@judo/auth 0.1.0

package/LICENSE

@@ -0,0 +1,277 @@
+Eclipse Public License - v 2.0
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
+    PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION
+    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+1. DEFINITIONS
+
+"Contribution" means:
+
+  a) in the case of the initial Contributor, the initial content
+     Distributed under this Agreement, and
+
+  b) in the case of each subsequent Contributor:
+     i) changes to the Program, and
+     ii) additions to the Program;
+  where such changes and/or additions to the Program originate from
+  and are Distributed by that particular Contributor. A Contribution
+  "originates" from a Contributor if it was added to the Program by
+  such Contributor itself or anyone acting on such Contributor's behalf.
+  Contributions do not include changes or additions to the Program that
+  are not Modified Works.
+
+"Contributor" means any person or entity that Distributes the Program.
+
+"Licensed Patents" mean patent claims licensable by a Contributor which
+are necessarily infringed by the use or sale of its Contribution alone
+or when combined with the Program.
+
+"Program" means the Contributions Distributed in accordance with this
+Agreement.
+
+"Recipient" means anyone who receives the Program under this Agreement
+or any Secondary License (as applicable), including Contributors.
+
+"Derivative Works" shall mean any work, whether in Source Code or other
+form, that is based on (or derived from) the Program and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship.
+
+"Modified Works" shall mean any work in Source Code or other form that
+results from an addition to, deletion from, or modification of the
+contents of the Program, including, for purposes of clarity any new file
+in Source Code form that contains any contents of the Program. Modified
+Works shall not include works that contain only declarations,
+interfaces, types, classes, structures, or files of the Program solely
+in each case in order to link to, bind by name, or subclass the Program
+or Modified Works thereof.
+
+"Distribute" means the acts of a) distributing or b) making available
+in any manner that enables the transfer of a copy.
+
+"Source Code" means the form of a Program preferred for making
+modifications, including but not limited to software source code,
+documentation source, and configuration files.
+
+"Secondary License" means either the GNU General Public License,
+Version 2.0, or any later versions of that license, including any
+exceptions or additional permissions as identified by the initial
+Contributor.
+
+2. GRANT OF RIGHTS
+
+  a) Subject to the terms of this Agreement, each Contributor hereby
+  grants Recipient a non-exclusive, worldwide, royalty-free copyright
+  license to reproduce, prepare Derivative Works of, publicly display,
+  publicly perform, Distribute and sublicense the Contribution of such
+  Contributor, if any, and such Derivative Works.
+
+  b) Subject to the terms of this Agreement, each Contributor hereby
+  grants Recipient a non-exclusive, worldwide, royalty-free patent
+  license under Licensed Patents to make, use, sell, offer to sell,
+  import and otherwise transfer the Contribution of such Contributor,
+  if any, in Source Code or other form. This patent license shall
+  apply to the combination of the Contribution and the Program if, at
+  the time the Contribution is added by the Contributor, such addition
+  of the Contribution causes such combination to be covered by the
+  Licensed Patents. The patent license shall not apply to any other
+  combinations which include the Contribution. No hardware per se is
+  licensed hereunder.
+
+  c) Recipient understands that although each Contributor grants the
+  licenses to its Contributions set forth herein, no assurances are
+  provided by any Contributor that the Program does not infringe the
+  patent or other intellectual property rights of any other entity.
+  Each Contributor disclaims any liability to Recipient for claims
+  brought by any other entity based on infringement of intellectual
+  property rights or otherwise. As a condition to exercising the
+  rights and licenses granted hereunder, each Recipient hereby
+  assumes sole responsibility to secure any other intellectual
+  property rights needed, if any. For example, if a third party
+  patent license is required to allow Recipient to Distribute the
+  Program, it is Recipient's responsibility to acquire that license
+  before distributing the Program.
+
+  d) Each Contributor represents that to its knowledge it has
+  sufficient copyright rights in its Contribution, if any, to grant
+  the copyright license set forth in this Agreement.
+
+  e) Notwithstanding the terms of any Secondary License, no
+  Contributor makes additional grants to any Recipient (other than
+  those set forth in this Agreement) as a result of such Recipient's
+  receipt of the Program under the terms of a Secondary License
+  (if permitted under the terms of Section 3).
+
+3. REQUIREMENTS
+
+3.1 If a Contributor Distributes the Program in any form, then:
+
+  a) the Program must also be made available as Source Code, in
+  accordance with section 3.2, and the Contributor must accompany
+  the Program with a statement that the Source Code for the Program
+  is available under this Agreement, and informs Recipients how to
+  obtain it in a reasonable manner on or through a medium customarily
+  used for software exchange; and
+
+  b) the Contributor may Distribute the Program under a license
+  different than this Agreement, provided that such license:
+     i) effectively disclaims on behalf of all other Contributors all
+     warranties and conditions, express and implied, including
+     warranties or conditions of title and non-infringement, and
+     implied warranties or conditions of merchantability and fitness
+     for a particular purpose;
+
+     ii) effectively excludes on behalf of all other Contributors all
+     liability for damages, including direct, indirect, special,
+     incidental and consequential damages, such as lost profits;
+
+     iii) does not attempt to limit or alter the recipients' rights
+     in the Source Code under section 3.2; and
+
+     iv) requires any subsequent distribution of the Program by any
+     party to be under a license that satisfies the requirements
+     of this section 3.
+
+3.2 When the Program is Distributed as Source Code:
+
+  a) it must be made available under this Agreement, or if the
+  Program (i) is combined with other material in a separate file or
+  files made available under a Secondary License, and (ii) the initial
+  Contributor attached to the Source Code the notice described in
+  Exhibit A of this Agreement, then the Program may be made available
+  under the terms of such Secondary Licenses, and
+
+  b) a copy of this Agreement must be included with each copy of
+  the Program.
+
+3.3 Contributors may not remove or alter any copyright, patent,
+trademark, attribution notices, disclaimers of warranty, or limitations
+of liability ("notices") contained within the Program from any copy of
+the Program which they Distribute, provided that Contributors may add
+their own appropriate notices.
+
+4. COMMERCIAL DISTRIBUTION
+
+Commercial distributors of software may accept certain responsibilities
+with respect to end users, business partners and the like. While this
+license is intended to facilitate the commercial use of the Program,
+the Contributor who includes the Program in a commercial product
+offering should do so in a manner which does not create potential
+liability for other Contributors. Therefore, if a Contributor includes
+the Program in a commercial product offering, such Contributor
+("Commercial Contributor") hereby agrees to defend and indemnify every
+other Contributor ("Indemnified Contributor") against any losses,
+damages and costs (collectively "Losses") arising from claims, lawsuits
+and other legal actions brought by a third party against the Indemnified
+Contributor to the extent caused by the acts or omissions of such
+Commercial Contributor in connection with its distribution of the Program
+in a commercial product offering. The obligations in this section do not
+apply to any claims or Losses relating to any actual or alleged
+intellectual property infringement. In order to qualify, an Indemnified
+Contributor must: a) promptly notify the Commercial Contributor in
+writing of such claim, and b) allow the Commercial Contributor to control,
+and cooperate with the Commercial Contributor in, the defense and any
+related settlement negotiations. The Indemnified Contributor may
+participate in any such claim at its own expense.
+
+For example, a Contributor might include the Program in a commercial
+product offering, Product X. That Contributor is then a Commercial
+Contributor. If that Commercial Contributor then makes performance
+claims, or offers warranties related to Product X, those performance
+claims and warranties are such Commercial Contributor's responsibility
+alone. Under this section, the Commercial Contributor would have to
+defend claims against the other Contributors related to those performance
+claims and warranties, and if a court requires any other Contributor to
+pay any damages as a result, the Commercial Contributor must pay
+those damages.
+
+5. NO WARRANTY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
+PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS"
+BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF
+TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
+PURPOSE. Each Recipient is solely responsible for determining the
+appropriateness of using and distributing the Program and assumes all
+risks associated with its exercise of rights under this Agreement,
+including but not limited to the risks and costs of program errors,
+compliance with applicable laws, damage to or loss of data, programs
+or equipment, and unavailability or interruption of operations.
+
+6. DISCLAIMER OF LIABILITY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
+PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS
+SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
+PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
+EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+7. GENERAL
+
+If any provision of this Agreement is invalid or unenforceable under
+applicable law, it shall not affect the validity or enforceability of
+the remainder of the terms of this Agreement, and without further
+action by the parties hereto, such provision shall be reformed to the
+minimum extent necessary to make such provision valid and enforceable.
+
+If Recipient institutes patent litigation against any entity
+(including a cross-claim or counterclaim in a lawsuit) alleging that the
+Program itself (excluding combinations of the Program with other software
+or hardware) infringes such Recipient's patent(s), then such Recipient's
+rights granted under Section 2(b) shall terminate as of the date such
+litigation is filed.
+
+All Recipient's rights under this Agreement shall terminate if it
+fails to comply with any of the material terms or conditions of this
+Agreement and does not cure such failure in a reasonable period of
+time after becoming aware of such noncompliance. If all Recipient's
+rights under this Agreement terminate, Recipient agrees to cease use
+and distribution of the Program as soon as reasonably practicable.
+However, Recipient's obligations under this Agreement and any licenses
+granted by Recipient relating to the Program shall continue and survive.
+
+Everyone is permitted to copy and distribute copies of this Agreement,
+but in order to avoid inconsistency the Agreement is copyrighted and
+may only be modified in the following manner. The Agreement Steward
+reserves the right to publish new versions (including revisions) of
+this Agreement from time to time. No one other than the Agreement
+Steward has the right to modify this Agreement. The Eclipse Foundation
+is the initial Agreement Steward. The Eclipse Foundation may assign the
+responsibility to serve as the Agreement Steward to a suitable separate
+entity. Each new version of the Agreement will be given a distinguishing
+version number. The Program (including Contributions) may always be
+Distributed subject to the version of the Agreement under which it was
+received. In addition, after a new version of the Agreement is published,
+Contributor may elect to Distribute the Program (including its
+Contributions) under the new version.
+
+Except as expressly stated in Sections 2(a) and 2(b) above, Recipient
+receives no rights or licenses to the intellectual property of any
+Contributor under this Agreement, whether expressly, by implication,
+estoppel or otherwise. All rights in the Program not expressly granted
+under this Agreement are reserved. Nothing in this Agreement is intended
+to be enforceable by any entity that is not a Contributor or Recipient.
+No third-party beneficiary rights are created under this Agreement.
+
+Exhibit A - Form of Secondary Licenses Notice
+
+"This Source Code may also be made available under the following 
+Secondary Licenses when the conditions for such availability set forth 
+in the Eclipse Public License, v. 2.0 are satisfied: {name license(s),
+version(s), and exceptions or additional permissions here}."
+
+  Simply including a copy of this Agreement, including this Exhibit A
+  is not sufficient to license the Source Code under Secondary Licenses.
+
+  If it is not possible or desirable to put the notice in a particular
+  file, then You may include the notice in a location (such as a LICENSE
+  file in a relevant directory) where a recipient would be likely to
+  look for such a notice.
+
+  You may add additional accurate notices of copyright ownership.

package/README.md

@@ -0,0 +1,131 @@
+# @judo/auth
+
+> OIDC authentication layer for JUDO UI Runtime
+
+## Purpose
+
+A lightweight wrapper around `react-oidc-context` / `oidc-client-ts` that extracts auth configuration from ECore-based `Application` models, manages realm-based OIDC session caching, maps OIDC claims to principal data, and provides React components/hooks for gating and actor-switching.
+
+## Architecture Layer
+
+**Layer 3 (Infrastructure)** — consumed by `app-shell` and optionally by application-level code.
+
+## Dependencies
+
+- `@judo/model-api`, `@judo/model-loader` — model types and registry (dependency + peer)
+- `@mui/material ^7` — UI components (peer)
+- `oidc-client-ts ^3` — OIDC protocol client (peer)
+- `react-oidc-context ^3` — React OIDC integration (peer)
+- `react ^19` — React (peer)
+
+## File Structure
+
+```
+src/
+├── index.ts                              # Barrel re-export
+├── config/
+│   ├── auth-config.ts                    # Model → config extraction
+│   └── oidc-config.ts                    # OIDC UserManagerSettings builder
+├── provider/
+│   ├── auth-config-context.tsx           # React context for auth config
+│   ├── judo-auth-provider.tsx            # Top-level auth provider
+│   ├── principal-context.tsx             # Backend principal context + provider
+│   └── realm-cache.ts                    # Realm → UserManager cache
+├── hooks/
+│   ├── use-auth.ts                       # Main auth hook
+│   ├── use-require-auth.ts              # Redirect-guard hook
+│   └── use-actor-switch.ts              # Actor-switching hook
+├── components/
+│   ├── actor-auth-boundary.tsx           # Auth gate component
+│   └── actor-switch-dialog.tsx           # Confirmation dialog
+└── utils/
+    └── claim-mapping.ts                  # OIDC claim → principal mapping
+```
+
+## Exports Summary
+
+### Configuration
+
+| Export                             | Kind      | Description                                                                                                        |
+| ---------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------ |
+| `ClaimMapping`                     | interface | Maps a `ClaimType` enum to a model attribute name (`claimType`, `attributeName`).                                  |
+| `ActorAuthConfig`                  | interface | Actor-level auth config: `actorName`, `requiresAuth`, `realm?`, `clientId?`, `claims`.                             |
+| `getAuthConfig(app)`               | function  | Extracts an `ActorAuthConfig` from an `Application` model. Returns a no-auth stub when `authentication` is absent. |
+| `isSameRealm(a, b)`                | function  | Checks whether two `ActorAuthConfig`s share the same OIDC realm.                                                   |
+| `OidcConfig`                       | interface | Simplified config requiring only `issuerUrl`; other fields have defaults.                                          |
+| `OidcOptions`                      | interface | Full OIDC options: `issuerUrl`, `redirectUri`, `postLogoutRedirectUri`, `scope?`, `responseType?`.                 |
+| `createOidcOptions(config)`        | function  | Expands an `OidcConfig` into full `OidcOptions` by applying defaults (`window.location.origin`).                   |
+| `buildOidcConfig(config, options)` | function  | Constructs `UserManagerSettings`. Computes `authority` as `${issuerUrl}/auth/realms/${realm}`.                     |
+| `validateOidcOptions(options)`     | function  | Validates all required fields and URL parseability. Throws on failure.                                             |
+
+### React Providers
+
+| Export                    | Kind      | Description                                                                                                                                                                                                |
+| ------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `AuthConfigProvider`      | component | Provides `ActorAuthConfig` + `OidcOptions` via React context.                                                                                                                                              |
+| `useAuthConfig()`         | hook      | Reads auth config context; **throws** if outside provider.                                                                                                                                                 |
+| `useAuthConfigOptional()` | hook      | Reads auth config context; returns `null` if outside provider.                                                                                                                                             |
+| `JudoAuthProvider`        | component | Top-level auth provider. If `requiresAuth` is false, renders children directly. If true, wraps in OIDC `AuthProvider` using a **cached** `UserManager` per realm. Strips `?code=&state=` on OIDC callback. |
+| `PrincipalProvider`       | component | Provides backend principal state with auto-fetch, refresh (`refreshPrincipal`), and local override (`setPrincipal`). Place inside auth boundary + API provider.                                            |
+| `usePrincipal()`          | hook      | Reads backend principal context; **throws** if outside `PrincipalProvider`.                                                                                                                                |
+| `usePrincipalOptional()`  | hook      | Reads backend principal context; returns `null` if outside provider.                                                                                                                                       |
+
+### Realm Cache
+
+| Export                                    | Kind     | Description                                                                   |
+| ----------------------------------------- | -------- | ----------------------------------------------------------------------------- |
+| `getOrCreateUserManager(realm, settings)` | function | Returns (or creates & caches) a `UserManager` instance keyed by realm string. |
+| `clearRealmCache(realm)`                  | function | Removes a specific realm from the cache.                                      |
+| `clearAllRealmCache()`                    | function | Clears the entire realm cache (test utility).                                 |
+| `hasRealmInCache(realm)`                  | function | Checks if a realm has a cached `UserManager`.                                 |
+| `getCachedRealmCount()`                   | function | Returns number of cached realms.                                              |
+
+### React Hooks
+
+| Export                                                             | Kind     | Description                                                                                                                                                                                                               |
+| ------------------------------------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `useAuth()`                                                        | hook     | Main auth hook. Returns unified `JudoAuthContext` for both authenticated and unauthenticated actors. If no auth required, returns a no-op stub. Otherwise delegates to `react-oidc-context` and maps claims to principal. |
+| `useOidcAuthRequired()`                                            | hook     | Direct access to `react-oidc-context`'s `useAuth`. For internal use within OIDC provider.                                                                                                                                 |
+| `useRequireAuth()`                                                 | hook     | Guard hook — triggers `signinRedirect` via `useEffect` if auth required but user not authenticated.                                                                                                                       |
+| `useActorSwitch(currentApp, getApplication, setActiveApplication)` | hook     | Manages actor switching. Same-realm → direct switch. Different realms → populates `pendingSwitch` for confirmation.                                                                                                       |
+| `getSwitchConfigs(currentApp, targetApp)`                          | function | Returns `{ currentConfig, targetConfig }` — both `ActorAuthConfig`s for a switch dialog.                                                                                                                                  |
+
+### React Components
+
+| Export              | Kind      | Description                                                                                                                                                                                                                                                                 |
+| ------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `ActorAuthBoundary` | component | Auth gate — renders children immediately for unauthenticated actors, shows loading spinner while OIDC loads, renders children once authenticated. Supports guest access mode (`supportGuestAccess` + `guestComponent` props) to show a guest page instead of OIDC redirect. |
+| `ActorSwitchDialog` | component | MUI Dialog confirmation for cross-realm actor switches. Displays current/target actor names and warns when realms differ.                                                                                                                                                   |
+
+### Utilities
+
+| Export                                    | Kind     | Description                                                                                                         |
+| ----------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------- |
+| `claimTypeToKey(claimType)`               | function | Maps `ClaimType` enum value to its OIDC profile claim key string (e.g., `EMAIL` → `'email'`).                       |
+| `mapClaimsToPrincipal(profile, mappings)` | function | Builds a principal data record from an OIDC profile. Maps 5 standard claims plus custom claim mappings from config. |
+
+### Type Exports
+
+| Type                      | Description                                                                        |
+| ------------------------- | ---------------------------------------------------------------------------------- |
+| `JudoAuthProviderProps`   | Props for `JudoAuthProvider`.                                                      |
+| `AuthConfigContextType`   | Shape of the auth config context value.                                            |
+| `AuthConfigProviderProps` | Props for `AuthConfigProvider`.                                                    |
+| `PrincipalContextType`    | Shape of the principal context value.                                              |
+| `PrincipalProviderProps`  | Props for `PrincipalProvider`.                                                     |
+| `JudoAuthContext`         | Return type of `useAuth()`.                                                        |
+| `PrincipalData`           | OIDC-claim-mapped principal shape (`email?`, `name?`, `preferredUsername?`, etc.). |
+| `PendingSwitch`           | Pending actor switch info (`targetActor`, `targetRealm?`, `requiresConfirmation`). |
+| `UseActorSwitchResult`    | Return type of `useActorSwitch()`.                                                 |
+| `ActorAuthBoundaryProps`  | Props for `ActorAuthBoundary`.                                                     |
+| `ActorSwitchDialogProps`  | Props for `ActorSwitchDialog`.                                                     |
+
+## Key Patterns
+
+- **Conditional OIDC wrapping**: `JudoAuthProvider` only mounts the OIDC provider when `requiresAuth` is true
+- **Realm-based session sharing**: A module-level `Map` ensures actors with the same realm share one `UserManager` (and thus one OIDC session)
+- **Model-driven configuration**: `getAuthConfig` derives everything from the `Application` model, keeping auth in sync with the ECore meta-model
+- **Graceful degradation**: Every hook handles the "no auth required" case cleanly, returning no-op stubs
+- **Two-phase actor switching**: Same-realm switches happen instantly; cross-realm switches require user confirmation
+- **Claim mapping pipeline**: Standard OIDC claims are always mapped, with model-defined custom claim entries on top
+- **Optional context access**: Dual hooks (`useAuthConfig` / `useAuthConfigOptional`, `usePrincipal` / `usePrincipalOptional`) follow the throw-vs-null pattern

package/dist/components/actor-auth-boundary.d.ts

@@ -0,0 +1,38 @@
+import { ReactNode } from 'react';
+/**
+ * Props for ActorAuthBoundary.
+ */
+export interface ActorAuthBoundaryProps {
+    children: ReactNode;
+    /** Custom loading component */
+    loadingComponent?: ReactNode;
+    /**
+     * When true, unauthenticated users see a guest page instead of being
+     * redirected to the OIDC provider. Typically derived from
+     * `Application.supportGuestAccess`.
+     */
+    supportGuestAccess?: boolean;
+    /**
+     * Component rendered when guest access is enabled and the user is
+     * not authenticated. When omitted, the default loading/redirect
+     * behavior applies even if `supportGuestAccess` is true (the
+     * calling layer should always provide a fallback).
+     */
+    guestComponent?: ReactNode;
+}
+/**
+ * Boundary component that gates children behind authentication.
+ *
+ * Mirrors react-oidc-context's `withAuthenticationRequired` HOC exactly:
+ * skip redirect when callback params are present, auth is loading,
+ * a navigator is active, or user is already authenticated.
+ * Otherwise trigger `signinRedirect()` — the browser navigates away.
+ *
+ * When `supportGuestAccess` is true and `guestComponent` is provided,
+ * unauthenticated users see the guest page instead of being redirected.
+ *
+ * The `JudoAuthProvider` handles callback processing and URL cleanup
+ * via its `onSigninCallback` prop.
+ */
+export declare function ActorAuthBoundary({ children, loadingComponent, supportGuestAccess, guestComponent, }: ActorAuthBoundaryProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=actor-auth-boundary.d.ts.map

package/dist/components/actor-auth-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor-auth-boundary.d.ts","sourceRoot":"","sources":["../../src/components/actor-auth-boundary.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,SAAS,EAAa,MAAM,OAAO,CAAC;AAIlD;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACtC,QAAQ,EAAE,SAAS,CAAC;IACpB,+BAA+B;IAC/B,gBAAgB,CAAC,EAAE,SAAS,CAAC;IAC7B;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;OAKG;IACH,cAAc,CAAC,EAAE,SAAS,CAAC;CAC3B;AAaD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAAC,EACjC,QAAQ,EACR,gBAAgB,EAChB,kBAAkB,EAClB,cAAc,GACd,EAAE,sBAAsB,2CA0BxB"}

package/dist/components/actor-switch-dialog.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Props for ActorSwitchDialog.
+ */
+export interface ActorSwitchDialogProps {
+    /** Whether dialog is open */
+    open: boolean;
+    /** Current actor name */
+    currentActor: string;
+    /** Target actor name to switch to */
+    targetActor: string;
+    /** Current realm (if authenticated) */
+    currentRealm?: string;
+    /** Target realm (if requires auth) */
+    targetRealm?: string;
+    /** Callback when user confirms switch */
+    onConfirm: () => void;
+    /** Callback when user cancels switch */
+    onCancel: () => void;
+}
+/**
+ * Confirmation dialog shown when switching actors between different realms.
+ * Warns user about potential logout.
+ *
+ * @example
+ * ```tsx
+ * <ActorSwitchDialog
+ *   open={pendingSwitch !== null}
+ *   currentActor="Admin"
+ *   targetActor="User"
+ *   currentRealm="admin-realm"
+ *   targetRealm="user-realm"
+ *   onConfirm={confirmSwitch}
+ *   onCancel={cancelSwitch}
+ * />
+ * ```
+ */
+export declare function ActorSwitchDialog({ open, currentActor, targetActor, currentRealm, targetRealm, onConfirm, onCancel, }: ActorSwitchDialogProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=actor-switch-dialog.d.ts.map

package/dist/components/actor-switch-dialog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor-switch-dialog.d.ts","sourceRoot":"","sources":["../../src/components/actor-switch-dialog.tsx"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACtC,6BAA6B;IAC7B,IAAI,EAAE,OAAO,CAAC;IACd,yBAAyB;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yCAAyC;IACzC,SAAS,EAAE,MAAM,IAAI,CAAC;IACtB,wCAAwC;IACxC,QAAQ,EAAE,MAAM,IAAI,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,EACjC,IAAI,EACJ,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,WAAW,EACX,SAAS,EACT,QAAQ,GACR,EAAE,sBAAsB,2CA2BxB"}

package/dist/components/index.d.ts

@@ -0,0 +1,3 @@
+export { ActorAuthBoundary, type ActorAuthBoundaryProps } from './actor-auth-boundary';
+export { ActorSwitchDialog, type ActorSwitchDialogProps } from './actor-switch-dialog';
+//# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/components/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,KAAK,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AACvF,OAAO,EAAE,iBAAiB,EAAE,KAAK,sBAAsB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/config/auth-config.d.ts

@@ -0,0 +1,34 @@
+import { Application, ClaimType } from '@judo/model-api';
+/**
+ * Mapping of a claim to an attribute.
+ */
+export interface ClaimMapping {
+    claimType: ClaimType;
+    attributeName: string;
+}
+/**
+ * Actor authentication configuration extracted from Application model.
+ */
+export interface ActorAuthConfig {
+    actorName: string;
+    requiresAuth: boolean;
+    realm?: string;
+    clientId?: string;
+    claims: ClaimMapping[];
+}
+/**
+ * Extract authentication configuration from Application model.
+ *
+ * @param app - The Application model
+ * @returns ActorAuthConfig with authentication requirements
+ */
+export declare function getAuthConfig(app: Application): ActorAuthConfig;
+/**
+ * Check if two actors share the same authentication realm.
+ *
+ * @param config1 - First actor's auth config
+ * @param config2 - Second actor's auth config
+ * @returns true if both share same realm or neither requires auth
+ */
+export declare function isSameRealm(config1: ActorAuthConfig, config2: ActorAuthConfig): boolean;
+//# sourceMappingURL=auth-config.d.ts.map

package/dist/config/auth-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-config.d.ts","sourceRoot":"","sources":["../../src/config/auth-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,SAAS,EAAE,SAAS,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,OAAO,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,YAAY,EAAE,CAAC;CACvB;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,WAAW,GAAG,eAAe,CAqB/D;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,eAAe,GAAG,OAAO,CAavF"}

package/dist/config/index.d.ts

@@ -0,0 +1,3 @@
+export { getAuthConfig, isSameRealm, type ActorAuthConfig, type ClaimMapping } from './auth-config';
+export { buildOidcConfig, createOidcOptions, validateOidcOptions, type OidcConfig, type OidcOptions, } from './oidc-config';
+//# sourceMappingURL=index.d.ts.map

package/dist/config/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,KAAK,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC;AACpG,OAAO,EACN,eAAe,EACf,iBAAiB,EACjB,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,WAAW,GAChB,MAAM,eAAe,CAAC"}

package/dist/config/oidc-config.d.ts

@@ -0,0 +1,58 @@
+import { UserManagerSettings } from 'oidc-client-ts';
+import { ActorAuthConfig } from './auth-config';
+/**
+ * Simplified OIDC configuration requiring only the provider URL.
+ * All other fields have sensible defaults.
+ *
+ * The client ID is derived automatically from the active actor's Application.name
+ * in the model — it is not configurable here.
+ */
+export interface OidcConfig {
+    /** OIDC issuer base URL (e.g., 'https://auth.example.com'). The '/auth/realms/{realm}' path is appended from model. */
+    issuerUrl: string;
+    /** OAuth scopes. @default 'openid profile email' */
+    scope?: string;
+    /** Redirect URI after login. @default window.location.origin */
+    redirectUri?: string;
+    /** Redirect URI after logout. @default window.location.origin */
+    postLogoutRedirectUri?: string;
+}
+/**
+ * Create full OidcOptions from simplified OidcConfig with sensible defaults.
+ *
+ * @param config - Simplified OIDC config (only issuerUrl required)
+ * @returns Full OidcOptions with all fields populated
+ */
+export declare function createOidcOptions(config: OidcConfig): OidcOptions;
+/**
+ * Options for building OIDC configuration.
+ */
+export interface OidcOptions {
+    /** Base URL for the OIDC issuer */
+    issuerUrl: string;
+    /** URI to redirect after login */
+    redirectUri: string;
+    /** URI to redirect after logout */
+    postLogoutRedirectUri: string;
+    /** OAuth scopes (defaults to 'openid profile email') */
+    scope?: string;
+    /** Response type (defaults to 'code') */
+    responseType?: string;
+}
+/**
+ * Build OIDC client configuration from ActorAuthConfig.
+ *
+ * @param config - Actor authentication configuration
+ * @param options - OIDC options
+ * @returns UserManagerSettings for oidc-client-ts
+ * @throws Error if config doesn't require authentication
+ */
+export declare function buildOidcConfig(config: ActorAuthConfig, options: OidcOptions): UserManagerSettings;
+/**
+ * Validate OIDC options.
+ *
+ * @param options - OIDC options to validate
+ * @throws Error if options are invalid
+ */
+export declare function validateOidcOptions(options: OidcOptions): void;
+//# sourceMappingURL=oidc-config.d.ts.map

package/dist/config/oidc-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-config.d.ts","sourceRoot":"","sources":["../../src/config/oidc-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD;;;;;;GAMG;AACH,MAAM,WAAW,UAAU;IAC1B,uHAAuH;IACvH,SAAS,EAAE,MAAM,CAAC;IAClB,oDAAoD;IACpD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iEAAiE;IACjE,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,UAAU,GAAG,WAAW,CAQjE;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,wDAAwD;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,GAAG,mBAAmB,CAuBlG;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI,CAuB9D"}

package/dist/hooks/index.d.ts

@@ -0,0 +1,4 @@
+export { useAuth, useOidcAuthRequired, type JudoAuthContext, type PrincipalData } from './use-auth';
+export { useRequireAuth } from './use-require-auth';
+export { useActorSwitch, getSwitchConfigs, type PendingSwitch, type UseActorSwitchResult } from './use-actor-switch';
+//# sourceMappingURL=index.d.ts.map

package/dist/hooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,YAAY,CAAC;AACpG,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,KAAK,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,oBAAoB,CAAC"}