@nbt-dev/nbt 0.0.8 → 0.0.10

package/dist/nbt.js

@@ -3439,7 +3439,8 @@ function corsOriginsFromNbtJson() {
       try {
         const cfg = JSON.parse(fs2.readFileSync(candidate, "utf8"));
         const c = cfg?.cors;
-        if (Array.isArray(c)) return c.filter((x) => typeof x === "string");
+        if (Array.isArray(c))
+          return c.filter((x) => typeof x === "string");
         if (typeof c === "string") return [c];
       } catch {
       }
@@ -3484,8 +3485,18 @@ function forwardToNative(argv2) {
   }
   process.exit(r.status === null ? 1 : r.status);
 }
+function packageVersion() {
+  try {
+    const pkg = JSON.parse(
+      fs2.readFileSync(path3.join(__dirname, "..", "package.json"), "utf8")
+    );
+    return typeof pkg?.version === "string" ? pkg.version : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
 var program2 = new Command();
-program2.name("nbt").description("nbt CLI + console daemon for the nbt-dev console (linux/x64).");
+program2.name("nbt").description("nbt.dev CLI").version(packageVersion(), "-v, --version", "Print the @nbt-dev/nbt version");
 var NBT = [
   ["install", "Install a cartridge on a live instance"],
   ["generate", "Generate a typed client from contracts"],
@@ -3503,12 +3514,17 @@ for (const [name, summary] of [...NBT, ...CONSOLE]) {
 }
 var customCommands = /* @__PURE__ */ new Set();
 customCommands.add("init");
-program2.command("init").description("Scaffold an nbt project (nbt.json, nbt/, generated/)").argument("[dir]", "directory to create the project in (default: current directory)").option("-y, --yes", "skip prompts; include the hello-world example").option("--no-example", "skip the hello-world example cartridge").action((dir, opts) => {
-  runInit(dir, opts).catch((e) => {
-    console.error(`nbt init: ${e?.message ?? e}`);
-    process.exit(1);
-  });
-});
+program2.command("init").description("Scaffold an nbt project (nbt.json, nbt/, generated/)").argument(
+  "[dir]",
+  "directory to create the project in (default: current directory)"
+).option("-y, --yes", "skip prompts; include the hello-world example").option("--no-example", "skip the hello-world example cartridge").action(
+  (dir, opts) => {
+    runInit(dir, opts).catch((e) => {
+      console.error(`nbt init: ${e?.message ?? e}`);
+      process.exit(1);
+    });
+  }
+);
 var NBT_JSON_TEMPLATE = `{
   "carts": "nbt",
   "generated": "generated",
@@ -3537,13 +3553,17 @@ async function runInit(dir, opts) {
   const root = dir ? path3.resolve(process.cwd(), dir) : process.cwd();
   if (dir) fs2.mkdirSync(root, { recursive: true });
   if (fs2.existsSync(path3.join(root, "nbt.json"))) {
-    throw new Error(`nbt.json already exists ${dir ? `in ${dir}` : "here"} \u2014 this is already an nbt project`);
+    throw new Error(
+      `nbt.json already exists ${dir ? `in ${dir}` : "here"} \u2014 this is already an nbt project`
+    );
   }
   if (!fs2.existsSync(path3.join(STDLIB, "auth", "schema.nbt"))) {
     throw new Error("bundled auth cartridge is missing (broken install)");
   }
   if (fs2.existsSync(path3.join(root, "nbt", "auth"))) {
-    throw new Error("nbt/auth already exists; refusing to overwrite it during init");
+    throw new Error(
+      "nbt/auth already exists; refusing to overwrite it during init"
+    );
   }
   fs2.writeFileSync(path3.join(root, "nbt.json"), NBT_JSON_TEMPLATE);
   fs2.mkdirSync(path3.join(root, "nbt"), { recursive: true });
@@ -3559,16 +3579,27 @@ async function runInit(dir, opts) {
     console.log("\nCreated example cartridge nbt/hello/ (entity Note).");
     console.log("\nNext:");
     if (dir) console.log(`  cd ${dir}`);
-    console.log("  nbt dev            # boot the console + live-reload on save");
+    console.log(
+      "  nbt dev            # boot the console + live-reload on save"
+    );
   } else {
-    if (dir) console.log(`
-Next: cd ${dir}, then run \`nbt dev\` or add a standard cartridge with \`nbt add <name>\`.`);
-    else console.log("\nNext: run `nbt dev`, or add another standard cartridge with `nbt add <name>`.");
+    if (dir)
+      console.log(
+        `
+Next: cd ${dir}, then run \`nbt dev\` or add a standard cartridge with \`nbt add <name>\`.`
+      );
+    else
+      console.log(
+        "\nNext: run `nbt dev`, or add another standard cartridge with `nbt add <name>`."
+      );
   }
 }
 async function wantExample() {
   if (!process.stdin.isTTY) return true;
-  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
   try {
     const ans = (await rl.question("Add a hello-world example cartridge? [Y/n] ")).trim().toLowerCase();
     return ans === "" || ans === "y" || ans === "yes";
@@ -3585,10 +3616,16 @@ program2.command("add").description("Vendor standard-library cartridges into thi
   try {
     const proj = loadNbtProject();
     for (const name of cartridges) {
-      const dest = addStandardCartridge(name, proj.cartsDir, opts.overwrite === true);
+      const dest = addStandardCartridge(
+        name,
+        proj.cartsDir,
+        opts.overwrite === true
+      );
       console.log(`Added ${name} -> ${path3.relative(proj.rootDir, dest)}`);
     }
-    console.log("Run `nbt migrate deploy` to deploy the local cartridge set.");
+    console.log(
+      "Run `nbt migrate deploy` to deploy the local cartridge set."
+    );
   } catch (e) {
     console.error(`nbt add: ${e?.message ?? e}`);
     process.exit(1);
@@ -3607,7 +3644,8 @@ function addStandardCartridge(name, cartsDir, overwrite) {
   }
   const dest = path3.join(cartsDir, name);
   if (fs2.existsSync(dest)) {
-    if (!overwrite) throw new Error(`${dest} already exists; use --overwrite to replace it`);
+    if (!overwrite)
+      throw new Error(`${dest} already exists; use --overwrite to replace it`);
     fs2.rmSync(dest, { recursive: true, force: true });
   }
   fs2.mkdirSync(cartsDir, { recursive: true });
@@ -3623,12 +3661,16 @@ program2.command("list").description("List available standard-library modules").
   const proj = loadNbtProject();
   const names = fs2.readdirSync(STDLIB, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name).filter((n) => fs2.existsSync(path3.join(STDLIB, n, "schema.nbt"))).sort();
   for (const n of names) {
-    const installed = fs2.existsSync(path3.join(proj.cartsDir, n, "schema.nbt"));
+    const installed = fs2.existsSync(
+      path3.join(proj.cartsDir, n, "schema.nbt")
+    );
     console.log(installed ? `${n} (installed)` : n);
   }
 });
 customCommands.add("update");
-program2.command("update").description("Update vendored standard-library modules from the bundled stdlib").argument("<module...>", "standard module name(s)").action((modules) => {
+program2.command("update").description(
+  "Update vendored standard-library modules from the bundled stdlib"
+).argument("<module...>", "standard module name(s)").action((modules) => {
   try {
     const proj = loadNbtProject();
     for (const name of modules) {
@@ -3638,13 +3680,18 @@ program2.command("update").description("Update vendored standard-library modules
       }
       const dest = path3.join(proj.cartsDir, name);
       if (!fs2.existsSync(path3.join(dest, "schema.nbt"))) {
-        throw new Error(`'${name}' is not installed in this project \u2014 run: nbt add ${name}`);
+        throw new Error(
+          `'${name}' is not installed in this project \u2014 run: nbt add ${name}`
+        );
       }
       const written = copyStdlibOver(src, dest);
-      for (const f of written) console.log(`  wrote ${path3.relative(proj.rootDir, f)}`);
+      for (const f of written)
+        console.log(`  wrote ${path3.relative(proj.rootDir, f)}`);
       console.log(`Updated ${name}.`);
     }
-    console.log("Run `nbt migrate create <module>` to capture any schema changes, then `nbt migrate deploy`.");
+    console.log(
+      "Run `nbt migrate create <module>` to capture any schema changes, then `nbt migrate deploy`."
+    );
   } catch (e) {
     console.error(`nbt update: ${e?.message ?? e}`);
     process.exit(1);
@@ -3668,7 +3715,10 @@ function copyStdlibOver(src, dest) {
   return written;
 }
 customCommands.add("dev");
-program2.command("dev").description("Boot the console and live-reload local carts on .nbt change").option("-p, --port <port>", "console HTTP port (default: nbt.json dev env, else 8080)").option("-d, --data-dir <dir>", "console data dir (default: ./data)").action((opts) => {
+program2.command("dev").description("Boot the console and live-reload local carts on .nbt change").option(
+  "-p, --port <port>",
+  "console HTTP port (default: nbt.json dev env, else 8080)"
+).option("-d, --data-dir <dir>", "console data dir (default: ./data)").action((opts) => {
   runDev(opts).catch((e) => {
     console.error(`nbt dev: ${e?.message ?? e}`);
     process.exit(1);
@@ -3692,10 +3742,16 @@ function loadNbtProject() {
     if (parent === dir) break;
     dir = parent;
   }
-  return { rootDir: process.cwd(), cartsDir: path3.resolve(process.cwd(), "nbt"), port: 8080 };
+  return {
+    rootDir: process.cwd(),
+    cartsDir: path3.resolve(process.cwd(), "nbt"),
+    port: 8080
+  };
 }
 function withProjectUpDefaults(argv2) {
-  const hasPort = argv2.some((arg) => arg === "--port" || arg === "-p" || arg.startsWith("--port="));
+  const hasPort = argv2.some(
+    (arg) => arg === "--port" || arg === "-p" || arg.startsWith("--port=")
+  );
   if (hasPort) return argv2;
   return [...argv2, "--port", String(loadNbtProject().port)];
 }
@@ -3744,20 +3800,28 @@ function tcpUp(port, host = "127.0.0.1") {
 }
 var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
 function installCart(cartDir, port) {
-  const r = (0, import_node_child_process2.spawnSync)(NBT_BIN, ["install", "--path", cartDir, "--port", String(port)], {
-    stdio: "inherit",
-    env: nativeEnv()
-  });
+  const r = (0, import_node_child_process2.spawnSync)(
+    NBT_BIN,
+    ["install", "--path", cartDir, "--port", String(port)],
+    {
+      stdio: "inherit",
+      env: nativeEnv()
+    }
+  );
   return r.status === 0;
 }
 async function runDev(opts) {
   const proj = loadNbtProject();
   const port = opts.port ? Number(opts.port) : proj.port;
-  if (!Number.isFinite(port) || port <= 0) throw new Error(`invalid port '${opts.port}'`);
+  if (!Number.isFinite(port) || port <= 0)
+    throw new Error(`invalid port '${opts.port}'`);
   const upArgs = ["up", "--port", String(port)];
   if (opts.dataDir) upArgs.push("--data-dir", opts.dataDir);
   console.log(`nbt dev: starting console on :${port}`);
-  const daemon = (0, import_node_child_process2.spawn)(CONSOLE_BIN, upArgs, { stdio: "inherit", env: consoleEnv() });
+  const daemon = (0, import_node_child_process2.spawn)(CONSOLE_BIN, upArgs, {
+    stdio: "inherit",
+    env: consoleEnv()
+  });
   let shuttingDown = false;
   const shutdown = (code = 0) => {
     if (shuttingDown) return;
@@ -3790,7 +3854,9 @@ async function runDev(opts) {
   }
   const carts = discoverCarts(proj.cartsDir);
   if (carts.length === 0) {
-    console.warn(`nbt dev: no carts found under ${proj.cartsDir} (nothing to watch)`);
+    console.warn(
+      `nbt dev: no carts found under ${proj.cartsDir} (nothing to watch)`
+    );
   }
   const applied = /* @__PURE__ */ new Map();
   for (const c of carts) {
@@ -3798,7 +3864,9 @@ async function runDev(opts) {
     installCart(c, port);
     applied.set(c, newestNbtMtime(c));
   }
-  console.log(`nbt dev: watching ${proj.cartsDir} \u2014 edit .nbt to reload (Ctrl-C to stop)`);
+  console.log(
+    `nbt dev: watching ${proj.cartsDir} \u2014 edit .nbt to reload (Ctrl-C to stop)`
+  );
   let busy = false;
   setInterval(async () => {
     if (busy || shuttingDown) return;
@@ -3828,11 +3896,17 @@ program2.command("bundle").description("Bundle TypeScript workflow code via esbu
   }
   bundleWorkflows({ entryPoints: entry, outfile: opts.outfile });
 });
+customCommands.add("version");
+program2.command("version").description("Print the @nbt-dev/nbt version").action(() => {
+  process.stdout.write(packageVersion() + "\n");
+});
 customCommands.add("completions");
 program2.command("completions").description("Emit a shell completion script (bash | zsh | fish)").argument("<shell>", "bash | zsh | fish").action((shell) => {
   const script = completionScript(shell);
   if (!script) {
-    console.error(`completions: unknown shell '${shell}' (want bash|zsh|fish)`);
+    console.error(
+      `completions: unknown shell '${shell}' (want bash|zsh|fish)`
+    );
     process.exit(1);
   }
   process.stdout.write(script);
@@ -3881,7 +3955,10 @@ function runCompletion(words) {
   const isConsole = consoleCommands.has(first2);
   const bin = isConsole ? CONSOLE_BIN : NBT_BIN;
   const env = isConsole ? consoleEnv() : nativeEnv();
-  const r = (0, import_node_child_process2.spawnSync)(bin, ["__complete__", ...words], { stdio: "inherit", env });
+  const r = (0, import_node_child_process2.spawnSync)(bin, ["__complete__", ...words], {
+    stdio: "inherit",
+    env
+  });
   process.exit(r.status === null ? 0 : r.status);
 }
 var argv = process.argv.slice(2);
@@ -3893,6 +3970,10 @@ if (!first || first === "-h" || first === "--help" || first === "help") {
   program2.outputHelp();
   process.exit(first ? 0 : 1);
 }
+if (first === "-v" || first === "--version") {
+  process.stdout.write(packageVersion() + "\n");
+  process.exit(0);
+}
 if (customCommands.has(first)) {
   program2.parse(process.argv);
 } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nbt-dev/nbt",
-  "version": "0.0.8",
+  "version": "0.0.10",
   "description": "The nbt CLI and console daemon for the nbt-dev console — a fixed-target OS for web development. Linux/x64 prebuilt binaries.",
   "bin": {
     "nbt": "dist/nbt.js"

package/stdlib/auth/migrations/20260614000000_add_user_devtools_settings/migration.nbt

@@ -0,0 +1,4 @@
+migration add_user_devtools_settings {
+  add_field User devtoolsSettings string default("")
+  set_optional User devtoolsSettings true
+}

package/stdlib/auth/migrations/20260614000000_add_user_devtools_settings/schema_snapshot.nbt

@@ -0,0 +1,59 @@
+entity User {
+  name: string
+  username?: string
+  email?: string
+  emailVerified: bool
+  externalId?: string
+  capsVersion: u32
+  devtoolsSettings?: string
+  @@index([email])
+  @@index([externalId])
+  @@unique([email])
+}
+
+entity UserRole {
+  userId: string
+  cart: string
+  role: string
+  @@index([userId])
+}
+
+entity Session {
+  userId: string
+  token: string
+  expiresAt: DateTime
+  ipAddress?: string
+  userAgent?: string
+  @@index([token])
+  @@index([userId])
+}
+
+entity Account {
+  userId: string
+  providerId: string
+  password: string
+  accessToken: string
+  refreshToken: string
+  idToken: string
+  accessTokenExpiresAt: DateTime
+  refreshTokenExpiresAt: DateTime
+  scope: string
+  @@index([userId])
+}
+
+entity Verification {
+  identifier: string
+  value: string
+  expiresAt: DateTime
+  @@index([identifier])
+}
+
+entity ApiKey {
+  name: string
+  projectId: string
+  start: string
+  prefix: string
+  key: string
+  permissions: string
+  roles: string
+}

package/stdlib/auth/schema.nbt

@@ -1,6 +1,6 @@
 import crypto from "crypto"
 
-# Auth policy for the hand-written routes in native/runtime.jai (formerly the
+# Auth policy for the hand-written routes in modules/cart/auth.jai (formerly the
 # @public actions + the `authenticate` middleware block). These keep the
 # daemon's public-route + middleware manifest correct: public routes bypass the
 # /api/* auth gate; @middleware tells the proxy this cart exports the global
@@ -25,7 +25,8 @@ export entity User {
   email?: string
   emailVerified: bool
   externalId?: string
-  capsVersion: u32 # what is this?
+  capsVersion: u32  # capability version; bumped on every role change so cached authorizations invalidate
+  devtoolsSettings?: string  # per-operator devtools UI preferences, stored as a JSON blob
 
   @@index([email])
   @@index([externalId])
@@ -101,8 +102,8 @@ entity ApiKey {
 }
 
 # Console-operator SSH public keys. The console daemon authenticates SSH
-# connections by looking up rows here via modules/auth_lookup/ (in-process,
-# direct storage read — auth cart liveness is not required).
+# connections by reading these rows directly from storage (in-process —
+# auth cart liveness is not required).
 entity SshKey {
   id: ulid
   createdAt: DateTime @default(now())
@@ -114,29 +115,3 @@ entity SshKey {
   @@index([userId])
   @@unique([blob])
 }
-
-jai {
-find_synced_user :: (requestedId: string, email: string) -> (User, bool) {
-  if requestedId.count > 0 {
-    by_id, by_id_ok := get_user(requestedId);
-    if by_id_ok return by_id, true;
-
-    by_external := find_users_by_externalId(requestedId);
-    if by_external.count > 0 {
-      u, ok := get_user(by_external[0].id);
-      if ok return u, true;
-    }
-  }
-
-  if email.count > 0 {
-    by_email := find_users_by_email(email);
-    if by_email.count > 0 {
-      u, ok := get_user(by_email[0].id);
-      if ok return u, true;
-    }
-  }
-
-  empty: User;
-  return empty, false;
-}
-}

package/stdlib/calendar/schema.nbt

@@ -45,9 +45,8 @@ export entity Appointment {
 
   # Rendered embedding-template text. Persisted alongside the Appointment so
   # similarity search can score (target_text, candidate_text) pairs without
-  # re-rendering the customer's @embed template on every query. Populated at
-  # ingest by the customer's @embed binding
-  # (D09.10c). Generic surface — every customer composing similarity search
+  # re-rendering on every query. Populated at ingest by the customer's
+  # pipeline. Generic surface — every customer composing similarity search
   # over Appointments needs it; the *content* of the text is customer policy.
   embedText?: string
 

package/stdlib/crm/schema.nbt

@@ -77,11 +77,10 @@ export entity Deal {
   customData: document
 
   # Append-only suffix — fields below this comment must stay at the end
-  # of the entity declaration. Codegen serializes in declaration order;
+  # of the entity declaration. The row codec serializes in declaration order;
   # newly-added fields go *after* existing fields so the on-disk byte
   # layout stays forward-compatible (old records deserialize cleanly with
-  # trailing fields default-initialised). See the EOF-tolerant deserialize
-  # codegen in modules/nbt/codegen_serial.jai.
+  # trailing fields default-initialised).
 
   # D09.02 — generic lifecycle status, customer-domain. mylocalpro reacts
   # to `deal.status == "won"` to mark the source Appointment positive.
@@ -101,7 +100,7 @@ export entity Deal {
 
   # Date the deal closed (won or lost). Resolved at GHL adapter ingest
   # from Contact custom field "Date Sold" via CONTACT_LATEST_OPEN_DEAL.
-  # Append-only field — codegen serializes in declaration order, so
+  # Append-only field — the row codec serializes in declaration order, so
   # existing rows deserialize cleanly with this trailing default.
   closedDate?: DateTime
 }

package/stdlib/design/schema.nbt

@@ -136,5 +136,5 @@ entity Page {
 }
 
 # Behavior (former Design.create/save_version/get_head/list_versions actions +
-# tasks/parse.nbt @task) moved to native/runtime.jai over the generated ORM —
-# see design_register_extra_routes.
+# tasks/parse.nbt @task) moved to hand-written Jai over the generated ORM,
+# which also registers the HTTP routes.

package/stdlib/dns/schema.nbt

@@ -10,8 +10,8 @@
 #   - Future: TLS cart, custom gateway-domains cart.
 #
 # Schema only. All behavior (token verify, CF API calls, DNS record CRUD,
-# TXT verify polling) lives in native/runtime.jai as regular Jai over the
-# generated ORM — see domains_register_extra_routes.
+# TXT verify polling) lives in hand-written Jai over the generated ORM, which
+# also registers the HTTP routes.
 
 
 
@@ -21,7 +21,7 @@ entity DnsProvider {
   updatedAt: DateTime @updatedAt
   type: string               # "cloudflare"
   label: string              # user-facing name ("my CF account")
-  apiToken: string           # raw token (TODO: encrypt at rest — same status as phone cart's authToken)
+  apiToken: string           # provider API token (stored as-is)
   accountId: string          # CF account_id, needed for add_zone + registrar calls (optional)
   status: string             # "ACTIVE" | "INVALID" | "DISCONNECTED"
   lastCheckedAt: u64         # ms epoch — updated on connect + test

package/stdlib/email/schema.nbt

@@ -1,7 +1,7 @@
 # Email cartridge — transactional send + synthetic inboxes.
 #
-# Provider: SendGrid (modules/sendgrid). Nothing in the user-facing surface
-# mentions SendGrid; the cart is branded "Email".
+# Provider: SendGrid. Nothing in the user-facing surface mentions SendGrid;
+# the cart is branded "Email".
 #
 # Per-console model:
 #   - Every console auto-provisions `<console>.nbt.dev` as the default mail
@@ -13,21 +13,22 @@
 #     register with SendGrid Inbound Parse + Domain Authentication, poll
 #     until everything is green.
 #
-# Ops prerequisites (one-time, see plans/squishy-puzzling-spindle.md):
-#   - SENDGRID_API_KEY in console env.
-#   - SENDGRID_EVENT_PUBKEY in console env (base64 SPKI for event webhook verification).
+# Ops prerequisites (one-time):
+#   - Provider API key in console env.
+#   - Provider event-webhook public key in console env (base64 SPKI for event
+#     webhook signature verification).
 #   - `*.nbt.dev MX 10 mx.sendgrid.net` at zone level.
 #   - SendGrid Inbound Parse wildcard entry + per-console entries (latter are
 #     created programmatically by MailDomain.ensure_default).
 
-# Behavior (the former main.nbt actions) lives in native/runtime.jai over the
-# generated ORM — see email_register_extra_routes. These imports trigger the
-# #load of the native files into the cart module scope.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes. The import below pulls
+# the crypto module into the cart scope.
 import crypto from "crypto"
 
-# Auth policy for the hand-written routes (formerly @public actions). The
-# handlers live in native/runtime.jai; these keep the daemon's public-route
-# manifest correct so the /api/* auth gate is bypassed for SendGrid webhooks.
+# Auth policy for the hand-written routes (formerly @public actions). These
+# keep the daemon's public-route manifest correct so the /api/* auth gate is
+# bypassed for SendGrid webhooks.
 @public_route "/api/email/inbound"
 @public_route "/api/email/events"
 

package/stdlib/ingest/schema.nbt

@@ -1,7 +1,7 @@
-# Behavior (the former main.nbt actions) lives in native/runtime.jai over the
-# generated ORM — see
-# ingest_register_extra_routes. All routes stay auth-gated by the daemon
-# middleware (no @public_route), matching the pre-migration manifest.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes. All routes stay
+# auth-gated by the daemon middleware (no @public_route), matching the
+# pre-migration manifest.
 
 entity Endpoint {
   id: ulid

package/stdlib/notifications/schema.nbt

@@ -2,8 +2,8 @@
 # subscriptions. The portal owns browser permission prompts and service worker
 # registration; this cartridge owns the resulting state.
 #
-# Behavior (the former main.nbt actions) lives in native/runtime.jai as regular
-# Jai over the generated ORM — see notifications_register_extra_routes.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes.
 
 
 entity Notification {

package/stdlib/phone/schema.nbt

@@ -1,21 +1,20 @@
 # Phone cartridge — Twilio number management, SMS, click-to-call.
 #
-# Per-tenant model (see modules/twilio/module.jai for the rationale):
-#   - One master Twilio account owned by the platform (SID + auth token in
-#     env: TWILIO_MASTER_SID, TWILIO_MASTER_TOKEN).
+# Per-tenant model:
+#   - One master Twilio account owned by the platform (master SID + auth token
+#     supplied via env).
 #   - Each tenant gets a TwilioAccount row with its own subaccount SID and
 #     auth token. All per-tenant API calls authenticate as the subaccount.
 #   - Webhooks are configured to URLs under the tenant's public base
 #     (TwilioAccount.publicUrlBase), which the gateway routes back to this
 #     cart. Signature verification uses the subaccount's auth token.
 
-# Behavior (the former jai{} helper blocks + actions) lives in
-# native/runtime.jai over the generated ORM — see phone_register_extra_routes,
-# which registers the HTTP routes.
+# Behavior (the former actions) lives in hand-written Jai over the generated
+# ORM, which also registers the HTTP routes.
 
-# Auth policy for the hand-written routes (formerly @public actions). The
-# handlers live in native/runtime.jai; these keep the daemon's public-route
-# manifest correct so the /api/* auth gate is bypassed for Twilio webhooks.
+# Auth policy for the hand-written routes (formerly @public actions). These
+# keep the daemon's public-route manifest correct so the /api/* auth gate is
+# bypassed for Twilio webhooks.
 @public_route "/api/phone/webhook/sms"
 @public_route "/api/phone/webhook/status"
 
@@ -25,7 +24,7 @@ entity TwilioAccount {
   updatedAt: DateTime @updatedAt
   name: string               # operator-facing label
   subAccountSid: string      # AC... — populated by provision()
-  authToken: string          # subaccount auth token (TODO: encrypt at rest)
+  authToken: string          # subaccount auth token (stored as-is)
   publicUrlBase: string      # e.g. "https://acme.console.app"
   status: string             # PENDING | ACTIVE | SUSPENDED | CLOSED
   retentionDays: s32         # 0 = keep message bodies forever; N = null body after N days

package/stdlib/workflows/schema.nbt

@@ -1,6 +1,3 @@
-
-# Question: How do we tie in cartridge metadata and workflow side effects into all this?
-
 enum WorkerStatus {
   WAITING
   RUNNING
@@ -14,7 +11,6 @@ entity Worker {
   source: blob
   contentHash: string
   queue?: string
-  # TODO: We need some sort of termination options like a restart policy
 }
 
 # Stub — flesh out execution lifecycle fields later.

package/vendor/linux-x64/cartridges/auth/migrations/20260614000000_add_user_devtools_settings/migration.nbt

@@ -0,0 +1,4 @@
+migration add_user_devtools_settings {
+  add_field User devtoolsSettings string default("")
+  set_optional User devtoolsSettings true
+}

package/vendor/linux-x64/cartridges/auth/migrations/20260614000000_add_user_devtools_settings/schema_snapshot.nbt

@@ -0,0 +1,59 @@
+entity User {
+  name: string
+  username?: string
+  email?: string
+  emailVerified: bool
+  externalId?: string
+  capsVersion: u32
+  devtoolsSettings?: string
+  @@index([email])
+  @@index([externalId])
+  @@unique([email])
+}
+
+entity UserRole {
+  userId: string
+  cart: string
+  role: string
+  @@index([userId])
+}
+
+entity Session {
+  userId: string
+  token: string
+  expiresAt: DateTime
+  ipAddress?: string
+  userAgent?: string
+  @@index([token])
+  @@index([userId])
+}
+
+entity Account {
+  userId: string
+  providerId: string
+  password: string
+  accessToken: string
+  refreshToken: string
+  idToken: string
+  accessTokenExpiresAt: DateTime
+  refreshTokenExpiresAt: DateTime
+  scope: string
+  @@index([userId])
+}
+
+entity Verification {
+  identifier: string
+  value: string
+  expiresAt: DateTime
+  @@index([identifier])
+}
+
+entity ApiKey {
+  name: string
+  projectId: string
+  start: string
+  prefix: string
+  key: string
+  permissions: string
+  roles: string
+}

package/vendor/linux-x64/cartridges/auth/schema.nbt

@@ -1,6 +1,6 @@
 import crypto from "crypto"
 
-# Auth policy for the hand-written routes in native/runtime.jai (formerly the
+# Auth policy for the hand-written routes in modules/cart/auth.jai (formerly the
 # @public actions + the `authenticate` middleware block). These keep the
 # daemon's public-route + middleware manifest correct: public routes bypass the
 # /api/* auth gate; @middleware tells the proxy this cart exports the global
@@ -25,7 +25,8 @@ export entity User {
   email?: string
   emailVerified: bool
   externalId?: string
-  capsVersion: u32 # what is this?
+  capsVersion: u32  # capability version; bumped on every role change so cached authorizations invalidate
+  devtoolsSettings?: string  # per-operator devtools UI preferences, stored as a JSON blob
 
   @@index([email])
   @@index([externalId])
@@ -101,8 +102,8 @@ entity ApiKey {
 }
 
 # Console-operator SSH public keys. The console daemon authenticates SSH
-# connections by looking up rows here via modules/auth_lookup/ (in-process,
-# direct storage read — auth cart liveness is not required).
+# connections by reading these rows directly from storage (in-process —
+# auth cart liveness is not required).
 entity SshKey {
   id: ulid
   createdAt: DateTime @default(now())
@@ -114,29 +115,3 @@ entity SshKey {
   @@index([userId])
   @@unique([blob])
 }
-
-jai {
-find_synced_user :: (requestedId: string, email: string) -> (User, bool) {
-  if requestedId.count > 0 {
-    by_id, by_id_ok := get_user(requestedId);
-    if by_id_ok return by_id, true;
-
-    by_external := find_users_by_externalId(requestedId);
-    if by_external.count > 0 {
-      u, ok := get_user(by_external[0].id);
-      if ok return u, true;
-    }
-  }
-
-  if email.count > 0 {
-    by_email := find_users_by_email(email);
-    if by_email.count > 0 {
-      u, ok := get_user(by_email[0].id);
-      if ok return u, true;
-    }
-  }
-
-  empty: User;
-  return empty, false;
-}
-}

package/vendor/linux-x64/cartridges/calendar/schema.nbt

@@ -45,9 +45,8 @@ export entity Appointment {
 
   # Rendered embedding-template text. Persisted alongside the Appointment so
   # similarity search can score (target_text, candidate_text) pairs without
-  # re-rendering the customer's @embed template on every query. Populated at
-  # ingest by the customer's @embed binding
-  # (D09.10c). Generic surface — every customer composing similarity search
+  # re-rendering on every query. Populated at ingest by the customer's
+  # pipeline. Generic surface — every customer composing similarity search
   # over Appointments needs it; the *content* of the text is customer policy.
   embedText?: string
 

package/vendor/linux-x64/cartridges/crm/schema.nbt

@@ -77,11 +77,10 @@ export entity Deal {
   customData: document
 
   # Append-only suffix — fields below this comment must stay at the end
-  # of the entity declaration. Codegen serializes in declaration order;
+  # of the entity declaration. The row codec serializes in declaration order;
   # newly-added fields go *after* existing fields so the on-disk byte
   # layout stays forward-compatible (old records deserialize cleanly with
-  # trailing fields default-initialised). See the EOF-tolerant deserialize
-  # codegen in modules/nbt/codegen_serial.jai.
+  # trailing fields default-initialised).
 
   # D09.02 — generic lifecycle status, customer-domain. mylocalpro reacts
   # to `deal.status == "won"` to mark the source Appointment positive.
@@ -101,7 +100,7 @@ export entity Deal {
 
   # Date the deal closed (won or lost). Resolved at GHL adapter ingest
   # from Contact custom field "Date Sold" via CONTACT_LATEST_OPEN_DEAL.
-  # Append-only field — codegen serializes in declaration order, so
+  # Append-only field — the row codec serializes in declaration order, so
   # existing rows deserialize cleanly with this trailing default.
   closedDate?: DateTime
 }

package/vendor/linux-x64/cartridges/design/schema.nbt

@@ -136,5 +136,5 @@ entity Page {
 }
 
 # Behavior (former Design.create/save_version/get_head/list_versions actions +
-# tasks/parse.nbt @task) moved to native/runtime.jai over the generated ORM —
-# see design_register_extra_routes.
+# tasks/parse.nbt @task) moved to hand-written Jai over the generated ORM,
+# which also registers the HTTP routes.

package/vendor/linux-x64/cartridges/dns/schema.nbt

@@ -10,8 +10,8 @@
 #   - Future: TLS cart, custom gateway-domains cart.
 #
 # Schema only. All behavior (token verify, CF API calls, DNS record CRUD,
-# TXT verify polling) lives in native/runtime.jai as regular Jai over the
-# generated ORM — see domains_register_extra_routes.
+# TXT verify polling) lives in hand-written Jai over the generated ORM, which
+# also registers the HTTP routes.
 
 
 
@@ -21,7 +21,7 @@ entity DnsProvider {
   updatedAt: DateTime @updatedAt
   type: string               # "cloudflare"
   label: string              # user-facing name ("my CF account")
-  apiToken: string           # raw token (TODO: encrypt at rest — same status as phone cart's authToken)
+  apiToken: string           # provider API token (stored as-is)
   accountId: string          # CF account_id, needed for add_zone + registrar calls (optional)
   status: string             # "ACTIVE" | "INVALID" | "DISCONNECTED"
   lastCheckedAt: u64         # ms epoch — updated on connect + test

package/vendor/linux-x64/cartridges/email/schema.nbt

@@ -1,7 +1,7 @@
 # Email cartridge — transactional send + synthetic inboxes.
 #
-# Provider: SendGrid (modules/sendgrid). Nothing in the user-facing surface
-# mentions SendGrid; the cart is branded "Email".
+# Provider: SendGrid. Nothing in the user-facing surface mentions SendGrid;
+# the cart is branded "Email".
 #
 # Per-console model:
 #   - Every console auto-provisions `<console>.nbt.dev` as the default mail
@@ -13,21 +13,22 @@
 #     register with SendGrid Inbound Parse + Domain Authentication, poll
 #     until everything is green.
 #
-# Ops prerequisites (one-time, see plans/squishy-puzzling-spindle.md):
-#   - SENDGRID_API_KEY in console env.
-#   - SENDGRID_EVENT_PUBKEY in console env (base64 SPKI for event webhook verification).
+# Ops prerequisites (one-time):
+#   - Provider API key in console env.
+#   - Provider event-webhook public key in console env (base64 SPKI for event
+#     webhook signature verification).
 #   - `*.nbt.dev MX 10 mx.sendgrid.net` at zone level.
 #   - SendGrid Inbound Parse wildcard entry + per-console entries (latter are
 #     created programmatically by MailDomain.ensure_default).
 
-# Behavior (the former main.nbt actions) lives in native/runtime.jai over the
-# generated ORM — see email_register_extra_routes. These imports trigger the
-# #load of the native files into the cart module scope.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes. The import below pulls
+# the crypto module into the cart scope.
 import crypto from "crypto"
 
-# Auth policy for the hand-written routes (formerly @public actions). The
-# handlers live in native/runtime.jai; these keep the daemon's public-route
-# manifest correct so the /api/* auth gate is bypassed for SendGrid webhooks.
+# Auth policy for the hand-written routes (formerly @public actions). These
+# keep the daemon's public-route manifest correct so the /api/* auth gate is
+# bypassed for SendGrid webhooks.
 @public_route "/api/email/inbound"
 @public_route "/api/email/events"
 

package/vendor/linux-x64/cartridges/ingest/schema.nbt

@@ -1,7 +1,7 @@
-# Behavior (the former main.nbt actions) lives in native/runtime.jai over the
-# generated ORM — see
-# ingest_register_extra_routes. All routes stay auth-gated by the daemon
-# middleware (no @public_route), matching the pre-migration manifest.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes. All routes stay
+# auth-gated by the daemon middleware (no @public_route), matching the
+# pre-migration manifest.
 
 entity Endpoint {
   id: ulid

package/vendor/linux-x64/cartridges/notifications/schema.nbt

@@ -2,8 +2,8 @@
 # subscriptions. The portal owns browser permission prompts and service worker
 # registration; this cartridge owns the resulting state.
 #
-# Behavior (the former main.nbt actions) lives in native/runtime.jai as regular
-# Jai over the generated ORM — see notifications_register_extra_routes.
+# Behavior (the former main.nbt actions) lives in hand-written Jai over the
+# generated ORM, which also registers the HTTP routes.
 
 
 entity Notification {

package/vendor/linux-x64/cartridges/phone/schema.nbt

@@ -1,21 +1,20 @@
 # Phone cartridge — Twilio number management, SMS, click-to-call.
 #
-# Per-tenant model (see modules/twilio/module.jai for the rationale):
-#   - One master Twilio account owned by the platform (SID + auth token in
-#     env: TWILIO_MASTER_SID, TWILIO_MASTER_TOKEN).
+# Per-tenant model:
+#   - One master Twilio account owned by the platform (master SID + auth token
+#     supplied via env).
 #   - Each tenant gets a TwilioAccount row with its own subaccount SID and
 #     auth token. All per-tenant API calls authenticate as the subaccount.
 #   - Webhooks are configured to URLs under the tenant's public base
 #     (TwilioAccount.publicUrlBase), which the gateway routes back to this
 #     cart. Signature verification uses the subaccount's auth token.
 
-# Behavior (the former jai{} helper blocks + actions) lives in
-# native/runtime.jai over the generated ORM — see phone_register_extra_routes,
-# which registers the HTTP routes.
+# Behavior (the former actions) lives in hand-written Jai over the generated
+# ORM, which also registers the HTTP routes.
 
-# Auth policy for the hand-written routes (formerly @public actions). The
-# handlers live in native/runtime.jai; these keep the daemon's public-route
-# manifest correct so the /api/* auth gate is bypassed for Twilio webhooks.
+# Auth policy for the hand-written routes (formerly @public actions). These
+# keep the daemon's public-route manifest correct so the /api/* auth gate is
+# bypassed for Twilio webhooks.
 @public_route "/api/phone/webhook/sms"
 @public_route "/api/phone/webhook/status"
 
@@ -25,7 +24,7 @@ entity TwilioAccount {
   updatedAt: DateTime @updatedAt
   name: string               # operator-facing label
   subAccountSid: string      # AC... — populated by provision()
-  authToken: string          # subaccount auth token (TODO: encrypt at rest)
+  authToken: string          # subaccount auth token (stored as-is)
   publicUrlBase: string      # e.g. "https://acme.console.app"
   status: string             # PENDING | ACTIVE | SUSPENDED | CLOSED
   retentionDays: s32         # 0 = keep message bodies forever; N = null body after N days

package/vendor/linux-x64/cartridges/workflows/schema.nbt

@@ -1,6 +1,3 @@
-
-# Question: How do we tie in cartridge metadata and workflow side effects into all this?
-
 enum WorkerStatus {
   WAITING
   RUNNING
@@ -14,7 +11,6 @@ entity Worker {
   source: blob
   contentHash: string
   queue?: string
-  # TODO: We need some sort of termination options like a restart policy
 }
 
 # Stub — flesh out execution lifecycle fields later.