@nsxbet/admin-sdk 0.7.1 → 0.8.1

package/dist/auth/client/in-memory.js

@@ -5,6 +5,7 @@
  * Users can be selected from a predefined list or created custom.
  */
 import { fetchGatewayToken } from './gateway-token';
+import { env } from '../../env';
 export { GatewayTimeoutError, GatewayFetchError } from './gateway-token';
 /**
  * Create mock users from a role configuration
@@ -71,10 +72,9 @@ const DEFAULT_STORAGE_KEY = '@nsxbet/auth';
 export function createInMemoryAuthClient(options) {
     const { users, storageKey = DEFAULT_STORAGE_KEY, tokenTimeout = 5000 } = options;
     const predefinedUsers = users;
-    // Resolve gatewayUrl: explicit option → env var → null (disabled)
     const resolvedGatewayUrl = options.gatewayUrl !== undefined
         ? options.gatewayUrl ?? null
-        : (typeof import.meta !== 'undefined' && import.meta.env?.VITE_ADMIN_GATEWAY_URL) || null;
+        : (env.adminGatewayUrl ?? null);
     // State
     let selectedUser = null;
     let tokenCache = null;

package/dist/auth/client/index.d.ts

@@ -3,4 +3,4 @@
  */
 export type { AuthClient, InMemoryAuthClient, MockUser, AuthState, AuthStateCallback, } from './interface';
 export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, type InMemoryAuthClientOptions, type MockUserRoles, } from './in-memory';
-export { createKeycloakAuthClient, type KeycloakAuthClientOptions, } from './keycloak';
+export { createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, type BffAuthClient, type BffAuthClientOptions, type BffMeResponse, } from './bff';

package/dist/auth/client/index.js

@@ -3,5 +3,5 @@
  */
 // In-memory client
 export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, } from './in-memory';
-// Keycloak client
-export { createKeycloakAuthClient, } from './keycloak';
+// BFF / Okta cookie auth
+export { createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, } from './bff';

package/dist/auth/client/interface.d.ts

@@ -2,7 +2,7 @@
  * Auth Client Interface
  *
  * Defines the interface for authentication operations.
- * Can be implemented by in-memory (mock) or Keycloak clients.
+ * Can be implemented by in-memory (mock) or BFF cookie auth.
  */
 import type { User } from '../../types/platform';
 /**
@@ -54,7 +54,7 @@ export interface AuthClient {
     /**
      * Client type identifier
      */
-    readonly type: 'in-memory' | 'keycloak';
+    readonly type: 'in-memory' | 'bff';
     /**
      * Initialize the auth client
      * @returns true if user is authenticated, false if login/selection is needed
@@ -69,9 +69,9 @@ export interface AuthClient {
      */
     getUser(): User | null;
     /**
-     * Get access token for API calls
+     * Get access token for API calls. BFF cookie auth returns `null` (HttpOnly cookie — use credentialed fetch).
      */
-    getAccessToken(): Promise<string>;
+    getAccessToken(): Promise<string | null>;
     /**
      * Check if user has a specific permission/role
      */

package/dist/auth/client/interface.js

@@ -2,6 +2,6 @@
  * Auth Client Interface
  *
  * Defines the interface for authentication operations.
- * Can be implemented by in-memory (mock) or Keycloak clients.
+ * Can be implemented by in-memory (mock) or BFF cookie auth.
  */
 export {};

package/dist/auth/components/LoginPage.d.ts

@@ -0,0 +1,8 @@
+/**
+ * BFF login landing — explicit user action starts OAuth (avoids IdP silent re-login after logout).
+ */
+export interface LoginPageProps {
+    /** Base URL of admin-bff (no trailing slash). */
+    bffBaseUrl: string;
+}
+export declare function LoginPage({ bffBaseUrl }: LoginPageProps): import("react/jsx-runtime").JSX.Element;

package/dist/auth/components/LoginPage.js

@@ -0,0 +1,32 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * BFF login landing — explicit user action starts OAuth (avoids IdP silent re-login after logout).
+ */
+import { useState, useCallback } from 'react';
+import { useTranslation } from 'react-i18next';
+import { ShieldCheck, LogIn, Check, Globe } from 'lucide-react';
+import { Button, DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger, } from '@nsxbet/admin-ui';
+import { clearLoggedOutFlag } from '../client/bff';
+import { SUPPORTED_LOCALES, DEFAULT_LOCALE, LOCALE_FLAGS, LOCALE_NAMES, saveLocale, } from '../../i18n/config';
+function normalizeBaseUrl(url) {
+    return url.replace(/\/+$/, '');
+}
+function NsxLogo() {
+    return (_jsx("div", { className: "inline-flex items-center justify-center w-[72px] h-[72px] rounded-2xl bg-primary text-primary-foreground shadow-lg shadow-primary/25", children: _jsx("span", { className: "text-2xl font-bold tracking-tighter select-none", "aria-hidden": true, children: "NSX" }) }));
+}
+export function LoginPage({ bffBaseUrl }) {
+    const base = normalizeBaseUrl(bffBaseUrl);
+    const { t, i18n } = useTranslation('shell');
+    const [locale, setLocale] = useState(i18n.language || DEFAULT_LOCALE);
+    const handleLocaleChange = useCallback((newLocale) => {
+        setLocale(newLocale);
+        i18n.changeLanguage(newLocale);
+        saveLocale(newLocale);
+    }, [i18n]);
+    const handleLogin = () => {
+        clearLoggedOutFlag();
+        const redirect = encodeURIComponent(window.location.origin);
+        window.location.assign(`${base}/auth/login?redirect_url=${redirect}`);
+    };
+    return (_jsxs("div", { className: "min-h-screen bg-muted/40 text-foreground flex flex-col", children: [_jsx("div", { className: "flex items-center justify-end px-4 py-3", children: _jsxs(DropdownMenu, { children: [_jsxs(DropdownMenuTrigger, { className: "flex items-center gap-1.5 rounded-md border border-border bg-background px-2.5 py-1.5 text-sm text-muted-foreground transition-colors hover:text-foreground focus:outline-none", "data-testid": "login-language-selector", children: [_jsx(Globe, { className: "h-4 w-4" }), _jsx("span", { children: LOCALE_FLAGS[locale] })] }), _jsx(DropdownMenuContent, { align: "end", className: "z-[101] min-w-[180px]", children: SUPPORTED_LOCALES.map((opt) => (_jsxs(DropdownMenuItem, { onClick: () => handleLocaleChange(opt), className: "flex items-center justify-between", children: [_jsxs("div", { className: "flex items-center", children: [_jsx("span", { className: "mr-2 text-lg", children: LOCALE_FLAGS[opt] }), _jsx("span", { children: LOCALE_NAMES[opt] })] }), locale === opt && _jsx(Check, { className: "h-4 w-4 text-primary" })] }, opt))) })] }) }), _jsx("div", { className: "flex flex-1 items-center justify-center px-4 pb-14", children: _jsxs("div", { className: "w-full max-w-[420px] flex flex-col items-center text-center gap-8", children: [_jsx(NsxLogo, {}), _jsxs("div", { className: "space-y-1.5", children: [_jsxs("h1", { className: "text-2xl font-semibold tracking-tight", children: [t('loginPage.welcomeTo'), ' ', _jsx("span", { className: "text-primary", children: t('loginPage.brandName') })] }), _jsx("p", { className: "text-muted-foreground text-[15px]", children: t('loginPage.subtitle') })] }), _jsxs("div", { className: "w-full flex flex-col gap-3", children: [_jsxs(Button, { type: "button", size: "lg", className: "w-full h-12 text-[15px] gap-2.5 font-medium", onClick: handleLogin, children: [_jsx(LogIn, { className: "h-[18px] w-[18px]", "aria-hidden": true }), t('loginPage.loginButton')] }), _jsxs("div", { className: "w-full flex items-center justify-center gap-2 rounded-lg border border-border bg-background py-2.5 px-4 text-sm text-muted-foreground", children: [_jsx(ShieldCheck, { className: "h-4 w-4 text-muted-foreground/70 shrink-0", "aria-hidden": true }), t('loginPage.secureAuth')] })] })] }) })] }));
+}

package/dist/auth/components/UserSelector.js

@@ -67,7 +67,7 @@ function UserCard({ user, isCustom, onClick, onDelete, }) {
             onDelete();
         }
     };
-    return (_jsxs("div", { className: "relative group", children: [_jsx("button", { onClick: onClick, className: "w-full p-4 rounded-xl border border-border bg-card hover:bg-muted/50 hover:border-muted-foreground/30 transition-all duration-200 text-left", children: _jsxs("div", { className: "flex items-start gap-4", children: [_jsx("div", { className: "flex-shrink-0", children: icon }), _jsxs("div", { className: "flex-1 min-w-0", children: [_jsxs("div", { className: "flex items-center gap-2", children: [_jsx("h3", { className: "font-semibold text-foreground group-hover:text-foreground transition-colors", children: user.displayName }), isCustom && (_jsx("span", { className: "text-xs px-1.5 py-0.5 rounded bg-primary/20 text-primary border border-primary/30", children: "custom" }))] }), _jsx("p", { className: "text-sm text-muted-foreground truncate", children: user.email }), _jsxs("div", { className: "flex flex-wrap gap-1.5 mt-2", children: [user.roles.length === 0 ? (_jsx("span", { className: "text-xs px-2 py-0.5 rounded-full border bg-destructive/20 text-destructive border-destructive/30", children: "no roles" })) : (user.roles.slice(0, 4).map((role) => (_jsx("span", { className: `text-xs px-2 py-0.5 rounded-full border ${getRoleBadgeColor(role)}`, children: role }, role)))), user.roles.length > 4 && (_jsxs("span", { className: "text-xs px-2 py-0.5 rounded-full border bg-muted text-muted-foreground border-border", children: ["+", user.roles.length - 4, " more"] }))] })] }), _jsx("div", { className: "text-muted-foreground group-hover:text-foreground transition-colors", children: _jsx(ChevronRight, { className: "h-5 w-5" }) })] }) }), isCustom && onDelete && (_jsx("button", { onClick: handleDelete, className: "absolute top-2 right-2 p-1.5 rounded-lg bg-destructive/10 text-destructive opacity-0 group-hover:opacity-100 hover:bg-destructive/20 transition-all", title: "Delete user", children: _jsx(Trash2, { className: "h-4 w-4" }) }))] }));
+    return (_jsxs("div", { className: "relative group", children: [_jsx("button", { type: "button", "data-testid": `user-${user.id}`, onClick: onClick, className: "w-full p-4 rounded-xl border border-border bg-card hover:bg-muted/50 hover:border-muted-foreground/30 transition-all duration-200 text-left", children: _jsxs("div", { className: "flex items-start gap-4", children: [_jsx("div", { className: "flex-shrink-0", children: icon }), _jsxs("div", { className: "flex-1 min-w-0", children: [_jsxs("div", { className: "flex items-center gap-2", children: [_jsx("h3", { className: "font-semibold text-foreground group-hover:text-foreground transition-colors", children: user.displayName }), isCustom && (_jsx("span", { className: "text-xs px-1.5 py-0.5 rounded bg-primary/20 text-primary border border-primary/30", children: "custom" }))] }), _jsx("p", { className: "text-sm text-muted-foreground truncate", children: user.email }), _jsxs("div", { className: "flex flex-wrap gap-1.5 mt-2", children: [user.roles.length === 0 ? (_jsx("span", { className: "text-xs px-2 py-0.5 rounded-full border bg-destructive/20 text-destructive border-destructive/30", children: "no roles" })) : (user.roles.slice(0, 4).map((role) => (_jsx("span", { className: `text-xs px-2 py-0.5 rounded-full border ${getRoleBadgeColor(role)}`, children: role }, role)))), user.roles.length > 4 && (_jsxs("span", { className: "text-xs px-2 py-0.5 rounded-full border bg-muted text-muted-foreground border-border", children: ["+", user.roles.length - 4, " more"] }))] })] }), _jsx("div", { className: "text-muted-foreground group-hover:text-foreground transition-colors", children: _jsx(ChevronRight, { className: "h-5 w-5" }) })] }) }), isCustom && onDelete && (_jsx("button", { onClick: handleDelete, className: "absolute top-2 right-2 p-1.5 rounded-lg bg-destructive/10 text-destructive opacity-0 group-hover:opacity-100 hover:bg-destructive/20 transition-all", title: "Delete user", children: _jsx(Trash2, { className: "h-4 w-4" }) }))] }));
 }
 /**
  * Custom User Form Component
@@ -214,7 +214,7 @@ export function UserSelector({ authClient, onUserSelected }) {
     if (loginState.status === 'timeout') {
         return (_jsx(LoginTimeoutScreen, { gatewayUrl: authClient.gatewayUrl, isLovable: isLovable, onRetry: handleRetry, onFallback: handleFallbackToMock, onBack: handleBack, retrying: false }));
     }
-    return (_jsx("div", { className: "min-h-screen bg-background flex items-center justify-center p-4", children: _jsxs("div", { className: "w-full max-w-md", children: [_jsxs("div", { className: "text-center mb-8", children: [_jsx("div", { className: "inline-flex items-center justify-center w-16 h-16 rounded-2xl bg-primary mb-4 shadow-lg shadow-primary/25", children: _jsx(Users, { className: "h-8 w-8 text-primary-foreground" }) }), _jsx("h1", { className: "text-2xl font-bold text-foreground mb-2", children: "Select User" }), _jsx("p", { className: "text-muted-foreground", children: "Choose a mock user to continue in development mode" })] }), _jsx("div", { className: "space-y-3 mb-6", children: users.map((user) => {
+    return (_jsx("div", { className: "min-h-screen bg-background flex items-center justify-center p-4", "data-testid": "user-selector", children: _jsxs("div", { className: "w-full max-w-md", children: [_jsxs("div", { className: "text-center mb-8", children: [_jsx("div", { className: "inline-flex items-center justify-center w-16 h-16 rounded-2xl bg-primary mb-4 shadow-lg shadow-primary/25", children: _jsx(Users, { className: "h-8 w-8 text-primary-foreground" }) }), _jsx("h1", { className: "text-2xl font-bold text-foreground mb-2", children: "Select User" }), _jsx("p", { className: "text-muted-foreground", children: "Choose a mock user to continue in development mode" })] }), _jsx("div", { className: "space-y-3 mb-6", children: users.map((user) => {
                         const isCustom = authClient.isCustomUser(user.id);
                         return (_jsx(UserCard, { user: user, isCustom: isCustom, onClick: () => handleSelectUser(user.id), onDelete: isCustom ? () => handleDeleteUser(user.id) : undefined }, user.id));
                     }) }), _jsxs("div", { className: "relative my-6", children: [_jsx("div", { className: "absolute inset-0 flex items-center", children: _jsx("div", { className: "w-full border-t border-border" }) }), _jsx("div", { className: "relative flex justify-center text-sm", children: _jsx("span", { className: "px-3 bg-background text-muted-foreground", children: "or" }) })] }), showCustomForm ? (_jsx(CustomUserForm, { onSubmit: handleCreateCustomUser, onCancel: () => setShowCustomForm(false) })) : (_jsxs("button", { onClick: () => setShowCustomForm(true), className: "w-full p-4 rounded-xl border border-dashed border-border text-muted-foreground hover:text-foreground hover:border-muted-foreground transition-colors flex items-center justify-center gap-2", children: [_jsx(Plus, { className: "h-5 w-5" }), "Create Custom User"] })), _jsxs("p", { className: "text-center text-xs text-muted-foreground mt-8 flex items-center justify-center gap-1", children: [_jsx(Wrench, { className: "h-3 w-3" }), "Development Mode \u2022 Data stored in localStorage"] })] }) }));

package/dist/auth/components/index.d.ts

@@ -2,3 +2,5 @@
  * Auth components exports
  */
 export { UserSelector } from './UserSelector';
+export { LoginPage } from './LoginPage';
+export type { LoginPageProps } from './LoginPage';

package/dist/auth/components/index.js

@@ -2,3 +2,4 @@
  * Auth components exports
  */
 export { UserSelector } from './UserSelector';
+export { LoginPage } from './LoginPage';

package/dist/auth/index.d.ts

@@ -2,5 +2,6 @@
  * Authentication module exports
  */
 export type { AuthClient, InMemoryAuthClient, MockUser, AuthState, AuthStateCallback, } from './client';
-export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createKeycloakAuthClient, type InMemoryAuthClientOptions, type MockUserRoles, type KeycloakAuthClientOptions, } from './client';
-export { UserSelector } from './components';
+export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, type InMemoryAuthClientOptions, type MockUserRoles, type BffAuthClient, type BffAuthClientOptions, type BffMeResponse, } from './client';
+export { UserSelector, LoginPage } from './components';
+export type { LoginPageProps } from './components';

package/dist/auth/index.js

@@ -2,6 +2,6 @@
  * Authentication module exports
  */
 // Auth client factories
-export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createKeycloakAuthClient, } from './client';
+export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, } from './client';
 // Auth components
-export { UserSelector } from './components';
+export { UserSelector, LoginPage } from './components';

package/dist/components/AuthProvider.d.ts

@@ -1,7 +1,7 @@
 /**
  * AuthProvider - Manages authentication state using AuthClient
  *
- * Works with both in-memory (mock) and Keycloak auth clients.
+ * Works with both in-memory (mock) and BFF cookie auth clients.
  * Shows user selection screen when in-memory client has no selected user.
  */
 import React from 'react';
@@ -15,8 +15,8 @@ interface AuthContextValue {
     isAuthenticated: boolean;
     /** Current user (null if not authenticated) */
     user: User | null;
-    /** Get access token for API calls */
-    getAccessToken: () => Promise<string>;
+    /** Get access token for API calls (null for BFF HttpOnly cookie auth) */
+    getAccessToken: () => Promise<string | null>;
     /** Check if user has a permission */
     hasPermission: (permission: string) => boolean;
     /** Log out current user */

package/dist/components/AuthProvider.js

@@ -1,13 +1,15 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
 /**
  * AuthProvider - Manages authentication state using AuthClient
  *
- * Works with both in-memory (mock) and Keycloak auth clients.
+ * Works with both in-memory (mock) and BFF cookie auth clients.
  * Shows user selection screen when in-memory client has no selected user.
  */
 import { createContext, useContext, useEffect, useState, useCallback, useMemo } from 'react';
 import { useCallbackRef } from '../hooks/useCallbackRef';
+import { isLoggedOutFlag } from '../auth/client/bff';
 import { UserSelector } from '../auth/components/UserSelector';
+import { LoginPage } from '../auth/components/LoginPage';
 const AuthContext = createContext(null);
 /**
  * Loading screen component - uses Brasa Design System tokens
@@ -23,8 +25,10 @@ export function AuthProvider({ children, authClient }) {
         isAuthenticated: false,
         user: null,
     });
-    const [isInitializing, setIsInitializing] = useState(true);
+    const bffLoggedOut = authClient.type === 'bff' && isLoggedOutFlag();
+    const [isInitializing, setIsInitializing] = useState(!bffLoggedOut);
     const [needsUserSelection, setNeedsUserSelection] = useState(false);
+    const [needsLogin, setNeedsLogin] = useState(bffLoggedOut);
     // Initialize auth client
     useEffect(() => {
         let mounted = true;
@@ -39,15 +43,22 @@ export function AuthProvider({ children, authClient }) {
                         user: authClient.getUser(),
                     });
                     setNeedsUserSelection(false);
+                    setNeedsLogin(false);
                 }
                 else if (authClient.type === 'in-memory') {
-                    // In-memory client needs user selection
                     setNeedsUserSelection(true);
+                    setNeedsLogin(false);
+                }
+                else if (authClient.type === 'bff') {
+                    setNeedsLogin(true);
+                    setNeedsUserSelection(false);
                 }
-                // Keycloak will redirect to login page, so we don't need to handle it here
             }
             catch (error) {
                 console.error('[AuthProvider] Initialization failed:', error);
+                if (authClient.type === 'bff') {
+                    setNeedsLogin(true);
+                }
             }
             finally {
                 if (mounted) {
@@ -62,9 +73,15 @@ export function AuthProvider({ children, authClient }) {
                 setAuthState(state);
                 if (!state.isAuthenticated && authClient.type === 'in-memory') {
                     setNeedsUserSelection(true);
+                    setNeedsLogin(false);
+                }
+                else if (!state.isAuthenticated && authClient.type === 'bff') {
+                    setNeedsLogin(true);
+                    setNeedsUserSelection(false);
                 }
                 else {
                     setNeedsUserSelection(false);
+                    setNeedsLogin(false);
                 }
             }
         });
@@ -96,11 +113,9 @@ export function AuthProvider({ children, authClient }) {
     if (isInitializing) {
         return _jsx(LoadingScreen, {});
     }
-    // Show user selector for in-memory auth when no user selected
-    if (needsUserSelection && authClient.type === 'in-memory') {
-        return (_jsx(UserSelector, { authClient: authClient, onUserSelected: handleUserSelected }));
-    }
-    return (_jsx(AuthContext.Provider, { value: contextValue, children: children }));
+    const bffLoginOverlay = needsLogin && authClient.type === 'bff' ? (_jsx("div", { className: "fixed inset-0 z-[100] bg-background", "data-testid": "bff-login-overlay", children: _jsx(LoginPage, { bffBaseUrl: authClient.bffBaseUrl }) })) : null;
+    const content = needsUserSelection && authClient.type === 'in-memory' ? (_jsx(UserSelector, { authClient: authClient, onUserSelected: handleUserSelected })) : (_jsxs(_Fragment, { children: [bffLoginOverlay, children] }));
+    return _jsx(AuthContext.Provider, { value: contextValue, children: content });
 }
 /**
  * Hook to access auth context

package/dist/env.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Runtime environment from `window.__ENV__` (set by `/env.js` from the shell or adminModule() dev server).
+ */
+declare global {
+    interface Window {
+        __ENV__?: Record<string, string | undefined>;
+    }
+}
+export interface EnvConfig {
+    /** Validated absolute URL, or `undefined` if missing/invalid */
+    adminGatewayUrl: string | undefined;
+    mockAuth: boolean;
+    environment: string;
+    /** Parsed from `REGISTRY_POLL_INTERVAL` in `window.__ENV__`, or `undefined` if missing/invalid */
+    registryPollInterval: number | undefined;
+}
+export declare const env: EnvConfig;

package/dist/env.js

@@ -0,0 +1,50 @@
+/**
+ * Runtime environment from `window.__ENV__` (set by `/env.js` from the shell or adminModule() dev server).
+ */
+function isValidUrl(value) {
+    try {
+        new URL(value);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function parseEnv() {
+    const raw = (typeof window !== "undefined" && window.__ENV__) || {};
+    let adminGatewayUrl;
+    if (typeof raw.ADMIN_GATEWAY_URL === "string" && raw.ADMIN_GATEWAY_URL) {
+        if (isValidUrl(raw.ADMIN_GATEWAY_URL)) {
+            adminGatewayUrl = raw.ADMIN_GATEWAY_URL;
+        }
+        else {
+            console.warn("[env] ADMIN_GATEWAY_URL is not a valid URL:", raw.ADMIN_GATEWAY_URL);
+        }
+    }
+    const mockAuthRaw = raw.MOCK_AUTH;
+    if (mockAuthRaw !== undefined &&
+        mockAuthRaw !== "true" &&
+        mockAuthRaw !== "false") {
+        console.warn('[env] MOCK_AUTH must be "true" or "false", got:', mockAuthRaw);
+    }
+    let registryPollInterval;
+    const rawPoll = raw.REGISTRY_POLL_INTERVAL;
+    if (rawPoll !== undefined && rawPoll !== null && rawPoll !== "") {
+        const parsed = Number(rawPoll);
+        if (!Number.isNaN(parsed)) {
+            registryPollInterval = parsed;
+        }
+        else {
+            console.warn("[env] REGISTRY_POLL_INTERVAL must be a number, got:", rawPoll);
+        }
+    }
+    return {
+        adminGatewayUrl,
+        mockAuth: mockAuthRaw === "true",
+        environment: typeof raw.ENVIRONMENT === "string" && raw.ENVIRONMENT
+            ? raw.ENVIRONMENT
+            : "local",
+        registryPollInterval,
+    };
+}
+export const env = parseEnv();

package/dist/hooks/useAuth.d.ts

@@ -3,8 +3,8 @@ import type { User } from '../types/platform';
  * Authentication methods available in all modes
  */
 export interface UseAuthResult {
-    /** Get the current access token */
-    getAccessToken: () => Promise<string>;
+    /** Get the current access token. Null when using BFF HttpOnly cookie auth. */
+    getAccessToken: () => Promise<string | null>;
     /** Check if user has a specific permission */
     hasPermission: (permission: string) => boolean;
     /** Get current user information */
@@ -15,6 +15,6 @@ export interface UseAuthResult {
 /**
  * useAuth provides authentication methods that work seamlessly across:
  * - Shell mode (using platform API)
- * - Standalone mode with AuthClient (Keycloak or in-memory)
+ * - Standalone mode with AuthClient (BFF cookie or in-memory)
  */
 export declare function useAuth(): UseAuthResult;

package/dist/hooks/useAuth.js

@@ -8,7 +8,7 @@ import { useOptionalAuthContext } from '../components/AuthProvider';
 /**
  * useAuth provides authentication methods that work seamlessly across:
  * - Shell mode (using platform API)
- * - Standalone mode with AuthClient (Keycloak or in-memory)
+ * - Standalone mode with AuthClient (BFF cookie or in-memory)
  */
 export function useAuth() {
     const { isShellMode, api } = usePlatformAPI();

package/dist/hooks/useFetch.js

@@ -18,8 +18,13 @@ export function useFetch() {
             // In shell mode, use platform fetch (handles auth automatically)
             return api.fetch(input, init);
         }
-        // In standalone mode, add auth header manually
         const token = await getAccessToken();
+        if (token === null) {
+            return fetch(input, {
+                ...init,
+                credentials: 'include',
+            });
+        }
         return fetch(input, {
             ...init,
             headers: {

package/dist/hooks/useI18n.js

@@ -4,7 +4,7 @@
 import { useEffect, useState, useCallback } from 'react';
 import { useTranslation } from 'react-i18next';
 import { usePlatformAPI } from './usePlatformAPI';
-import { saveLocale, isSupportedLocale, i18n } from '../i18n';
+import { saveLocale, isSupportedLocale, i18n, DEFAULT_LOCALE } from '../i18n';
 /**
  * useI18n provides internationalization methods and translation access
  *
@@ -37,7 +37,7 @@ import { saveLocale, isSupportedLocale, i18n } from '../i18n';
  */
 export function useI18n(namespace) {
     const { isShellMode, api } = usePlatformAPI();
-    const [standaloneLocale, setStandaloneLocale] = useState(i18n.language || 'pt-BR');
+    const [standaloneLocale, setStandaloneLocale] = useState(i18n.language || DEFAULT_LOCALE);
     // Use react-i18next's useTranslation for reactive updates
     const { t, i18n: i18nInstance } = useTranslation(namespace || 'shell');
     // Subscribe to platform locale changes in shell mode

package/dist/i18n/config.d.ts

@@ -4,8 +4,9 @@
  * Supports: Portuguese (Brazil), Spanish, English (US), Romanian
  */
 import i18n from 'i18next';
-export declare const SUPPORTED_LOCALES: readonly ["pt-BR", "es", "en-US", "ro"];
+export declare const SUPPORTED_LOCALES: readonly ["en-US", "pt-BR", "es", "ro"];
 export type SupportedLocale = (typeof SUPPORTED_LOCALES)[number];
+export declare const DEFAULT_LOCALE: SupportedLocale;
 /**
  * Localized string value - one string per supported locale.
  * Used for manifest title, description, and command titles.

package/dist/i18n/config.js

@@ -9,7 +9,8 @@ import ptBR from './locales/pt-BR.json';
 import es from './locales/es.json';
 import enUS from './locales/en-US.json';
 import ro from './locales/ro.json';
-export const SUPPORTED_LOCALES = ['pt-BR', 'es', 'en-US', 'ro'];
+export const SUPPORTED_LOCALES = ['en-US', 'pt-BR', 'es', 'ro'];
+export const DEFAULT_LOCALE = 'en-US';
 /**
  * Resolves a localized string for the given locale.
  * Falls back to en-US if the locale is missing.
@@ -69,12 +70,12 @@ export function registerModuleTranslations(namespace, translations) {
  */
 function getSavedLocale() {
     if (typeof window === 'undefined')
-        return 'pt-BR';
+        return DEFAULT_LOCALE;
     const saved = localStorage.getItem(STORAGE_KEY);
     if (saved && SUPPORTED_LOCALES.includes(saved)) {
         return saved;
     }
-    return 'pt-BR';
+    return DEFAULT_LOCALE;
 }
 /**
  * Save locale to localStorage

package/dist/i18n/index.d.ts

@@ -1,5 +1,5 @@
 /**
  * i18n module exports
  */
-export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, LOCALE_FLAGS, LOCALE_NAMES, } from './config';
+export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, DEFAULT_LOCALE, LOCALE_FLAGS, LOCALE_NAMES, } from './config';
 export type { SupportedLocale, LocalizedField } from './config';

package/dist/i18n/index.js

@@ -1,4 +1,4 @@
 /**
  * i18n module exports
  */
-export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, LOCALE_FLAGS, LOCALE_NAMES, } from './config';
+export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, DEFAULT_LOCALE, LOCALE_FLAGS, LOCALE_NAMES, } from './config';

package/dist/i18n/locales/en-US.json

@@ -212,6 +212,13 @@
         "baseUrl": "Base URL",
         "id": "ID"
     },
+    "loginPage": {
+        "welcomeTo": "Welcome to",
+        "brandName": "NSXBet Admin",
+        "subtitle": "Administration Platform",
+        "loginButton": "Login with Corporate SSO",
+        "secureAuth": "Secure Authentication"
+    },
     "breadcrumbs": {
         "home": "Home",
         "registry": "Registry",

package/dist/i18n/locales/es.json

@@ -212,6 +212,13 @@
         "baseUrl": "URL Base",
         "id": "ID"
     },
+    "loginPage": {
+        "welcomeTo": "Bienvenido a",
+        "brandName": "NSXBet Admin",
+        "subtitle": "Plataforma de Administración",
+        "loginButton": "Iniciar sesión con SSO Corporativo",
+        "secureAuth": "Autenticación Segura"
+    },
     "breadcrumbs": {
         "home": "Inicio",
         "registry": "Registro",

package/dist/i18n/locales/pt-BR.json

@@ -212,6 +212,13 @@
         "baseUrl": "URL Base",
         "id": "ID"
     },
+    "loginPage": {
+        "welcomeTo": "Bem-vindo ao",
+        "brandName": "NSXBet Admin",
+        "subtitle": "Plataforma de Administração",
+        "loginButton": "Entrar com SSO Corporativo",
+        "secureAuth": "Autenticação Segura"
+    },
     "breadcrumbs": {
         "home": "Início",
         "registry": "Registro",

package/dist/i18n/locales/ro.json

@@ -212,6 +212,13 @@
         "baseUrl": "URL Bază",
         "id": "ID"
     },
+    "loginPage": {
+        "welcomeTo": "Bine ai venit la",
+        "brandName": "NSXBet Admin",
+        "subtitle": "Platformă de Administrare",
+        "loginButton": "Autentificare cu SSO Corporativ",
+        "secureAuth": "Autentificare Securizată"
+    },
     "breadcrumbs": {
         "home": "Acasă",
         "registry": "Registru",

package/dist/index.d.ts

@@ -4,6 +4,8 @@
  * SDK for building NSX Admin modules
  * Provides authentication, navigation, and platform integration
  */
+export { env, type EnvConfig } from "./env";
+export { SDK_PACKAGE_VERSION } from "./sdk-version";
 export { AuthProvider, useAuthContext, useOptionalAuthContext } from './components/AuthProvider';
 export { Timestamp } from './components/Timestamp';
 export type { TimestampProps } from './components/Timestamp';
@@ -14,19 +16,18 @@ export { useTelemetry } from './hooks/useTelemetry';
 export { useI18n } from './hooks/useI18n';
 export { useTimestamp } from './hooks/useTimestamp';
 export { useCallbackRef } from './hooks/useCallbackRef';
-export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createKeycloakAuthClient, UserSelector, } from './auth';
-export type { AuthClient, InMemoryAuthClient, MockUser, MockUserRoles, AuthState, AuthStateCallback, InMemoryAuthClientOptions, KeycloakAuthClientOptions, } from './auth';
+export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, UserSelector, LoginPage, } from './auth';
+export type { AuthClient, InMemoryAuthClient, MockUser, MockUserRoles, AuthState, AuthStateCallback, InMemoryAuthClientOptions, BffAuthClient, BffAuthClientOptions, BffMeResponse, LoginPageProps, } from './auth';
 export type { PlatformAPI, Breadcrumb, User, TimezoneMode, TimestampFormat } from './types/platform';
-export type { KeycloakConfig } from './types/keycloak';
 export type { UseAuthResult } from './hooks/useAuth';
 export type { UseTelemetryResult } from './hooks/useTelemetry';
 export type { UseI18nResult } from './hooks/useI18n';
 export type { UseTimestampResult } from './hooks/useTimestamp';
-export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, LOCALE_FLAGS, LOCALE_NAMES, } from './i18n';
+export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, DEFAULT_LOCALE, LOCALE_FLAGS, LOCALE_NAMES, } from './i18n';
 export type { SupportedLocale, LocalizedField } from './i18n';
 export { createInMemoryRegistryClient, clearInMemoryRegistry, createHttpRegistryClient, validateManifest, parseManifest, useRegistryPolling, AdminShellRegistry, useRegistry, useRegistryClient, } from './registry';
 export type { RegistryClient, ModuleOperations, CatalogOperations, InMemoryRegistryOptions, PreConfiguredModule, HttpRegistryOptions, AdminModuleManifest, ModuleCommand as RegistryModuleCommand, ModulePermissions, ModuleOwners, RegisteredModule, UpdateModuleDto, ReorderModuleDto, ModuleFilters, Catalog as RegistryCatalog, CatalogModule, CatalogVersion, ImportMap as RegistryImportMap, RegistryPollingState, UseRegistryPollingOptions, RegistryContextValue, AdminShellRegistryProps, } from './registry';
 export { AdminShell, TopBar, LeftNav, MainContent, CommandPalette, ThemeProvider, useTheme, initTelemetry, track, trackError, fuzzySearch, } from './shell';
 export { DynamicModule, ModuleLoading, ModuleErrorBoundary, } from './router';
 export type { ModuleInfo, ErrorBoundaryProps, } from './router';
-export type { AdminShellProps, TopBarProps, CommandPaletteProps, Module, ModuleCommand, ModuleStatus, NavigationSection, ModuleNavigation, Catalog, ImportMap, SearchableItem, SearchResult, SearchOptions, } from './shell';
+export type { AdminShellProps, AdminShellBffConfig, TopBarProps, CommandPaletteProps, Module, ModuleCommand, ModuleStatus, NavigationSection, ModuleNavigation, Catalog, ImportMap, SearchableItem, SearchResult, SearchOptions, } from './shell';

package/dist/index.js

@@ -4,6 +4,9 @@
  * SDK for building NSX Admin modules
  * Provides authentication, navigation, and platform integration
  */
+// Runtime env (`window.__ENV__` / `/env.js`)
+export { env } from "./env";
+export { SDK_PACKAGE_VERSION } from "./sdk-version";
 // Components
 export { AuthProvider, useAuthContext, useOptionalAuthContext } from './components/AuthProvider';
 export { Timestamp } from './components/Timestamp';
@@ -16,9 +19,9 @@ export { useI18n } from './hooks/useI18n';
 export { useTimestamp } from './hooks/useTimestamp';
 export { useCallbackRef } from './hooks/useCallbackRef';
 // Auth Client
-export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createKeycloakAuthClient, UserSelector, } from './auth';
+export { createInMemoryAuthClient, clearInMemoryAuth, createMockUsersFromRoles, createBffAuthClient, clearLoggedOutFlag, isLoggedOutFlag, setLoggedOutFlag, UserSelector, LoginPage, } from './auth';
 // i18n
-export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, LOCALE_FLAGS, LOCALE_NAMES, } from './i18n';
+export { initI18n, saveLocale, isSupportedLocale, resolveLocalizedString, registerModuleTranslations, i18n, SUPPORTED_LOCALES, DEFAULT_LOCALE, LOCALE_FLAGS, LOCALE_NAMES, } from './i18n';
 // Registry
 export { 
 // Client factory

package/dist/registry/client/http.js

@@ -4,6 +4,7 @@
  * Implementation of RegistryClient that communicates with the admin-api.
  * Used when running with MySQL backend.
  */
+import { SDK_PACKAGE_VERSION } from '../../sdk-version.js';
 /**
  * Create an HTTP registry client
  */
@@ -61,9 +62,13 @@ export function createHttpRegistryClient(options) {
             });
         },
         async registerFromManifest(manifest, baseUrl = '') {
+            const merged = {
+                ...manifest,
+                sdkVersion: manifest.sdkVersion ?? SDK_PACKAGE_VERSION,
+            };
             return request('/modules/manifest', {
                 method: 'POST',
-                body: JSON.stringify({ manifest, baseUrl }),
+                body: JSON.stringify({ manifest: merged, baseUrl }),
             });
         },
         async update(id, data) {