@kaiz11/stack-client 0.0.14

package/dist/cli/file-token-store.js

@@ -0,0 +1,138 @@
+/**
+ * File-based token storage (for Node.js CLI applications)
+ *
+ * This module is intentionally separate from the main token-store.ts
+ * to avoid bundlers trying to resolve Node.js modules in browser builds.
+ */
+import * as fs from "node:fs";
+import * as path from "node:path";
+/**
+ * File-based token storage for CLI applications.
+ *
+ * Stores tokens in a JSON file with restricted permissions (0600).
+ * Only available from the /cli entry point to avoid breaking browser builds.
+ *
+ * Supports storing additional metadata alongside tokens via `setTokensWithData`.
+ *
+ * @example
+ * ```typescript
+ * import { FileTokenStore } from "@kaiz11/stack-client/cli";
+ *
+ * const store = new FileTokenStore("~/.myapp/tokens.json");
+ *
+ * // Basic usage
+ * store.setTokens(accessToken, refreshToken);
+ *
+ * // With metadata
+ * store.setTokensWithData(accessToken, refreshToken, {
+ *   expiresAt: 1234567890,
+ *   user: { id: "123", email: "user@example.com" }
+ * });
+ *
+ * // Retrieve full data
+ * const data = store.getData();
+ * console.log(data?.expiresAt, data?.user);
+ * ```
+ */
+export class FileTokenStore {
+    data = null;
+    loaded = false;
+    /** File path - protected so subclasses can access it */
+    filePath;
+    /**
+     * @param filePath - Absolute path to the token file
+     */
+    constructor(filePath) {
+        this.filePath = filePath;
+    }
+    /**
+     * Load data from file if not already loaded.
+     */
+    ensureLoaded() {
+        if (this.loaded)
+            return;
+        this.loaded = true;
+        try {
+            if (!fs.existsSync(this.filePath))
+                return;
+            const content = fs.readFileSync(this.filePath, "utf-8");
+            const parsed = JSON.parse(content);
+            // Validate required fields
+            if (typeof parsed.accessToken === "string" &&
+                typeof parsed.refreshToken === "string") {
+                this.data = parsed;
+            }
+        }
+        catch {
+            // File doesn't exist or is invalid - start fresh
+        }
+    }
+    /**
+     * Persist data to file.
+     */
+    persist() {
+        if (!this.data)
+            return;
+        try {
+            // Ensure parent directory exists
+            const dir = path.dirname(this.filePath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+            }
+            // Write with restricted permissions
+            fs.writeFileSync(this.filePath, JSON.stringify(this.data, null, 2), {
+                mode: 0o600,
+            });
+        }
+        catch {
+            // Silently fail - caller can check if tokens persist
+        }
+    }
+    getAccessToken() {
+        this.ensureLoaded();
+        return this.data?.accessToken ?? null;
+    }
+    getRefreshToken() {
+        this.ensureLoaded();
+        return this.data?.refreshToken ?? null;
+    }
+    /**
+     * Get all stored data including metadata.
+     */
+    getData() {
+        this.ensureLoaded();
+        return this.data;
+    }
+    setTokens(accessToken, refreshToken) {
+        this.setTokensWithData(accessToken, refreshToken, {});
+    }
+    /**
+     * Set tokens with additional metadata.
+     *
+     * @param accessToken - The access token
+     * @param refreshToken - The refresh token
+     * @param metadata - Additional data to store (expiresAt, user, etc.)
+     */
+    setTokensWithData(accessToken, refreshToken, metadata) {
+        this.data = {
+            ...metadata,
+            accessToken,
+            refreshToken,
+        };
+        this.loaded = true;
+        this.persist();
+    }
+    clearTokens() {
+        this.data = null;
+        this.loaded = true;
+        try {
+            if (fs.existsSync(this.filePath)) {
+                fs.unlinkSync(this.filePath);
+            }
+        }
+        catch {
+            // Silently fail
+        }
+    }
+}
+//# sourceMappingURL=file-token-store.js.map

package/dist/cli/file-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-token-store.js","sourceRoot":"","sources":["../../src/cli/file-token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAalC;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,OAAO,cAAc;IACjB,IAAI,GAAyB,IAAI,CAAC;IAClC,MAAM,GAAG,KAAK,CAAC;IAEvB,wDAAwD;IACrC,QAAQ,CAAS;IAEpC;;OAEG;IACH,YAAY,QAAgB;QAC1B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACO,YAAY;QACpB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QAEnB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAAE,OAAO;YAE1C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;YAE9D,2BAA2B;YAC3B,IACE,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;gBACtC,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EACvC,CAAC;gBACD,IAAI,CAAC,IAAI,GAAG,MAAuB,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;QACnD,CAAC;IACH,CAAC;IAED;;OAEG;IACO,OAAO;QACf,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,OAAO;QAEvB,IAAI,CAAC;YACH,iCAAiC;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACtD,CAAC;YAED,oCAAoC;YACpC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;gBAClE,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qDAAqD;QACvD,CAAC;IACH,CAAC;IAED,cAAc;QACZ,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,IAAI,EAAE,WAAW,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,eAAe;QACb,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,SAAS,CAAC,WAAmB,EAAE,YAAoB;QACjD,IAAI,CAAC,iBAAiB,CAAC,WAAW,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;OAMG;IACH,iBAAiB,CACf,WAAmB,EACnB,YAAoB,EACpB,QAAiC;QAEjC,IAAI,CAAC,IAAI,GAAG;YACV,GAAG,QAAQ;YACX,WAAW;YACX,YAAY;SACb,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED,WAAW;QACT,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QAEnB,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB;QAClB,CAAC;IACH,CAAC;CACF"}

package/dist/cli/index.d.ts

@@ -0,0 +1,33 @@
+/**
+ * CLI utilities for terminal-based OAuth authentication.
+ *
+ * This module provides Node.js-only utilities for CLI tools:
+ * - FileTokenStore: Persistent file-based token storage
+ * - CLI OAuth flow: Browser-based PKCE authentication
+ * - PKCE utilities: Code verifier/challenge generation
+ *
+ * @example
+ * ```typescript
+ * import { FileTokenStore, cliOAuthFlow } from "@kaiz11/stack-client/cli";
+ *
+ * // Setup file-based token storage
+ * const tokenStore = new FileTokenStore("~/.myapp/tokens.json");
+ *
+ * // Run OAuth flow if not authenticated
+ * if (!tokenStore.getAccessToken()) {
+ *   const session = await cliOAuthFlow(
+ *     { baseUrl: "https://stack.zenku.app", tenantId: "my-app" },
+ *     { provider: "github" }
+ *   );
+ *   tokenStore.setTokens(session.accessToken, session.refreshToken);
+ * }
+ * ```
+ *
+ * @module
+ */
+export { FileTokenStore, type FileTokenData } from "./file-token-store.js";
+export { openBrowser } from "./browser.js";
+export { startCallbackServer, type CallbackResult, type CallbackServerOptions, } from "./callback-server.js";
+export { generateCodeVerifier, generateCodeChallenge, generatePkceChallenge, type PkceChallenge, } from "./pkce.js";
+export { cliOAuthFlow, refreshSession, type CliOAuthOptions, type CliOAuthConfig, } from "./oauth.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAG3E,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAG3C,OAAO,EACL,mBAAmB,EACnB,KAAK,cAAc,EACnB,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,KAAK,aAAa,GACnB,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,YAAY,EACZ,cAAc,EACd,KAAK,eAAe,EACpB,KAAK,cAAc,GACpB,MAAM,YAAY,CAAC"}

package/dist/cli/index.js

@@ -0,0 +1,38 @@
+/**
+ * CLI utilities for terminal-based OAuth authentication.
+ *
+ * This module provides Node.js-only utilities for CLI tools:
+ * - FileTokenStore: Persistent file-based token storage
+ * - CLI OAuth flow: Browser-based PKCE authentication
+ * - PKCE utilities: Code verifier/challenge generation
+ *
+ * @example
+ * ```typescript
+ * import { FileTokenStore, cliOAuthFlow } from "@kaiz11/stack-client/cli";
+ *
+ * // Setup file-based token storage
+ * const tokenStore = new FileTokenStore("~/.myapp/tokens.json");
+ *
+ * // Run OAuth flow if not authenticated
+ * if (!tokenStore.getAccessToken()) {
+ *   const session = await cliOAuthFlow(
+ *     { baseUrl: "https://stack.zenku.app", tenantId: "my-app" },
+ *     { provider: "github" }
+ *   );
+ *   tokenStore.setTokens(session.accessToken, session.refreshToken);
+ * }
+ * ```
+ *
+ * @module
+ */
+// Token storage (Node.js only - separate from main token-store to avoid breaking browser builds)
+export { FileTokenStore } from "./file-token-store.js";
+// Browser opener
+export { openBrowser } from "./browser.js";
+// Callback server
+export { startCallbackServer, } from "./callback-server.js";
+// PKCE utilities
+export { generateCodeVerifier, generateCodeChallenge, generatePkceChallenge, } from "./pkce.js";
+// OAuth flow
+export { cliOAuthFlow, refreshSession, } from "./oauth.js";
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,iGAAiG;AACjG,OAAO,EAAE,cAAc,EAAsB,MAAM,uBAAuB,CAAC;AAE3E,iBAAiB;AACjB,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,kBAAkB;AAClB,OAAO,EACL,mBAAmB,GAGpB,MAAM,sBAAsB,CAAC;AAE9B,iBAAiB;AACjB,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,GAEtB,MAAM,WAAW,CAAC;AAEnB,aAAa;AACb,OAAO,EACL,YAAY,EACZ,cAAc,GAGf,MAAM,YAAY,CAAC"}

package/dist/cli/oauth.d.ts

@@ -0,0 +1,67 @@
+/**
+ * CLI OAuth flow for terminal applications.
+ *
+ * Implements the OAuth PKCE flow for CLI tools:
+ * 1. Generates PKCE challenge
+ * 2. Opens browser for user authentication
+ * 3. Listens on local callback server for code
+ * 4. Exchanges code for tokens
+ */
+import type { OAuthProvider, Session } from "../auth/types.js";
+/**
+ * Options for CLI OAuth flow
+ */
+export interface CliOAuthOptions {
+    /** OAuth provider to use */
+    provider: OAuthProvider;
+    /** Port for local callback server (default: 14550) */
+    port?: number;
+    /** Timeout in milliseconds (default: 120000 = 2 minutes) */
+    timeout?: number;
+    /** Optional callback when browser is opened */
+    onBrowserOpen?: (url: string) => void;
+    /** Optional callback for status updates */
+    onStatus?: (status: string) => void;
+}
+/**
+ * Configuration for CLI OAuth
+ */
+export interface CliOAuthConfig {
+    /** Base URL of the Stack platform (e.g., "https://stack.zenku.app") */
+    baseUrl: string;
+    /** Tenant ID */
+    tenantId: string;
+}
+/**
+ * Execute a complete CLI OAuth flow.
+ *
+ * This function:
+ * 1. Starts a local callback server
+ * 2. Generates PKCE challenge
+ * 3. Opens the browser for authentication
+ * 4. Waits for OAuth callback
+ * 5. Exchanges auth code for session tokens
+ *
+ * @param config - Stack platform configuration
+ * @param options - OAuth flow options
+ * @returns Session with tokens and user info
+ *
+ * @example
+ * ```typescript
+ * const session = await cliOAuthFlow(
+ *   { baseUrl: "https://stack.zenku.app", tenantId: "my-app" },
+ *   { provider: "github" }
+ * );
+ * console.log(`Logged in as ${session.user.email}`);
+ * ```
+ */
+export declare function cliOAuthFlow(config: CliOAuthConfig, options: CliOAuthOptions): Promise<Session>;
+/**
+ * Refresh a session using a refresh token.
+ *
+ * @param config - Stack platform configuration
+ * @param refreshToken - The refresh token
+ * @returns New session with fresh tokens
+ */
+export declare function refreshSession(config: CliOAuthConfig, refreshToken: string): Promise<Session>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/cli/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../../src/cli/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,OAAO,EAER,MAAM,kBAAkB,CAAC;AAS1B;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,QAAQ,EAAE,aAAa,CAAC;IACxB,sDAAsD;IACtD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IACtC,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,uEAAuE;IACvE,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,OAAO,CAAC,CAwDlB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,cAAc,EACtB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAiBlB"}

package/dist/cli/oauth.js

@@ -0,0 +1,101 @@
+/**
+ * CLI OAuth flow for terminal applications.
+ *
+ * Implements the OAuth PKCE flow for CLI tools:
+ * 1. Generates PKCE challenge
+ * 2. Opens browser for user authentication
+ * 3. Listens on local callback server for code
+ * 4. Exchanges code for tokens
+ */
+import { normalizeSession } from "../auth/types.js";
+import { openBrowser } from "./browser.js";
+import { startCallbackServer, } from "./callback-server.js";
+import { generatePkceChallenge } from "./pkce.js";
+/**
+ * Execute a complete CLI OAuth flow.
+ *
+ * This function:
+ * 1. Starts a local callback server
+ * 2. Generates PKCE challenge
+ * 3. Opens the browser for authentication
+ * 4. Waits for OAuth callback
+ * 5. Exchanges auth code for session tokens
+ *
+ * @param config - Stack platform configuration
+ * @param options - OAuth flow options
+ * @returns Session with tokens and user info
+ *
+ * @example
+ * ```typescript
+ * const session = await cliOAuthFlow(
+ *   { baseUrl: "https://stack.zenku.app", tenantId: "my-app" },
+ *   { provider: "github" }
+ * );
+ * console.log(`Logged in as ${session.user.email}`);
+ * ```
+ */
+export async function cliOAuthFlow(config, options) {
+    const { provider, port = 14550, timeout = 120000, onBrowserOpen, onStatus, } = options;
+    const { baseUrl, tenantId } = config;
+    // Generate PKCE challenge
+    const pkce = generatePkceChallenge();
+    // Build callback URL
+    const callbackUrl = `http://localhost:${port}/callback`;
+    // Build authorization URL
+    const authUrl = new URL(`${baseUrl}/auth/${tenantId}/authorize`);
+    authUrl.searchParams.set("provider", provider);
+    authUrl.searchParams.set("redirect_to", callbackUrl);
+    authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod);
+    // Start callback server (before opening browser)
+    const serverOptions = { port, timeout };
+    const callbackPromise = startCallbackServer(serverOptions);
+    // Open browser
+    onStatus?.("Opening browser for authentication...");
+    const urlString = authUrl.toString();
+    onBrowserOpen?.(urlString);
+    await openBrowser(urlString);
+    // Wait for callback
+    onStatus?.("Waiting for authentication...");
+    const { code } = await callbackPromise;
+    // Exchange code for tokens
+    onStatus?.("Exchanging code for session...");
+    const tokenUrl = `${baseUrl}/auth/${tenantId}/token?grant_type=pkce`;
+    const tokenResponse = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            auth_code: code,
+            code_verifier: pkce.codeVerifier,
+        }),
+    });
+    if (!tokenResponse.ok) {
+        const error = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${error}`);
+    }
+    const tokenData = (await tokenResponse.json());
+    return normalizeSession(tokenData);
+}
+/**
+ * Refresh a session using a refresh token.
+ *
+ * @param config - Stack platform configuration
+ * @param refreshToken - The refresh token
+ * @returns New session with fresh tokens
+ */
+export async function refreshSession(config, refreshToken) {
+    const { baseUrl, tenantId } = config;
+    const tokenUrl = `${baseUrl}/auth/${tenantId}/token?grant_type=refresh_token`;
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token refresh failed: ${error}`);
+    }
+    const tokenData = (await response.json());
+    return normalizeSession(tokenData);
+}
+//# sourceMappingURL=oauth.js.map

package/dist/cli/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/cli/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EACL,mBAAmB,GAEpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AA4BlD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAsB,EACtB,OAAwB;IAExB,MAAM,EACJ,QAAQ,EACR,IAAI,GAAG,KAAK,EACZ,OAAO,GAAG,MAAM,EAChB,aAAa,EACb,QAAQ,GACT,GAAG,OAAO,CAAC;IACZ,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IAErC,0BAA0B;IAC1B,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAC;IAErC,qBAAqB;IACrB,MAAM,WAAW,GAAG,oBAAoB,IAAI,WAAW,CAAC;IAExD,0BAA0B;IAC1B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,OAAO,SAAS,QAAQ,YAAY,CAAC,CAAC;IACjE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC/C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAC/D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAE5E,iDAAiD;IACjD,MAAM,aAAa,GAA0B,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC/D,MAAM,eAAe,GAAG,mBAAmB,CAAC,aAAa,CAAC,CAAC;IAE3D,eAAe;IACf,QAAQ,EAAE,CAAC,uCAAuC,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IACrC,aAAa,EAAE,CAAC,SAAS,CAAC,CAAC;IAC3B,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;IAE7B,oBAAoB;IACpB,QAAQ,EAAE,CAAC,+BAA+B,CAAC,CAAC;IAC5C,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,eAAe,CAAC;IAEvC,2BAA2B;IAC3B,QAAQ,EAAE,CAAC,gCAAgC,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,QAAQ,wBAAwB,CAAC;IACrE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QAC1C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,SAAS,EAAE,IAAI;YACf,aAAa,EAAE,IAAI,CAAC,YAAY;SACjC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAwB,CAAC;IACtE,OAAO,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAsB,EACtB,YAAoB;IAEpB,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IAErC,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,QAAQ,iCAAiC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;KACtD,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;IACjE,OAAO,gBAAgB,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC"}

package/dist/cli/pkce.d.ts

@@ -0,0 +1,35 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities for OAuth.
+ */
+/**
+ * PKCE challenge data
+ */
+export interface PkceChallenge {
+    /** Random code verifier */
+    codeVerifier: string;
+    /** SHA256 hash of verifier, base64url encoded */
+    codeChallenge: string;
+    /** Challenge method (always S256) */
+    codeChallengeMethod: "S256";
+}
+/**
+ * Generate a cryptographically random code verifier.
+ *
+ * @param length - Length of verifier in bytes (default: 32, produces 43 char string)
+ * @returns Base64url-encoded random string
+ */
+export declare function generateCodeVerifier(length?: number): string;
+/**
+ * Generate a code challenge from a verifier.
+ *
+ * @param verifier - The code verifier
+ * @returns Base64url-encoded SHA256 hash
+ */
+export declare function generateCodeChallenge(verifier: string): string;
+/**
+ * Generate a complete PKCE challenge.
+ *
+ * @returns PKCE challenge data with verifier and challenge
+ */
+export declare function generatePkceChallenge(): PkceChallenge;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/cli/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/cli/pkce.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAK,GAAG,MAAM,CAOxD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,aAAa,CASrD"}

package/dist/cli/pkce.js

@@ -0,0 +1,43 @@
+/**
+ * PKCE (Proof Key for Code Exchange) utilities for OAuth.
+ */
+import { randomBytes, createHash } from "node:crypto";
+/**
+ * Generate a cryptographically random code verifier.
+ *
+ * @param length - Length of verifier in bytes (default: 32, produces 43 char string)
+ * @returns Base64url-encoded random string
+ */
+export function generateCodeVerifier(length = 32) {
+    const buffer = randomBytes(length);
+    return buffer
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+/**
+ * Generate a code challenge from a verifier.
+ *
+ * @param verifier - The code verifier
+ * @returns Base64url-encoded SHA256 hash
+ */
+export function generateCodeChallenge(verifier) {
+    const hash = createHash("sha256").update(verifier).digest("base64");
+    return hash.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+ * Generate a complete PKCE challenge.
+ *
+ * @returns PKCE challenge data with verifier and challenge
+ */
+export function generatePkceChallenge() {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    return {
+        codeVerifier,
+        codeChallenge,
+        codeChallengeMethod: "S256",
+    };
+}
+//# sourceMappingURL=pkce.js.map

package/dist/cli/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/cli/pkce.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AActD;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAM,GAAG,EAAE;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,MAAM;SACV,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAE1D,OAAO;QACL,YAAY;QACZ,aAAa;QACb,mBAAmB,EAAE,MAAM;KAC5B,CAAC;AACJ,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,22 @@
+import type { PostgrestClient } from "@supabase/postgrest-js";
+import { type IAuthClient } from "./auth/index.js";
+import { type IStorageClient } from "./storage/index.js";
+import { type IAccountsClient } from "./accounts/index.js";
+import { type ClientConfig } from "./types.js";
+export declare class StackClient<Database = Record<string, unknown>> {
+    readonly auth: IAuthClient;
+    readonly storage: IStorageClient;
+    readonly accounts: IAccountsClient;
+    readonly db: PostgrestClient<Database>;
+    private readonly http;
+    private readonly tokenManager;
+    private readonly isMock;
+    constructor(config: ClientConfig);
+    destroy(): void;
+}
+export declare function createClient<Database = Record<string, unknown>>(config: ClientConfig): StackClient<Database>;
+export declare function createTenantClient<Database = Record<string, unknown>>(config: ClientConfig & {
+    tenantId: string;
+}): StackClient<Database>;
+export declare function createPlatformClient<Database = Record<string, unknown>>(config: ClientConfig): StackClient<Database>;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG9D,OAAO,EAA8B,KAAK,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAG/E,OAAO,EAGL,KAAK,cAAc,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAGL,KAAK,eAAe,EACrB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAEL,KAAK,YAAY,EAElB,MAAM,YAAY,CAAC;AASpB,qBAAa,WAAW,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzD,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC,QAAQ,CAAC,CAAC;IAEvC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAoB;IACzC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;gBAErB,MAAM,EAAE,YAAY;IA6EhC,OAAO,IAAI,IAAI;CAMhB;AAED,wBAAgB,YAAY,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7D,MAAM,EAAE,YAAY,GACnB,WAAW,CAAC,QAAQ,CAAC,CAEvB;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnE,MAAM,EAAE,YAAY,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC1C,WAAW,CAAC,QAAQ,CAAC,CAEvB;AAED,wBAAgB,oBAAoB,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACrE,MAAM,EAAE,YAAY,GACnB,WAAW,CAAC,QAAQ,CAAC,CAEvB"}

package/dist/client.js

@@ -0,0 +1,99 @@
+import { HttpClient } from "./lib/http.js";
+import { createTokenStore } from "./lib/token-store.js";
+import { AuthClient, MockAuthClient } from "./auth/index.js";
+import { TokenManager } from "./auth/token-manager.js";
+import { mockState } from "./mocks/state.js";
+import { MockStorageClient, StorageClient, } from "./storage/index.js";
+import { AccountsClient, MockAccountsClient, } from "./accounts/index.js";
+import { MockDbClient, createDbClient } from "./db/index.js";
+import { PLATFORM_TENANT_ID, } from "./types.js";
+function resolveConfig(config) {
+    return {
+        ...config,
+        tenantId: config.tenantId ?? PLATFORM_TENANT_ID,
+    };
+}
+export class StackClient {
+    auth;
+    storage;
+    accounts;
+    db;
+    http;
+    tokenManager;
+    isMock;
+    constructor(config) {
+        const resolved = resolveConfig(config);
+        this.isMock = resolved.mock ?? false;
+        const tokenStore = createTokenStore(resolved.tokenStore ?? "memory", resolved.storagePrefix);
+        if (resolved.accessToken) {
+            tokenStore.setTokens(resolved.accessToken, "");
+        }
+        if (this.isMock && resolved.mockOptions) {
+            if (resolved.mockOptions.latency !== undefined) {
+                mockState.latency = resolved.mockOptions.latency;
+            }
+        }
+        if (this.isMock) {
+            this.http = null;
+            this.tokenManager = new TokenManager({
+                tokenStore,
+                tenantId: resolved.tenantId,
+            });
+            this.auth = new MockAuthClient({
+                tokenManager: this.tokenManager,
+            });
+            this.storage = new MockStorageClient({
+                baseUrl: resolved.baseUrl,
+            });
+            this.accounts = new MockAccountsClient();
+            this.db = new MockDbClient();
+        }
+        else {
+            this.http = new HttpClient({
+                baseUrl: resolved.baseUrl,
+                tokenStore,
+                timeout: resolved.timeout,
+            });
+            this.tokenManager = new TokenManager({
+                http: this.http,
+                tokenStore,
+                tenantId: resolved.tenantId,
+            });
+            this.auth = new AuthClient({
+                http: this.http,
+                tokenManager: this.tokenManager,
+                tenantId: resolved.tenantId,
+            });
+            this.storage = new StorageClient({
+                http: this.http,
+                tenantId: resolved.tenantId,
+                accountId: resolved.accountId,
+            });
+            this.accounts = new AccountsClient({
+                http: this.http,
+                tenantId: resolved.tenantId,
+            });
+            this.db = createDbClient({
+                baseUrl: resolved.baseUrl,
+                tenantId: resolved.tenantId,
+                tokenStore,
+            });
+        }
+    }
+    destroy() {
+        this.tokenManager.destroy();
+        if (this.isMock) {
+            mockState.reset();
+        }
+    }
+}
+export function createClient(config) {
+    return new StackClient(config);
+}
+export function createTenantClient(config) {
+    return new StackClient(config);
+}
+export function createPlatformClient(config) {
+    return new StackClient({ ...config, tenantId: PLATFORM_TENANT_ID });
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,cAAc,EAAoB,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EACL,iBAAiB,EACjB,aAAa,GAEd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,cAAc,EACd,kBAAkB,GAEnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,EACL,kBAAkB,GAGnB,MAAM,YAAY,CAAC;AAEpB,SAAS,aAAa,CAAC,MAAoB;IACzC,OAAO;QACL,GAAG,MAAM;QACT,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,kBAAkB;KAChD,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,WAAW;IACb,IAAI,CAAc;IAClB,OAAO,CAAiB;IACxB,QAAQ,CAAkB;IAC1B,EAAE,CAA4B;IAEtB,IAAI,CAAoB;IACxB,YAAY,CAAe;IAC3B,MAAM,CAAU;IAEjC,YAAY,MAAoB;QAC9B,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAEvC,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC,IAAI,IAAI,KAAK,CAAC;QAErC,MAAM,UAAU,GAAG,gBAAgB,CACjC,QAAQ,CAAC,UAAU,IAAI,QAAQ,EAC/B,QAAQ,CAAC,aAAa,CACvB,CAAC;QAEF,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACzB,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YACxC,IAAI,QAAQ,CAAC,WAAW,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;gBAC/C,SAAS,CAAC,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,OAAO,CAAC;YACnD,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YAEjB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC;gBACnC,UAAU;gBACV,QAAQ,EAAE,QAAQ,CAAC,QAAQ;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,GAAG,IAAI,cAAc,CAAC;gBAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;aAChC,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,GAAG,IAAI,iBAAiB,CAAC;gBACnC,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;YAEzC,IAAI,CAAC,EAAE,GAAG,IAAI,YAAY,EAA0C,CAAC;QACvE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC;gBACzB,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,UAAU;gBACV,OAAO,EAAE,QAAQ,CAAC,OAAO;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC;gBACnC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU;gBACV,QAAQ,EAAE,QAAQ,CAAC,QAAQ;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,GAAG,IAAI,UAAU,CAAC;gBACzB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,GAAG,IAAI,aAAa,CAAC;gBAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;aAC9B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,CAAC;gBACjC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,QAAQ,CAAC,QAAQ;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,GAAG,cAAc,CAAW;gBACjC,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,UAAU;aACX,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,SAAS,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,YAAY,CAC1B,MAAoB;IAEpB,OAAO,IAAI,WAAW,CAAW,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,MAA2C;IAE3C,OAAO,IAAI,WAAW,CAAW,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,MAAoB;IAEpB,OAAO,IAAI,WAAW,CAAW,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAChF,CAAC"}

package/dist/db/client.d.ts

@@ -0,0 +1,9 @@
+import { PostgrestClient } from "@supabase/postgrest-js";
+import type { TokenStore } from "../lib/token-store.js";
+export interface DbClientConfig {
+    baseUrl: string;
+    tenantId: string;
+    tokenStore: TokenStore;
+}
+export declare function createDbClient<Database = Record<string, unknown>>(config: DbClientConfig): PostgrestClient<Database>;
+//# sourceMappingURL=client.d.ts.map

package/dist/db/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/db/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAExD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,wBAAgB,cAAc,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/D,MAAM,EAAE,cAAc,GACrB,eAAe,CAAC,QAAQ,CAAC,CAmB3B"}

package/dist/db/client.js

@@ -0,0 +1,19 @@
+import { PostgrestClient } from "@supabase/postgrest-js";
+export function createDbClient(config) {
+    const { baseUrl, tenantId, tokenStore } = config;
+    const postgrestUrl = `${baseUrl.replace(/\/$/, "")}/rest/${tenantId}`;
+    return new PostgrestClient(postgrestUrl, {
+        fetch: (input, init) => {
+            const accessToken = tokenStore.getAccessToken();
+            const headers = new Headers(init?.headers);
+            if (accessToken) {
+                headers.set("Authorization", `Bearer ${accessToken}`);
+            }
+            return fetch(input, {
+                ...init,
+                headers,
+            });
+        },
+    });
+}
+//# sourceMappingURL=client.js.map