@marianmeres/ownsuite 2.1.0 → 2.2.1

package/AGENTS.md

@@ -160,9 +160,9 @@ export type { MockAuthStore } from "./adapters/mod.ts";
 
 When `adapters.auth` is supplied, `createOwnsuite` instantiates three extra managers and attaches them as readonly suite properties:
 
-- **`suite.session: SessionManager`** — reactive `{ status, subject, jwt, expiresAt }` persisted via pluggable `SessionStorage` (`"local"` / `"session"` / `"memory"` / custom object). Hydrates on construction; discards expired sessions. Exposes `subscribe` (Svelte-compatible), `get()`, and state-mutation methods (`setAuthenticated`, `setUnverified`, `clear`, `patchSubject`). Writes are driven by `AuthManager`, not consumers directly.
+- **`suite.session: SessionManager`** — reactive `{ status, subject, jwt, expiresAt }` persisted via pluggable `SessionStorage` (`"local"` / `"session"` / `"memory"` / custom object). With a built-in string backend, hydrates by probing in order `local → session → memory` and adopts the first non-expired payload as the active backend for the instance's lifetime (losing backends are wiped). `setAuthenticated({ storage })` pins the session to a specific built-in backend per login ("Remember me"); subsequent `patchSubject` / `setUnverified` writes land on the same backend. `clear()` wipes every built-in backend so stale blobs from a previous toggle don't leak back in. Exposes `subscribe` (Svelte-compatible), `get()`, and state-mutation methods (`setAuthenticated`, `setUnverified`, `clear`, `patchSubject`). Writes are driven by `AuthManager`, not consumers directly.
 
-- **`suite.auth: AuthManager`** — verbs only, no state. `register` / `login` / `logout` / `resendVerification` / `requestPasswordReset` / `changePassword` / `deleteAccount` / `initiateOAuth` (`mode: "popup" | "redirect"`) / `handleOAuthCallback` (redirect mode). Each call pipes the result into the session and fires an `onIdentityChanged` hook that resets + re-initializes every owner-scoped domain with the fresh context.
+- **`suite.auth: AuthManager`** — verbs only, no state. `register(input, options?)` / `login(input, options?)` / `logout` / `resendVerification` / `requestPasswordReset` / `changePassword` / `deleteAccount` / `initiateOAuth(provider, opts)` (`mode: "popup" | "redirect"`) / `handleOAuthCallback(options?)` (redirect mode). The `options.remember` boolean (`true` → localStorage, `false` → sessionStorage, `undefined` → session manager default; same field on `OAuthInitOptions`) pins the resulting session's storage backend. Each call pipes the result into the session and fires an `onIdentityChanged` hook that resets + re-initializes every owner-scoped domain with the fresh context.
 
 - **`suite.profile: ProfileManager`** — singleton (one-row) `/me` CRUD. `fetch` / `update` / `listOAuth` / `unlinkOAuth`. Every successful fetch/update patches the session subject in place so consumers reading `suite.session` see email / roles / verification / connections without a second fetch. Update emits `profile:updated`.
 

package/API.md

@@ -593,10 +593,12 @@ Current JWT, or `null` when anonymous.
 
 Shorthand reads.
 
-#### `session.setAuthenticated({ jwt, subject, expiresAt? })`
+#### `session.setAuthenticated({ jwt, subject, expiresAt?, storage? })`
 
 Enter the `authenticated` state. Normally called by `AuthManager`, not consumers.
 
+- `storage` (`SessionStorageType`, optional) — per-login storage pin. When `"local"` / `"session"` / `"memory"`, switches the active built-in backend for this session (and for subsequent `patchSubject` / `setUnverified` writes). The previously-active built-in backend's blob is wiped as part of the switch so "Remember me" toggles don't leave stale data. Silently ignored when the manager was constructed with a custom `SessionStorage` object, or when the override is itself an object.
+
 #### `session.setUnverified(email)` / `session.clear()` / `session.patchSubject(patch)`
 
 Mutation helpers — typically driven by `AuthManager` / `ProfileManager`.
@@ -613,15 +615,15 @@ Verbs only. Attached as `suite.auth`. No state of its own — results flow into
 
 | Method | Purpose |
 |---|---|
-| `register({ email, password, password_confirm, roles?, extras? })` | Create account. Returns an `AuthTokenResult`. When the server's verification gate is on, the result carries `requiresVerification: true` and the session flips to `"unverified"` — no JWT yet. |
-| `login({ email, password })` | Exchange credentials for a JWT. Session flips to `"authenticated"` on success, `"unverified"` if the server reports the gate. |
+| `register({ email, password, password_confirm, roles?, extras? }, options?)` | Create account. Returns an `AuthTokenResult`. When the server's verification gate is on, the result carries `requiresVerification: true` and the session flips to `"unverified"` — no JWT yet. `options.remember` pins the resulting session to `localStorage` (`true`) or `sessionStorage` (`false`); omit to use the `SessionManager` default. |
+| `login({ email, password }, options?)` | Exchange credentials for a JWT. Session flips to `"authenticated"` on success, `"unverified"` if the server reports the gate. `options.remember` selects per-login storage (see `register`). |
 | `logout()` | Best-effort server revoke + local clear. Idempotent. |
 | `resendVerification({ email, lang? })` | Trigger a fresh verification email. Anti-enumeration: always resolves. |
 | `requestPasswordReset({ email, lang? })` | Trigger a password-reset email. Anti-enumeration. |
 | `changePassword({ current_password?, new_password, confirm_password, token? })` | Authenticated self-change (with `current_password`) or token-based reset. |
 | `deleteAccount({ password?, confirm? })` | Irreversible server delete + local session clear + identity-changed hook. |
-| `initiateOAuth(provider, opts)` | Start an OAuth flow. `mode: "popup"` (default) resolves with the auth result from the popup's `postMessage`; `mode: "redirect"` navigates the top window. |
-| `handleOAuthCallback()` | For `mode: "redirect"` apps, call from your callback route to extract the result from the URL (delegated to `adapter.handleOAuthCallback`). |
+| `initiateOAuth(provider, opts)` | Start an OAuth flow. `mode: "popup"` (default) resolves with the auth result from the popup's `postMessage`; `mode: "redirect"` navigates the top window. `opts.remember` pins the resulting session's storage backend (only meaningful for `action: "login"`). |
+| `handleOAuthCallback(options?)` | For `mode: "redirect"` apps, call from your callback route to extract the result from the URL (delegated to `adapter.handleOAuthCallback`). `options.remember` pins the resulting session's storage — pass the same value the user picked before the redirect. |
 
 Successful identity changes (register-with-autologin, login, OAuth login, logout, deleteAccount) fire the orchestrator's `onIdentityChanged` hook, which resets every owner-scoped domain and re-initializes them with the new context.
 
@@ -735,6 +737,14 @@ interface OAuthInitOptions {
     redirect?: string;
     lang?: string;
     mode?: "popup" | "redirect";  // default "popup"
+    remember?: boolean;           // same semantics as AuthActionOptions.remember
+}
+
+interface AuthActionOptions {
+    /** true → localStorage; false → sessionStorage; undefined → default.
+     *  Ignored when SessionManager was constructed with a custom
+     *  SessionStorage object. */
+    remember?: boolean;
 }
 
 interface OAuthConnection {

package/README.md

@@ -67,7 +67,10 @@ await suite.auth!.register({
 // suite.session!.get().status === "unverified"
 
 // After the user clicks the email link and the server flips isVerified:
-await suite.auth!.login({ email: "alice@example.com", password: "mysecretpassword" });
+await suite.auth!.login(
+  { email: "alice@example.com", password: "mysecretpassword" },
+  { remember: true }, // true → localStorage; false → sessionStorage (per-login override)
+);
 // suite.session!.get().status === "authenticated"
 // Every registered owner-scoped domain is re-initialized with the new JWT.
 
@@ -86,7 +89,7 @@ await suite.profile!.update({
 await suite.auth!.logout();
 ```
 
-Session state is persisted through a pluggable `SessionStorage` backend (`"local"` / `"session"` / `"memory"` / custom object with `get`/`set`/`del`). Expired stored sessions are discarded on construction so a reload after the JWT lapses starts anonymous.
+Session state is persisted through a pluggable `SessionStorage` backend (`"local"` / `"session"` / `"memory"` / custom object with `get`/`set`/`del`). Expired stored sessions are discarded on construction so a reload after the JWT lapses starts anonymous. With a built-in string backend, hydration probes `local → session → memory` and adopts whichever holds a non-expired payload — the per-login `remember` flag on `auth.login` / `auth.register` / `auth.initiateOAuth` (`true` → `localStorage`, `false` → `sessionStorage`) switches the active backend for that session, and `session.clear()` wipes all built-in backends so toggles can't leak stale data.
 
 Tests can use the in-memory mock adapters (`createMockAuthAdapter`, `createMockProfileAdapter`, `createMockAuthStore`, `verifyMockAccount`) and the injectable popup host for deterministic OAuth dances.
 

package/dist/domains/auth.d.ts

@@ -12,7 +12,7 @@
  * management.
  */
 import { type PubSub } from "@marianmeres/pubsub";
-import type { AuthAdapter, AuthTokenResult, OAuthInitOptions, OAuthProvider, OwnsuiteContext, ProfileAdapter } from "../types/mod.js";
+import type { AuthActionOptions, AuthAdapter, AuthTokenResult, OAuthInitOptions, OAuthProvider, OwnsuiteContext, ProfileAdapter } from "../types/mod.js";
 import type { SessionManager } from "./session.js";
 import type { ProfileManager } from "./profile.js";
 export interface AuthManagerOptions {
@@ -46,11 +46,11 @@ export declare class AuthManager {
         password_confirm: string;
         roles?: string[];
         extras?: Record<string, unknown>;
-    }): Promise<AuthTokenResult>;
+    }, options?: AuthActionOptions): Promise<AuthTokenResult>;
     login(input: {
         email: string;
         password: string;
-    }): Promise<AuthTokenResult>;
+    }, options?: AuthActionOptions): Promise<AuthTokenResult>;
     logout(): Promise<void>;
     resendVerification(input: {
         email: string;
@@ -78,6 +78,8 @@ export declare class AuthManager {
      */
     initiateOAuth(provider: OAuthProvider, opts: OAuthInitOptions): Promise<AuthTokenResult | void>;
     /** For the redirect-mode callback page: delegate to the adapter if
-     *  available to extract the result from the current URL/page state. */
-    handleOAuthCallback(): Promise<AuthTokenResult | void>;
+     *  available to extract the result from the current URL/page state.
+     *  `options.remember` pins the resulting session to local/session
+     *  storage — pass the same value the user picked before the redirect. */
+    handleOAuthCallback(options?: AuthActionOptions): Promise<AuthTokenResult | void>;
 }

package/dist/domains/auth.js

@@ -46,8 +46,13 @@ export class AuthManager {
      *  present, we pull the profile to build a complete subject. When the
      *  server returned requiresVerification, we surface the "unverified"
      *  status without any profile fetch. Triggers identity-change hook on
-     *  actual login. */
-    async #applyAuthResult(result) {
+     *  actual login.
+     *
+     *  `remember` translates to a per-login storage pin on the session:
+     *  `true` → `"local"`, `false` → `"session"`, `undefined` → session
+     *  manager's configured default. Silently no-op in the verification-gate
+     *  branch (no JWT yet → nothing to persist). */
+    async #applyAuthResult(result, remember) {
         if (result.requiresVerification || !result.jwt) {
             this.#session.setUnverified(result.email);
             this.#pubsub.publish("auth:verification:required", {
@@ -66,10 +71,16 @@ export class AuthManager {
             isVerified: result.isVerified ?? false,
             hasPassword: true, // corrected by profile fetch below
         };
+        const storage = remember === true
+            ? "local"
+            : remember === false
+                ? "session"
+                : undefined;
         this.#session.setAuthenticated({
             jwt: result.jwt,
             subject: provisional,
             expiresAt: result.validUntil ?? null,
+            ...(storage ? { storage } : {}),
         });
         // Best-effort hydrate the subject from /me. If this fails we keep the
         // provisional subject; consumers can retry via profile.fetch().
@@ -90,7 +101,7 @@ export class AuthManager {
         return result;
     }
     // ─────────────────────── verbs ──────────────────────────────────────────
-    async register(input) {
+    async register(input, options) {
         const result = await this.#adapter.register(input, this.#ctx());
         this.#pubsub.publish("auth:register", {
             type: "auth:register",
@@ -98,16 +109,16 @@ export class AuthManager {
             email: input.email,
             requiresVerification: Boolean(result.requiresVerification),
         });
-        return await this.#applyAuthResult(result);
+        return await this.#applyAuthResult(result, options?.remember);
     }
-    async login(input) {
+    async login(input, options) {
         const result = await this.#adapter.login(input, this.#ctx());
         this.#pubsub.publish("auth:login", {
             type: "auth:login",
             timestamp: Date.now(),
             email: input.email,
         });
-        return await this.#applyAuthResult(result);
+        return await this.#applyAuthResult(result, options?.remember);
     }
     async logout() {
         const subjectId = this.#session.get().subject?.id;
@@ -197,15 +208,17 @@ export class AuthManager {
             roles: message.roles ?? [],
             isVerified: true,
         };
-        return await this.#applyAuthResult(result);
+        return await this.#applyAuthResult(result, opts.remember);
     }
     /** For the redirect-mode callback page: delegate to the adapter if
-     *  available to extract the result from the current URL/page state. */
-    async handleOAuthCallback() {
+     *  available to extract the result from the current URL/page state.
+     *  `options.remember` pins the resulting session to local/session
+     *  storage — pass the same value the user picked before the redirect. */
+    async handleOAuthCallback(options) {
         if (!this.#adapter.handleOAuthCallback) {
             throw new Error("AuthManager: handleOAuthCallback is not implemented by the adapter");
         }
         const result = await this.#adapter.handleOAuthCallback(this.#ctx());
-        return await this.#applyAuthResult(result);
+        return await this.#applyAuthResult(result, options?.remember);
     }
 }

package/dist/domains/session.d.ts

@@ -34,9 +34,14 @@ export interface SessionManagerOptions {
 /**
  * Session manager — pure reactive state + persistence, no HTTP.
  *
- * Writes are driven by the AuthManager. On construction it hydrates from
- * storage; if the stored JWT has expired, it transitions to anonymous and
- * clears the storage.
+ * Writes are driven by the AuthManager. On construction it hydrates by
+ * probing the built-in backends in order `local → session → memory` and
+ * adopting whichever holds a non-expired payload as the active backend for
+ * the rest of the instance's lifetime (until `clear()`). Stale blobs on the
+ * other built-in backends are wiped on adoption.
+ *
+ * When constructed with a custom `SessionStorage` object, there is a single
+ * backend and per-login `remember` choices are silently ignored.
  */
 export declare class SessionManager {
     #private;
@@ -51,23 +56,37 @@ export declare class SessionManager {
     /** JWT for adapter `Authorization` headers, or null when anonymous. */
     getJwt(): string | null;
     /** Transition to authenticated. Called after login/register/OAuth succeed
-     *  and the subject has been loaded. */
+     *  and the subject has been loaded.
+     *
+     *  When `opts.storage` is one of `"local"` / `"session"` / `"memory"`,
+     *  pins this session to that built-in backend; subsequent
+     *  `patchSubject` / `setUnverified` writes land on the same backend.
+     *  The previously-active backend's blob is wiped as part of the switch
+     *  so "Remember me" toggles don't leave stale data behind.
+     *
+     *  Ignored when the manager was constructed with a custom `SessionStorage`
+     *  object (single backend) or when `opts.storage` is itself an object
+     *  (no multi-backend custom storage by design). */
     setAuthenticated(opts: {
         jwt: string;
         subject: SessionSubject;
         expiresAt?: number | null;
+        storage?: SessionStorageType;
     }): void;
     /** Server confirmed credentials but refuses login until email is
      *  verified. Expose the email so the UI can prompt "check your inbox"
      *  without a second server call. No JWT in this state. */
     setUnverified(email: string): void;
-    /** Drop the session. Storage is cleared; downstream domains should be
-     *  reset by the suite orchestrator. */
+    /** Drop the session. Every built-in backend (local + session + memory)
+     *  is wiped — not just the active one — so stale blobs from a previous
+     *  "Remember me" toggle can't leak back in on the next construction.
+     *  Resets the active backend to the manager's configured default.
+     *  Downstream domains should be reset by the suite orchestrator. */
     clear(): void;
     /** Patch the subject in place without touching the JWT. Used when the
      *  profile manager changes email / linked providers / etc. */
     patchSubject(patch: Partial<SessionSubject>): void;
-    /** Test / reset hook — clears storage AND in-memory state without
+    /** Test / reset hook — clears every backend AND in-memory state without
      *  emitting. Used by teardown. */
     destroy(): void;
 }

package/dist/domains/session.js

@@ -16,6 +16,11 @@
 import { createStore } from "@marianmeres/store";
 import { createPubSub } from "@marianmeres/pubsub";
 const DEFAULT_STORAGE_KEY = "ownsuite:session";
+const BUILT_IN_ORDER = [
+    "local",
+    "session",
+    "memory",
+];
 const EMPTY = {
     status: "anonymous",
     subject: null,
@@ -82,56 +87,114 @@ export function resolveSessionStorage(type = "local") {
 /**
  * Session manager — pure reactive state + persistence, no HTTP.
  *
- * Writes are driven by the AuthManager. On construction it hydrates from
- * storage; if the stored JWT has expired, it transitions to anonymous and
- * clears the storage.
+ * Writes are driven by the AuthManager. On construction it hydrates by
+ * probing the built-in backends in order `local → session → memory` and
+ * adopting whichever holds a non-expired payload as the active backend for
+ * the rest of the instance's lifetime (until `clear()`). Stale blobs on the
+ * other built-in backends are wiped on adoption.
+ *
+ * When constructed with a custom `SessionStorage` object, there is a single
+ * backend and per-login `remember` choices are silently ignored.
  */
 export class SessionManager {
     #store;
     #pubsub;
-    #storage;
     #storageKey;
+    /** Set only when the consumer passed a `SessionStorage` object at
+     *  construction — then there is one backend and no toggling. */
+    #customStorage;
+    /** Resolved eagerly in the string-storage case so `clear()` can wipe
+     *  every backend and per-login overrides can switch between them. */
+    #builtIn;
+    #defaultStorageType;
+    #activeStorage;
+    #activeStorageType;
     constructor(options = {}) {
         this.#pubsub = options.pubsub ?? createPubSub();
-        this.#storage = resolveSessionStorage(options.storage ?? "local");
         this.#storageKey = options.storageKey ?? DEFAULT_STORAGE_KEY;
         this.#store = createStore({ ...EMPTY });
+        const configured = options.storage ?? "local";
+        if (typeof configured === "string") {
+            this.#customStorage = null;
+            this.#builtIn = {
+                local: resolveSessionStorage("local"),
+                session: resolveSessionStorage("session"),
+                memory: createMemorySessionStorage(),
+            };
+            this.#defaultStorageType = configured;
+            this.#activeStorage = this.#builtIn[configured];
+            this.#activeStorageType = configured;
+        }
+        else {
+            this.#customStorage = configured;
+            this.#builtIn = null;
+            this.#defaultStorageType = "local";
+            this.#activeStorage = configured;
+            this.#activeStorageType = "custom";
+        }
         this.#hydrate();
     }
-    /** Read from storage and populate the store. Expired sessions are wiped. */
-    #hydrate() {
-        const raw = this.#storage.get(this.#storageKey);
+    /** Try to parse a payload and validate shape + expiry. Returns the state
+     *  on success, or `null` (and deletes the stored blob) on any failure. */
+    #readCandidate(storage) {
+        const raw = storage.get(this.#storageKey);
         if (!raw)
-            return;
+            return null;
         try {
             const parsed = JSON.parse(raw);
-            // Basic shape check.
             if (typeof parsed !== "object" ||
                 parsed === null ||
                 typeof parsed.status !== "string") {
-                this.#storage.del(this.#storageKey);
-                return;
+                storage.del(this.#storageKey);
+                return null;
             }
-            // Expiry check (only meaningful when expiresAt is set).
             if (parsed.expiresAt !== null &&
                 parsed.expiresAt !== undefined &&
                 parsed.expiresAt * 1000 <= Date.now()) {
-                this.#storage.del(this.#storageKey);
-                return;
+                storage.del(this.#storageKey);
+                return null;
             }
-            this.#store.set(parsed);
+            return parsed;
         }
         catch {
-            this.#storage.del(this.#storageKey);
+            storage.del(this.#storageKey);
+            return null;
+        }
+    }
+    /** Read from storage and populate the store. Expired sessions are wiped.
+     *  In the built-in case, probes `local → session → memory` and wipes
+     *  the losing backends so stale blobs can't leak back in. */
+    #hydrate() {
+        if (this.#customStorage) {
+            const parsed = this.#readCandidate(this.#customStorage);
+            if (parsed)
+                this.#store.set(parsed);
+            return;
+        }
+        const builtIn = this.#builtIn;
+        for (const type of BUILT_IN_ORDER) {
+            const parsed = this.#readCandidate(builtIn[type]);
+            if (!parsed)
+                continue;
+            // Adopt this backend; wipe the others so a later login-with-toggle
+            // can't accidentally re-hydrate a stale blob.
+            for (const other of BUILT_IN_ORDER) {
+                if (other !== type)
+                    builtIn[other].del(this.#storageKey);
+            }
+            this.#activeStorage = builtIn[type];
+            this.#activeStorageType = type;
+            this.#store.set(parsed);
+            return;
         }
     }
     #persist() {
         const s = this.#store.get();
         if (s.status === "anonymous") {
-            this.#storage.del(this.#storageKey);
+            this.#activeStorage.del(this.#storageKey);
         }
         else {
-            this.#storage.set(this.#storageKey, JSON.stringify(s));
+            this.#activeStorage.set(this.#storageKey, JSON.stringify(s));
         }
     }
     #emitChange() {
@@ -163,9 +226,26 @@ export class SessionManager {
         return this.#store.get().jwt;
     }
     /** Transition to authenticated. Called after login/register/OAuth succeed
-     *  and the subject has been loaded. */
+     *  and the subject has been loaded.
+     *
+     *  When `opts.storage` is one of `"local"` / `"session"` / `"memory"`,
+     *  pins this session to that built-in backend; subsequent
+     *  `patchSubject` / `setUnverified` writes land on the same backend.
+     *  The previously-active backend's blob is wiped as part of the switch
+     *  so "Remember me" toggles don't leave stale data behind.
+     *
+     *  Ignored when the manager was constructed with a custom `SessionStorage`
+     *  object (single backend) or when `opts.storage` is itself an object
+     *  (no multi-backend custom storage by design). */
     setAuthenticated(opts) {
-        const { jwt, subject, expiresAt = null } = opts;
+        const { jwt, subject, expiresAt = null, storage } = opts;
+        if (typeof storage === "string" && this.#builtIn) {
+            if (this.#activeStorage !== this.#builtIn[storage]) {
+                this.#activeStorage.del(this.#storageKey);
+                this.#activeStorage = this.#builtIn[storage];
+                this.#activeStorageType = storage;
+            }
+        }
         this.#store.set({
             status: "authenticated",
             subject,
@@ -194,15 +274,32 @@ export class SessionManager {
         this.#persist();
         this.#emitChange();
     }
-    /** Drop the session. Storage is cleared; downstream domains should be
-     *  reset by the suite orchestrator. */
+    /** Drop the session. Every built-in backend (local + session + memory)
+     *  is wiped — not just the active one — so stale blobs from a previous
+     *  "Remember me" toggle can't leak back in on the next construction.
+     *  Resets the active backend to the manager's configured default.
+     *  Downstream domains should be reset by the suite orchestrator. */
     clear() {
+        this.#wipeAllBackends();
+        if (this.#builtIn) {
+            this.#activeStorage = this.#builtIn[this.#defaultStorageType];
+            this.#activeStorageType = this.#defaultStorageType;
+        }
         if (this.#store.get().status === "anonymous")
             return;
         this.#store.set({ ...EMPTY });
-        this.#persist();
         this.#emitChange();
     }
+    #wipeAllBackends() {
+        if (this.#customStorage) {
+            this.#customStorage.del(this.#storageKey);
+            return;
+        }
+        const builtIn = this.#builtIn;
+        for (const type of BUILT_IN_ORDER) {
+            builtIn[type].del(this.#storageKey);
+        }
+    }
     /** Patch the subject in place without touching the JWT. Used when the
      *  profile manager changes email / linked providers / etc. */
     patchSubject(patch) {
@@ -217,10 +314,10 @@ export class SessionManager {
         this.#persist();
         this.#emitChange();
     }
-    /** Test / reset hook — clears storage AND in-memory state without
+    /** Test / reset hook — clears every backend AND in-memory state without
      *  emitting. Used by teardown. */
     destroy() {
-        this.#storage.del(this.#storageKey);
+        this.#wipeAllBackends();
         this.#store.set({ ...EMPTY });
     }
 }

package/dist/types/auth.d.ts

@@ -79,6 +79,26 @@ export interface OAuthInitOptions {
      *  whether to open a popup and wait for a postMessage, or redirect the
      *  top window. */
     mode?: "popup" | "redirect";
+    /** Same semantics as {@link AuthActionOptions.remember} — pins the
+     *  resulting session to `localStorage` (`true`) or `sessionStorage`
+     *  (`false`). Only meaningful for `action: "login"`. */
+    remember?: boolean;
+}
+/**
+ * Options accepted by `AuthManager.login` / `register` /
+ * `handleOAuthCallback` to express per-login storage preference
+ * ("Remember me").
+ */
+export interface AuthActionOptions {
+    /** `true` → persist the resulting session to `localStorage` (survives
+     *  browser restart).
+     *  `false` → persist to `sessionStorage` (dies with the tab).
+     *  `undefined` → use the `SessionManager`'s configured default backend.
+     *
+     *  Silently ignored when the `SessionManager` was constructed with a
+     *  custom `SessionStorage` object — the single custom backend is used
+     *  regardless. */
+    remember?: boolean;
 }
 /**
  * Uniform result shape for `register` / `login` / OAuth success. When the

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@marianmeres/ownsuite",
-	"version": "2.1.0",
+	"version": "2.2.1",
 	"type": "module",
 	"main": "dist/mod.js",
 	"types": "dist/mod.d.ts",