@hachej/boring-core 0.1.48 → 0.1.50

package/dist/{chunk-VYXEXOCO.js → chunk-2ZTKRLVG.js}

@@ -1,11 +1,15 @@
 import {
   TopBarSlotProvider
 } from "./chunk-HYNKZSTF.js";
+import {
+  canUseProtectedApi,
+  isRuntimeEmailVerificationEnabled
+} from "./chunk-I4PGL4ZD.js";
 import {
   ConfigFetchError,
   ERROR_CODES,
   HttpError
-} from "./chunk-LIBHVT7V.js";
+} from "./chunk-QZGYKLXB.js";
 
 // src/front/AppErrorBoundary.tsx
 import { Component } from "react";
@@ -660,11 +664,16 @@ function WorkspaceAuthProvider({
   const queryClient = useQueryClient();
   const routeWorkspaceId = id?.trim() ? id : workspaceIdFromPath(location.pathname, workspaceRoute, workspaceIdParam);
   const session = useSession();
-  const isAuthenticated = Boolean(session.data?.user);
+  const config = useOptionalConfig();
+  const user = session.data?.user ?? null;
+  const canQueryProtectedApi = canUseProtectedApi(
+    user,
+    isRuntimeEmailVerificationEnabled(config)
+  );
   const workspacesQuery = useQuery2({
     queryKey: WORKSPACES_QUERY_KEY,
     queryFn: fetchWorkspaces,
-    enabled: isAuthenticated
+    enabled: canQueryProtectedApi
   });
   const defaultWorkspace = routeWorkspaceId === null ? workspacesQuery.data?.find((workspace2) => workspace2.isDefault) ?? workspacesQuery.data?.[0] ?? null : null;
   const resolvedId = routeWorkspaceId ?? defaultWorkspace?.id ?? null;
@@ -677,13 +686,13 @@ function WorkspaceAuthProvider({
       }
       return fetchWorkspace(resolvedId);
     },
-    enabled: isAuthenticated && resolvedId !== null
+    enabled: canQueryProtectedApi && resolvedId !== null
   });
   const detail = detailQuery.data ?? cachedDetail ?? null;
   const workspace = detailQuery.isError ? null : detail?.workspace ?? null;
   const role = detailQuery.isError ? null : detail?.role ?? null;
   const routeStatus = (() => {
-    if (!isAuthenticated) return { status: "idle", workspaceId: routeWorkspaceId };
+    if (!canQueryProtectedApi) return { status: "idle", workspaceId: routeWorkspaceId };
     if (routeWorkspaceId === null) return { status: "idle", workspaceId: null };
     if (detailQuery.isError) return routeStatusFromError(routeWorkspaceId, detailQuery.error);
     if (detailQuery.isPending && !detail) return { status: "loading", workspaceId: routeWorkspaceId };
@@ -709,11 +718,16 @@ var UserContext = createContext5(null);
 var STALE_MS = 6e4;
 function UserIdentityProvider({ children }) {
   const { data: session } = useSession();
+  const config = useOptionalConfig();
+  const canFetchIdentity = canUseProtectedApi(
+    session?.user,
+    isRuntimeEmailVerificationEnabled(config)
+  );
   const [identity, setIdentity] = useState6(null);
   const fetchedForRef = useRef3(null);
   const lastFetchRef = useRef3(0);
   useEffect7(() => {
-    if (!session?.user) {
+    if (!session?.user || !canFetchIdentity) {
       setIdentity(null);
       fetchedForRef.current = null;
       return;
@@ -736,7 +750,7 @@ function UserIdentityProvider({ children }) {
     return () => {
       cancelled = true;
     };
-  }, [session?.user?.id]);
+  }, [canFetchIdentity, session?.user?.id]);
   return /* @__PURE__ */ jsx6(UserContext.Provider, { value: identity, children });
 }
 function useUser() {
@@ -892,6 +906,7 @@ function SignInPage() {
 // src/front/auth/SignUpPage.tsx
 import { useState as useState9 } from "react";
 import { useForm as useForm2 } from "react-hook-form";
+import { useNavigate } from "react-router-dom";
 import { zodResolver as zodResolver2 } from "@hookform/resolvers/zod";
 import { z as z2 } from "zod";
 import { Button as Button4, Card as Card2, CardContent as CardContent2, CardDescription as CardDescription2, CardFooter as CardFooter2, CardHeader as CardHeader2, CardTitle as CardTitle2, Input as Input2, Label as Label2 } from "@hachej/boring-ui-kit";
@@ -909,6 +924,7 @@ function readGoogleAuthError2() {
 }
 function SignUpPage() {
   const signUp = useSignUp();
+  const navigate = useNavigate();
   const config = useOptionalConfig();
   const [serverError, setServerError] = useState9(null);
   const [oauthError, setOauthError] = useState9(() => readGoogleAuthError2());
@@ -935,6 +951,8 @@ function SignUpPage() {
       );
       if (result.error) {
         setServerError(result.error.message ?? "Sign up failed");
+      } else if (isRuntimeEmailVerificationEnabled(config)) {
+        navigate(routes.verifyEmail, { replace: true });
       } else {
         setSuccess(true);
       }
@@ -1214,16 +1232,23 @@ function getCookie(name) {
 function deleteCookie(name) {
   document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
 }
+function navigateToSignIn() {
+  if (typeof window === "undefined") return;
+  window.history.replaceState({}, "", routes.signin);
+  window.dispatchEvent(new PopStateEvent("popstate"));
+}
 function VerifyEmailPage() {
   const session = useSession();
   const verifyEmail = useVerifyEmail();
   const sendVerificationEmail = useSendVerificationEmail();
+  const signOut = useSignOut();
   const token = typeof window !== "undefined" ? new URLSearchParams(window.location.search).get("token") : null;
   const [status, setStatus] = useState12(token ? "verifying" : "no-token");
   const [inviteWarning, setInviteWarning] = useState12(null);
   const [cooldown, setCooldown] = useState12(0);
   const [resendEmail, setResendEmail] = useState12("");
   const [resendSent, setResendSent] = useState12(false);
+  const [isSigningOut, setIsSigningOut] = useState12(false);
   const verifiedRef = useRef4(false);
   const sessionEmail = session.data?.user?.email ?? null;
   useEffect8(() => {
@@ -1278,6 +1303,15 @@ function VerifyEmailPage() {
     setResendSent(true);
     setCooldown(60);
   }, [sessionEmail, resendEmail, cooldown, sendVerificationEmail]);
+  const handleBackToSignIn = useCallback3(async () => {
+    if (isSigningOut) return;
+    setIsSigningOut(true);
+    try {
+      await signOut();
+    } finally {
+      navigateToSignIn();
+    }
+  }, [isSigningOut, signOut]);
   const resendButton = /* @__PURE__ */ jsx12(
     Button7,
     {
@@ -1329,17 +1363,38 @@ function VerifyEmailPage() {
         /* @__PURE__ */ jsx12(CardDescription5, { children: "This verification link is no longer valid. Request a new one below." })
       ] }),
       /* @__PURE__ */ jsx12(CardContent5, { children: resendSection }),
-      /* @__PURE__ */ jsx12(CardFooter5, { children: /* @__PURE__ */ jsx12("a", { href: routes.signin, className: "text-sm text-muted-foreground hover:underline", children: "Back to sign in" }) })
+      /* @__PURE__ */ jsx12(CardFooter5, { children: /* @__PURE__ */ jsx12(
+        Button7,
+        {
+          type: "button",
+          variant: "link",
+          className: "h-auto p-0 text-sm text-muted-foreground hover:underline",
+          disabled: isSigningOut,
+          onClick: handleBackToSignIn,
+          children: isSigningOut ? "Signing out\u2026" : "Back to sign in"
+        }
+      ) })
     ] }) });
   }
+  const isWaitingForEmailClick = status === "no-token" && Boolean(sessionEmail);
   return /* @__PURE__ */ jsx12("div", { className: "flex min-h-screen items-center justify-center p-4", children: /* @__PURE__ */ jsxs5(Card5, { className: "w-full max-w-sm", children: [
     inviteWarning && /* @__PURE__ */ jsx12("div", { role: "status", className: "px-6 pt-4", children: /* @__PURE__ */ jsx12("div", { className: "rounded-md bg-muted px-3 py-2 text-sm text-muted-foreground", children: inviteWarning }) }),
     /* @__PURE__ */ jsxs5(CardHeader5, { children: [
-      /* @__PURE__ */ jsx12(CardTitle5, { children: "Invalid verification link" }),
-      /* @__PURE__ */ jsx12(CardDescription5, { children: status === "no-token" ? "No verification token found. Check the link in your email." : "This verification link is invalid. Request a new one below." })
+      /* @__PURE__ */ jsx12(CardTitle5, { children: isWaitingForEmailClick ? "Check your email" : "Invalid verification link" }),
+      /* @__PURE__ */ jsx12(CardDescription5, { children: isWaitingForEmailClick ? "We sent a verification link to your email address. Please check your inbox to continue." : status === "no-token" ? "No verification token found. Check the link in your email." : "This verification link is invalid. Request a new one below." })
     ] }),
     /* @__PURE__ */ jsx12(CardContent5, { children: resendSection }),
-    /* @__PURE__ */ jsx12(CardFooter5, { children: /* @__PURE__ */ jsx12("a", { href: routes.signin, className: "text-sm text-muted-foreground hover:underline", children: "Back to sign in" }) })
+    /* @__PURE__ */ jsx12(CardFooter5, { children: /* @__PURE__ */ jsx12(
+      Button7,
+      {
+        type: "button",
+        variant: "link",
+        className: "h-auto p-0 text-sm text-muted-foreground hover:underline",
+        disabled: isSigningOut,
+        onClick: handleBackToSignIn,
+        children: isSigningOut ? "Signing out\u2026" : "Back to sign in"
+      }
+    ) })
   ] }) });
 }
 
@@ -1399,6 +1454,9 @@ function formatMemberSince(value) {
   });
 }
 function SettingsTopBar() {
+  const config = useOptionalConfig();
+  const appTitle = config?.appName ?? "Boring UI";
+  const appInitial = (appTitle.trim().charAt(0) || "B").toUpperCase();
   return /* @__PURE__ */ jsx13(
     "header",
     {
@@ -1410,10 +1468,10 @@ function SettingsTopBar() {
           {
             "aria-hidden": "true",
             className: "flex h-7 w-7 shrink-0 items-center justify-center rounded-md bg-foreground text-[12px] font-semibold text-background",
-            children: "S"
+            children: appInitial
           }
         ),
-        /* @__PURE__ */ jsx13("span", { className: "truncate text-[13px] font-medium tracking-tight text-foreground", children: "Sovereign Workspace" }),
+        /* @__PURE__ */ jsx13("span", { className: "truncate text-[13px] font-medium tracking-tight text-foreground", children: appTitle }),
         /* @__PURE__ */ jsx13("span", { "aria-hidden": "true", className: "text-muted-foreground/30", children: "/" }),
         /* @__PURE__ */ jsx13("span", { className: "truncate text-[13px] text-muted-foreground", children: "Account settings" })
       ] })
@@ -1740,7 +1798,7 @@ function UserSettingsPage({ topBar, extraSections = [] } = {}) {
 
 // src/front/auth/InviteAcceptPage.tsx
 import { useCallback as useCallback5, useState as useState14 } from "react";
-import { useParams as useParams2, useNavigate } from "react-router-dom";
+import { useParams as useParams2, useNavigate as useNavigate2 } from "react-router-dom";
 import { useQuery as useQuery3, useMutation, useQueryClient as useQueryClient2 } from "@tanstack/react-query";
 import {
   Button as Button9,
@@ -1757,7 +1815,7 @@ import { jsx as jsx14, jsxs as jsxs7 } from "react/jsx-runtime";
 function InviteAcceptPage() {
   const { token } = useParams2();
   const session = useSession();
-  const navigate = useNavigate();
+  const navigate = useNavigate2();
   const queryClient = useQueryClient2();
   const [acceptError, setAcceptError] = useState14(null);
   const isSignedIn = Boolean(session.data);
@@ -1891,6 +1949,15 @@ import { matchPath as matchPath2 } from "react-router-dom";
 import { Fragment as Fragment3, jsx as jsx15 } from "react/jsx-runtime";
 var DEFAULT_GRACE_MS = 3e4;
 var UNSAFE_REDIRECT_RE = /[\0\r\n<>"'`]/;
+var UNVERIFIED_ALLOWED_PATHS = /* @__PURE__ */ new Set([
+  routes.signup,
+  routes.forgotPassword,
+  routes.resetPassword,
+  routes.verifyEmail,
+  routes.authError,
+  routes.callbackGithub,
+  routes.callbackGoogle
+]);
 function normalizePath(pathname) {
   if (!pathname) return "/";
   return pathname.startsWith("/") ? pathname : `/${pathname}`;
@@ -1921,6 +1988,9 @@ function isPublicPath(pathname, publicPaths) {
     return normalizedPath === candidate || normalizedPath.startsWith(`${candidate}/`);
   });
 }
+function shouldBlockUnverifiedUser(pathname, hasSession, requireEmailVerification, isEmailVerified) {
+  return hasSession && requireEmailVerification && !isEmailVerified && !UNVERIFIED_ALLOWED_PATHS.has(normalizePath(pathname));
+}
 function readSafeRedirect(search) {
   const redirect = new URLSearchParams(normalizeSearch(search)).get("redirect");
   if (!redirect) return null;
@@ -1950,7 +2020,8 @@ function AuthGate({
   graceMs = DEFAULT_GRACE_MS,
   location,
   navigate,
-  now
+  now,
+  requireEmailVerification = false
 }) {
   const session = useSession();
   const nullSinceRef = useRef5(null);
@@ -1962,6 +2033,7 @@ function AuthGate({
     () => publicPaths.map(normalizePublicPath),
     [publicPaths]
   );
+  const isEmailVerified = session.data?.user?.emailVerified ?? false;
   useEffect9(() => {
     return () => {
       if (!redirectTimerRef.current) return;
@@ -1978,6 +2050,10 @@ function AuthGate({
     const currentPath = buildCurrentPath(currentLocation);
     if (session.data) {
       nullSinceRef.current = null;
+      if (shouldBlockUnverifiedUser(pathname2, true, requireEmailVerification, isEmailVerified)) {
+        goTo(routes.verifyEmail, { replace: true });
+        return;
+      }
       if (pathname2 === routes.signin) {
         const destination = readSafeRedirect(currentLocation.search) ?? "/";
         if (destination !== currentPath) {
@@ -2008,15 +2084,16 @@ function AuthGate({
       goTo(`${routes.signin}?redirect=${encodeURIComponent(currentPath)}`, { replace: true });
     }, remainingMs);
     redirectTimerRef.current.unref?.();
-  }, [currentLocation, goTo, graceMs, normalizedPublicPaths, readNow, session.data, session.isPending]);
+  }, [currentLocation, goTo, graceMs, isEmailVerified, normalizedPublicPaths, readNow, requireEmailVerification, session.data, session.isPending]);
   const pathname = normalizePath(currentLocation.pathname);
+  if (shouldBlockUnverifiedUser(pathname, Boolean(session.data), requireEmailVerification, isEmailVerified)) return null;
   if (session.isPending && !isPublicPath(pathname, normalizedPublicPaths)) return null;
   return /* @__PURE__ */ jsx15(Fragment3, { children });
 }
 
 // src/front/CoreFront.tsx
 import { Suspense, useCallback as useCallback9, useMemo as useMemo6 } from "react";
-import { BrowserRouter, Routes, Route, useLocation as useLocation2, useNavigate as useNavigate5 } from "react-router-dom";
+import { BrowserRouter, Routes, Route, useLocation as useLocation2, useNavigate as useNavigate6 } from "react-router-dom";
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { Helmet, HelmetProvider } from "react-helmet-async";
 
@@ -2040,7 +2117,7 @@ import {
   Settings,
   Sun
 } from "lucide-react";
-import { useNavigate as useNavigate2 } from "react-router-dom";
+import { useNavigate as useNavigate3 } from "react-router-dom";
 import { jsx as jsx16, jsxs as jsxs8 } from "react/jsx-runtime";
 var THEME_ORDER = ["light", "dark", "system"];
 function labelForTheme(preference) {
@@ -2062,7 +2139,7 @@ function initialsFor2(name, email) {
 function UserMenu() {
   const identity = useUser();
   const signOut = useSignOut();
-  const navigate = useNavigate2();
+  const navigate = useNavigate3();
   const { preference, setTheme } = useTheme();
   const [isSigningOut, setIsSigningOut] = useState15(false);
   const user = identity?.user;
@@ -2192,7 +2269,7 @@ import {
   useToast
 } from "@hachej/boring-ui-kit";
 import { ChevronsUpDown, LayoutGrid, Plus, Settings as Settings2 } from "lucide-react";
-import { useNavigate as useNavigate3 } from "react-router-dom";
+import { useNavigate as useNavigate4 } from "react-router-dom";
 import { z as z6 } from "zod";
 import { Fragment as Fragment4, jsx as jsx17, jsxs as jsxs9 } from "react/jsx-runtime";
 var workspaceNameSchema = z6.object({
@@ -2238,10 +2315,12 @@ function OpenInNewTabIcon({ className }) {
   ] });
 }
 function WorkspaceSwitcher({
-  appTitle = "Sovereign Workspace",
+  appTitle,
   workspacePathPrefix = "/workspace"
 }) {
-  const navigate = useNavigate3();
+  const config = useOptionalConfig();
+  const resolvedAppTitle = appTitle ?? config?.appName ?? "Boring UI";
+  const navigate = useNavigate4();
   const queryClient = useQueryClient3();
   const { toast } = useToastCompat();
   const currentWorkspace = useCurrentWorkspace();
@@ -2328,7 +2407,7 @@ function WorkspaceSwitcher({
             {
               "aria-hidden": "true",
               className: "flex h-7 w-7 shrink-0 items-center justify-center rounded-md bg-foreground text-[12px] font-semibold text-background",
-              children: appTitle.charAt(0).toUpperCase()
+              children: resolvedAppTitle.charAt(0).toUpperCase()
             }
           ),
           /* @__PURE__ */ jsx17("span", { className: "text-[13px] font-medium text-foreground", children: "Create your first workspace" })
@@ -2348,11 +2427,11 @@ function WorkspaceSwitcher({
               {
                 "aria-hidden": "true",
                 className: "flex h-7 w-7 shrink-0 items-center justify-center rounded-md bg-foreground text-[12px] font-semibold text-background",
-                children: appTitle.charAt(0).toUpperCase()
+                children: resolvedAppTitle.charAt(0).toUpperCase()
               }
             ),
             /* @__PURE__ */ jsxs9("span", { className: "flex min-w-0 items-center gap-1.5", children: [
-              /* @__PURE__ */ jsx17("span", { className: "truncate text-[13px] font-medium text-foreground", children: appTitle }),
+              /* @__PURE__ */ jsx17("span", { className: "truncate text-[13px] font-medium text-foreground", children: resolvedAppTitle }),
               /* @__PURE__ */ jsx17("span", { "aria-hidden": "true", className: "text-muted-foreground/30", children: "/" }),
               /* @__PURE__ */ jsx17("span", { className: "truncate text-[13px] font-normal text-muted-foreground", children: switcherLabel })
             ] }),
@@ -2985,7 +3064,7 @@ function MembersPage() {
 // src/front/workspace/WorkspaceSettingsPage.tsx
 import { useCallback as useCallback8, useEffect as useEffect10, useState as useState19 } from "react";
 import { useQuery as useQuery6, useMutation as useMutation4, useQueryClient as useQueryClient6 } from "@tanstack/react-query";
-import { useNavigate as useNavigate4 } from "react-router-dom";
+import { useNavigate as useNavigate5 } from "react-router-dom";
 import {
   AlertDialog as AlertDialog3,
   AlertDialogCancel as AlertDialogCancel3,
@@ -3020,7 +3099,10 @@ var STATE_TONES = {
   error: "danger"
 };
 function SettingsTopBar2({ workspaceId, workspaceName }) {
-  const navigate = useNavigate4();
+  const config = useOptionalConfig();
+  const appTitle = config?.appName ?? "Boring UI";
+  const appInitial = (appTitle.trim().charAt(0) || "B").toUpperCase();
+  const navigate = useNavigate5();
   const workspaceHref = workspaceId ? `/workspace/${encodeURIComponent(workspaceId)}` : "/";
   return /* @__PURE__ */ jsx21(
     "header",
@@ -3038,10 +3120,10 @@ function SettingsTopBar2({ workspaceId, workspaceName }) {
             title: "Back to workspace",
             onClick: () => navigate(workspaceHref),
             className: "shrink-0 bg-foreground text-[12px] font-semibold text-background hover:bg-foreground/90",
-            children: "S"
+            children: appInitial
           }
         ),
-        /* @__PURE__ */ jsx21("span", { className: "truncate text-[13px] font-medium tracking-tight text-foreground", children: "Sovereign Workspace" }),
+        /* @__PURE__ */ jsx21("span", { className: "truncate text-[13px] font-medium tracking-tight text-foreground", children: appTitle }),
         /* @__PURE__ */ jsx21("span", { "aria-hidden": "true", className: "text-muted-foreground/30", children: "/" }),
         /* @__PURE__ */ jsx21("span", { className: "truncate text-[13px] text-muted-foreground", children: workspaceName }),
         /* @__PURE__ */ jsx21("span", { "aria-hidden": "true", className: "text-muted-foreground/30", children: "/" }),
@@ -3091,7 +3173,7 @@ function WorkspaceSettingsPage({ topBar } = {}) {
   const workspace = useCurrentWorkspace();
   const role = useWorkspaceRole();
   const queryClient = useQueryClient6();
-  const navigate = useNavigate4();
+  const navigate = useNavigate5();
   const workspaceId = workspace?.id ?? "";
   const [nameValue, setNameValue] = useState19(null);
   const [nameError, setNameError] = useState19(null);
@@ -3533,8 +3615,9 @@ function createDefaultQueryClient() {
   });
 }
 function RouterAuthGate({ children, publicPaths }) {
+  const config = useConfig();
   const location = useLocation2();
-  const navigate = useNavigate5();
+  const navigate = useNavigate6();
   const authLocation = useMemo6(
     () => ({ pathname: location.pathname, search: location.search, hash: location.hash }),
     [location.hash, location.pathname, location.search]
@@ -3551,6 +3634,7 @@ function RouterAuthGate({ children, publicPaths }) {
       location: authLocation,
       navigate: navigateWithinRouter,
       publicPaths,
+      requireEmailVerification: isRuntimeEmailVerificationEnabled(config),
       children
     }
   );
@@ -3605,7 +3689,7 @@ function CoreFront({ children, authPages, cspNonce, workspaceRoute, workspaceIdP
 
 // src/front/commands/CoreCommandContributions.tsx
 import { useMemo as useMemo7, useState as useState20 } from "react";
-import { useNavigate as useNavigate6 } from "react-router-dom";
+import { useNavigate as useNavigate7 } from "react-router-dom";
 
 // src/front/workspace/commands.ts
 function getWorkspaceCommands(workspaceId, navigate) {
@@ -3643,7 +3727,7 @@ function toPaletteCommand(command) {
   };
 }
 function useCoreCommands() {
-  const navigate = useNavigate6();
+  const navigate = useNavigate7();
   const signOut = useSignOut();
   const workspace = useCurrentWorkspace();
   const [isSigningOut, setIsSigningOut] = useState20(false);

package/dist/{chunk-FZC3VL5D.js → chunk-BVZ2YT3M.js}

@@ -1,7 +1,7 @@
 import {
   ERROR_CODES,
   HttpError
-} from "./chunk-LIBHVT7V.js";
+} from "./chunk-QZGYKLXB.js";
 import {
   __export
 } from "./chunk-MLKGABMK.js";

package/dist/chunk-I4PGL4ZD.js

@@ -0,0 +1,17 @@
+// src/shared/authPolicy.ts
+function isCoreEmailVerificationEnabled(config) {
+  return Boolean(config.auth.mail);
+}
+function isRuntimeEmailVerificationEnabled(config) {
+  return config?.features.emailVerification === true;
+}
+function canUseProtectedApi(user, requireEmailVerification) {
+  if (!user) return false;
+  return !requireEmailVerification || user.emailVerified === true;
+}
+
+export {
+  isCoreEmailVerificationEnabled,
+  isRuntimeEmailVerificationEnabled,
+  canUseProtectedApi
+};

package/dist/{chunk-LIBHVT7V.js → chunk-QZGYKLXB.js}

@@ -5,6 +5,7 @@ var ERROR_CODES = {
   FORBIDDEN: "forbidden",
   WEAK_PASSWORD: "weak_password",
   EMAIL_IN_USE: "email_in_use",
+  EMAIL_NOT_VERIFIED: "email_not_verified",
   // Workspace membership
   NOT_MEMBER: "not_member",
   LAST_OWNER: "last_owner",

package/dist/{chunk-6GAQRQKO.js → chunk-ZMS6O4CY.js}

@@ -12,16 +12,19 @@ import {
   workspaceRuntimes,
   workspaceSettings,
   workspaces
-} from "./chunk-FZC3VL5D.js";
+} from "./chunk-BVZ2YT3M.js";
 import {
   noopTelemetry,
   safeCapture
 } from "./chunk-AQBXNPMD.js";
+import {
+  isCoreEmailVerificationEnabled
+} from "./chunk-I4PGL4ZD.js";
 import {
   ConfigValidationError,
   ERROR_CODES,
   HttpError
-} from "./chunk-LIBHVT7V.js";
+} from "./chunk-QZGYKLXB.js";
 
 // src/server/config/schema.ts
 import { z } from "zod";
@@ -290,7 +293,8 @@ function buildRuntimeConfigPayload(config) {
       githubOauth: config.features.githubOauth,
       googleOauth: isGoogleOauthUsable(config),
       invitesEnabled: config.features.invitesEnabled,
-      sendWelcomeEmail: config.features.sendWelcomeEmail
+      sendWelcomeEmail: config.features.sendWelcomeEmail,
+      emailVerification: isCoreEmailVerificationEnabled(config)
     }
   };
 }
@@ -419,7 +423,7 @@ function registerCapabilities(app) {
       contributors.set(name, fn);
     }
   );
-  const hasMail = !!app.config.auth.mail;
+  const emailVerificationEnabled = isCoreEmailVerificationEnabled(app.config);
   app.registerCapabilitiesContributor("core", () => {
     const googleOauth = isGoogleOauthUsable(app.config);
     const core = {
@@ -428,15 +432,15 @@ function registerCapabilities(app) {
         invitesEnabled: app.config.features.invitesEnabled,
         githubOauth: app.config.features.githubOauth,
         googleOauth,
-        emailFlows: hasMail
+        emailFlows: emailVerificationEnabled
       },
       auth: {
         emailPassword: true,
         github: false,
         google: googleOauth,
-        emailVerification: hasMail,
-        passwordReset: hasMail,
-        magicLink: hasMail
+        emailVerification: emailVerificationEnabled,
+        passwordReset: emailVerificationEnabled,
+        magicLink: emailVerificationEnabled
       }
     };
     return { core };
@@ -1747,7 +1751,8 @@ function buildMailTransport(config) {
 function createAuth(config, db, opts) {
   const transport = buildMailTransport(config);
   const telemetry = opts?.telemetry ?? noopTelemetry;
-  const emailVerificationConfig = transport ? {
+  const emailVerificationEnabled = isCoreEmailVerificationEnabled(config);
+  const emailVerificationConfig = emailVerificationEnabled && transport ? {
     sendOnSignUp: true,
     sendVerificationEmail: async (data) => {
       const email = await renderVerifyEmail({
@@ -1930,7 +1935,8 @@ var authHookPlugin = async (app, opts) => {
           request.user = {
             id: result.user.id,
             email: result.user.email,
-            name: result.user.name ?? null
+            name: result.user.name ?? null,
+            emailVerified: Boolean(result.user.emailVerified)
           };
         }
       } catch {
@@ -1938,7 +1944,8 @@ var authHookPlugin = async (app, opts) => {
       }
     }
     const path = request.url.split("?")[0];
-    if (path.startsWith("/api/v1/") && !publicPatterns.some((re) => re.test(path)) && !request.user) {
+    const isProtectedApi = path.startsWith("/api/v1/") && !publicPatterns.some((re) => re.test(path));
+    if (isProtectedApi && !request.user) {
       throw new HttpError({
         status: 401,
         code: ERROR_CODES.UNAUTHORIZED,
@@ -1946,6 +1953,14 @@ var authHookPlugin = async (app, opts) => {
         requestId: request.id
       });
     }
+    if (isProtectedApi && isCoreEmailVerificationEnabled(app.config) && request.user?.emailVerified !== true) {
+      throw new HttpError({
+        status: 403,
+        code: ERROR_CODES.EMAIL_NOT_VERIFIED,
+        message: "Email verification required",
+        requestId: request.id
+      });
+    }
   });
 };
 var authHook = fp2(authHookPlugin, { name: "auth-hook" });

package/dist/{connection-C5SiqoNc.d.ts → connection-B1iC6B-w.d.ts}

@@ -1,4 +1,4 @@
-import { C as CoreConfig, W as Workspace, E as ERROR_CODES, M as MemberRole, a as WorkspaceMember, U as User, b as WorkspaceInvite, c as WorkspaceRuntime, d as WorkspaceRuntimeResourceSelector, e as WorkspaceRuntimeResource, f as WorkspaceRuntimeResourceInput, g as CapabilitiesResponse } from './types-CWtJ4kgd.js';
+import { C as CoreConfig, c as Workspace, E as ERROR_CODES, M as MemberRole, d as WorkspaceMember, U as User, e as WorkspaceInvite, f as WorkspaceRuntime, W as WorkspaceRuntimeResourceSelector, a as WorkspaceRuntimeResource, b as WorkspaceRuntimeResourceInput, g as CapabilitiesResponse } from './types-Bb7I-83I.js';
 import { drizzle } from 'drizzle-orm/postgres-js';
 import postgres from 'postgres';
 
@@ -131,6 +131,7 @@ declare module 'fastify' {
             id: string;
             email: string;
             name: string | null;
+            emailVerified: boolean;
         } | null;
         cspNonce?: string;
     }
@@ -142,4 +143,4 @@ declare function createDatabase(config: CoreConfig): {
     sql: postgres.Sql;
 };
 
-export { type AuthProvider as A, type CreateCoreAppOptions as C, type Database as D, type ProvisionContext as P, type UserStore as U, type WorkspaceStore as W, type WorkspaceProvisioner as a, type CapabilitiesContributor as b, createDatabase as c, type ProvisionResult as d };
+export { type AuthProvider as A, type CreateCoreAppOptions as C, type Database as D, type ProvisionContext as P, type UserStore as U, type WorkspaceStore as W, type WorkspaceProvisioner as a, type CapabilitiesContributor as b, type ProvisionResult as c, createDatabase as d };

package/dist/front/index.d.ts

@@ -1,7 +1,7 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import * as react from 'react';
 import { Component, ReactNode, ErrorInfo } from 'react';
-import { R as RuntimeConfig, g as CapabilitiesResponse, a as WorkspaceMember, U as User, W as Workspace, M as MemberRole, S as SessionState } from '../types-CWtJ4kgd.js';
+import { R as RuntimeConfig, g as CapabilitiesResponse, d as WorkspaceMember, U as User, c as Workspace, M as MemberRole, S as SessionState } from '../types-Bb7I-83I.js';
 import * as _tanstack_react_query from '@tanstack/react-query';
 import * as better_auth_react from 'better-auth/react';
 import { createAuthClient } from 'better-auth/react';
@@ -461,8 +461,9 @@ interface AuthGateProps {
         replace?: boolean;
     }) => void;
     now?: () => number;
+    requireEmailVerification?: boolean;
 }
-declare function AuthGate({ children, publicPaths, graceMs, location, navigate, now, }: AuthGateProps): react_jsx_runtime.JSX.Element | null;
+declare function AuthGate({ children, publicPaths, graceMs, location, navigate, now, requireEmailVerification, }: AuthGateProps): react_jsx_runtime.JSX.Element | null;
 
 interface CoreCommand {
     id: string;

package/dist/front/index.js

@@ -58,12 +58,13 @@ import {
   useWorkspaceMembers,
   useWorkspaceRole,
   useWorkspaceRouteStatus
-} from "../chunk-VYXEXOCO.js";
+} from "../chunk-2ZTKRLVG.js";
 import {
   TopBarSlotProvider,
   useTopBarSlot
 } from "../chunk-HYNKZSTF.js";
-import "../chunk-LIBHVT7V.js";
+import "../chunk-I4PGL4ZD.js";
+import "../chunk-QZGYKLXB.js";
 import "../chunk-MLKGABMK.js";
 export {
   AppErrorBoundary,

package/dist/server/db/index.d.ts

@@ -1,7 +1,7 @@
-import { U as UserStore, W as WorkspaceStore } from '../../connection-C5SiqoNc.js';
-export { D as Database, c as createDatabase } from '../../connection-C5SiqoNc.js';
-export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, P as PostgresMeteringStore, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, e as RunMigrationsOptions, r as runMigrations } from '../../PostgresMeteringStore-DhOVVtau.js';
-import { U as User, W as Workspace, E as ERROR_CODES, M as MemberRole, a as WorkspaceMember, b as WorkspaceInvite, c as WorkspaceRuntime, d as WorkspaceRuntimeResourceSelector, e as WorkspaceRuntimeResource, f as WorkspaceRuntimeResourceInput } from '../../types-CWtJ4kgd.js';
+import { U as UserStore, W as WorkspaceStore } from '../../connection-B1iC6B-w.js';
+export { D as Database, d as createDatabase } from '../../connection-B1iC6B-w.js';
+export { F as FinishReservationInput, G as GrantOnceInput, I as InsufficientCreditError, M as MeteringBalance, P as PostgresMeteringStore, R as RecordUsageInput, a as RecordUsageResult, b as ReservationFinalStatus, c as ReserveInput, d as ReserveResult, e as RunMigrationsOptions, r as runMigrations } from '../../PostgresMeteringStore-qjKGmVFr.js';
+import { U as User, c as Workspace, E as ERROR_CODES, M as MemberRole, d as WorkspaceMember, e as WorkspaceInvite, f as WorkspaceRuntime, W as WorkspaceRuntimeResourceSelector, a as WorkspaceRuntimeResource, b as WorkspaceRuntimeResourceInput } from '../../types-Bb7I-83I.js';
 import { PostgresJsDatabase } from 'drizzle-orm/postgres-js';
 import 'postgres';
 

package/dist/server/db/index.js

@@ -7,8 +7,8 @@ import {
   PostgresWorkspaceStore,
   createDatabase,
   runMigrations
-} from "../../chunk-FZC3VL5D.js";
-import "../../chunk-LIBHVT7V.js";
+} from "../../chunk-BVZ2YT3M.js";
+import "../../chunk-QZGYKLXB.js";
 import "../../chunk-MLKGABMK.js";
 export {
   InsufficientCreditError,