@ogcio/sag-client 0.2.0

package/dist/react/use-onboarding-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-onboarding-guard.d.ts","sourceRoot":"","sources":["../../src/react/use-onboarding-guard.ts"],"names":[],"mappings":"AAuBA,iDAAiD;AACjD,MAAM,WAAW,yBAAyB;IACxC,qEAAqE;IACrE,UAAU,EAAE,MAAM,CAAA;IAElB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAA;IAElB;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;IAE7B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAElB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC;;;;;;;;;;;OAWG;IACH,QAAQ,EAAE,OAAO,CAAA;CAClB;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,yBAAyB,GACjC,wBAAwB,CA6G1B"}

package/dist/react/use-onboarding-guard.js

@@ -0,0 +1,140 @@
+"use client";
+import { useEffect, useRef, useState } from "react";
+import { buildOnboardingRedirectUrl, buildWrongLoginMethodRedirect, } from "../onboarding";
+import { ALLOWED_SIGNIN_METHODS, DEFAULT_PUBLIC_SERVANT_ROLES, isCitizen, isCitizenOnboarded, } from "../roles";
+import { useSagClient } from "./provider";
+import { useAuth } from "./use-auth";
+// ── Constants ───────────────────────────────────────────────
+const ONBOARDING_STORAGE_KEY = "sag_onboarding_ts";
+const DEFAULT_DEBOUNCE_MS = 30000; // 30 seconds
+// ── Hook ────────────────────────────────────────────────────
+/**
+ * Onboarding guard hook for citizen-facing applications.
+ *
+ * Must be used within a `SagClientProvider`.  Internally calls
+ * `useAuth()` for auth state and `useSagClient()` for the gateway
+ * URL and app name.
+ *
+ * **Behaviour:**
+ *
+ * 1. If the user is not a citizen → resolved (let them through).
+ * 2. If the user signed in with a wrong method → redirect to the
+ *    profile service's error page (checked for ALL citizens,
+ *    including onboarded ones).
+ * 3. If the user is onboarded (`isCitizenOnboarded`) → resolved.
+ * 4. If a redirect happened less than `debounceMs` ago → resolved
+ *    (prevents infinite loops).
+ * 5. If the user is a citizen who has not completed onboarding →
+ *    invalidate the server session and redirect to the profile
+ *    service's onboarding page.
+ *
+ * While the check is pending or a redirect is in flight, `resolved`
+ * remains `false`.  The consuming component should gate children
+ * behind `resolved` to prevent `useGatewayFetch` from firing.
+ *
+ * @example
+ * ```tsx
+ * function Shell({ children }) {
+ *   // publicServantRoles defaults to DEFAULT_PUBLIC_SERVANT_ROLES
+ *   // (["Organisation Admin", "Organisation Member"])
+ *   const { resolved } = useOnboardingGuard({
+ *     profileUrl: "http://localhost:3001",
+ *     appBaseUrl: "http://localhost:3000",
+ *     connector: CONNECTOR_MYGOVID,
+ *   })
+ *   const { user, signIn, signOut } = useAuth()
+ *
+ *   if (!resolved) return <Loading />
+ *   return user ? <App>{children}</App> : <SignInButton />
+ * }
+ * ```
+ */
+export function useOnboardingGuard(options) {
+    const { profileUrl, appBaseUrl, publicServantRoles, connector, debounceMs = DEFAULT_DEBOUNCE_MS, } = options;
+    // Keep the roles in a ref so the effect dependency list stays stable.
+    // A new array reference from the caller (or the default spread) won't
+    // re-trigger the effect — only the ref's `.current` is read inside.
+    const rolesRef = useRef(publicServantRoles !== null && publicServantRoles !== void 0 ? publicServantRoles : [...DEFAULT_PUBLIC_SERVANT_ROLES]);
+    rolesRef.current = publicServantRoles !== null && publicServantRoles !== void 0 ? publicServantRoles : [...DEFAULT_PUBLIC_SERVANT_ROLES];
+    const client = useSagClient();
+    const { user, claims, loading, invalidateSession } = useAuth();
+    const [resolved, setResolved] = useState(false);
+    // Once we've started redirecting (invalidate + location change),
+    // never allow resolved to flip back to true — even if the effect
+    // re-fires before the browser finishes navigating.
+    const redirectingRef = useRef(false);
+    useEffect(() => {
+        var _a;
+        if (loading)
+            return;
+        if (redirectingRef.current)
+            return;
+        // Not authenticated — no onboarding needed
+        if (!user || !claims) {
+            setResolved(true);
+            return;
+        }
+        const orgRoles = (_a = claims.organization_roles) !== null && _a !== void 0 ? _a : [];
+        // 1. Not a citizen — let them through (public servants use different
+        //    sign-in methods so the signinMethod check doesn't apply)
+        if (!isCitizen(orgRoles, rolesRef.current)) {
+            setResolved(true);
+            return;
+        }
+        // 2. Wrong login method — checked for ALL citizens (including
+        //    onboarded ones) to enforce that citizens always use MyGovID.
+        //    This mirrors the original authorisation package's ordering.
+        const signinMethod = claims.signinMethod;
+        if (signinMethod &&
+            !ALLOWED_SIGNIN_METHODS.includes(signinMethod)) {
+            redirectingRef.current = true;
+            sessionStorage.setItem(ONBOARDING_STORAGE_KEY, String(Date.now()));
+            window.location.href = buildWrongLoginMethodRedirect({
+                profileUrl,
+                currentUrl: window.location.href,
+            });
+            return;
+        }
+        // 3. Citizen who has completed onboarding — clear debounce, proceed
+        if (isCitizenOnboarded(claims.roles)) {
+            sessionStorage.removeItem(ONBOARDING_STORAGE_KEY);
+            setResolved(true);
+            return;
+        }
+        // 4. Debounce — if we recently redirected, don't loop
+        const lastTs = Number(sessionStorage.getItem(ONBOARDING_STORAGE_KEY) || "0");
+        if (Date.now() - lastTs < debounceMs) {
+            setResolved(true);
+            return;
+        }
+        // 5. Citizen not onboarded — invalidate session and redirect.
+        //    Lock the guard immediately so no subsequent effect run can
+        //    set resolved=true and allow children to render.
+        redirectingRef.current = true;
+        sessionStorage.setItem(ONBOARDING_STORAGE_KEY, String(Date.now()));
+        const url = buildOnboardingRedirectUrl({
+            profileUrl,
+            currentPath: window.location.pathname,
+            gatewayUrl: client.gatewayUrl,
+            appName: client.appName,
+            appBaseUrl,
+            connector,
+        });
+        invalidateSession().then(() => {
+            window.location.href = url;
+        });
+    }, [
+        loading,
+        user,
+        claims,
+        invalidateSession,
+        profileUrl,
+        appBaseUrl,
+        connector,
+        debounceMs,
+        client.gatewayUrl,
+        client.appName,
+    ]);
+    return { resolved };
+}
+//# sourceMappingURL=use-onboarding-guard.js.map

package/dist/react/use-onboarding-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-onboarding-guard.js","sourceRoot":"","sources":["../../src/react/use-onboarding-guard.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAA;AACnD,OAAO,EACL,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,eAAe,CAAA;AACtB,OAAO,EACL,sBAAsB,EACtB,4BAA4B,EAC5B,SAAS,EACT,kBAAkB,GACnB,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAEpC,+DAA+D;AAE/D,MAAM,sBAAsB,GAAG,mBAAmB,CAAA;AAClD,MAAM,mBAAmB,GAAG,KAAM,CAAA,CAAC,aAAa;AA0DhD,+DAA+D;AAE/D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC;IAElC,MAAM,EACJ,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,UAAU,GAAG,mBAAmB,GACjC,GAAG,OAAO,CAAA;IAEX,sEAAsE;IACtE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,QAAQ,GAAG,MAAM,CACrB,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,CAAC,GAAG,4BAA4B,CAAC,CACxD,CAAA;IACD,QAAQ,CAAC,OAAO,GAAG,kBAAkB,aAAlB,kBAAkB,cAAlB,kBAAkB,GAAI,CAAC,GAAG,4BAA4B,CAAC,CAAA;IAE1E,MAAM,MAAM,GAAG,YAAY,EAAE,CAAA;IAC7B,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,OAAO,EAAE,CAAA;IAE9D,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;IAE/C,iEAAiE;IACjE,iEAAiE;IACjE,mDAAmD;IACnD,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IAEpC,SAAS,CAAC,GAAG,EAAE;;QACb,IAAI,OAAO;YAAE,OAAM;QACnB,IAAI,cAAc,CAAC,OAAO;YAAE,OAAM;QAElC,2CAA2C;QAC3C,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACrB,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,MAAM,QAAQ,GAAG,MAAA,MAAM,CAAC,kBAAkB,mCAAI,EAAE,CAAA;QAEhD,qEAAqE;QACrE,8DAA8D;QAC9D,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,8DAA8D;QAC9D,kEAAkE;QAClE,iEAAiE;QACjE,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAA;QACxC,IACE,YAAY;YACZ,CAAE,sBAA4C,CAAC,QAAQ,CAAC,YAAY,CAAC,EACrE,CAAC;YACD,cAAc,CAAC,OAAO,GAAG,IAAI,CAAA;YAC7B,cAAc,CAAC,OAAO,CAAC,sBAAsB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;YAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,6BAA6B,CAAC;gBACnD,UAAU;gBACV,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;aACjC,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,oEAAoE;QACpE,IAAI,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACrC,cAAc,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAA;YACjD,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,sDAAsD;QACtD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,sBAAsB,CAAC,IAAI,GAAG,CAAC,CAAA;QAC5E,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,UAAU,EAAE,CAAC;YACrC,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,8DAA8D;QAC9D,gEAAgE;QAChE,qDAAqD;QACrD,cAAc,CAAC,OAAO,GAAG,IAAI,CAAA;QAC7B,cAAc,CAAC,OAAO,CAAC,sBAAsB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAElE,MAAM,GAAG,GAAG,0BAA0B,CAAC;YACrC,UAAU;YACV,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;YACrC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU;YACV,SAAS;SACV,CAAC,CAAA;QAEF,iBAAiB,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,CAAA;QAC5B,CAAC,CAAC,CAAA;IACJ,CAAC,EAAE;QACD,OAAO;QACP,IAAI;QACJ,MAAM;QACN,iBAAiB;QACjB,UAAU;QACV,UAAU;QACV,SAAS;QACT,UAAU;QACV,MAAM,CAAC,UAAU;QACjB,MAAM,CAAC,OAAO;KACf,CAAC,CAAA;IAEF,OAAO,EAAE,QAAQ,EAAE,CAAA;AACrB,CAAC"}

package/dist/react/use-public-servant-guard.d.ts

@@ -0,0 +1,70 @@
+/** Options for the `usePublicServantGuard` hook. */
+export interface UsePublicServantGuardOptions {
+    /**
+     * Role names that identify an active public servant.
+     *
+     * @default DEFAULT_PUBLIC_SERVANT_ROLES — `["Organisation Admin", "Organisation Member"]`
+     */
+    publicServantRoles?: string[];
+    /**
+     * URL to redirect inactive public servants to.
+     * When omitted, inactive PS users are allowed through (resolved)
+     * with `isInactive` set to `true`.
+     */
+    inactiveRedirectUrl?: string;
+    /**
+     * URL to redirect non-public-servant users to (e.g. citizens
+     * landing on an admin app). When omitted, non-PS users are
+     * allowed through with `authorized` set to `false`.
+     */
+    unauthorizedRedirectUrl?: string;
+}
+/** Return value of `usePublicServantGuard`. */
+export interface UsePublicServantGuardResult {
+    /**
+     * `true` once the guard check has completed — meaning the user is
+     * a PS, is not authenticated, or a redirect is not configured.
+     *
+     * `false` while auth is loading or a redirect is in flight.
+     */
+    resolved: boolean;
+    /**
+     * `true` when the authenticated user is an active public servant.
+     * `false` for citizens, inactive PS, or unauthenticated users.
+     */
+    authorized: boolean;
+    /**
+     * `true` when the user is an inactive public servant.
+     */
+    isInactive: boolean;
+}
+/**
+ * Access guard hook for public-servant-facing applications.
+ *
+ * Must be used within a `SagClientProvider`.  Internally calls
+ * `useAuth()` for auth state.
+ *
+ * **Behaviour:**
+ *
+ * 1. If the user is not authenticated -> resolved, not authorized.
+ * 2. If the user is an inactive public servant and `inactiveRedirectUrl`
+ *    is set -> redirect.  Otherwise resolved with `isInactive: true`.
+ * 3. If the user is an active public servant -> resolved, authorized.
+ * 4. If the user is not a PS (citizen) and `unauthorizedRedirectUrl`
+ *    is set -> redirect.  Otherwise resolved with `authorized: false`.
+ *
+ * @example
+ * ```tsx
+ * function AdminShell({ children }) {
+ *   const { resolved, authorized } = usePublicServantGuard({
+ *     unauthorizedRedirectUrl: "https://citizen-app.example.com",
+ *   })
+ *
+ *   if (!resolved) return <Loading />
+ *   if (!authorized) return <AccessDenied />
+ *   return <>{children}</>
+ * }
+ * ```
+ */
+export declare function usePublicServantGuard(options?: UsePublicServantGuardOptions): UsePublicServantGuardResult;
+//# sourceMappingURL=use-public-servant-guard.d.ts.map

package/dist/react/use-public-servant-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-public-servant-guard.d.ts","sourceRoot":"","sources":["../../src/react/use-public-servant-guard.ts"],"names":[],"mappings":"AAYA,oDAAoD;AACpD,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;IAE7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAE5B;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAA;CACjC;AAED,+CAA+C;AAC/C,MAAM,WAAW,2BAA2B;IAC1C;;;;;OAKG;IACH,QAAQ,EAAE,OAAO,CAAA;IAEjB;;;OAGG;IACH,UAAU,EAAE,OAAO,CAAA;IAEnB;;OAEG;IACH,UAAU,EAAE,OAAO,CAAA;CACpB;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,GAAE,4BAAiC,GACzC,2BAA2B,CAuD7B"}

package/dist/react/use-public-servant-guard.js

@@ -0,0 +1,79 @@
+"use client";
+import { useEffect, useState } from "react";
+import { DEFAULT_PUBLIC_SERVANT_ROLES, isInactivePublicServant, isPublicServant, } from "../roles";
+import { useAuth } from "./use-auth";
+// ── Hook ────────────────────────────────────────────────────
+/**
+ * Access guard hook for public-servant-facing applications.
+ *
+ * Must be used within a `SagClientProvider`.  Internally calls
+ * `useAuth()` for auth state.
+ *
+ * **Behaviour:**
+ *
+ * 1. If the user is not authenticated -> resolved, not authorized.
+ * 2. If the user is an inactive public servant and `inactiveRedirectUrl`
+ *    is set -> redirect.  Otherwise resolved with `isInactive: true`.
+ * 3. If the user is an active public servant -> resolved, authorized.
+ * 4. If the user is not a PS (citizen) and `unauthorizedRedirectUrl`
+ *    is set -> redirect.  Otherwise resolved with `authorized: false`.
+ *
+ * @example
+ * ```tsx
+ * function AdminShell({ children }) {
+ *   const { resolved, authorized } = usePublicServantGuard({
+ *     unauthorizedRedirectUrl: "https://citizen-app.example.com",
+ *   })
+ *
+ *   if (!resolved) return <Loading />
+ *   if (!authorized) return <AccessDenied />
+ *   return <>{children}</>
+ * }
+ * ```
+ */
+export function usePublicServantGuard(options = {}) {
+    const { publicServantRoles = [...DEFAULT_PUBLIC_SERVANT_ROLES], inactiveRedirectUrl, unauthorizedRedirectUrl, } = options;
+    const { user, claims, loading } = useAuth();
+    const [resolved, setResolved] = useState(false);
+    const [authorized, setAuthorized] = useState(false);
+    const [isInactive, setIsInactive] = useState(false);
+    useEffect(() => {
+        var _a;
+        if (loading)
+            return;
+        if (!user || !claims) {
+            setResolved(true);
+            return;
+        }
+        const orgRoles = (_a = claims.organization_roles) !== null && _a !== void 0 ? _a : [];
+        if (isInactivePublicServant(orgRoles)) {
+            setIsInactive(true);
+            if (inactiveRedirectUrl) {
+                window.location.href = inactiveRedirectUrl;
+                return;
+            }
+            setResolved(true);
+            return;
+        }
+        if (isPublicServant(orgRoles, publicServantRoles)) {
+            setAuthorized(true);
+            setResolved(true);
+            return;
+        }
+        // Not a public servant (citizen or unknown role)
+        if (unauthorizedRedirectUrl) {
+            window.location.href = unauthorizedRedirectUrl;
+            return;
+        }
+        setResolved(true);
+    }, [
+        loading,
+        user,
+        claims,
+        publicServantRoles,
+        inactiveRedirectUrl,
+        unauthorizedRedirectUrl,
+    ]);
+    return { resolved, authorized, isInactive };
+}
+//# sourceMappingURL=use-public-servant-guard.js.map

package/dist/react/use-public-servant-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"use-public-servant-guard.js","sourceRoot":"","sources":["../../src/react/use-public-servant-guard.ts"],"names":[],"mappings":"AAAA,YAAY,CAAA;AAEZ,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAA;AAC3C,OAAO,EACL,4BAA4B,EAC5B,uBAAuB,EACvB,eAAe,GAChB,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AAkDpC,+DAA+D;AAE/D;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAwC,EAAE;IAE1C,MAAM,EACJ,kBAAkB,GAAG,CAAC,GAAG,4BAA4B,CAAC,EACtD,mBAAmB,EACnB,uBAAuB,GACxB,GAAG,OAAO,CAAA;IAEX,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,EAAE,CAAA;IAE3C,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnD,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;IAEnD,SAAS,CAAC,GAAG,EAAE;;QACb,IAAI,OAAO;YAAE,OAAM;QAEnB,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACrB,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,MAAM,QAAQ,GAAG,MAAA,MAAM,CAAC,kBAAkB,mCAAI,EAAE,CAAA;QAEhD,IAAI,uBAAuB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,aAAa,CAAC,IAAI,CAAC,CAAA;YACnB,IAAI,mBAAmB,EAAE,CAAC;gBACxB,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,mBAAmB,CAAA;gBAC1C,OAAM;YACR,CAAC;YACD,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,IAAI,eAAe,CAAC,QAAQ,EAAE,kBAAkB,CAAC,EAAE,CAAC;YAClD,aAAa,CAAC,IAAI,CAAC,CAAA;YACnB,WAAW,CAAC,IAAI,CAAC,CAAA;YACjB,OAAM;QACR,CAAC;QAED,iDAAiD;QACjD,IAAI,uBAAuB,EAAE,CAAC;YAC5B,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,uBAAuB,CAAA;YAC9C,OAAM;QACR,CAAC;QACD,WAAW,CAAC,IAAI,CAAC,CAAA;IACnB,CAAC,EAAE;QACD,OAAO;QACP,IAAI;QACJ,MAAM;QACN,kBAAkB;QAClB,mBAAmB;QACnB,uBAAuB;KACxB,CAAC,CAAA;IAEF,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,CAAA;AAC7C,CAAC"}

package/dist/roles.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Role detection utilities for the Secure API Gateway.
+ *
+ * Pure functions that derive citizen / public-servant / onboarding
+ * status from Logto ID-token claims.  These mirror the logic in the
+ * reference `authorisation` package so consuming apps get identical
+ * behaviour without duplicating the rules.
+ */
+/** Default organization role string for inactive public servants. */
+export declare const INACTIVE_PS_ORG_ROLE = "inactive-ps-org:Inactive Public Servant";
+/** Default Logto role name assigned after citizen onboarding. */
+export declare const ROLE_NAME_ONBOARDED_CITIZEN = "Onboarded citizen";
+/** Logto directSignIn value for MyGovID social connector. */
+export declare const CONNECTOR_MYGOVID = "social:mygovid";
+/** Logto directSignIn value for Entra ID social connector. */
+export declare const CONNECTOR_ENTRAID = "social:ogcio-entraid";
+/** Sign-in methods that are considered valid for citizen flows. */
+export declare const ALLOWED_SIGNIN_METHODS: readonly ["social:mygovid"];
+/** Organisation role name for organisation administrators. */
+export declare const ORG_ROLE_ADMIN = "Organisation Admin";
+/** Organisation role name for regular organisation members. */
+export declare const ORG_ROLE_MEMBER = "Organisation Member";
+/**
+ * Default set of public-servant organisation role names.
+ *
+ * Citizen-facing apps typically use this as the `publicServantRoles`
+ * value — any user holding one of these roles is considered a public
+ * servant (not a citizen).
+ *
+ * Admin apps may use a different, service-specific list.
+ */
+export declare const DEFAULT_PUBLIC_SERVANT_ROLES: readonly ["Organisation Admin", "Organisation Member"];
+/**
+ * Check whether the user is an *inactive* public servant.
+ *
+ * @param orgRoles  `organization_roles` claim from the ID token
+ *                  (format: `"orgId:roleName"`).
+ * @param inactiveOrgRole  Override the default inactive-PS org role string.
+ */
+export declare function isInactivePublicServant(orgRoles: string[] | null | undefined, inactiveOrgRole?: string): boolean;
+/**
+ * Check whether the user is an active public servant.
+ *
+ * A user is considered a public servant when they have at least one
+ * organisation role whose *role name* (the part after the colon) is
+ * listed in `expectedRoles`, **and** they are not an inactive PS.
+ *
+ * @param orgRoles       `organization_roles` claim from the ID token.
+ * @param expectedRoles  Role names that identify a public servant
+ *                       (e.g. `["Admin", "Editor"]`).
+ */
+export declare function isPublicServant(orgRoles: string[] | null | undefined, expectedRoles: string[]): boolean;
+/**
+ * Check whether the user is a citizen (i.e. not a public servant).
+ *
+ * A user is a citizen when they are neither an inactive public
+ * servant nor an active public servant.
+ */
+export declare function isCitizen(orgRoles: string[] | null | undefined, expectedPublicServantRoles: string[]): boolean;
+/**
+ * Check whether the citizen has completed onboarding.
+ *
+ * @param roles              `roles` claim from the ID token.
+ * @param onboardedRoleName  Override the default onboarded-citizen role name.
+ */
+export declare function isCitizenOnboarded(roles: string[] | null | undefined, onboardedRoleName?: string): boolean;
+//# sourceMappingURL=roles.d.ts.map

package/dist/roles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.d.ts","sourceRoot":"","sources":["../src/roles.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,qEAAqE;AACrE,eAAO,MAAM,oBAAoB,4CAA4C,CAAA;AAE7E,iEAAiE;AACjE,eAAO,MAAM,2BAA2B,sBAAsB,CAAA;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,iBAAiB,mBAAmB,CAAA;AAEjD,8DAA8D;AAC9D,eAAO,MAAM,iBAAiB,yBAAyB,CAAA;AAEvD,mEAAmE;AACnE,eAAO,MAAM,sBAAsB,6BAA8B,CAAA;AAQjE,8DAA8D;AAC9D,eAAO,MAAM,cAAc,uBAAuB,CAAA;AAElD,+DAA+D;AAC/D,eAAO,MAAM,eAAe,wBAAwB,CAAA;AAEpD;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,wDAG/B,CAAA;AAIV;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EACrC,eAAe,GAAE,MAA6B,GAC7C,OAAO,CAET;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EACrC,aAAa,EAAE,MAAM,EAAE,GACtB,OAAO,CAMT;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CACvB,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EACrC,0BAA0B,EAAE,MAAM,EAAE,GACnC,OAAO,CAKT;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,SAAS,EAClC,iBAAiB,GAAE,MAAoC,GACtD,OAAO,CAET"}

package/dist/roles.js

@@ -0,0 +1,93 @@
+/**
+ * Role detection utilities for the Secure API Gateway.
+ *
+ * Pure functions that derive citizen / public-servant / onboarding
+ * status from Logto ID-token claims.  These mirror the logic in the
+ * reference `authorisation` package so consuming apps get identical
+ * behaviour without duplicating the rules.
+ */
+// ── Constants (configurable defaults) ───────────────────────
+/** Default organization role string for inactive public servants. */
+export const INACTIVE_PS_ORG_ROLE = "inactive-ps-org:Inactive Public Servant";
+/** Default Logto role name assigned after citizen onboarding. */
+export const ROLE_NAME_ONBOARDED_CITIZEN = "Onboarded citizen";
+/** Logto directSignIn value for MyGovID social connector. */
+export const CONNECTOR_MYGOVID = "social:mygovid";
+/** Logto directSignIn value for Entra ID social connector. */
+export const CONNECTOR_ENTRAID = "social:ogcio-entraid";
+/** Sign-in methods that are considered valid for citizen flows. */
+export const ALLOWED_SIGNIN_METHODS = ["social:mygovid"];
+// ── Common public-servant organisation role names ───────────
+//
+// These are the standard Logto organisation role names used across
+// the govie platform.  Individual apps may use a subset or extend
+// this list (e.g. "Messaging Public Servant" for admin apps).
+/** Organisation role name for organisation administrators. */
+export const ORG_ROLE_ADMIN = "Organisation Admin";
+/** Organisation role name for regular organisation members. */
+export const ORG_ROLE_MEMBER = "Organisation Member";
+/**
+ * Default set of public-servant organisation role names.
+ *
+ * Citizen-facing apps typically use this as the `publicServantRoles`
+ * value — any user holding one of these roles is considered a public
+ * servant (not a citizen).
+ *
+ * Admin apps may use a different, service-specific list.
+ */
+export const DEFAULT_PUBLIC_SERVANT_ROLES = [
+    ORG_ROLE_ADMIN,
+    ORG_ROLE_MEMBER,
+];
+// ── Role detection ──────────────────────────────────────────
+/**
+ * Check whether the user is an *inactive* public servant.
+ *
+ * @param orgRoles  `organization_roles` claim from the ID token
+ *                  (format: `"orgId:roleName"`).
+ * @param inactiveOrgRole  Override the default inactive-PS org role string.
+ */
+export function isInactivePublicServant(orgRoles, inactiveOrgRole = INACTIVE_PS_ORG_ROLE) {
+    var _a;
+    return (_a = orgRoles === null || orgRoles === void 0 ? void 0 : orgRoles.includes(inactiveOrgRole)) !== null && _a !== void 0 ? _a : false;
+}
+/**
+ * Check whether the user is an active public servant.
+ *
+ * A user is considered a public servant when they have at least one
+ * organisation role whose *role name* (the part after the colon) is
+ * listed in `expectedRoles`, **and** they are not an inactive PS.
+ *
+ * @param orgRoles       `organization_roles` claim from the ID token.
+ * @param expectedRoles  Role names that identify a public servant
+ *                       (e.g. `["Admin", "Editor"]`).
+ */
+export function isPublicServant(orgRoles, expectedRoles) {
+    if (isInactivePublicServant(orgRoles) || !orgRoles)
+        return false;
+    return orgRoles.some((orgRole) => {
+        const [, role] = orgRole.split(":");
+        return expectedRoles.includes(role);
+    });
+}
+/**
+ * Check whether the user is a citizen (i.e. not a public servant).
+ *
+ * A user is a citizen when they are neither an inactive public
+ * servant nor an active public servant.
+ */
+export function isCitizen(orgRoles, expectedPublicServantRoles) {
+    return !(isInactivePublicServant(orgRoles) ||
+        isPublicServant(orgRoles, expectedPublicServantRoles));
+}
+/**
+ * Check whether the citizen has completed onboarding.
+ *
+ * @param roles              `roles` claim from the ID token.
+ * @param onboardedRoleName  Override the default onboarded-citizen role name.
+ */
+export function isCitizenOnboarded(roles, onboardedRoleName = ROLE_NAME_ONBOARDED_CITIZEN) {
+    var _a;
+    return (_a = roles === null || roles === void 0 ? void 0 : roles.includes(onboardedRoleName)) !== null && _a !== void 0 ? _a : false;
+}
+//# sourceMappingURL=roles.js.map

package/dist/roles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.js","sourceRoot":"","sources":["../src/roles.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,+DAA+D;AAE/D,qEAAqE;AACrE,MAAM,CAAC,MAAM,oBAAoB,GAAG,yCAAyC,CAAA;AAE7E,iEAAiE;AACjE,MAAM,CAAC,MAAM,2BAA2B,GAAG,mBAAmB,CAAA;AAE9D,6DAA6D;AAC7D,MAAM,CAAC,MAAM,iBAAiB,GAAG,gBAAgB,CAAA;AAEjD,8DAA8D;AAC9D,MAAM,CAAC,MAAM,iBAAiB,GAAG,sBAAsB,CAAA;AAEvD,mEAAmE;AACnE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,gBAAgB,CAAU,CAAA;AAEjE,+DAA+D;AAC/D,EAAE;AACF,mEAAmE;AACnE,kEAAkE;AAClE,8DAA8D;AAE9D,8DAA8D;AAC9D,MAAM,CAAC,MAAM,cAAc,GAAG,oBAAoB,CAAA;AAElD,+DAA+D;AAC/D,MAAM,CAAC,MAAM,eAAe,GAAG,qBAAqB,CAAA;AAEpD;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG;IAC1C,cAAc;IACd,eAAe;CACP,CAAA;AAEV,+DAA+D;AAE/D;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,QAAqC,EACrC,kBAA0B,oBAAoB;;IAE9C,OAAO,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,CAAC,eAAe,CAAC,mCAAI,KAAK,CAAA;AACrD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAqC,EACrC,aAAuB;IAEvB,IAAI,uBAAuB,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAA;IAChE,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACnC,OAAO,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CACvB,QAAqC,EACrC,0BAAoC;IAEpC,OAAO,CAAC,CACN,uBAAuB,CAAC,QAAQ,CAAC;QACjC,eAAe,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CACtD,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAkC,EAClC,oBAA4B,2BAA2B;;IAEvD,OAAO,MAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,QAAQ,CAAC,iBAAiB,CAAC,mCAAI,KAAK,CAAA;AACpD,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,131 @@
+export type AuthUser = {
+    sub: string;
+    email?: string;
+    name?: string;
+};
+/** Claims returned from the gateway's enriched /auth/status endpoint. */
+export type AuthClaims = {
+    roles: string[];
+    organizations: string[];
+    organization_roles: string[];
+    /** How the user signed in (e.g. "social:mygovid"). Logto custom claim. */
+    signinMethod?: string;
+};
+export type AuthStatus = {
+    authenticated: true;
+    app: string;
+    user: AuthUser;
+    claims: AuthClaims;
+} | {
+    authenticated: false;
+    warning?: string;
+};
+/** Structured organization info returned by the gateway's /auth/organizations endpoint. */
+export interface OrganizationInfo {
+    id: string;
+    name: string;
+    description?: string;
+    roles: string[];
+}
+/** Options for the sign-in flow. */
+export interface SignInOptions {
+    /**
+     * Logto `directSignIn` value — bypass the sign-in screen and go
+     * directly to a specific social connector or SSO provider.
+     *
+     * @example "social:mygovid"
+     * @example "social:ogcio-entraid"
+     * @example "sso:connector-id"
+     */
+    connector?: string;
+    /**
+     * Explicit post-login redirect URL.
+     * Validated against the gateway's allowed-origin patterns.
+     */
+    redirectUrl?: string;
+}
+export interface SagClientConfig {
+    /** Secure API Gateway base URL (e.g. "http://localhost:3333") */
+    gatewayUrl: string;
+    /** Application name sent to the gateway (e.g. "cars", "weather") */
+    appName: string;
+    /**
+     * Called when the gateway returns 401 (session expired / invalid grant).
+     * Default: POST-redirect to the gateway's sign-in endpoint.
+     */
+    onSessionExpired?: () => void;
+}
+/**
+ * Extended Error thrown by the gateway fetcher.
+ * Carries the HTTP status code and the gateway error code (if any)
+ * so consumers can branch on error type.
+ */
+export declare class SagFetchError extends Error {
+    status: number;
+    code?: string;
+    constructor(message: string, status: number, code?: string);
+}
+/**
+ * HTTP header used to select user-token vs M2M-token flow on
+ * the Secure API Gateway.
+ */
+export declare const ACTOR_TYPE_HEADER = "X-Request-Actor-Type";
+/**
+ * HTTP header used to request an organization-scoped token.
+ * When present, the gateway uses `getOrganizationToken(orgId)`
+ * instead of `getAccessToken(resource)` for the proxy request.
+ */
+export declare const ORGANIZATION_ID_HEADER = "X-Organization-Id";
+/**
+ * Actor type sent to the gateway via `X-Request-Actor-Type`.
+ * - `"user"` (default) — proxy with the authenticated user's access token
+ * - `"m2m"` — proxy with the app's M2M client_credentials token
+ */
+export type ActorType = "user" | "m2m";
+/** Options accepted by gateway fetch helpers. */
+export interface GatewayFetchOptions {
+    /**
+     * Override the actor type for this request.
+     * When set to `"m2m"`, the fetcher sends `X-Request-Actor-Type: m2m`
+     * so the gateway uses client_credentials instead of the user token.
+     */
+    actorType?: ActorType;
+    /**
+     * Organization ID for organization-scoped requests.
+     * When set, the fetcher sends `X-Organization-Id: <id>` so the
+     * gateway uses `getOrganizationToken(orgId)` instead of the
+     * default `getAccessToken(resource)`.
+     */
+    organizationId?: string;
+}
+/** HTTP method for mutation requests. */
+export type MutationMethod = "POST" | "PUT" | "PATCH" | "DELETE";
+/** Options accepted by gateway mutation helpers. */
+export interface GatewayMutationOptions extends GatewayFetchOptions {
+    /** HTTP method for the mutation (defaults to `"POST"`). */
+    method?: MutationMethod;
+}
+/** Options for the `useOnboardingGuard` hook. */
+export type { UseOnboardingGuardOptions } from "./react/use-onboarding-guard";
+/** Return value of the `useOnboardingGuard` hook. */
+export type { UseOnboardingGuardResult } from "./react/use-onboarding-guard";
+/** Options for the `usePublicServantGuard` hook. */
+export type { UsePublicServantGuardOptions } from "./react/use-public-servant-guard";
+/** Return value of the `usePublicServantGuard` hook. */
+export type { UsePublicServantGuardResult } from "./react/use-public-servant-guard";
+export type UseAuthResult = {
+    authenticated: boolean;
+    user?: AuthUser;
+    claims?: AuthClaims;
+    app?: string;
+    loading: boolean;
+    warning?: string;
+    /** When false, sign-in / sign-out are disabled (Logto unreachable) */
+    logtoAvailable: boolean;
+    signIn: (options?: SignInOptions) => void;
+    signOut: () => void;
+    /** Invalidate the server session so the next sign-in fetches fresh claims. */
+    invalidateSession: () => Promise<void>;
+    refresh: () => void;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,QAAQ,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAA;AAErE,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG;IACvB,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,aAAa,EAAE,MAAM,EAAE,CAAA;IACvB,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,0EAA0E;IAC1E,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB,CAAA;AAED,MAAM,MAAM,UAAU,GAClB;IAAE,aAAa,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,GACxE;IAAE,aAAa,EAAE,KAAK,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAA;AAI9C,2FAA2F;AAC3F,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,EAAE,CAAA;CAChB;AAID,oCAAoC;AACpC,MAAM,WAAW,aAAa;IAC5B;;;;;;;OAOG;IACH,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAID,MAAM,WAAW,eAAe;IAC9B,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAA;IAClB,oEAAoE;IACpE,OAAO,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,IAAI,CAAA;CAC9B;AAID;;;;GAIG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;gBAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM;CAM3D;AAID;;;GAGG;AACH,eAAO,MAAM,iBAAiB,yBAAyB,CAAA;AAEvD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,sBAAsB,CAAA;AAEzD;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,KAAK,CAAA;AAEtC,iDAAiD;AACjD,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,CAAA;IAErB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,yCAAyC;AACzC,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAA;AAEhE,oDAAoD;AACpD,MAAM,WAAW,sBAAuB,SAAQ,mBAAmB;IACjE,2DAA2D;IAC3D,MAAM,CAAC,EAAE,cAAc,CAAA;CACxB;AAID,iDAAiD;AACjD,YAAY,EAAE,yBAAyB,EAAE,MAAM,8BAA8B,CAAA;AAC7E,qDAAqD;AACrD,YAAY,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAA;AAE5E,oDAAoD;AACpD,YAAY,EAAE,4BAA4B,EAAE,MAAM,kCAAkC,CAAA;AACpF,wDAAwD;AACxD,YAAY,EAAE,2BAA2B,EAAE,MAAM,kCAAkC,CAAA;AAEnF,MAAM,MAAM,aAAa,GAAG;IAC1B,aAAa,EAAE,OAAO,CAAA;IACtB,IAAI,CAAC,EAAE,QAAQ,CAAA;IACf,MAAM,CAAC,EAAE,UAAU,CAAA;IACnB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,sEAAsE;IACtE,cAAc,EAAE,OAAO,CAAA;IACvB,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,aAAa,KAAK,IAAI,CAAA;IACzC,OAAO,EAAE,MAAM,IAAI,CAAA;IACnB,8EAA8E;IAC9E,iBAAiB,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IACtC,OAAO,EAAE,MAAM,IAAI,CAAA;CACpB,CAAA"}

package/dist/types.js

@@ -0,0 +1,28 @@
+// ── Auth types ───────────────────────────────────────────────
+// ── Fetch error ──────────────────────────────────────────────
+/**
+ * Extended Error thrown by the gateway fetcher.
+ * Carries the HTTP status code and the gateway error code (if any)
+ * so consumers can branch on error type.
+ */
+export class SagFetchError extends Error {
+    constructor(message, status, code) {
+        super(message);
+        this.name = "SagFetchError";
+        this.status = status;
+        this.code = code;
+    }
+}
+// ── M2M / Actor type ─────────────────────────────────────────
+/**
+ * HTTP header used to select user-token vs M2M-token flow on
+ * the Secure API Gateway.
+ */
+export const ACTOR_TYPE_HEADER = "X-Request-Actor-Type";
+/**
+ * HTTP header used to request an organization-scoped token.
+ * When present, the gateway uses `getOrganizationToken(orgId)`
+ * instead of `getAccessToken(resource)` for the proxy request.
+ */
+export const ORGANIZATION_ID_HEADER = "X-Organization-Id";
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,gEAAgE;AA6DhE,gEAAgE;AAEhE;;;;GAIG;AACH,MAAM,OAAO,aAAc,SAAQ,KAAK;IAItC,YAAY,OAAe,EAAE,MAAc,EAAE,IAAa;QACxD,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,eAAe,CAAA;QAC3B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF;AAED,gEAAgE;AAEhE;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,sBAAsB,CAAA;AAEvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,mBAAmB,CAAA"}