@maravilla-labs/types 0.9.0 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +37 -0
- package/index.d.ts +72 -1
- package/index.ts +85 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,42 @@
|
|
|
1
1
|
# @maravilla-labs/types
|
|
2
2
|
|
|
3
|
+
## 0.10.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- 3deff26: Add the **Connected Apps** auth surface (`platform.auth.*`) so apps can build a
|
|
8
|
+
"Connected apps / agents" settings page (the GitHub "Authorized OAuth Apps"
|
|
9
|
+
equivalent) over the runtime's OAuth/MCP grants.
|
|
10
|
+
|
|
11
|
+
New `AuthService` methods, all scoped to the **current authenticated user**
|
|
12
|
+
(resolved server-side; they take no `user_id`):
|
|
13
|
+
- `listConnectedClients()` / `revokeClient(clientId)` — authorized OAuth agents
|
|
14
|
+
(interactive `oc_…` clients + CIMD URL clients); revoke drops consent + all
|
|
15
|
+
refresh sessions.
|
|
16
|
+
- `listApiKeys()` / `mintApiKey({ name, scopes, expiresInDays? })` /
|
|
17
|
+
`revokeApiKey(id)` — headless `mk_…` API keys (`mintApiKey` returns the
|
|
18
|
+
plaintext key once).
|
|
19
|
+
- `listSessions()` / `revokeSession(id)` — the user's own browser-login sessions
|
|
20
|
+
("where you're signed in").
|
|
21
|
+
|
|
22
|
+
New exported shapes: `ConnectedClient`, `ApiKeyInfo`, `LoginSession`. Field
|
|
23
|
+
names are snake_case to match the runtime op JSON exactly (`client_id`,
|
|
24
|
+
`active_sessions`, `granted_at`, `last_active_at`, `user_agent`, `last_used_at`,
|
|
25
|
+
`expires_at`, `created_at`).
|
|
26
|
+
|
|
27
|
+
`@maravilla-labs/platform`'s `RemoteAuthService` gains the matching dev-server
|
|
28
|
+
REST calls, so the API works identically under `maravilla dev` and in
|
|
29
|
+
production (both terminate at the same `TenantScopedAuthService` facade).
|
|
30
|
+
|
|
31
|
+
## 0.9.1
|
|
32
|
+
|
|
33
|
+
### Patch Changes
|
|
34
|
+
|
|
35
|
+
- f5a503e: Fix `npm run check` error in consumers: re-export the default `Platform` type
|
|
36
|
+
with `export type` (TS1205 under `verbatimModuleSyntax`). Was `export { Platform
|
|
37
|
+
as default }`; `Platform` is a type, so a strict consumer's type-check failed
|
|
38
|
+
inside `node_modules/@maravilla-labs/types`.
|
|
39
|
+
|
|
3
40
|
## 0.9.0
|
|
4
41
|
|
|
5
42
|
### Minor Changes
|
package/index.d.ts
CHANGED
|
@@ -898,6 +898,56 @@ export interface CanCheck {
|
|
|
898
898
|
resourceId: string;
|
|
899
899
|
node?: Record<string, unknown> | null;
|
|
900
900
|
}
|
|
901
|
+
/**
|
|
902
|
+
* One authorized OAuth agent (an interactive `oc_…` client or a CIMD-URL
|
|
903
|
+
* client) the current user has granted access to. Returned by
|
|
904
|
+
* {@link AuthService.listConnectedClients}.
|
|
905
|
+
*/
|
|
906
|
+
export interface ConnectedClient {
|
|
907
|
+
/** `oc_…` (DCR) id or the CIMD URL that *is* the client identity. */
|
|
908
|
+
client_id: string;
|
|
909
|
+
/** Display name (client metadata, CIMD doc, URL host, or raw id fallback). */
|
|
910
|
+
name: string;
|
|
911
|
+
/** `'oauth'` for registered `oc_…` clients, `'cimd'` for URL clients. */
|
|
912
|
+
kind: 'oauth' | 'cimd';
|
|
913
|
+
/** Granted scopes (from `oauth_consents`). */
|
|
914
|
+
scopes: string[];
|
|
915
|
+
/** Count of live refresh sessions for this `(user, client)`. */
|
|
916
|
+
active_sessions: number;
|
|
917
|
+
/** When consent was granted (unix seconds). */
|
|
918
|
+
granted_at: number;
|
|
919
|
+
/** Newest refresh-issue time across live sessions, or `null` when none. */
|
|
920
|
+
last_active_at: number | null;
|
|
921
|
+
}
|
|
922
|
+
/**
|
|
923
|
+
* Headless API-key metadata (never the plaintext or hash). Returned by
|
|
924
|
+
* {@link AuthService.listApiKeys}.
|
|
925
|
+
*/
|
|
926
|
+
export interface ApiKeyInfo {
|
|
927
|
+
id: string;
|
|
928
|
+
/** Optional human label; `null` when the key was minted without a name. */
|
|
929
|
+
name: string | null;
|
|
930
|
+
scopes: string[];
|
|
931
|
+
/** v1 fidelity is issue-time, not literal last-call; `null` when never set. */
|
|
932
|
+
last_used_at: number | null;
|
|
933
|
+
/** Expiry (unix seconds), or `null` for a non-expiring key. */
|
|
934
|
+
expires_at: number | null;
|
|
935
|
+
created_at: number;
|
|
936
|
+
revoked: boolean;
|
|
937
|
+
}
|
|
938
|
+
/**
|
|
939
|
+
* One browser-login session ("where you're signed in"). Returned by
|
|
940
|
+
* {@link AuthService.listSessions}.
|
|
941
|
+
*/
|
|
942
|
+
export interface LoginSession {
|
|
943
|
+
id: string;
|
|
944
|
+
user_agent: string | null;
|
|
945
|
+
ip: string | null;
|
|
946
|
+
created_at: number;
|
|
947
|
+
expires_at: number;
|
|
948
|
+
/** `true` for the session backing the current request. */
|
|
949
|
+
current: boolean;
|
|
950
|
+
}
|
|
901
951
|
/**
|
|
902
952
|
* Auth service for end-user authentication and user management.
|
|
903
953
|
* Implemented by the in-runtime native bridge and by the dev-server
|
|
@@ -1052,6 +1102,27 @@ export interface AuthService {
|
|
|
1052
1102
|
listRelations(options: ListRelationsOptions): Promise<Relation[]>;
|
|
1053
1103
|
getProfile(userId: string): Promise<Record<string, any>>;
|
|
1054
1104
|
setProfile(userId: string, data: Record<string, any>): Promise<void>;
|
|
1105
|
+
/** List the OAuth agents (interactive + CIMD) authorized by the current user. */
|
|
1106
|
+
listConnectedClients(): Promise<ConnectedClient[]>;
|
|
1107
|
+
/** Revoke a client grant: drops consent + all refresh sessions for that client. */
|
|
1108
|
+
revokeClient(clientId: string): Promise<void>;
|
|
1109
|
+
/** List the current user's headless API keys (metadata only). */
|
|
1110
|
+
listApiKeys(): Promise<ApiKeyInfo[]>;
|
|
1111
|
+
/** Mint a headless API key. The plaintext `key` is returned **once**. */
|
|
1112
|
+
mintApiKey(opts: {
|
|
1113
|
+
name: string;
|
|
1114
|
+
scopes: string[];
|
|
1115
|
+
expiresInDays?: number;
|
|
1116
|
+
}): Promise<{
|
|
1117
|
+
id: string;
|
|
1118
|
+
key: string;
|
|
1119
|
+
}>;
|
|
1120
|
+
/** Revoke one of the current user's API keys. */
|
|
1121
|
+
revokeApiKey(id: string): Promise<void>;
|
|
1122
|
+
/** List the current user's own browser-login sessions ("where you're signed in"). */
|
|
1123
|
+
listSessions(): Promise<LoginSession[]>;
|
|
1124
|
+
/** Revoke one of the current user's login sessions (no-op if not owned). */
|
|
1125
|
+
revokeSession(id: string): Promise<void>;
|
|
1055
1126
|
getAuthConfig(): Promise<AuthConfig>;
|
|
1056
1127
|
setAuthConfig(config: AuthConfig): Promise<void>;
|
|
1057
1128
|
readonly stewardship: AuthStewardshipApi;
|
|
@@ -1188,4 +1259,4 @@ export interface Platform {
|
|
|
1188
1259
|
* /// <reference types="@maravilla-labs/types/global" />
|
|
1189
1260
|
* ```
|
|
1190
1261
|
*/
|
|
1191
|
-
export { Platform as default };
|
|
1262
|
+
export type { Platform as default };
|
package/index.ts
CHANGED
|
@@ -1039,6 +1039,66 @@ export interface CanCheck {
|
|
|
1039
1039
|
node?: Record<string, unknown> | null;
|
|
1040
1040
|
}
|
|
1041
1041
|
|
|
1042
|
+
// ── Connected apps (profile-page surface) ──
|
|
1043
|
+
//
|
|
1044
|
+
// Field names match the runtime op JSON verbatim. The underlying Rust
|
|
1045
|
+
// structs (`crates/platform/src/auth/connected.rs`, `oauth/apikeys.rs`)
|
|
1046
|
+
// derive `serde::Serialize` with no `rename_all`, so every key is
|
|
1047
|
+
// **snake_case** — do not camelCase these.
|
|
1048
|
+
|
|
1049
|
+
/**
|
|
1050
|
+
* One authorized OAuth agent (an interactive `oc_…` client or a CIMD-URL
|
|
1051
|
+
* client) the current user has granted access to. Returned by
|
|
1052
|
+
* {@link AuthService.listConnectedClients}.
|
|
1053
|
+
*/
|
|
1054
|
+
export interface ConnectedClient {
|
|
1055
|
+
/** `oc_…` (DCR) id or the CIMD URL that *is* the client identity. */
|
|
1056
|
+
client_id: string;
|
|
1057
|
+
/** Display name (client metadata, CIMD doc, URL host, or raw id fallback). */
|
|
1058
|
+
name: string;
|
|
1059
|
+
/** `'oauth'` for registered `oc_…` clients, `'cimd'` for URL clients. */
|
|
1060
|
+
kind: 'oauth' | 'cimd';
|
|
1061
|
+
/** Granted scopes (from `oauth_consents`). */
|
|
1062
|
+
scopes: string[];
|
|
1063
|
+
/** Count of live refresh sessions for this `(user, client)`. */
|
|
1064
|
+
active_sessions: number;
|
|
1065
|
+
/** When consent was granted (unix seconds). */
|
|
1066
|
+
granted_at: number;
|
|
1067
|
+
/** Newest refresh-issue time across live sessions, or `null` when none. */
|
|
1068
|
+
last_active_at: number | null;
|
|
1069
|
+
}
|
|
1070
|
+
|
|
1071
|
+
/**
|
|
1072
|
+
* Headless API-key metadata (never the plaintext or hash). Returned by
|
|
1073
|
+
* {@link AuthService.listApiKeys}.
|
|
1074
|
+
*/
|
|
1075
|
+
export interface ApiKeyInfo {
|
|
1076
|
+
id: string;
|
|
1077
|
+
/** Optional human label; `null` when the key was minted without a name. */
|
|
1078
|
+
name: string | null;
|
|
1079
|
+
scopes: string[];
|
|
1080
|
+
/** v1 fidelity is issue-time, not literal last-call; `null` when never set. */
|
|
1081
|
+
last_used_at: number | null;
|
|
1082
|
+
/** Expiry (unix seconds), or `null` for a non-expiring key. */
|
|
1083
|
+
expires_at: number | null;
|
|
1084
|
+
created_at: number;
|
|
1085
|
+
revoked: boolean;
|
|
1086
|
+
}
|
|
1087
|
+
|
|
1088
|
+
/**
|
|
1089
|
+
* One browser-login session ("where you're signed in"). Returned by
|
|
1090
|
+
* {@link AuthService.listSessions}.
|
|
1091
|
+
*/
|
|
1092
|
+
export interface LoginSession {
|
|
1093
|
+
id: string;
|
|
1094
|
+
user_agent: string | null;
|
|
1095
|
+
ip: string | null;
|
|
1096
|
+
created_at: number;
|
|
1097
|
+
expires_at: number;
|
|
1098
|
+
/** `true` for the session backing the current request. */
|
|
1099
|
+
current: boolean;
|
|
1100
|
+
}
|
|
1101
|
+
|
|
1042
1102
|
/**
|
|
1043
1103
|
* Auth service for end-user authentication and user management.
|
|
1044
1104
|
* Implemented by the in-runtime native bridge and by the dev-server
|
|
@@ -1213,6 +1273,30 @@ export interface AuthService {
|
|
|
1213
1273
|
getProfile(userId: string): Promise<Record<string, any>>;
|
|
1214
1274
|
setProfile(userId: string, data: Record<string, any>): Promise<void>;
|
|
1215
1275
|
|
|
1276
|
+
// ── Connected apps (current-user-scoped) ──
|
|
1277
|
+
//
|
|
1278
|
+
// These operate ONLY on the current authenticated user, resolved
|
|
1279
|
+
// server-side from the bound request identity — they take no userId and
|
|
1280
|
+
// cannot enumerate or revoke another user's data. Anonymous requests
|
|
1281
|
+
// reject with `unauthenticated`.
|
|
1282
|
+
|
|
1283
|
+
/** List the OAuth agents (interactive + CIMD) authorized by the current user. */
|
|
1284
|
+
listConnectedClients(): Promise<ConnectedClient[]>;
|
|
1285
|
+
/** Revoke a client grant: drops consent + all refresh sessions for that client. */
|
|
1286
|
+
revokeClient(clientId: string): Promise<void>;
|
|
1287
|
+
|
|
1288
|
+
/** List the current user's headless API keys (metadata only). */
|
|
1289
|
+
listApiKeys(): Promise<ApiKeyInfo[]>;
|
|
1290
|
+
/** Mint a headless API key. The plaintext `key` is returned **once**. */
|
|
1291
|
+
mintApiKey(opts: { name: string; scopes: string[]; expiresInDays?: number }): Promise<{ id: string; key: string }>;
|
|
1292
|
+
/** Revoke one of the current user's API keys. */
|
|
1293
|
+
revokeApiKey(id: string): Promise<void>;
|
|
1294
|
+
|
|
1295
|
+
/** List the current user's own browser-login sessions ("where you're signed in"). */
|
|
1296
|
+
listSessions(): Promise<LoginSession[]>;
|
|
1297
|
+
/** Revoke one of the current user's login sessions (no-op if not owned). */
|
|
1298
|
+
revokeSession(id: string): Promise<void>;
|
|
1299
|
+
|
|
1216
1300
|
// ── Auth config ──
|
|
1217
1301
|
|
|
1218
1302
|
getAuthConfig(): Promise<AuthConfig>;
|
|
@@ -1381,4 +1465,4 @@ export interface Platform {
|
|
|
1381
1465
|
* ```
|
|
1382
1466
|
*/
|
|
1383
1467
|
|
|
1384
|
-
export { Platform as default };
|
|
1468
|
+
export type { Platform as default };
|