@maravilla-labs/types 0.9.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,42 @@
1
1
  # @maravilla-labs/types
2
2
 
3
+ ## 0.10.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 3deff26: Add the **Connected Apps** auth surface (`platform.auth.*`) so apps can build a
8
+ "Connected apps / agents" settings page (the GitHub "Authorized OAuth Apps"
9
+ equivalent) over the runtime's OAuth/MCP grants.
10
+
11
+ New `AuthService` methods, all scoped to the **current authenticated user**
12
+ (resolved server-side; they take no `user_id`):
13
+ - `listConnectedClients()` / `revokeClient(clientId)` — authorized OAuth agents
14
+ (interactive `oc_…` clients + CIMD URL clients); revoke drops consent + all
15
+ refresh sessions.
16
+ - `listApiKeys()` / `mintApiKey({ name, scopes, expiresInDays? })` /
17
+ `revokeApiKey(id)` — headless `mk_…` API keys (`mintApiKey` returns the
18
+ plaintext key once).
19
+ - `listSessions()` / `revokeSession(id)` — the user's own browser-login sessions
20
+ ("where you're signed in").
21
+
22
+ New exported shapes: `ConnectedClient`, `ApiKeyInfo`, `LoginSession`. Field
23
+ names are snake_case to match the runtime op JSON exactly (`client_id`,
24
+ `active_sessions`, `granted_at`, `last_active_at`, `user_agent`, `last_used_at`,
25
+ `expires_at`, `created_at`).
26
+
27
+ `@maravilla-labs/platform`'s `RemoteAuthService` gains the matching dev-server
28
+ REST calls, so the API works identically under `maravilla dev` and in
29
+ production (both terminate at the same `TenantScopedAuthService` facade).
30
+
31
+ ## 0.9.1
32
+
33
+ ### Patch Changes
34
+
35
+ - f5a503e: Fix `npm run check` error in consumers: re-export the default `Platform` type
36
+ with `export type` (TS1205 under `verbatimModuleSyntax`). Was `export { Platform
37
+ as default }`; `Platform` is a type, so a strict consumer's type-check failed
38
+ inside `node_modules/@maravilla-labs/types`.
39
+
3
40
  ## 0.9.0
4
41
 
5
42
  ### Minor Changes
package/index.d.ts CHANGED
@@ -898,6 +898,56 @@ export interface CanCheck {
898
898
  resourceId: string;
899
899
  node?: Record<string, unknown> | null;
900
900
  }
901
+ /**
902
+ * One authorized OAuth agent (an interactive `oc_…` client or a CIMD-URL
903
+ * client) the current user has granted access to. Returned by
904
+ * {@link AuthService.listConnectedClients}.
905
+ */
906
+ export interface ConnectedClient {
907
+ /** `oc_…` (DCR) id or the CIMD URL that *is* the client identity. */
908
+ client_id: string;
909
+ /** Display name (client metadata, CIMD doc, URL host, or raw id fallback). */
910
+ name: string;
911
+ /** `'oauth'` for registered `oc_…` clients, `'cimd'` for URL clients. */
912
+ kind: 'oauth' | 'cimd';
913
+ /** Granted scopes (from `oauth_consents`). */
914
+ scopes: string[];
915
+ /** Count of live refresh sessions for this `(user, client)`. */
916
+ active_sessions: number;
917
+ /** When consent was granted (unix seconds). */
918
+ granted_at: number;
919
+ /** Newest refresh-issue time across live sessions, or `null` when none. */
920
+ last_active_at: number | null;
921
+ }
922
+ /**
923
+ * Headless API-key metadata (never the plaintext or hash). Returned by
924
+ * {@link AuthService.listApiKeys}.
925
+ */
926
+ export interface ApiKeyInfo {
927
+ id: string;
928
+ /** Optional human label; `null` when the key was minted without a name. */
929
+ name: string | null;
930
+ scopes: string[];
931
+ /** v1 fidelity is issue-time, not literal last-call; `null` when never set. */
932
+ last_used_at: number | null;
933
+ /** Expiry (unix seconds), or `null` for a non-expiring key. */
934
+ expires_at: number | null;
935
+ created_at: number;
936
+ revoked: boolean;
937
+ }
938
+ /**
939
+ * One browser-login session ("where you're signed in"). Returned by
940
+ * {@link AuthService.listSessions}.
941
+ */
942
+ export interface LoginSession {
943
+ id: string;
944
+ user_agent: string | null;
945
+ ip: string | null;
946
+ created_at: number;
947
+ expires_at: number;
948
+ /** `true` for the session backing the current request. */
949
+ current: boolean;
950
+ }
901
951
  /**
902
952
  * Auth service for end-user authentication and user management.
903
953
  * Implemented by the in-runtime native bridge and by the dev-server
@@ -1052,6 +1102,27 @@ export interface AuthService {
1052
1102
  listRelations(options: ListRelationsOptions): Promise<Relation[]>;
1053
1103
  getProfile(userId: string): Promise<Record<string, any>>;
1054
1104
  setProfile(userId: string, data: Record<string, any>): Promise<void>;
1105
+ /** List the OAuth agents (interactive + CIMD) authorized by the current user. */
1106
+ listConnectedClients(): Promise<ConnectedClient[]>;
1107
+ /** Revoke a client grant: drops consent + all refresh sessions for that client. */
1108
+ revokeClient(clientId: string): Promise<void>;
1109
+ /** List the current user's headless API keys (metadata only). */
1110
+ listApiKeys(): Promise<ApiKeyInfo[]>;
1111
+ /** Mint a headless API key. The plaintext `key` is returned **once**. */
1112
+ mintApiKey(opts: {
1113
+ name: string;
1114
+ scopes: string[];
1115
+ expiresInDays?: number;
1116
+ }): Promise<{
1117
+ id: string;
1118
+ key: string;
1119
+ }>;
1120
+ /** Revoke one of the current user's API keys. */
1121
+ revokeApiKey(id: string): Promise<void>;
1122
+ /** List the current user's own browser-login sessions ("where you're signed in"). */
1123
+ listSessions(): Promise<LoginSession[]>;
1124
+ /** Revoke one of the current user's login sessions (no-op if not owned). */
1125
+ revokeSession(id: string): Promise<void>;
1055
1126
  getAuthConfig(): Promise<AuthConfig>;
1056
1127
  setAuthConfig(config: AuthConfig): Promise<void>;
1057
1128
  readonly stewardship: AuthStewardshipApi;
@@ -1188,4 +1259,4 @@ export interface Platform {
1188
1259
  * /// <reference types="@maravilla-labs/types/global" />
1189
1260
  * ```
1190
1261
  */
1191
- export { Platform as default };
1262
+ export type { Platform as default };
package/index.ts CHANGED
@@ -1039,6 +1039,66 @@ export interface CanCheck {
1039
1039
  node?: Record<string, unknown> | null;
1040
1040
  }
1041
1041
 
1042
+ // ── Connected apps (profile-page surface) ──
1043
+ //
1044
+ // Field names match the runtime op JSON verbatim. The underlying Rust
1045
+ // structs (`crates/platform/src/auth/connected.rs`, `oauth/apikeys.rs`)
1046
+ // derive `serde::Serialize` with no `rename_all`, so every key is
1047
+ // **snake_case** — do not camelCase these.
1048
+
1049
+ /**
1050
+ * One authorized OAuth agent (an interactive `oc_…` client or a CIMD-URL
1051
+ * client) the current user has granted access to. Returned by
1052
+ * {@link AuthService.listConnectedClients}.
1053
+ */
1054
+ export interface ConnectedClient {
1055
+ /** `oc_…` (DCR) id or the CIMD URL that *is* the client identity. */
1056
+ client_id: string;
1057
+ /** Display name (client metadata, CIMD doc, URL host, or raw id fallback). */
1058
+ name: string;
1059
+ /** `'oauth'` for registered `oc_…` clients, `'cimd'` for URL clients. */
1060
+ kind: 'oauth' | 'cimd';
1061
+ /** Granted scopes (from `oauth_consents`). */
1062
+ scopes: string[];
1063
+ /** Count of live refresh sessions for this `(user, client)`. */
1064
+ active_sessions: number;
1065
+ /** When consent was granted (unix seconds). */
1066
+ granted_at: number;
1067
+ /** Newest refresh-issue time across live sessions, or `null` when none. */
1068
+ last_active_at: number | null;
1069
+ }
1070
+
1071
+ /**
1072
+ * Headless API-key metadata (never the plaintext or hash). Returned by
1073
+ * {@link AuthService.listApiKeys}.
1074
+ */
1075
+ export interface ApiKeyInfo {
1076
+ id: string;
1077
+ /** Optional human label; `null` when the key was minted without a name. */
1078
+ name: string | null;
1079
+ scopes: string[];
1080
+ /** v1 fidelity is issue-time, not literal last-call; `null` when never set. */
1081
+ last_used_at: number | null;
1082
+ /** Expiry (unix seconds), or `null` for a non-expiring key. */
1083
+ expires_at: number | null;
1084
+ created_at: number;
1085
+ revoked: boolean;
1086
+ }
1087
+
1088
+ /**
1089
+ * One browser-login session ("where you're signed in"). Returned by
1090
+ * {@link AuthService.listSessions}.
1091
+ */
1092
+ export interface LoginSession {
1093
+ id: string;
1094
+ user_agent: string | null;
1095
+ ip: string | null;
1096
+ created_at: number;
1097
+ expires_at: number;
1098
+ /** `true` for the session backing the current request. */
1099
+ current: boolean;
1100
+ }
1101
+
1042
1102
  /**
1043
1103
  * Auth service for end-user authentication and user management.
1044
1104
  * Implemented by the in-runtime native bridge and by the dev-server
@@ -1213,6 +1273,30 @@ export interface AuthService {
1213
1273
  getProfile(userId: string): Promise<Record<string, any>>;
1214
1274
  setProfile(userId: string, data: Record<string, any>): Promise<void>;
1215
1275
 
1276
+ // ── Connected apps (current-user-scoped) ──
1277
+ //
1278
+ // These operate ONLY on the current authenticated user, resolved
1279
+ // server-side from the bound request identity — they take no userId and
1280
+ // cannot enumerate or revoke another user's data. Anonymous requests
1281
+ // reject with `unauthenticated`.
1282
+
1283
+ /** List the OAuth agents (interactive + CIMD) authorized by the current user. */
1284
+ listConnectedClients(): Promise<ConnectedClient[]>;
1285
+ /** Revoke a client grant: drops consent + all refresh sessions for that client. */
1286
+ revokeClient(clientId: string): Promise<void>;
1287
+
1288
+ /** List the current user's headless API keys (metadata only). */
1289
+ listApiKeys(): Promise<ApiKeyInfo[]>;
1290
+ /** Mint a headless API key. The plaintext `key` is returned **once**. */
1291
+ mintApiKey(opts: { name: string; scopes: string[]; expiresInDays?: number }): Promise<{ id: string; key: string }>;
1292
+ /** Revoke one of the current user's API keys. */
1293
+ revokeApiKey(id: string): Promise<void>;
1294
+
1295
+ /** List the current user's own browser-login sessions ("where you're signed in"). */
1296
+ listSessions(): Promise<LoginSession[]>;
1297
+ /** Revoke one of the current user's login sessions (no-op if not owned). */
1298
+ revokeSession(id: string): Promise<void>;
1299
+
1216
1300
  // ── Auth config ──
1217
1301
 
1218
1302
  getAuthConfig(): Promise<AuthConfig>;
@@ -1381,4 +1465,4 @@ export interface Platform {
1381
1465
  * ```
1382
1466
  */
1383
1467
 
1384
- export { Platform as default };
1468
+ export type { Platform as default };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@maravilla-labs/types",
3
- "version": "0.9.0",
3
+ "version": "0.10.0",
4
4
  "description": "TypeScript definitions for Maravilla Runtime platform APIs",
5
5
  "main": "index.ts",
6
6
  "types": "index.ts",