@possibl/rcrt-sdk 0.1.2 → 0.5.0

package/CHANGELOG.md

@@ -1,82 +1,119 @@
-# Changelog
+# @possibl/rcrt-sdk — Changelog
 
-All notable changes to `@possibl/rcrt-sdk` are documented here. The
-format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/);
-this package follows [SemVer](https://semver.org/spec/v2.0.0.html) once
-published.
+All notable changes are documented here. Follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) + [semver](https://semver.org/).
 
-## [0.1.2] — 2026-04-30
+## 0.5.0 — 2026-06-22
 
-Docs-only patch. Removes a customer reference from the README that
-shouldn't have been published — content of the package itself is
-unchanged from 0.1.1.
+Workspace membership + invitation management, plus self-serve signup and open-enrollment join. Additive only — no breaking changes.
 
-## [0.1.1] — 2026-04-30
+### Added
 
-Patch release. The SDK ships TypeScript source directly (`main:
-./src/index.ts`), which means consumer tsconfigs compile it. Stricter
-consumer settings (e.g. `noUnusedLocals: true` in
-`possibl-ai/ritual-app`) caught a stray unused import in `cards.ts`
-that the SDK's own tsconfig let pass.
+- **`client.members`** — `MembersModule`: workspace member + invitation
+  lifecycle against `/v1/tenants/{id}/members` and `/v1/tenants/{id}/invitations`.
+  Methods: `list`, `add`, `updateRole`, `remove`, `listInvitations`, `invite`,
+  `cancelInvitation`. Creating an invitation also sends the invite email
+  server-side (no separate resend endpoint — re-create to resend).
+- **`TenantMember`**, **`TenantInvitation`** types, exported from the package root.
+- **`auth.signup()`** — self-serve first-workspace provisioning
+  (`POST /v1/auth/signup`). Idempotent: returns the existing personal workspace
+  (200) when one already exists, 201 on creation. Call when `listTenants()` is
+  empty after first sign-in.
+- **`auth.joinTenant(tenantId)`** — open-enrollment self-join
+  (`POST /v1/tenants/{id}/join`). Any authenticated user may join a tenant that
+  has opted into `tenants.auto_enroll_role`; idempotent. No `X-Tenant-ID` header.
+- **`TenantMembership`** type, exported from the package root.
 
-### Fixed
+## 0.4.0 — 2026-06-18
 
-- Removed unused `ApiError` import in `src/cards.ts`. Consumers with
-  `noUnusedLocals: true` no longer fail the type-check on the SDK's
-  source.
+Chat file attachments (route-agnostic multimodal).
 
-### Internal
+### Added
 
-- Added `noUnusedLocals: true` + `noUnusedParameters: true` to the
-  SDK's own `tsconfig.json` so future bumps can't ship the same class
-  of issue. CI catches it before publish.
+- **`SendChatRequest.attachments`** — optional `ChatAttachmentRef[]`
+  (`{ file_breadcrumb_id, mime_type? }`). Upload via `client.files.upload(...)`
+  first, then pass the returned `FileRecord.id` as `file_breadcrumb_id`. The
+  server resolves the `gs://` URI + mime type and delivers the file to a
+  file-capable agent. Omitting it leaves the text-only body unchanged.
+- **`ChatAttachmentRef`** type, exported from the package root.
 
-## [0.1.0] — 2026-04-30
+## 0.3.0 — 2026-06-17
 
-First public release. Drops the `-alpha.1` suffix; signals the SDK is
-ready for frontend consumption (canonical RCRT mobile + web template
-imports it directly).
+The unified LLM model addressing release. LLM selection is now a single
+canonical `route/provider/model` address stored in the agent breadcrumb's
+`engine_config.model` (see `docs/design/LLM_PROVIDER_MODEL_RESOLUTION.md`).
+There is no runtime tier indirection, no org override layer, and no fallbacks.
 
-### Added — modules
+### Removed (breaking)
 
-- **`FilesModule`** (`client.files`) — multipart upload, list, get,
-  signed-URL download, server-side text extraction, soft delete.
-  Defaults to `tenant` scope; supports `org` / `user` for cross-
-  workspace assets.
-- **`SessionsModule`** (`client.sessions`) — `getConstellation()`
-  graph view of related sessions, `listParticipants` /
-  `addParticipant` / `removeParticipant` for multi-agent sessions.
-- **`CapabilitiesModule`** (`client.capabilities`) — `list(type)` for
-  tools / agents / services / knowledge, plus `getChattableAgents()`
-  helper that filters `interpret:promptable` to entries tagged
-  `interface:chat` / `interface:chat-default`.
-- **`IdentityModule.getUserProfile` / `updateUserProfile`** — workspace-
-  scoped editable profile breadcrumb. Returns `null` (instead of
-  throwing) when no profile has been written yet.
-- **`GrantsModule.resolveService(name)`** — server-side credential
-  resolution for tools that need to act on behalf of a workspace's
-  active service grant.
+- **`org.getLLMTiers` / `org.upsertLLMTier` / `org.deleteLLMTier`** and the
+  `OrgLLMTier` type — the `/v1/orgs/{org}/llm-tiers` endpoints and the
+  `org_intelligence_tier_overrides` layer are gone. Tiers are authoring sugar
+  expanded to a concrete address at publish time; there is no org tier override.
+- **`OrgLLMProvider.fallback_for_id`** — `org_llm_providers` is now purely a
+  credential store keyed by route. `is_default` is retained only as a
+  convenience flag for credential listing and does NOT influence resolution.
+  There is no `fallback` role and no fallback behaviour (fail loudly instead).
+
+### Added
+
+- **`EngineConfig` / `ModelAddress`** types plus `parseModelAddress`,
+  `formatModelAddress`, `isTierAddress`, and `ROUTE_TIER` — the typed mirror of
+  the Go `pkg/rcrt/types.go` `EngineConfig` and `internal/llm/address.go`
+  `ModelAddress`.
+- **`breadcrumbs.updateAgentEngineConfig(id, modelAddress, version)`** — typed
+  convenience that PATCHes an agent breadcrumb's `engine_config.model` to a
+  canonical address while preserving the rest of `content`.
+
+### Migration
+
+- `org.listLLMProviders` is unchanged (credential listing).
+- Replace any tier reads/writes with the per-agent breadcrumb address via
+  `breadcrumbs.updateAgentEngineConfig`.
+
+## 0.2.0 — 2026-06-12
+
+The convergence release: everything the MSP console reached past the SDK for is now typed surface. `@possibl/rcrt-api` consumers should migrate to this package — the legacy package is being deprecated.
+
+### Added
+
+- **`client.request(path, options)`** — public, typed escape hatch with the client's auth + tenant headers, 401/409/429 retry handling and error envelope. Apps are never blocked on an SDK release for a new gateway endpoint. `options.body` takes a plain object (SDK serialises); `options.rawBody` takes FormData/binary; `options.query` appends search params.
+- **`client.forTenant(tenantId)`** — cached, permanently-bound per-tenant client instances for parallel fleet fan-out. Replaces the mutate-one-client `setTenantId` pattern for multi-workspace reads (no shared-client races, no request serialisation).
+- **`client.marketplace`** — bundle catalogue + install lifecycle: `listBundles`, `getBundle`, `bundleStatus`, `listInstalledBundles`, `installBundle`, `updateBundle`, `repairBundle`, `pruneBundle`, `uninstallBundle`. Typed `BundleStatus` / `BundleItemResult` wire shapes matching the gateway's `/v1/marketplace/*` routes.
+- **`client.org`** — org admin surface: `get`, `listMembers`, `listTenants`, `createTenant`, `createCustomerOrg`, plus intelligence-tier overrides (`getLLMTiers`, `upsertLLMTier`, `deleteLLMTier`, `listLLMProviders`).
+- **`client.files`** — multipart `upload` (isomorphic `FormData`, no deps), `list`, `get`, `downloadUrl`, `getText`, `delete`.
+- **`client.chat`** — session utilities: `sessionBreadcrumbs`, `sessionParticipants`, `addSessionParticipant`, `removeSessionParticipant`; and `listAgents()` agent discovery (`interpret:promptable` + `interface:chat` filtering).
+- Internal fetch: `rawBody` request option for non-JSON payloads.
 
 ### Notes
 
-- `IdentityModule.listPendingInvitations` / `acceptInvitation` /
-  `declineInvitation` were already shipped in the alpha — no change.
-- Global-events SSE (`/v1/events`) is exposed as `chat.globalStream`
-  rather than its own module — an extra module would have meant a
-  duplicate config builder.
-- Tenant admin endpoints (members, resource overrides) deliberately
-  out of scope for `0.1.0`. Will land in a `0.2.x` once a consumer
-  needs them.
+- `chat.send` already supported `extra_tags` + `target_agent` — no change needed for App Control grounding tags.
+- No breaking changes; 0.1.x consumers upgrade cleanly.
+
+## 0.1.0-alpha.1 — 2026-04-23
+
+First publish. Breaking changes are expected during the `alpha` line — pin exact versions. Do not use in production until `0.1.0` stable.
+
+### Included
+
+- `RcrtClient` with auth, chat (send + stream), breadcrumbs (CRUD + tag query + semantic search), service grants, cards, identity modules.
+- Pluggable `TokenProvider` interface — SDK never touches Firebase / Auth0 / Clerk directly.
+- Pluggable `EventSource` — React Native consumers inject `react-native-sse`; browser + Node 18+ use native.
+- Typed error envelope via `ApiError.detail.code` / `KnownErrorCode`. Accepts both the canonical `{error: {code, message, details}}` and legacy `{error: "string"}` shapes during the migration window.
+- Domain types (`Card`, `Breadcrumb`, `Row`, `ChartSpec`, ...) under the main export.
+- OpenAPI-generated types (`paths`, `operations`, `components`) under `@possibl/rcrt-sdk/generated` for raw fetch-level type safety.
 
-### Dependencies
+### Known gaps
 
-- No runtime deps. The SDK is fetch + EventSource + plain TS. Bring
-  your own `EventSource` polyfill on React Native (see README).
+- No integration test suite against a live backend yet. Smoke tests (9/9) cover the mock surface. Integration harness is queued.
+- The backend's error-envelope migration is in progress (tracked in `packages/docs/guides/07-error-handling.md`). Any handler still returning `{error: "string"}` is normalised by the SDK's `parseErrorBody`.
+- React hooks / a card renderer are deliberately out of scope. See `packages/docs/recipes/react.md` for copy-pasteable patterns.
 
-### Compatibility
+### Support matrix
 
-- Node 18+ (native fetch + WHATWG URL).
-- Browsers with `fetch`, `URL`, `URLSearchParams`, `EventSource`.
-- React Native — pass an `eventSource` constructor in
-  `chat.sessionStream({ eventSource })` and bring a fetch polyfill if
-  using a runtime older than RN 0.74.
+| Runtime | Supported |
+| --- | --- |
+| Browser (Chrome 103+, Firefox 102+, Safari 16+) | Yes |
+| Node 18+ | Yes |
+| React Native + `react-native-sse` polyfill | Yes |
+| Deno 1.40+ | Untested, should work |
+| Bun 1.0+ | Untested, should work |

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Possibl AI Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -87,33 +87,47 @@ const stream = rcrt.chat.sessionStream(sessionId, handlers, {
 });
 ```
 
+## Fleet fan-out (multi-workspace apps)
+
+A console that reads dozens of workspaces in parallel should never
+mutate one client's tenant. Get a cheap, cached, permanently-bound
+client per workspace instead:
+
+```ts
+const reports = await Promise.all(
+  workspaces.map(async (ws) => {
+    const c = rcrt.forTenant(ws.tenantId);
+    return c.marketplace.listInstalledBundles();
+  }),
+);
+```
+
+## Escape hatch
+
+Any gateway endpoint the SDK hasn't wrapped yet is one call away —
+with the same auth, tenant header, retries and error envelope:
+
+```ts
+const res = await rcrt.request<{ items: unknown[] }>('/v1/some/new/endpoint', {
+  method: 'POST',
+  body: { plain: 'object' },         // SDK serialises JSON
+  query: { limit: 50 },
+});
+```
+
 ## What's exported
 
 | Symbol | Purpose |
 | --- | --- |
-| `RcrtClient` | The client. One instance per workspace session. |
+| `RcrtClient` | The client. One instance per workspace session; `forTenant()` for fan-out. |
 | `TokenProvider` | Interface — wire any IdP. |
 | `staticTokenProvider` | Static-token convenience (tests, `tk_*` workspace keys). |
 | `ApiError`, `SdkError` | Error classes. Typed + discriminable by `.status` and `.detail.code`. |
+| `MarketplaceModule`, `OrgModule`, `FilesModule` | Bundle lifecycle, org admin + LLM tiers, file upload. |
 | `Breadcrumb`, `Card`, `Row`, `ChartSpec`, ... | Every public type from the RCRT contract. Re-exportable as your UI types. |
 
 Browse `src/index.ts` for the full re-export list.
 
-### Module surface on `RcrtClient`
-
-```ts
-const rcrt = new RcrtClient({ apiUrl, tokenProvider });
-
-rcrt.auth          // identity, tenants, invitations, user profile
-rcrt.breadcrumbs   // CRUD + tag query + semantic search
-rcrt.chat          // send + sessionStream (per-session SSE) + globalStream (/v1/events)
-rcrt.cards         // JIT-UI card resolve + helpers
-rcrt.grants        // OAuth grants + initiate + resolveService
-rcrt.files         // upload / list / get / signed download / text extract / delete
-rcrt.sessions      // constellation + participants
-rcrt.capabilities  // tools / agents / services / knowledge discovery
-```
-
 ## Design notes
 
 - **Isomorphic**: zero DOM or Node-only APIs in the core. The only
@@ -142,11 +156,11 @@ Full narrative + concepts + operations playbook in
 
 ## Status
 
-**0.1.0** — first public release. Used by `possibl-ai/rcrt-template-mobile`
-and downstream apps (e.g. `possibl-ai/ritual-app`) as their canonical
-RCRT client. Surface stable; minor adjustments possible before 1.0.
-
-See [`CHANGELOG.md`](./CHANGELOG.md) for what's new in this release.
+**0.2.0** — the convergence release: marketplace/org/files modules,
+`forTenant()` fan-out and the `request()` escape hatch cover the full
+surface the production MSP console uses. `@possibl/rcrt-api` is
+deprecated in favour of this package. Shape is stable for the
+documented surface; minor adjustments possible before 1.0.
 
 ## Licence
 

package/dist/auth.d.ts

@@ -0,0 +1,45 @@
+/**
+ * TokenProvider — the seam between RCRT and your identity source.
+ *
+ * The SDK never talks to Firebase / Auth0 / Clerk directly. You wire
+ * up whichever IdP you use by implementing this interface once. On
+ * every request the SDK calls `getIdToken()` to get a fresh bearer.
+ *
+ * The provider owns refresh. If your IdP supports it (Firebase does),
+ * it should return a token that's valid for at least the next ~60s;
+ * the SDK doesn't track expiry itself.
+ *
+ * Example Firebase (web):
+ *
+ *     import { getAuth } from 'firebase/auth';
+ *     const auth = getAuth();
+ *     const tokenProvider: TokenProvider = {
+ *       async getIdToken() {
+ *         const u = auth.currentUser;
+ *         if (!u) throw new SdkError('NOT_SIGNED_IN', 'Sign in first');
+ *         return u.getIdToken(false);
+ *       },
+ *     };
+ *
+ * Example test stub:
+ *
+ *     const tokenProvider: TokenProvider = {
+ *       async getIdToken() { return 'tk_test_workspace_api_key'; },
+ *     };
+ */
+export interface TokenProvider {
+    /**
+     * Return a bearer token for the next request. Throws or rejects if
+     * the user isn't signed in / the key is missing.
+     *
+     * Implementations SHOULD refresh transparently if they know the
+     * token is close to expiry. The SDK calls this per-request and
+     * doesn't cache.
+     */
+    getIdToken(): Promise<string>;
+    /** Optional hook: called on 401. Implementations can force a refresh. */
+    onUnauthorized?(): Promise<void>;
+}
+/** Convenience: a provider that returns a static string. For workspace API keys or tests. */
+export declare function staticTokenProvider(token: string): TokenProvider;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,MAAM,WAAW,aAAa;IAC5B;;;;;;;OAOG;IACH,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAE9B,yEAAyE;IACzE,cAAc,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAClC;AAED,6FAA6F;AAC7F,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAOhE"}

package/{src/auth.ts → dist/auth.js}

@@ -27,30 +27,15 @@
  *       async getIdToken() { return 'tk_test_workspace_api_key'; },
  *     };
  */
-
 import { SdkError } from './errors.js';
-
-export interface TokenProvider {
-  /**
-   * Return a bearer token for the next request. Throws or rejects if
-   * the user isn't signed in / the key is missing.
-   *
-   * Implementations SHOULD refresh transparently if they know the
-   * token is close to expiry. The SDK calls this per-request and
-   * doesn't cache.
-   */
-  getIdToken(): Promise<string>;
-
-  /** Optional hook: called on 401. Implementations can force a refresh. */
-  onUnauthorized?(): Promise<void>;
-}
-
 /** Convenience: a provider that returns a static string. For workspace API keys or tests. */
-export function staticTokenProvider(token: string): TokenProvider {
-  if (!token) throw new SdkError('EMPTY_TOKEN', 'staticTokenProvider called with empty token');
-  return {
-    async getIdToken() {
-      return token;
-    },
-  };
+export function staticTokenProvider(token) {
+    if (!token)
+        throw new SdkError('EMPTY_TOKEN', 'staticTokenProvider called with empty token');
+    return {
+        async getIdToken() {
+            return token;
+        },
+    };
 }
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAiBvC,6FAA6F;AAC7F,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,QAAQ,CAAC,aAAa,EAAE,6CAA6C,CAAC,CAAC;IAC7F,OAAO;QACL,KAAK,CAAC,UAAU;YACd,OAAO,KAAK,CAAC;QACf,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/authn.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Identity module — `/v1/auth/*` endpoints.
+ *
+ * Distinct from the TokenProvider abstraction: this is the server-side
+ * identity surface that runs _after_ you've presented a bearer token.
+ * See `packages/docs/guides/02-auth.md`.
+ */
+import type { FetchContext } from './internal/fetch.js';
+export interface MeResponse {
+    user: {
+        id: string;
+        email: string;
+        name?: string;
+        picture?: string;
+    };
+    is_platform_admin: boolean;
+    organizations: Array<{
+        id: string;
+        name: string;
+        role: string;
+    }>;
+    tenants: Array<{
+        id: string;
+        name: string;
+        role: string;
+    }>;
+    active_tenant?: {
+        id: string;
+        name: string;
+        role: string;
+    };
+    permissions?: string[];
+    grants?: unknown[];
+}
+export interface Tenant {
+    id: string;
+    name: string;
+    org_id?: string;
+    role?: string;
+}
+export interface TenantMembership {
+    user_id: string;
+    tenant_id: string;
+    role: string;
+}
+export interface PendingInvitation {
+    id: string;
+    org_id?: string | null;
+    tenant_id?: string | null;
+    email: string;
+    role: string;
+    status: 'pending' | 'accepted' | 'declined' | 'expired' | 'cancelled';
+    expires_at: string;
+    invited_by?: {
+        id: string;
+        name?: string;
+    };
+}
+export declare class IdentityModule {
+    private readonly ctx;
+    constructor(ctx: FetchContext);
+    /**
+     * `GET /v1/auth/me` — returns identity + all accessible workspaces.
+     *
+     * Creates the user row on first sign-in. Call this before any other
+     * RCRT endpoint for brand-new Firebase users.
+     */
+    me(): Promise<MeResponse>;
+    /** List workspaces the current user is a member of. */
+    listTenants(): Promise<Tenant[]>;
+    /**
+     * `POST /v1/auth/signup` — self-serve first-workspace provisioning.
+     *
+     * Creates a personal organisation + "Personal" workspace for an
+     * authenticated user with zero org memberships. Idempotent: returns
+     * the existing personal workspace (200) when one already exists,
+     * 201 on creation. Call when `listTenants()` comes back empty after
+     * first sign-in.
+     */
+    signup(): Promise<{
+        org_id: string;
+        tenant_id: string;
+    }>;
+    /**
+     * `POST /v1/tenants/{id}/join` — self-enroll into a tenant that has
+     * opted into open enrollment via `tenants.auto_enroll_role`.
+     *
+     * Unlike member management this needs NO existing membership: any
+     * authenticated user may join, and the gateway enrolls them with the
+     * tenant's configured read-only role. Idempotent — calling it again
+     * (or when already a member) is a no-op that returns the current
+     * role. The tenant id is in the URL, so no X-Tenant-ID header is
+     * sent.
+     */
+    joinTenant(tenantId: string): Promise<TenantMembership>;
+    /** Confirm workspace membership. Client code is still responsible for setting X-Tenant-ID. */
+    selectTenant(tenantId: string): Promise<void>;
+    /** `POST /v1/auth/logout` — server-side no-op; included for symmetry + audit. */
+    logout(): Promise<void>;
+    /**
+     * `POST /v1/auth/delete-account` — cascading account deletion.
+     *
+     * **NOT YET ON `development`** at publish time — pending a follow-up
+     * PR. The SDK method exists so consumer code can compile against the
+     * intended shape; invoking it against a gateway that lacks the
+     * handler returns 404.
+     */
+    deleteAccount(): Promise<void>;
+    /** Pending invitations keyed by the caller's email. */
+    listPendingInvitations(): Promise<PendingInvitation[]>;
+    acceptInvitation(token: string): Promise<void>;
+    declineInvitation(invitationId: string): Promise<void>;
+}
+//# sourceMappingURL=authn.d.ts.map

package/dist/authn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authn.d.ts","sourceRoot":"","sources":["../src/authn.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGxD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,iBAAiB,EAAE,OAAO,CAAC;IAC3B,aAAa,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjE,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC3D,aAAa,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3D,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,WAAW,CAAC;IACtE,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAC5C;AAED,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,YAAY;IAE9C;;;;;OAKG;IACG,EAAE,IAAI,OAAO,CAAC,UAAU,CAAC;IAI/B,uDAAuD;IACjD,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAOtC;;;;;;;;OAQG;IACG,MAAM,IAAI,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAO9D;;;;;;;;;;OAUG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAO7D,8FAA8F;IACxF,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOnD,iFAAiF;IAC3E,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAO7B;;;;;;;OAOG;IACG,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAOpC,uDAAuD;IACjD,sBAAsB,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAOtD,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO9C,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAK7D"}

package/dist/authn.js

@@ -0,0 +1,107 @@
+/**
+ * Identity module — `/v1/auth/*` endpoints.
+ *
+ * Distinct from the TokenProvider abstraction: this is the server-side
+ * identity surface that runs _after_ you've presented a bearer token.
+ * See `packages/docs/guides/02-auth.md`.
+ */
+import { request } from './internal/fetch.js';
+export class IdentityModule {
+    ctx;
+    constructor(ctx) {
+        this.ctx = ctx;
+    }
+    /**
+     * `GET /v1/auth/me` — returns identity + all accessible workspaces.
+     *
+     * Creates the user row on first sign-in. Call this before any other
+     * RCRT endpoint for brand-new Firebase users.
+     */
+    async me() {
+        return request(this.ctx, '/v1/auth/me', { skipTenant: true });
+    }
+    /** List workspaces the current user is a member of. */
+    async listTenants() {
+        const res = await request(this.ctx, '/v1/auth/tenants', {
+            skipTenant: true,
+        });
+        return Array.isArray(res) ? res : (res.tenants ?? []);
+    }
+    /**
+     * `POST /v1/auth/signup` — self-serve first-workspace provisioning.
+     *
+     * Creates a personal organisation + "Personal" workspace for an
+     * authenticated user with zero org memberships. Idempotent: returns
+     * the existing personal workspace (200) when one already exists,
+     * 201 on creation. Call when `listTenants()` comes back empty after
+     * first sign-in.
+     */
+    async signup() {
+        return request(this.ctx, '/v1/auth/signup', {
+            method: 'POST',
+            skipTenant: true,
+        });
+    }
+    /**
+     * `POST /v1/tenants/{id}/join` — self-enroll into a tenant that has
+     * opted into open enrollment via `tenants.auto_enroll_role`.
+     *
+     * Unlike member management this needs NO existing membership: any
+     * authenticated user may join, and the gateway enrolls them with the
+     * tenant's configured read-only role. Idempotent — calling it again
+     * (or when already a member) is a no-op that returns the current
+     * role. The tenant id is in the URL, so no X-Tenant-ID header is
+     * sent.
+     */
+    async joinTenant(tenantId) {
+        return request(this.ctx, `/v1/tenants/${tenantId}/join`, {
+            method: 'POST',
+            skipTenant: true,
+        });
+    }
+    /** Confirm workspace membership. Client code is still responsible for setting X-Tenant-ID. */
+    async selectTenant(tenantId) {
+        await request(this.ctx, `/v1/auth/tenants/${tenantId}/select`, {
+            method: 'POST',
+            skipTenant: true,
+        });
+    }
+    /** `POST /v1/auth/logout` — server-side no-op; included for symmetry + audit. */
+    async logout() {
+        await request(this.ctx, '/v1/auth/logout', {
+            method: 'POST',
+            skipTenant: true,
+        });
+    }
+    /**
+     * `POST /v1/auth/delete-account` — cascading account deletion.
+     *
+     * **NOT YET ON `development`** at publish time — pending a follow-up
+     * PR. The SDK method exists so consumer code can compile against the
+     * intended shape; invoking it against a gateway that lacks the
+     * handler returns 404.
+     */
+    async deleteAccount() {
+        await request(this.ctx, '/v1/auth/delete-account', {
+            method: 'POST',
+            skipTenant: true,
+        });
+    }
+    /** Pending invitations keyed by the caller's email. */
+    async listPendingInvitations() {
+        const res = await request(this.ctx, '/v1/invitations/pending');
+        return Array.isArray(res) ? res : (res.invitations ?? []);
+    }
+    async acceptInvitation(token) {
+        await request(this.ctx, '/v1/invitations/accept', {
+            method: 'POST',
+            body: { token },
+        });
+    }
+    async declineInvitation(invitationId) {
+        await request(this.ctx, `/v1/invitations/${invitationId}/decline`, {
+            method: 'POST',
+        });
+    }
+}
+//# sourceMappingURL=authn.js.map

package/dist/authn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authn.js","sourceRoot":"","sources":["../src/authn.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAyC9C,MAAM,OAAO,cAAc;IACI;IAA7B,YAA6B,GAAiB;QAAjB,QAAG,GAAH,GAAG,CAAc;IAAG,CAAC;IAElD;;;;;OAKG;IACH,KAAK,CAAC,EAAE;QACN,OAAO,OAAO,CAAa,IAAI,CAAC,GAAG,EAAE,aAAa,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,MAAM,OAAO,CAAmC,IAAI,CAAC,GAAG,EAAE,kBAAkB,EAAE;YACxF,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;QACH,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM;QACV,OAAO,OAAO,CAAwC,IAAI,CAAC,GAAG,EAAE,iBAAiB,EAAE;YACjF,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB;QAC/B,OAAO,OAAO,CAAmB,IAAI,CAAC,GAAG,EAAE,eAAe,QAAQ,OAAO,EAAE;YACzE,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,8FAA8F;IAC9F,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,MAAM,OAAO,CAAO,IAAI,CAAC,GAAG,EAAE,oBAAoB,QAAQ,SAAS,EAAE;YACnE,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,iFAAiF;IACjF,KAAK,CAAC,MAAM;QACV,MAAM,OAAO,CAAO,IAAI,CAAC,GAAG,EAAE,iBAAiB,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa;QACjB,MAAM,OAAO,CAAO,IAAI,CAAC,GAAG,EAAE,yBAAyB,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,KAAK,CAAC,sBAAsB;QAC1B,MAAM,GAAG,GAAG,MAAM,OAAO,CAEvB,IAAI,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;QACvC,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,KAAa;QAClC,MAAM,OAAO,CAAO,IAAI,CAAC,GAAG,EAAE,wBAAwB,EAAE;YACtD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,EAAE,KAAK,EAAE;SAChB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,YAAoB;QAC1C,MAAM,OAAO,CAAO,IAAI,CAAC,GAAG,EAAE,mBAAmB,YAAY,UAAU,EAAE;YACvE,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;CACF"}