@happyvertical/smrt-users 0.30.0

package/dist/sveltekit/index.d.ts

@@ -0,0 +1,379 @@
+import { SmrtClassOptions } from '@happyvertical/smrt-core';
+import { OidcLoginResult, OidcProviderResolutionOptions, OidcTransaction } from '../services/OidcLoginService.js';
+import { TerminalAuthError, TerminalAuthRateLimitError, TerminalAuthService, TerminalAuthServiceOptions } from '../services/TerminalAuthService.js';
+export { type CliResource, type CommandDefinition, type CommandKind, type CommandPolicyContext, type CommandScope, type CreateResourceListHandlerOptions, createResourceListHandler, InvalidBearerError, type ResolvedSession, type ResourceListResponseBody, } from './resource-list-handler.js';
+export { defaultSessionLocals, type SessionLocals } from './types.js';
+/**
+ * Options for session handler
+ */
+export interface SessionHandlerOptions extends SmrtClassOptions {
+    /** Cookie name (default: 'sid') */
+    cookieName?: string;
+    /** Session TTL in seconds (default: 7 days) */
+    ttl?: number;
+    /** Paths to skip session loading (e.g., '/api/health') */
+    skipPaths?: string[];
+    /** Whether to auto-extend sessions on each request (default: false) */
+    autoExtend?: boolean;
+    /** Cookie domain (default: undefined, uses request domain) */
+    cookieDomain?: string;
+    /** Cookie path (default: '/') */
+    cookiePath?: string;
+    /** Whether cookies are secure (default: true in production) */
+    cookieSecure?: boolean;
+    /** SameSite cookie attribute (default: 'lax') */
+    cookieSameSite?: 'strict' | 'lax' | 'none';
+    /** Whether to enter smrt-tenancy request context when tenant data exists */
+    enterTenantContext?: boolean;
+    /** Whether to enforce Postgres RLS via request-scoped transactions */
+    postgresRls?: boolean;
+}
+/**
+ * SvelteKit Handle type (minimal definition to avoid requiring @sveltejs/kit as dependency)
+ */
+type HandleInput = {
+    event: {
+        cookies: {
+            get: (name: string) => string | undefined;
+            set: (name: string, value: string, options?: Record<string, unknown>) => void;
+            delete: (name: string, options?: Record<string, unknown>) => void;
+        };
+        locals: Record<string, unknown>;
+        url: {
+            pathname: string;
+            protocol?: string;
+        };
+        request: {
+            headers: Headers;
+        };
+    };
+    resolve: (event: unknown) => Promise<Response>;
+};
+type Handle = (input: HandleInput) => Promise<Response>;
+type SvelteKitRequestEvent = {
+    cookies: HandleInput['event']['cookies'];
+    getClientAddress?: () => string;
+    locals?: Record<string, unknown>;
+    params?: Record<string, string | undefined>;
+    request: Request;
+    url: URL;
+};
+type OidcProviderResolver = string | ((event: SvelteKitRequestEvent) => string | undefined);
+type OidcStringResolver<T> = T | ((result: OidcLoginResult, event: SvelteKitRequestEvent) => T | Promise<T>);
+export interface OidcSvelteKitOptions extends SmrtClassOptions, OidcProviderResolutionOptions {
+    /** Optional fetch override for tests or custom runtimes. */
+    fetch?: typeof fetch;
+    /** JWT clock tolerance passed to jose. */
+    clockTolerance?: number | string;
+    /** Provider name, or a resolver. Defaults to event.params.provider. */
+    provider?: OidcProviderResolver;
+    /** Callback path used when provider.redirectUri is omitted. */
+    callbackPath?: string | ((providerName: string) => string);
+    /** Query parameter used to preserve post-login redirects. */
+    returnToParam?: string;
+    /** Prefix for the temporary OIDC transaction cookie. */
+    transactionCookiePrefix?: string;
+    /** Temporary transaction cookie TTL in seconds. Default: 10 minutes. */
+    transactionTtl?: number;
+    /** Cookie path for the temporary OIDC transaction. */
+    transactionCookiePath?: string;
+    /** Secure flag for the temporary OIDC transaction cookie. */
+    transactionCookieSecure?: boolean;
+    /** SameSite value for the temporary OIDC transaction cookie. */
+    transactionCookieSameSite?: 'strict' | 'lax' | 'none';
+    /** HMAC secret for transaction cookie integrity. Defaults to clientSecret. */
+    transactionCookieSecret?: string;
+    /** Session cookie name. Defaults to sid. */
+    sessionCookieName?: string;
+    /** Session cookie path. Defaults to /. */
+    sessionCookiePath?: string;
+    /** Secure flag for the session cookie. Defaults to true on HTTPS. */
+    sessionCookieSecure?: boolean;
+    /** SameSite value for the session cookie. */
+    sessionCookieSameSite?: 'strict' | 'lax' | 'none';
+    /** Session TTL in seconds. Defaults to the package session default. */
+    sessionTtl?: number;
+    /** Optional tenant to bind to the session. */
+    tenantId?: OidcStringResolver<string | null | undefined>;
+    /** Redirect target after successful callback. */
+    successRedirect?: OidcStringResolver<string>;
+    /** Redirect target after failed callback. If omitted, failures return 401. */
+    failureRedirect?: string | ((error: unknown, event: SvelteKitRequestEvent) => string);
+}
+export interface BeginOidcLoginResult {
+    providerName: string;
+    transaction: OidcTransaction;
+    url: URL;
+}
+export interface CompleteOidcLoginResult extends OidcLoginResult {
+    providerName: string;
+    returnTo?: string;
+    sessionId: string;
+}
+/**
+ * Creates a SvelteKit handle hook for session management.
+ *
+ * This hook:
+ * 1. Reads the session cookie
+ * 2. Loads session context (user + permissions) if valid
+ * 3. Populates event.locals with user, permissions, tenantId, sessionId
+ * 4. Optionally extends session on each request
+ *
+ * @example
+ * ```typescript
+ * // hooks.server.ts
+ * import { createSessionHandler } from '@happyvertical/smrt-users/sveltekit';
+ *
+ * const sessionHandler = createSessionHandler({
+ *   db: { type: 'sqlite', url: 'app.db' },
+ *   cookieName: 'sid',
+ *   ttl: 7 * 24 * 60 * 60, // 7 days
+ *   skipPaths: ['/api/health', '/api/public'],
+ * });
+ *
+ * export const handle = sessionHandler;
+ * // Or with sequence:
+ * // export const handle = sequence(sessionHandler, otherHandler);
+ * ```
+ */
+export declare function createSessionHandler(options: SessionHandlerOptions): Handle;
+/**
+ * Options for creating a session cookie
+ */
+export interface CreateSessionCookieOptions {
+    /** Session TTL in seconds (default: 7 days) */
+    ttl?: number;
+    /** User agent string */
+    userAgent?: string;
+    /** Client IP address */
+    ipAddress?: string;
+    /** Custom session data */
+    data?: Record<string, unknown>;
+}
+/**
+ * Helper to create a session and set the cookie after login.
+ *
+ * @example
+ * ```typescript
+ * // +page.server.ts
+ * import { createSessionCookie } from '@happyvertical/smrt-users/sveltekit';
+ * import { redirect } from '@sveltejs/kit';
+ *
+ * export const actions = {
+ *   login: async (event) => {
+ *     // Validate credentials...
+ *     const user = await validateLogin(email, password);
+ *
+ *     await createSessionCookie(event, user.id, tenantId, {
+ *       db: { type: 'sqlite', url: 'app.db' },
+ *       ipAddress: event.getClientAddress(),
+ *       userAgent: event.request.headers.get('user-agent') ?? '',
+ *     });
+ *
+ *     throw redirect(303, '/dashboard');
+ *   }
+ * };
+ * ```
+ */
+export declare function createSessionCookie(event: HandleInput['event'], userId: string, tenantId: string | undefined, options: SmrtClassOptions & CreateSessionCookieOptions & {
+    cookieName?: string;
+    cookiePath?: string;
+    cookieSecure?: boolean;
+    cookieSameSite?: 'strict' | 'lax' | 'none';
+}): Promise<string>;
+/**
+ * Helper to destroy a session and delete the cookie on logout.
+ *
+ * @example
+ * ```typescript
+ * // +page.server.ts
+ * import { destroySessionCookie } from '@happyvertical/smrt-users/sveltekit';
+ * import { redirect } from '@sveltejs/kit';
+ *
+ * export const actions = {
+ *   logout: async (event) => {
+ *     await destroySessionCookie(event, {
+ *       db: { type: 'sqlite', url: 'app.db' }
+ *     });
+ *     throw redirect(303, '/');
+ *   }
+ * };
+ * ```
+ */
+export declare function destroySessionCookie(event: HandleInput['event'], options: SmrtClassOptions & {
+    cookieName?: string;
+    cookiePath?: string;
+    ttl?: number;
+}): Promise<void>;
+/**
+ * Helper to switch tenant context for the current session.
+ *
+ * Returns `false` without switching when there is no session, or — fail-closed
+ * (#1400) — when the session's user is not an active member of `tenantId`. The
+ * target tenant id is therefore safe to take straight from untrusted form data,
+ * but callers MUST honour the boolean result rather than assuming success.
+ *
+ * @example
+ * ```typescript
+ * // +page.server.ts
+ * import { switchSessionTenant } from '@happyvertical/smrt-users/sveltekit';
+ * import { fail } from '@sveltejs/kit';
+ *
+ * export const actions = {
+ *   switchTenant: async (event) => {
+ *     const data = await event.request.formData();
+ *     const tenantId = data.get('tenantId') as string;
+ *
+ *     const switched = await switchSessionTenant(event, tenantId, {
+ *       db: { type: 'sqlite', url: 'app.db' }
+ *     });
+ *     if (!switched) {
+ *       return fail(403, { error: 'Not a member of that tenant.' });
+ *     }
+ *
+ *     return { success: true };
+ *   }
+ * };
+ * ```
+ */
+export declare function switchSessionTenant(event: HandleInput['event'], tenantId: string | null, options: SmrtClassOptions & {
+    cookieName?: string;
+    ttl?: number;
+}): Promise<boolean>;
+/**
+ * Start an OIDC login from a SvelteKit route.
+ *
+ * Sets a short-lived, HTTP-only transaction cookie containing state, nonce,
+ * and PKCE verifier, then returns the provider authorization URL.
+ */
+export declare function beginOidcLogin(event: SvelteKitRequestEvent, options: OidcSvelteKitOptions): Promise<BeginOidcLoginResult>;
+/**
+ * Complete an OIDC callback, create or update the SMRT user/profile, and set
+ * the session cookie.
+ */
+export declare function completeOidcLogin(event: SvelteKitRequestEvent, options: OidcSvelteKitOptions): Promise<CompleteOidcLoginResult>;
+/**
+ * Create a SvelteKit GET handler that redirects to an OIDC provider.
+ *
+ * @example
+ * ```typescript
+ * // src/routes/auth/[provider]/login/+server.ts
+ * import { createOidcLoginHandler } from '@happyvertical/smrt-users/sveltekit';
+ *
+ * export const GET = createOidcLoginHandler({
+ *   db: { type: 'postgres', url: process.env.DATABASE_URL! },
+ * });
+ * ```
+ */
+export declare function createOidcLoginHandler(options: OidcSvelteKitOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
+/**
+ * Create a SvelteKit GET handler for the provider callback.
+ */
+export declare function createOidcCallbackHandler(options: OidcSvelteKitOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
+/**
+ * Pull `Bearer <token>` out of an `Authorization` header. Returns `null` if
+ * the header is missing or malformed.
+ */
+export declare function parseBearerToken(authorization: string | null): string | null;
+/** Options for the terminal-auth start handler. */
+export interface CreateTerminalAuthStartHandlerOptions extends TerminalAuthServiceOptions {
+    /**
+     * Override the verification origin returned to the CLI (e.g. when the
+     * public origin differs from the request origin behind a proxy). Defaults
+     * to `event.url.origin`.
+     */
+    verificationOrigin?: string | ((event: SvelteKitRequestEvent) => string);
+}
+/**
+ * Create a SvelteKit POST handler that starts a new terminal-auth request.
+ * Mount under `/api/cli/auth/start/+server.ts`:
+ *
+ * ```ts
+ * export const POST = createTerminalAuthStartHandler({
+ *   db: { type: 'postgres', url: process.env.DATABASE_URL! },
+ *   userCodePrefix: 'WG',
+ * });
+ * ```
+ */
+export declare function createTerminalAuthStartHandler(options: CreateTerminalAuthStartHandlerOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
+/**
+ * Create a SvelteKit POST handler that exchanges a polling device code for a
+ * bearer token once the request has been approved. Mount under
+ * `/api/cli/auth/token/+server.ts`.
+ */
+export declare function createTerminalAuthTokenHandler(options: TerminalAuthServiceOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
+/**
+ * Create a SvelteKit DELETE handler that revokes the bearer token in the
+ * request's `Authorization` header. Always returns `{ authenticated: false }`
+ * — does not leak whether the token was actually live, by design.
+ */
+export declare function createBearerSessionDeleteHandler(options: TerminalAuthServiceOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
+/**
+ * Look up the session associated with a bearer token. Use from
+ * `hooks.server.ts` to resolve `Authorization: Bearer <sid>` headers
+ * alongside cookie-based sessions.
+ */
+export declare function loadBearerSessionContext(token: string, options: TerminalAuthServiceOptions): Promise<import('../index.js').SessionContext | null>;
+/** Shape passed back to `+page.server.ts` `load`. */
+export interface TerminalLoginPageData {
+    userCode: string;
+    requestStatus: string | null;
+}
+/** Shape returned by the approve action on success. */
+export interface TerminalLoginApproveSuccess {
+    approved: true;
+    requestStatus: string;
+    userCode: string;
+}
+/** Shape returned by the approve action on failure (HTTP 4xx). */
+export interface TerminalLoginApproveFailure {
+    status: number;
+    error: string;
+    userCode: string;
+}
+/**
+ * Page-server helper for the terminal-login approval page. Returns
+ * `{ load, approve }` you can spread into a `+page.server.ts` module.
+ *
+ * `approve` is the action implementation, not a wrapped object — wire it up
+ * as you like, e.g. `export const actions = { approve: handler.approve }`.
+ *
+ * @example
+ * ```ts
+ * // src/routes/terminal-login/+page.server.ts
+ * import { mountTerminalLoginPage } from '@happyvertical/smrt-users/sveltekit';
+ *
+ * const handlers = mountTerminalLoginPage({
+ *   db: { type: 'postgres', url: process.env.DATABASE_URL! },
+ *   userCodePrefix: 'WG',
+ *   requireUser: (event) => Boolean(event.locals.user),
+ *   resolveUser: (event) => event.locals.user,
+ *   resolveTenantId: (event) => event.locals.tenantId,
+ * });
+ *
+ * export const load = handlers.load;
+ * export const actions = { approve: handlers.approve };
+ * ```
+ */
+export interface MountTerminalLoginPageOptions extends TerminalAuthServiceOptions {
+    /** Resolve the authenticated user from `event.locals`. */
+    resolveUser: (event: SvelteKitRequestEvent) => {
+        id?: string | null;
+        email?: string | null;
+    } | null | undefined;
+    /** Resolve the tenant id from `event.locals`. */
+    resolveTenantId: (event: SvelteKitRequestEvent) => string | null | undefined;
+    /** Query-string parameter holding the user code on the page URL. */
+    codeQueryParam?: string;
+}
+export interface MountedTerminalLoginPage {
+    load: (event: SvelteKitRequestEvent) => Promise<TerminalLoginPageData>;
+    approve: (event: SvelteKitRequestEvent) => Promise<TerminalLoginApproveSuccess | {
+        type: 'failure';
+        status: number;
+        data: TerminalLoginApproveFailure;
+    }>;
+}
+export declare function mountTerminalLoginPage(options: MountTerminalLoginPageOptions): MountedTerminalLoginPage;
+export { TerminalAuthError, TerminalAuthRateLimitError, TerminalAuthService, type TerminalAuthServiceOptions, };
+//# sourceMappingURL=index.d.ts.map

package/dist/sveltekit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sveltekit/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AASH,OAAO,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAEjE,OAAO,EAKL,KAAK,eAAe,EAGpB,KAAK,6BAA6B,EAClC,KAAK,eAAe,EAGrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAEL,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,EAChC,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,YAAY,EACjB,KAAK,gCAAgC,EACrC,yBAAyB,EACzB,kBAAkB,EAClB,KAAK,eAAe,EACpB,KAAK,wBAAwB,GAC9B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,KAAK,aAAa,EAAE,MAAM,YAAY,CAAC;AAItE;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,gBAAgB;IAC7D,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,8DAA8D;IAC9D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,iDAAiD;IACjD,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC3C,4EAA4E;IAC5E,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,sEAAsE;IACtE,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,KAAK,WAAW,GAAG;IACjB,KAAK,EAAE;QACL,OAAO,EAAE;YACP,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;YAC1C,GAAG,EAAE,CACH,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC9B,IAAI,CAAC;YACV,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;SACnE,CAAC;QACF,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAChC,GAAG,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAC7C,OAAO,EAAE;YAAE,OAAO,EAAE,OAAO,CAAA;SAAE,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD,CAAC;AAEF,KAAK,MAAM,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAExD,KAAK,qBAAqB,GAAG;IAC3B,OAAO,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,MAAM,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAEF,KAAK,oBAAoB,GACrB,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,GAAG,SAAS,CAAC,CAAC;AAE3D,KAAK,kBAAkB,CAAC,CAAC,IACrB,CAAC,GACD,CAAC,CAAC,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,qBAAqB,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AAEhF,MAAM,WAAW,oBACf,SAAQ,gBAAgB,EACtB,6BAA6B;IAC/B,4DAA4D;IAC5D,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,0CAA0C;IAC1C,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,uEAAuE;IACvE,QAAQ,CAAC,EAAE,oBAAoB,CAAC;IAChC,+DAA+D;IAC/D,YAAY,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;IAC3D,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,wEAAwE;IACxE,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,6DAA6D;IAC7D,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,gEAAgE;IAChE,yBAAyB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACtD,8EAA8E;IAC9E,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,4CAA4C;IAC5C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,0CAA0C;IAC1C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qEAAqE;IACrE,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,6CAA6C;IAC7C,qBAAqB,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAClD,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,kBAAkB,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,CAAC;IACzD,iDAAiD;IACjD,eAAe,CAAC,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC7C,8EAA8E;IAC9E,eAAe,CAAC,EACZ,MAAM,GACN,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,qBAAqB,KAAK,MAAM,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,eAAe,CAAC;IAC7B,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,uBAAwB,SAAQ,eAAe;IAC9D,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,MAAM,CA0E3E;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wBAAwB;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,OAAO,EAAE,gBAAgB,GACvB,0BAA0B,GAAG;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;CAC5C,GACF,OAAO,CAAC,MAAM,CAAC,CAyBjB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,OAAO,EAAE,gBAAgB,GAAG;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,IAAI,CAAC,CAkBf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,EAC3B,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,OAAO,EAAE,gBAAgB,GAAG;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GACA,OAAO,CAAC,OAAO,CAAC,CASlB;AA+PD;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,qBAAqB,EAC5B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAyB/B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,qBAAqB,EAC5B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,uBAAuB,CAAC,CA0DlC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,oBAAoB,IACpD,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAI/D;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,oBAAoB,IACvD,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAW/D;AAoCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAG5E;AAED,mDAAmD;AACnD,MAAM,WAAW,qCACf,SAAQ,0BAA0B;IAClC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,CAAC,CAAC;CAC1E;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,qCAAqC,IAEhC,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAS/D;AAED;;;;GAIG;AACH,wBAAgB,8BAA8B,CAC5C,OAAO,EAAE,0BAA0B,IAErB,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAc/D;AAED;;;;GAIG;AACH,wBAAgB,gCAAgC,CAC9C,OAAO,EAAE,0BAA0B,IAErB,OAAO,qBAAqB,KAAG,OAAO,CAAC,QAAQ,CAAC,CAY/D;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,0BAA0B,wDAIpC;AAED,qDAAqD;AACrD,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,uDAAuD;AACvD,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,IAAI,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,kEAAkE;AAClE,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,6BACf,SAAQ,0BAA0B;IAClC,0DAA0D;IAC1D,WAAW,EAAE,CACX,KAAK,EAAE,qBAAqB,KACzB;QAAE,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,GAAG,SAAS,CAAC;IACtE,iDAAiD;IACjD,eAAe,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAC7E,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,CAAC,KAAK,EAAE,qBAAqB,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACvE,OAAO,EAAE,CACP,KAAK,EAAE,qBAAqB,KACzB,OAAO,CACR,2BAA2B,GAC3B;QAAE,IAAI,EAAE,SAAS,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,2BAA2B,CAAA;KAAE,CACzE,CAAC;CACH;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,6BAA6B,GACrC,wBAAwB,CAuF1B;AASD,OAAO,EACL,iBAAiB,EACjB,0BAA0B,EAC1B,mBAAmB,EACnB,KAAK,0BAA0B,GAChC,CAAC"}

package/dist/sveltekit/resource-list-handler.d.ts

@@ -0,0 +1,127 @@
+import { SmartObjectConfig } from '@happyvertical/smrt-core';
+import { TerminalAuthServiceOptions } from '../services/TerminalAuthService.js';
+import { SessionLocals } from './types.js';
+type ApiHttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+export type CommandKind = 'crud' | 'custom';
+export type CommandScope = 'item' | 'collection';
+export interface CommandDefinition {
+    /** Method name in source casing — source of truth for HTTP routing. */
+    methodName: string;
+    /** Kebab-case identifier used by the CLI argv parser. */
+    commandName: string;
+    kind: CommandKind;
+    scope: CommandScope;
+    httpMethod: ApiHttpMethod;
+    /** URL path segments after `/<apiPath>[/<id>]/`. May be empty. */
+    pathSegments: string[];
+    description?: string;
+    /** JSONSchema describing the command's argv-flag surface. */
+    parameters?: Record<string, unknown>;
+}
+export interface CliResource {
+    /** Kebab-case identifier; the first positional argument after the CLI name. */
+    slug: string;
+    className: string;
+    qualifiedName?: string;
+    packageName?: string;
+    label: string;
+    /** Collection segment, no leading slash, no `/api` prefix. */
+    apiPath: string;
+    commands: CommandDefinition[];
+}
+export interface ResolvedSession {
+    user: SessionLocals['user'];
+    membership?: SessionLocals['membership'];
+    permissions: string[];
+    tenantId: string | null;
+    sessionId: string | null;
+}
+export interface CommandPolicyContext {
+    resource: Omit<CliResource, 'commands'>;
+    command: CommandDefinition;
+    session: ResolvedSession;
+    /**
+     * Stable identifiers for policy authors that need more than the
+     * caller-facing `resource` view (e.g. package-scoped role checks).
+     */
+    classMeta: {
+        name: string;
+        qualifiedName?: string;
+        packageName?: string;
+        decoratorConfig: SmartObjectConfig;
+    };
+}
+export interface ResourceListResponseBody {
+    user: {
+        authenticated: boolean;
+        id?: string;
+    };
+    warnings: string[];
+    resources: CliResource[];
+}
+export interface CreateResourceListHandlerOptions extends TerminalAuthServiceOptions {
+    /**
+     * Ensures `ObjectRegistry` is populated before the handler walks it.
+     *
+     * v0.1 escape hatch: the consumer app must trigger its `@smrt()` side
+     * effects (typically by importing the generated `smrt-register.ts`).
+     * Without this, a fresh request handler process may see an empty
+     * registry and return zero resources.
+     */
+    ensureRegistry: () => void | Promise<void>;
+    /**
+     * Resolve the caller's session. Defaults to `event.locals` (set by
+     * `createSessionHandler` in `hooks.server.ts`) with a `Bearer <token>`
+     * fallback for terminal-auth CLI clients.
+     *
+     * If a bearer token is present but doesn't resolve to a live session,
+     * the handler responds 401 — NOT silent anonymous, so a stale CLI token
+     * gets a clear signal to re-authenticate.
+     */
+    resolveSession?: (event: SveltekitEvent) => Promise<ResolvedSession>;
+    /**
+     * Per-command permission filter. Default: deny everything when the
+     * caller is anonymous; allow everything when authenticated.
+     *
+     * Note: this is _capability filtering_, not row-level authorization.
+     * Per-route handlers remain authoritative for `can user X update record Y`.
+     */
+    commandPolicy?: (ctx: CommandPolicyContext) => boolean | Promise<boolean>;
+    /**
+     * Override the slug derivation. Default: kebab-case of `collection`
+     * (which is already plural+lowercase from the manifest generator).
+     */
+    resourceSlug?: (meta: {
+        className: string;
+        collection: string;
+        qualifiedName?: string;
+        packageName?: string;
+    }) => string;
+    /**
+     * Match the vite plugin's `svelteKit.kebabRoutes` setting. When `true`,
+     * custom method URL segments are kebab-cased on the wire (the CLI sends
+     * `/discover-from-url`); when `false`, source-cased (`/discoverFromUrl`).
+     * Defaults to `false` to match the vite plugin default.
+     */
+    kebabRoutes?: boolean;
+}
+type SveltekitEvent = {
+    cookies: {
+        get: (name: string) => string | undefined;
+    };
+    locals?: Record<string, unknown>;
+    request: Request;
+    url: URL;
+};
+export declare function createResourceListHandler(options: CreateResourceListHandlerOptions): (event: SveltekitEvent) => Promise<Response>;
+/**
+ * Thrown by the default `resolveSession` when a bearer token is present in
+ * the request but doesn't resolve to a live session. The handler catches
+ * this and responds 401. Exported so custom `resolveSession` implementations
+ * can opt in to the same semantics.
+ */
+export declare class InvalidBearerError extends Error {
+    constructor(message?: string);
+}
+export {};
+//# sourceMappingURL=resource-list-handler.d.ts.map

package/dist/sveltekit/resource-list-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-list-handler.d.ts","sourceRoot":"","sources":["../../src/sveltekit/resource-list-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH,OAAO,yBAAyB,CAAC;AAEjC,OAAO,EAEL,KAAK,iBAAiB,EACvB,MAAM,0BAA0B,CAAC;AAMlC,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,oCAAoC,CAAC;AAErF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AA4ChD,KAAK,aAAa,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEjE,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,QAAQ,CAAC;AAC5C,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,YAAY,CAAC;AAEjD,MAAM,WAAW,iBAAiB;IAChC,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;IACnB,yDAAyD;IACzD,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,YAAY,CAAC;IACpB,UAAU,EAAE,aAAa,CAAC;IAC1B,kEAAkE;IAClE,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,+EAA+E;IAC/E,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,iBAAiB,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5B,UAAU,CAAC,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACzC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACxC,OAAO,EAAE,iBAAiB,CAAC;IAC3B,OAAO,EAAE,eAAe,CAAC;IACzB;;;OAGG;IACH,SAAS,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,iBAAiB,CAAC;KACpC,CAAC;CACH;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE;QAAE,aAAa,EAAE,OAAO,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,WAAW,EAAE,CAAC;CAC1B;AAoBD,MAAM,WAAW,gCACf,SAAQ,0BAA0B;IAClC;;;;;;;OAOG;IACH,cAAc,EAAE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3C;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,cAAc,KAAK,OAAO,CAAC,eAAe,CAAC,CAAC;IAErE;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,oBAAoB,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAE1E;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,KAAK,MAAM,CAAC;IAEb;;;;;OAKG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,KAAK,cAAc,GAAG;IACpB,OAAO,EAAE;QAAE,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IACvD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAMF,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,gCAAgC,GACxC,CAAC,KAAK,EAAE,cAAc,KAAK,OAAO,CAAC,QAAQ,CAAC,CA8L9C;AA0cD;;;;;GAKG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,SAAqC;CAIzD"}

package/dist/sveltekit/types.d.ts

@@ -0,0 +1,31 @@
+import { Membership } from '../models/Membership.js';
+import { User } from '../models/User.js';
+/**
+ * Extended locals interface for SvelteKit
+ *
+ * Add to your app.d.ts:
+ * ```typescript
+ * declare global {
+ *   namespace App {
+ *     interface Locals extends SessionLocals {}
+ *   }
+ * }
+ * ```
+ */
+export interface SessionLocals {
+    /** The authenticated user (null if not authenticated) */
+    user: User | null;
+    /** Active membership for the current tenant (null if none) */
+    membership?: Membership | null;
+    /** User's resolved permissions */
+    permissions: string[];
+    /** Current tenant context (null if no tenant selected) */
+    tenantId: string | null;
+    /** Session ID (null if no session) */
+    sessionId: string | null;
+}
+/**
+ * Default session locals values
+ */
+export declare const defaultSessionLocals: SessionLocals;
+//# sourceMappingURL=types.d.ts.map

package/dist/sveltekit/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/sveltekit/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAE9C;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,aAAa;IAC5B,yDAAyD;IACzD,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAClB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B,kCAAkC;IAClC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,sCAAsC;IACtC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,aAMlC,CAAC"}

package/dist/sveltekit.d.ts

@@ -0,0 +1,2 @@
+export * from './sveltekit/index.js';
+//# sourceMappingURL=sveltekit.d.ts.map

package/dist/sveltekit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sveltekit.d.ts","sourceRoot":"","sources":["../src/sveltekit.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC"}