-links-product-app-naming
+
+- Optional: align the magic-link wire field names (`appId` → `productId`, `appFeatureId` → `appId`) and the `nimbus-ai` `app_magic_links` columns with the new terminology. That is a contract/SDK change deferred as a separate product decision (see story-spec `NIM-40935/README.md` Open Questions); this change only makes the skill describe the current contract correctly.

package/release-notes/2.2.15-sdk.5.md

@@ -1,9 +0,0 @@
-# Release Notes 2.2.15-sdk.5
-
-- Current ref: `HEAD`
-- Previous tag: `v2.2.15-sdk.5`
-- Generated at: 2026-05-18T10:10:39.543Z
-
-## Included Drafts
-
-- None