@palbase/web 1.0.0 → 1.0.1

package/dist/{analytics-facade-t6UrFdn7.d.cts → analytics-facade-DV2uAiSg.d.cts}

@@ -1,7 +1,509 @@
-import { HttpClient, TokenManager, Session } from '@palbase/core';
-import { AuthClient } from '@palbase/auth';
 import { S as SessionStorageAdapter } from './storage-BPaeSG8K.cjs';
-import { FlagValue } from '@palbase/flags';
+import { F } from './pooled-flags-Bwq4usn0.js';
+
+declare class PalbaseError$1 extends Error {
+    readonly code: string;
+    readonly status: number;
+    readonly details?: unknown;
+    constructor(code: string, message: string, status: number, details?: unknown);
+}
+
+interface PalbaseResponse$1<T> {
+    data: T | null;
+    error: PalbaseError$1 | null;
+    count?: number;
+    status: number;
+}
+interface HttpClientOptions$1 {
+    url?: string;
+    headers?: Record<string, string>;
+}
+interface RequestOptions$1 {
+    headers?: Record<string, string>;
+    body?: unknown;
+    signal?: AbortSignal;
+}
+interface Session$1 {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+}
+type AuthStateEvent$1 = 'SESSION_SET' | 'SESSION_CLEARED';
+type AuthStateCallback$1 = (event: AuthStateEvent$1, session: Session$1 | null) => void;
+type Unsubscribe$2 = () => void;
+
+declare class TokenManager$1 {
+    private session;
+    private listeners;
+    private refreshPromise;
+    private refreshing;
+    refreshFunction: ((refreshToken: string) => Promise<Session$1>) | null;
+    setSession(session: Session$1): void;
+    getAccessToken(): string | null;
+    getRefreshToken(): string | null;
+    clearSession(): void;
+    isExpired(): boolean;
+    refreshSession(): Promise<void>;
+    onAuthStateChange(callback: AuthStateCallback$1): Unsubscribe$2;
+    private executeRefresh;
+    private notify;
+}
+
+/**
+ * Request interceptor. Runs before every HTTP request.
+ * Can modify headers, body, or reject the request.
+ */
+type RequestInterceptor$1 = (request: {
+    headers: Record<string, string>;
+    method: string;
+    path: string;
+}) => void | Promise<void>;
+declare class HttpClient$1 {
+    protected readonly apiKey: string;
+    protected readonly options?: HttpClientOptions$1;
+    tokenManager: TokenManager$1 | null;
+    /**
+     * Admin JWT used for platform admin endpoints (/admin/*).
+     * When set, takes precedence over tokenManager access token in the
+     * Authorization header.
+     */
+    adminToken: string | null;
+    private readonly interceptors;
+    constructor(apiKey: string, options?: HttpClientOptions$1);
+    /** Set (or clear) the admin JWT used on admin endpoints. */
+    setAdminToken(token: string | null): void;
+    /**
+     * Create a scoped HttpClient that adds the given extra headers to every
+     * request. The returned client shares the admin token and token manager
+     * with the parent at runtime — later changes on the parent propagate to
+     * the scope and vice versa.
+     *
+     * Typical use: tagging admin calls with `x-palbase-project: <ref>` so the
+     * gateway can route them to the correct project's data plane.
+     */
+    withHeaders(extra: Record<string, string>): HttpClient$1;
+    /** Add a request interceptor. Runs before every request. */
+    addInterceptor(interceptor: RequestInterceptor$1): void;
+    request<T>(method: string, path: string, options?: RequestOptions$1): Promise<PalbaseResponse$1<T>>;
+    private getBaseUrl;
+    private buildHeaders;
+    private executeWithRetry;
+    private delay;
+}
+
+declare class PalbaseError extends Error {
+    readonly code: string;
+    readonly status: number;
+    readonly details?: unknown;
+    constructor(code: string, message: string, status: number, details?: unknown);
+}
+
+interface PalbaseResponse<T> {
+    data: T | null;
+    error: PalbaseError | null;
+    count?: number;
+    status: number;
+}
+interface HttpClientOptions {
+    url?: string;
+    headers?: Record<string, string>;
+}
+interface RequestOptions {
+    headers?: Record<string, string>;
+    body?: unknown;
+    signal?: AbortSignal;
+}
+interface Session {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+}
+type AuthStateEvent = 'SESSION_SET' | 'SESSION_CLEARED';
+type AuthStateCallback = (event: AuthStateEvent, session: Session | null) => void;
+type Unsubscribe$1 = () => void;
+
+declare class TokenManager {
+    private session;
+    private listeners;
+    private refreshPromise;
+    private refreshing;
+    refreshFunction: ((refreshToken: string) => Promise<Session>) | null;
+    setSession(session: Session): void;
+    getAccessToken(): string | null;
+    getRefreshToken(): string | null;
+    clearSession(): void;
+    isExpired(): boolean;
+    refreshSession(): Promise<void>;
+    onAuthStateChange(callback: AuthStateCallback): Unsubscribe$1;
+    private executeRefresh;
+    private notify;
+}
+
+/**
+ * Request interceptor. Runs before every HTTP request.
+ * Can modify headers, body, or reject the request.
+ */
+type RequestInterceptor = (request: {
+    headers: Record<string, string>;
+    method: string;
+    path: string;
+}) => void | Promise<void>;
+declare class HttpClient {
+    protected readonly apiKey: string;
+    protected readonly options?: HttpClientOptions;
+    tokenManager: TokenManager | null;
+    /**
+     * Admin JWT used for platform admin endpoints (/admin/*).
+     * When set, takes precedence over tokenManager access token in the
+     * Authorization header.
+     */
+    adminToken: string | null;
+    private readonly interceptors;
+    constructor(apiKey: string, options?: HttpClientOptions);
+    /** Set (or clear) the admin JWT used on admin endpoints. */
+    setAdminToken(token: string | null): void;
+    /**
+     * Create a scoped HttpClient that adds the given extra headers to every
+     * request. The returned client shares the admin token and token manager
+     * with the parent at runtime — later changes on the parent propagate to
+     * the scope and vice versa.
+     *
+     * Typical use: tagging admin calls with `x-palbase-project: <ref>` so the
+     * gateway can route them to the correct project's data plane.
+     */
+    withHeaders(extra: Record<string, string>): HttpClient;
+    /** Add a request interceptor. Runs before every request. */
+    addInterceptor(interceptor: RequestInterceptor): void;
+    request<T>(method: string, path: string, options?: RequestOptions): Promise<PalbaseResponse<T>>;
+    private getBaseUrl;
+    private buildHeaders;
+    private executeWithRetry;
+    private delay;
+}
+
+interface User {
+    id: string;
+    email: string;
+    emailVerified: boolean;
+    createdAt: string;
+    updatedAt: string;
+    metadata?: Record<string, unknown>;
+}
+interface TokenResponse {
+    access_token: string;
+    refresh_token: string;
+    token_type: string;
+    expires_in: number;
+}
+interface AuthSession {
+    id: string;
+    ip?: string;
+    user_agent?: string;
+    acr: string;
+    amr: string[];
+    last_activity: string;
+    created_at: string;
+    current: boolean;
+}
+interface SignUpCredentials {
+    email: string;
+    password: string;
+}
+interface SignInCredentials {
+    email: string;
+    password: string;
+}
+interface VerifyEmailParams {
+    token?: string;
+    code?: string;
+    email?: string;
+}
+interface PasswordResetParams {
+    email: string;
+}
+interface PasswordResetConfirmParams {
+    token: string;
+    new_password: string;
+}
+interface PasswordChangeParams {
+    current_password: string;
+    new_password: string;
+}
+interface MFAEnrollParams {
+    type: 'totp' | 'email';
+}
+interface MFAEnrollResult {
+    enrollment_id?: string;
+    secret?: string;
+    otp_url?: string;
+    qr_code?: string;
+    recovery_codes?: string[];
+    status?: string;
+}
+interface MFAChallengeParams {
+    mfa_token: string;
+    type: 'totp' | 'email';
+    code: string;
+}
+interface MFARecoveryParams {
+    mfa_token: string;
+    code: string;
+}
+interface MFAFactor {
+    id: string;
+    type: string;
+    verified: boolean;
+    created_at: string;
+}
+interface MFAEmailChallengeParams {
+    mfa_token: string;
+}
+interface MFAEmailVerifyParams {
+    mfa_token: string;
+    code: string;
+}
+interface OAuthOptions {
+    provider: string;
+    redirectTo?: string;
+}
+interface Identity {
+    id: string;
+    provider: string;
+    provider_user_id: string;
+    created_at: string;
+}
+interface CredentialExchangeParams {
+    provider: string;
+    credential: string;
+}
+interface LinkIdentityParams {
+    provider: string;
+    credential: string;
+}
+interface MagicLinkParams {
+    email: string;
+}
+interface MagicLinkVerifyParams {
+    token: string;
+    fingerprint_hash?: string;
+}
+interface RegisterTrustedDeviceParams {
+    fingerprint_hash: string;
+    device_name?: string;
+}
+interface TrustedDevice {
+    id: string;
+    device_name?: string;
+    created_at: string;
+    last_used_at: string;
+    expires_at: string;
+}
+interface DeviceInfo {
+    id: string;
+    platform: string;
+    attestation_status: string;
+    bound: boolean;
+    created_at: string;
+}
+interface AttestAndroidParams {
+    verdict_token: string;
+}
+interface AttestAndroidResult {
+    device_id: string;
+    attestation_status: string;
+    device_integrity?: string;
+}
+interface AttestiOSParams {
+    attestation_object: string;
+    key_id: string;
+    challenge: string;
+}
+interface AttestiOSResult {
+    device_id: string;
+    attestation_status: string;
+}
+interface BindDeviceParams {
+    device_id: string;
+    public_key: string;
+    platform_attestation?: string;
+}
+interface VerifyRequestSignatureParams {
+    payload: string;
+    signature: string;
+}
+type AuthEvent = 'SIGNED_IN' | 'SIGNED_OUT' | 'TOKEN_REFRESHED';
+type AuthStateChangeCallback = (event: AuthEvent, session: Session | null) => void;
+
+/**
+ * Device attestation client.
+ * Handles device challenge/attestation/bind and App Check JWT cache.
+ */
+declare class DeviceClient {
+    private readonly httpClient;
+    private cachedToken;
+    private refreshTimer;
+    constructor(httpClient: HttpClient);
+    /** Generate a device attestation challenge. */
+    generateChallenge(): Promise<PalbaseResponse<{
+        challenge: string;
+    }>>;
+    /** Attest an Android device with a Play Integrity verdict token. */
+    attestAndroid(params: AttestAndroidParams): Promise<PalbaseResponse<AttestAndroidResult>>;
+    /** Attest an iOS device with App Attest attestation data. */
+    attestiOS(params: AttestiOSParams): Promise<PalbaseResponse<AttestiOSResult>>;
+    /** Bind a verified device with a public key for request signing. */
+    bind(params: BindDeviceParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    /** List all devices for the current user. */
+    list(): Promise<PalbaseResponse<{
+        devices: DeviceInfo[];
+    }>>;
+    /** Delete a device by ID. */
+    delete(deviceId: string): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    /**
+     * Verify a request signature from a device (server-only).
+     * Should NOT be exposed in client SDK.
+     */
+    verifyRequestSignature(deviceId: string, params: VerifyRequestSignatureParams): Promise<PalbaseResponse<{
+        verified: boolean;
+    }>>;
+    /** Get the cached App Check token, or null if not available / expired. */
+    getToken(): string | null;
+    /** Whether App Check is active (token cached and not expired). */
+    get isActive(): boolean;
+    /** Set a cached App Check token manually (e.g. after attest flow). */
+    setCachedToken(token: string, expiresInMs: number): void;
+    /** Clean up timers and cached state. */
+    dispose(): void;
+    private scheduleRefresh;
+}
+
+/** Reserved for future user-scope options. Admin surface is in @palbase/server. */
+type AuthClientOptions = Record<string, never>;
+declare class AuthClient {
+    private readonly httpClient;
+    private readonly tokenManager;
+    private readonly apiKey;
+    private readonly baseUrl;
+    private currentSession;
+    private hasSession;
+    private _mfa;
+    /** Device attestation */
+    readonly device: DeviceClient;
+    constructor(httpClient: HttpClient, tokenManager: TokenManager, apiKey?: string, baseUrl?: string, _options?: AuthClientOptions);
+    signUp(credentials: SignUpCredentials): Promise<PalbaseResponse<{
+        user: User;
+        session: Session;
+    }>>;
+    signIn(credentials: SignInCredentials): Promise<PalbaseResponse<{
+        user: User;
+        session: Session;
+    }>>;
+    signOut(): Promise<PalbaseResponse<void>>;
+    verifyEmail(params: VerifyEmailParams): Promise<PalbaseResponse<{
+        status: string;
+    }>>;
+    resendVerification(email: string): Promise<PalbaseResponse<{
+        verification_token?: string;
+        verification_code?: string;
+    }>>;
+    requestPasswordReset(params: PasswordResetParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    confirmPasswordReset(params: PasswordResetConfirmParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    changePassword(params: PasswordChangeParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    refresh(): Promise<PalbaseResponse<TokenResponse>>;
+    getAccessToken(): string | null;
+    onTokenChange(callback: (tokens: {
+        accessToken: string | null;
+        refreshToken: string | null;
+    }) => void): () => void;
+    setTokens(accessToken: string, refreshToken: string, expiresIn?: number): void;
+    listSessions(): Promise<PalbaseResponse<AuthSession[]>>;
+    revokeSession(sessionId: string): Promise<PalbaseResponse<void>>;
+    revokeAllSessions(): Promise<PalbaseResponse<void>>;
+    get mfa(): {
+        enroll: (params: MFAEnrollParams) => Promise<PalbaseResponse<MFAEnrollResult>>;
+        verifyEnrollment: (code: string) => Promise<PalbaseResponse<{
+            status: string;
+        }>>;
+        challenge: (params: MFAChallengeParams) => Promise<PalbaseResponse<TokenResponse>>;
+        recovery: (params: MFARecoveryParams) => Promise<PalbaseResponse<TokenResponse>>;
+        listFactors: () => Promise<PalbaseResponse<{
+            factors: MFAFactor[];
+        }>>;
+        removeFactor: (factorId: string, currentPassword: string) => Promise<PalbaseResponse<{
+            status: string;
+        }>>;
+        regenerateRecoveryCodes: () => Promise<PalbaseResponse<{
+            recovery_codes: string[];
+        }>>;
+        emailEnroll: () => Promise<PalbaseResponse<{
+            status: string;
+        }>>;
+        emailChallenge: (params: MFAEmailChallengeParams) => Promise<PalbaseResponse<{
+            status: string;
+        }>>;
+        emailVerify: (params: MFAEmailVerifyParams) => Promise<PalbaseResponse<TokenResponse>>;
+    };
+    private buildMfa;
+    getOAuthURL(options: OAuthOptions): Promise<PalbaseResponse<{
+        url: string;
+    }>>;
+    signInWithCredential(params: CredentialExchangeParams): Promise<PalbaseResponse<{
+        user: User;
+        session: Session;
+    }>>;
+    listIdentities(): Promise<PalbaseResponse<{
+        identities: Identity[];
+    }>>;
+    linkIdentity(params: LinkIdentityParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    unlinkIdentity(identityId: string): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    requestMagicLink(params: MagicLinkParams): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    verifyMagicLink(params: MagicLinkVerifyParams): Promise<PalbaseResponse<{
+        user: User;
+        session: Session;
+    }>>;
+    listTrustedDevices(): Promise<PalbaseResponse<{
+        trusted_devices: TrustedDevice[];
+    }>>;
+    registerTrustedDevice(params: RegisterTrustedDeviceParams): Promise<PalbaseResponse<{
+        trusted_device_token: string;
+    }>>;
+    revokeTrustedDevice(deviceId: string): Promise<PalbaseResponse<{
+        success: boolean;
+    }>>;
+    getSession(): {
+        data: Session | null;
+        error: null;
+    };
+    onAuthStateChange(callback: AuthStateChangeCallback): {
+        data: {
+            subscription: {
+                unsubscribe: () => void;
+            };
+        };
+    };
+    /**
+     * Verify a user's JWT token by calling GET /auth/user with their token.
+     * Server-only — should NOT be exposed in client SDK.
+     */
+    verifyUserToken(jwt: string): Promise<PalbaseResponse<User>>;
+    private setSessionAndWireRefresh;
+}
 
 interface PalbeOAuthConfig {
     google?: {
@@ -26,7 +528,7 @@ interface PalbeConfig {
 }
 
 /** Frozen view of all cached flag values (what `all()` returns / `changes()` yields). */
-type FlagsView = Readonly<Record<string, FlagValue>>;
+type FlagsView = Readonly<Record<string, F>>;
 /**
  * `pb.flags` — iOS-parity facade over `FlagsPool` (cache + delta polling +
  * auth binding) and `FlagsClient` (stateless transport).
@@ -53,7 +555,7 @@ declare class PalbeFlags {
     /** Frozen snapshot of all cached values (identity-stable until a change). */
     all(): FlagsView;
     /** Raw cached value for `key`, or `undefined` when not in the cache. */
-    get(key: string): FlagValue | undefined;
+    get(key: string): F | undefined;
     /** `true` only when the cached value is strictly `true`; `fallback` when the key is absent. */
     isEnabled(key: string, fallback?: boolean): boolean;
     /** Alias of {@link isEnabled} (iOS parity). */
@@ -83,7 +585,7 @@ declare class PalbeFlags {
      * (per {@link sameFlagValue} — structural compare for objects), with the
      * new value (`undefined` = deleted). P5 React-hook substrate.
      */
-    subscribeKey(key: string, callback: (value: FlagValue | undefined) => void): Unsubscribe;
+    subscribeKey(key: string, callback: (value: F | undefined) => void): Unsubscribe;
     /**
      * Async iteration over flag changes: yields the new {@link all} view on
      * every pool change notification. The listener is detached when the
@@ -193,8 +695,8 @@ declare class PalbeRealtime {
 
 interface PalbeRuntime {
     config: PalbeConfig;
-    http: HttpClient;
-    tokenManager: TokenManager;
+    http: HttpClient$1;
+    tokenManager: TokenManager$1;
     authClient: AuthClient;
     auth: PalbeAuth;
     flags: PalbeFlags;
@@ -233,7 +735,7 @@ interface AuthUser {
 }
 interface AuthSuccess {
     user: AuthUser;
-    session: Session;
+    session: Session$1;
 }
 type AuthState = {
     status: 'signedIn';

package/dist/{chunk-JVT65V4E.js → chunk-AVEXGXRQ.js}

@@ -3043,7 +3043,7 @@ function defaultSessionStorage(key) {
 }
 
 // src/version.ts
-var VERSION = "1.0.0";
+var VERSION = "1.0.1";
 
 // src/runtime.ts
 function buildRuntime(config) {
@@ -3381,4 +3381,4 @@ export {
   pb,
   createBoundClient
 };
-//# sourceMappingURL=chunk-JVT65V4E.js.map
+//# sourceMappingURL=chunk-AVEXGXRQ.js.map