@saacms/core 0.1.0

package/dist/schema/plugin-trust.d.ts

@@ -0,0 +1,144 @@
+/**
+ * Plugin trust & capability model — ADR 0029 (refines ADR 0027 §6's `DEFERRED`
+ * capability-scoping sub-decision; ADR 0027 stays, ADR 0029 supersedes only that
+ * row).
+ *
+ * v1 trust reality (restated from ADR 0027 §6, honestly): plugins are FULLY
+ * TRUSTED. `definePlugin` packages run in-process with the runtime; the npm
+ * install step already runs arbitrary code. There is no sandbox here and this
+ * module does NOT add one. Capability *enforcement* is therefore NOT a v1
+ * security boundary — it stays `DEFERRED` (the v2 Effect-services capability
+ * redesign ADR 0027 names).
+ *
+ * What this module DOES add is the cheap, in-process, convenient→secure move
+ * (ADR 0026 Load-Bearing Rule; SRS §Ch.4 "make the insecure path noisier",
+ * §Ch.5 least privilege): a plugin may *declare* the capabilities it intends to
+ * use, and `assertPluginCapabilities` *detects* — purely, deterministically, no
+ * I/O — when a plugin's actual contributed surface exceeds its declaration. This
+ * is the exact discipline of `assertTenantIsolation` (ADR 0026 §O9 / ADR 0027
+ * §8): an additive, opt-in declare+assert affordance that makes the trap loud
+ * and cheap to avoid without changing any existing plugin/runtime behaviour.
+ *
+ * Detection ≠ enforcement. A declared-but-exceeded capability is *reported*, not
+ * *blocked*. The value is provenance/intent transparency, a supply-chain review
+ * surface, and the on-ramp to v2 enforcement — not a runtime sandbox.
+ *
+ * `capabilities` is an OPTIONAL field on `PluginDef`; an existing plugin with no
+ * declaration keeps byte-identical behaviour and is merely *listed* as
+ * undeclared (CI chooses strictness — see `strict`).
+ */
+import type { PluginDef, SaacmsConfig } from "./index.ts";
+/**
+ * The closed set of capability tags a plugin may declare. Each tag is justified
+ * by a real `PluginDef` contribution surface (ADR 0029 §Capability Vocabulary):
+ *
+ * - `collections`     — registers Collections (schema + generated CRUD surface).
+ * - `blocks`          — registers Blocks (editor/render surface).
+ * - `pages`           — registers Pages and/or Page Templates (route surface).
+ * - `routes`          — mounts custom HTTP routes under the plugin namespace.
+ * - `hooks`           — registers lifecycle hooks on Collection moments.
+ * - `services`        — publishes Effect service factories into the runtime.
+ * - `storage:read`    — reads stored rows (implied by contributing Collections).
+ * - `storage:write`   — writes stored rows (implied by Collections and/or an
+ *                        opaque one-shot `init` install effect).
+ * - `admin-pages`     — registers admin UI pages / menu entries.
+ * - `migrations`      — ships db and/or content migrations.
+ *
+ * Closed by construction so CI exhaustiveness checks and v2 enforcement have a
+ * finite, auditable surface.
+ */
+export type PluginCapability = "collections" | "blocks" | "pages" | "routes" | "hooks" | "services" | "storage:read" | "storage:write" | "admin-pages" | "migrations";
+/**
+ * The closed vocabulary as a value, ordered. Exported so CI / tests can assert
+ * exhaustiveness against the `PluginCapability` union.
+ */
+export declare const PLUGIN_CAPABILITIES: ReadonlyArray<PluginCapability>;
+/**
+ * Derive the capabilities a plugin ACTUALLY contributes from its `PluginDef`
+ * shape alone — pure, structural, no runtime introspection, no I/O.
+ *
+ * Derivation is *presence-based*: we read which `PluginDef` categories the
+ * plugin populates, not what the code inside them does (the bodies of
+ * `routes` / `hooks` / `services` / `init` are opaque `unknown` and cannot be
+ * inspected without the v2 runtime redesign — see ADR 0029 §Honest Limits).
+ * This boundary is exactly what is derivable WITHOUT a contract change, so the
+ * detector is well-defined and not BLOCKED.
+ *
+ * Mapping (ADR 0029 §Surface Derivation):
+ * - non-empty `collections`  → `collections`, `storage:read`, `storage:write`
+ * - non-empty `blocks`       → `blocks`
+ * - non-empty `pages`        → `pages`
+ * - non-empty `pageTemplates`→ `pages`
+ * - non-empty `routes`       → `routes`
+ * - non-empty `hooks`        → `hooks`
+ * - non-empty `services`     → `services`
+ * - `admin.pages`/`admin.menu` present → `admin-pages`
+ * - `migrations.db`/`.content` present → `migrations`
+ * - `init` present (opaque effect) → `storage:write`
+ *   (conservative/fail-closed: an opaque install effect cannot be proven inert,
+ *    so it is attributed the broadest data-affecting tag; declaring it is the
+ *    cheap secure move — ADR 0026 Load-Bearing Rule.)
+ */
+export declare function deriveContributedCapabilities(plugin: PluginDef): ReadonlyArray<PluginCapability>;
+export interface AssertPluginCapabilitiesOpts {
+    /**
+     * Strict mode (fail-closed): when `true`, a plugin that contributes any
+     * surface but declares NO `capabilities` at all also fails the check
+     * (`ok: false`).
+     *
+     * Default `false` for additive back-compat: existing plugins/configs with no
+     * `capabilities` declaration keep byte-identical behaviour — they are merely
+     * *listed* in `undeclared` and `ok` is unaffected by them. CI opts into the
+     * convenient→secure posture with `{ strict: true }`.
+     */
+    readonly strict?: boolean;
+}
+/**
+ * A single declared-capability escalation: `plugin` contributes `used` but did
+ * not list it among its declared `capabilities`. `declared` is always `false`
+ * for a finding (a finding *is* the absence) — it is kept on the shape so the
+ * record is self-describing for CI logs and future severity tiers.
+ */
+export interface PluginCapabilityFinding {
+    readonly plugin: string;
+    readonly used: PluginCapability;
+    readonly declared: boolean;
+}
+export interface PluginCapabilityReport {
+    /**
+     * `true` when no plugin's contributed surface exceeds its declared
+     * `capabilities`. In `strict` mode, also requires every surface-contributing
+     * plugin to have declared a `capabilities` array.
+     */
+    readonly ok: boolean;
+    /** Declared-but-exceeded escalations. Empty when no declared plugin over-reaches. */
+    readonly violations: ReadonlyArray<PluginCapabilityFinding>;
+    /**
+     * Names of plugins that contributed surface but declared NO `capabilities`.
+     * Reported regardless of `strict` so CI can choose its own policy; only
+     * affects `ok` when `strict` is `true`.
+     */
+    readonly undeclared: ReadonlyArray<string>;
+}
+/**
+ * Pure, deterministic detector. For each plugin in `config.plugins`, derive the
+ * actual contributed surface from its `PluginDef` and flag any contributed
+ * capability not present in its declared `capabilities`.
+ *
+ * - Plugin declares `capabilities`: each contributed capability NOT in the
+ *   declared set → a `violation` (`ok: false`). Declaring exactly (or a
+ *   superset of) its surface → passes.
+ * - Plugin declares NO `capabilities` (field absent): listed in `undeclared`.
+ *   Non-strict (default) ⇒ does not affect `ok` (additive back-compat). Strict
+ *   ⇒ contributes to `ok: false`.
+ *
+ * No I/O, no mutation of inputs, constant-ish time over the plugin set.
+ * Integrate into CI exactly like `assertTenantIsolation`:
+ *
+ * ```typescript
+ * const r = assertPluginCapabilities(config, { strict: true })
+ * if (!r.ok) throw new Error(`Plugin capability escalation: ${JSON.stringify(r)}`)
+ * ```
+ */
+export declare function assertPluginCapabilities(config: Pick<SaacmsConfig, "plugins">, opts?: AssertPluginCapabilitiesOpts): PluginCapabilityReport;
+//# sourceMappingURL=plugin-trust.d.ts.map

package/dist/schema/plugin-trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-trust.d.ts","sourceRoot":"","sources":["../../src/schema/plugin-trust.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAMzD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,MAAM,gBAAgB,GACxB,aAAa,GACb,QAAQ,GACR,OAAO,GACP,QAAQ,GACR,OAAO,GACP,UAAU,GACV,cAAc,GACd,eAAe,GACf,aAAa,GACb,YAAY,CAAA;AAEhB;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAE,aAAa,CAAC,gBAAgB,CAWtD,CAAA;AAMV;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,SAAS,GAChB,aAAa,CAAC,gBAAgB,CAAC,CAgCjC;AAMD,MAAM,WAAW,4BAA4B;IAC3C;;;;;;;;;OASG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAA;IAC/B,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAA;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAA;IACpB,qFAAqF;IACrF,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,uBAAuB,CAAC,CAAA;IAC3D;;;;OAIG;IACH,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAC3C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,CAAC,EACrC,IAAI,GAAE,4BAAiC,GACtC,sBAAsB,CAyBxB"}

package/dist/signals/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Cross-framework reactive primitive per ADR 0023 Part A.
+ *
+ * `@preact/signals-core` is the v1 polyfill for the TC39 Signals proposal.
+ * Block authors importing `signal` / `computed` / `effect` from `@saacms/core`
+ * get a primitive that works inside Web Component Blocks today and will swap to
+ * native `globalThis.Signal` once browsers ship it without any Block code change.
+ */
+export { signal, computed, effect } from "@preact/signals-core";
+//# sourceMappingURL=index.d.ts.map

package/dist/signals/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/signals/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA"}

package/dist/signals/index.js

@@ -0,0 +1,10 @@
+import {
+  computed,
+  effect,
+  signal
+} from "../index-172n82sz.js";
+export {
+  signal,
+  effect,
+  computed
+};

package/dist/storage/index.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Storage adapter interface per ADR 0009 (Media as a Collection kind).
+ *
+ * Implementations (`@saacms/storage-r2`, `@saacms/storage-vercel-blob`,
+ * `@saacms/storage-s3`) provide the binary-bucket primitives used by Media
+ * Collections in `bucket` storage mode. `repo`-mode collections do not go
+ * through a StorageAdapter — they're committed to the host's static-asset folder
+ * on Publish.
+ *
+ * The interface uses Web standard `Request` / `Response` shapes so the same
+ * adapter runs unchanged on Vercel Edge, Cloudflare Workers, Bun, and Node.
+ */
+/**
+ * Per-`put` options surfaced to the adapter.
+ * `contentType` and `cacheControl` map directly to the corresponding upstream
+ * object metadata (R2 / Blob / S3 all expose them).
+ */
+export interface StoragePutOptions {
+    readonly contentType?: string;
+    readonly cacheControl?: string;
+    readonly contentDisposition?: string;
+    readonly metadata?: Readonly<Record<string, string>>;
+}
+export interface StoragePutResult {
+    readonly key: string;
+    readonly etag?: string;
+    readonly size?: number;
+}
+/**
+ * Body shapes accepted by `put`. Matches the Web `BodyInit` set so callers can
+ * stream a `ReadableStream`, hand off a `Blob`, or pass a buffer.
+ */
+export type StoragePutBody = ReadableStream<Uint8Array> | Blob | ArrayBuffer | ArrayBufferView | string;
+/**
+ * Options for generating a signed URL — adapters that don't support a given
+ * verb may return a non-functional URL or throw at `signedUrl` time.
+ */
+export interface SignedUrlOptions {
+    readonly method?: "GET" | "PUT" | "DELETE";
+    /** Seconds until the signed URL expires. */
+    readonly expiresIn?: number;
+    readonly contentType?: string;
+}
+export interface StorageAdapter {
+    readonly name: string;
+    /** Upload an object. Returns the canonical key the adapter chose to store it under. */
+    put(key: string, body: StoragePutBody, opts?: StoragePutOptions): Promise<StoragePutResult>;
+    /**
+     * Fetch an object as a Web `Response`. Caller may stream the body, read it
+     * as an `ArrayBuffer`, or proxy it directly back to the user.
+     */
+    get(key: string): Promise<Response>;
+    /** Remove an object. Idempotent — removing a missing key is not an error. */
+    delete(key: string): Promise<void>;
+    /** Pre-signed URL for direct client → bucket transfer. */
+    signedUrl(key: string, opts?: SignedUrlOptions): Promise<string>;
+}
+/**
+ * Cursor-based pagination + filter options for `list`.
+ * `where` is a column→value AND-conjoined predicate set; richer expressions
+ * land in v1.x. `cursor` is opaque to the caller and adapter-defined.
+ */
+export interface ListOpts {
+    readonly limit?: number;
+    readonly cursor?: string;
+    readonly where?: Readonly<Record<string, unknown>>;
+    readonly orderBy?: ReadonlyArray<{
+        readonly col: string;
+        readonly dir: "asc" | "desc";
+    }>;
+}
+export interface ListResult<T> {
+    readonly rows: ReadonlyArray<T>;
+    readonly nextCursor: string | null;
+}
+/**
+ * Tagged error for row-storage operations. Bubbles up to the runtime which
+ * converts to RFC 9457 Problem Details (ADR 0018).
+ */
+export declare class RowStorageError extends Error {
+    readonly code: "NOT_FOUND" | "INSERT_FAILED" | "UPDATE_FAILED" | "DELETE_FAILED" | "QUERY_FAILED" | "NOT_IMPLEMENTED" | "MISCONFIGURED";
+    readonly cause?: unknown | undefined;
+    readonly name = "RowStorageError";
+    constructor(code: "NOT_FOUND" | "INSERT_FAILED" | "UPDATE_FAILED" | "DELETE_FAILED" | "QUERY_FAILED" | "NOT_IMPLEMENTED" | "MISCONFIGURED", message: string, cause?: unknown | undefined);
+}
+/**
+ * Per ADR 0030 + ADR 0020 — thrown by the storage adapter (the anti-corruption
+ * boundary) when a DB unique-constraint violation is detected. Routes check
+ * `instanceof UniqueConstraintError` to map it to a 409 response; no route
+ * ever inspects raw DB error messages.
+ */
+export declare class UniqueConstraintError extends Error {
+    readonly table: string;
+    readonly name = "UniqueConstraintError";
+    constructor(table: string, cause?: unknown);
+}
+/**
+ * Row-storage adapter — the Collection-record equivalent of `StorageAdapter`.
+ * Implementations: `@saacms/storage-d1` (v1.0); postgres / sqlite-local follow.
+ *
+ * Per ADR 0020 — the Storage bounded context fronts both binary (`StorageAdapter`)
+ * and tabular (`RowStorageAdapter`) backing stores.
+ */
+export interface RowStorageAdapter {
+    getById<T>(table: string, id: string): Promise<T | null>;
+    list<T>(table: string, opts?: ListOpts): Promise<ListResult<T>>;
+    insert<T>(table: string, row: T): Promise<{
+        id: string;
+    }>;
+    update<T>(table: string, id: string, patch: Partial<T>): Promise<void>;
+    delete(table: string, id: string): Promise<void>;
+}
+/** The shape `SaacmsConfig.storage` accepts. */
+export interface SaacmsStorageConfig {
+    /** Row store for Collection records (D1 in v1.0). */
+    readonly rows?: RowStorageAdapter;
+    /** Binary blob store for Media Collections (R2 in v1.0). */
+    readonly media?: StorageAdapter;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/storage/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/storage/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAA;IAC9B,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;IACpC,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;CACrD;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;;GAGG;AACH,MAAM,MAAM,cAAc,GACtB,cAAc,CAAC,UAAU,CAAC,GAC1B,IAAI,GACJ,WAAW,GACX,eAAe,GACf,MAAM,CAAA;AAEV;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,GAAG,QAAQ,CAAA;IAC1C,4CAA4C;IAC5C,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IAErB,uFAAuF;IACvF,GAAG,CACD,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,cAAc,EACpB,IAAI,CAAC,EAAE,iBAAiB,GACvB,OAAO,CAAC,gBAAgB,CAAC,CAAA;IAE5B;;;OAGG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAEnC,6EAA6E;IAC7E,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAElC,0DAA0D;IAC1D,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;CACjE;AAMD;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;IAClD,QAAQ,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC;QAC/B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;QACpB,QAAQ,CAAC,GAAG,EAAE,KAAK,GAAG,MAAM,CAAA;KAC7B,CAAC,CAAA;CACH;AAED,MAAM,WAAW,UAAU,CAAC,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,CAAA;IAC/B,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CACnC;AAED;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IAGtC,QAAQ,CAAC,IAAI,EACT,WAAW,GACX,eAAe,GACf,eAAe,GACf,eAAe,GACf,cAAc,GACd,iBAAiB,GACjB,eAAe;IAEnB,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO;IAX1B,SAAkB,IAAI,qBAAoB;gBAE/B,IAAI,EACT,WAAW,GACX,eAAe,GACf,eAAe,GACf,eAAe,GACf,cAAc,GACd,iBAAiB,GACjB,eAAe,EACnB,OAAO,EAAE,MAAM,EACN,KAAK,CAAC,EAAE,OAAO,YAAA;CAI3B;AAED;;;;;GAKG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;IAG5C,QAAQ,CAAC,KAAK,EAAE,MAAM;IAFxB,SAAkB,IAAI,2BAA0B;gBAErC,KAAK,EAAE,MAAM,EACtB,KAAK,CAAC,EAAE,OAAO;CAKlB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IACxD,IAAI,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAA;IAC/D,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACzD,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACjD;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IAClC,qDAAqD;IACrD,QAAQ,CAAC,IAAI,CAAC,EAAE,iBAAiB,CAAA;IACjC,4DAA4D;IAC5D,QAAQ,CAAC,KAAK,CAAC,EAAE,cAAc,CAAA;CAChC"}

package/dist/storage/index.js

@@ -0,0 +1,13 @@
+/**
+ * Storage adapter interface per ADR 0009 (Media as a Collection kind).
+ *
+ * Implementations (`@saacms/storage-r2`, `@saacms/storage-vercel-blob`,
+ * `@saacms/storage-s3`) provide the binary-bucket primitives used by Media
+ * Collections in `bucket` storage mode. `repo`-mode collections do not go
+ * through a StorageAdapter — they're committed to the host's static-asset folder
+ * on Publish.
+ *
+ * The interface uses Web standard `Request` / `Response` shapes so the same
+ * adapter runs unchanged on Vercel Edge, Cloudflare Workers, Bun, and Node.
+ */
+export {};

package/dist/tenant/index.d.ts

@@ -0,0 +1,105 @@
+/**
+ * App multi-tenancy sugar — ADR 0015 + ADR 0026 §O9.
+ *
+ * ADR 0015 defers app multi-tenancy to user code via two ADR-0006 primitives:
+ *   1. A `read` predicate returning `{ where: { [recordField]: user.claims[userField] } }`
+ *      scopes every list/read to the caller's tenant.
+ *   2. A `beforeChange` hook injecting `recordField = user.claims[userField]` on
+ *      every create/update ensures tenant ownership is set at write time.
+ *
+ * This module provides ADR-0015-consistent SUGAR — NOT a new access grain (ADR
+ * 0006 is unchanged). `tenantScoped` produces the exact shape that
+ * `defineCollection({ access, hooks })` expects. `assertTenantIsolation` is a
+ * pure CI detector that surfaces Collections whose schema has a tenant field but
+ * lacks an `access.read` predicate, making the dangerous path loud and cheap to
+ * catch (SRS §Ch.4 "Design Tradeoffs": make the insecure path noisier).
+ *
+ * If `tenantScoped` or `assertTenantIsolation` cannot be added without modifying
+ * existing access/runtime/storage behaviour, that would be a BLOCKED finding.
+ * Neither touches existing route handlers, access evaluators, or storage adapters.
+ */
+import type { AccessPredicate } from "../access/index.ts";
+import type { HookFn } from "../hooks/index.ts";
+import type { AnySchema, SaacmsConfig } from "../schema/index.ts";
+export interface TenantScopedOpts {
+    /**
+     * Key in `user.claims` that holds the tenant identifier.
+     * E.g. `"tenantId"` reads `user.claims["tenantId"]`.
+     */
+    readonly userField: string;
+    /**
+     * Record field to scope on. Defaults to `userField` when omitted.
+     * E.g. `recordField: "tenantId"` produces `{ where: { tenantId: claimValue } }`.
+     */
+    readonly recordField?: string;
+}
+export interface TenantScopedResult {
+    /**
+     * Drop into `defineCollection({ access: { read: ts.read } })`.
+     *
+     * Returns `{ where: { [recordField]: user.claims[userField] } }` for
+     * authenticated callers (scopes list + per-record read to the caller's tenant).
+     * Returns `false` (deny) for anonymous callers — anonymous cannot read
+     * tenant-scoped data.
+     */
+    readonly read: AccessPredicate;
+    readonly hooks: {
+        /**
+         * Drop into `defineCollection({ hooks: { beforeChange: ts.hooks.beforeChange } })`.
+         *
+         * Injects `recordField = user.claims[userField]` into `ctx.data` before
+         * every create/update, ensuring tenant ownership is set at write time without
+         * requiring the caller to supply it.
+         */
+        readonly beforeChange: HookFn<AnySchema>;
+    };
+}
+/**
+ * ADR-0015-consistent sugar for app multi-tenancy. Returns the `{ read, hooks }`
+ * pair that drops directly into a `defineCollection`. No new access grain.
+ *
+ * @example
+ * ```typescript
+ * const ts = tenantScoped({ userField: "tenantId" })
+ * export const Orders = defineCollection({
+ *   slug: "orders",
+ *   schema: OrderSchema,
+ *   access: { read: ts.read, create: ts.read, update: ts.read, delete: ts.read },
+ *   hooks:  { beforeChange: ts.hooks.beforeChange },
+ * })
+ * ```
+ */
+export declare function tenantScoped(opts: TenantScopedOpts): TenantScopedResult;
+export interface AssertTenantIsolationOpts {
+    /**
+     * The schema field name that carries the tenant identifier. Collections that
+     * have this field in their Effect Schema but lack an `access.read` predicate
+     * are reported as "unscoped" — they would expose data across tenants.
+     */
+    readonly tenantField: string;
+    /**
+     * Collection slugs exempt from the check (e.g. shared/public data).
+     */
+    readonly exempt?: ReadonlyArray<string>;
+}
+export interface TenantIsolationResult {
+    /** `true` when all tenant-capable collections have an `access.read` predicate. */
+    readonly ok: boolean;
+    /** Slugs of collections flagged as unscoped. Empty when `ok` is `true`. */
+    readonly unscoped: ReadonlyArray<string>;
+}
+/**
+ * Pure detector: inspects `config.collections` and returns any collection whose
+ * Effect Schema has a property named `opts.tenantField` but lacks an
+ * `access.read` predicate. Runs in constant time with no I/O.
+ *
+ * Integrate into CI:
+ * ```typescript
+ * const check = assertTenantIsolation(config, { tenantField: "tenantId" })
+ * if (!check.ok) {
+ *   throw new Error(`Missing tenant predicate on: ${check.unscoped.join(", ")}`)
+ * }
+ * ```
+ */
+export declare function assertTenantIsolation(config: SaacmsConfig, opts: AssertTenantIsolationOpts): TenantIsolationResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/tenant/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tenant/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAA;AACzD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAMjE,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC9B;AAED,MAAM,WAAW,kBAAkB;IACjC;;;;;;;OAOG;IACH,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAA;IAC9B,QAAQ,CAAC,KAAK,EAAE;QACd;;;;;;WAMG;QACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,SAAS,CAAC,CAAA;KACzC,CAAA;CACF;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,kBAAkB,CA0BvE;AAMD,MAAM,WAAW,yBAAyB;IACxC;;;;OAIG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACxC;AAED,MAAM,WAAW,qBAAqB;IACpC,kFAAkF;IAClF,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAA;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACzC;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,YAAY,EACpB,IAAI,EAAE,yBAAyB,GAC9B,qBAAqB,CAevB"}

package/dist/theme/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Theme & Scheme primitive — ADR 0033.
+ *
+ * Theme = Developer-defined token contract (Structure / Zone-2).
+ * Scheme = Owner-operated named value set (Instance / Zone-1).
+ *
+ * `defineTheme` is the additive sibling of `defineCollection` / `defineBlock` /
+ * `definePlugin`. When absent from `SaacmsConfig` ⇒ zero behaviour change.
+ *
+ * `themeFingerprint` is the pure, deterministic cache-key contribution that
+ * composes with the access fingerprint at the host adapter's cache site,
+ * preventing the saastarter cross-tenant/cross-scheme CDN bleed (ADR 0033 §5).
+ */
+/** One of the four presentation token groups. */
+export type ThemeTokenGroup = "colour" | "typography" | "radius" | "motion";
+/** Declaration of a single CSS custom-property slot in the theme contract. */
+export interface ThemeTokenDef {
+    /** CSS custom-property name WITHOUT the leading `--`. E.g. `"color-primary"`. */
+    readonly name: string;
+    readonly group: ThemeTokenGroup;
+    /** When true, a Scheme may supply a `darkTokens[name]` override. */
+    readonly dark?: boolean;
+    readonly description?: string;
+}
+/**
+ * The Developer-authored token contract. Additive optional: when absent from
+ * `SaacmsConfig` no new behaviour is introduced and all existing routes and
+ * cache keys are byte-identical (ADR 0033 §8).
+ */
+export interface ThemeDef {
+    readonly tokens: ReadonlyArray<ThemeTokenDef>;
+}
+/**
+ * Identity-function declaration — lets downstream code hold a typed reference
+ * and the codegen walk a canonical shape. Mirror of `defineCollection` et al.
+ */
+export declare function defineTheme(opts: ThemeDef): ThemeDef;
+/**
+ * Pure, deterministic cache-key contribution from the active theme context.
+ *
+ * Returns a stable opaque string that MUST be combined with the access
+ * fingerprint (e.g. `role:${role}`) to form a complete themed cache key:
+ *
+ *   `const key = `role:${role}:${themeFingerprint(schemeId, darkMode, tenant)}`
+ *
+ * Properties guaranteed (invariant 18 in security-invariants.test.ts):
+ *  - Deterministic: same inputs → same output, always.
+ *  - Stable: no random or time-based components.
+ *  - Composable: append to the access fingerprint, do not replace it.
+ *  - Discriminating: distinct across schemes, dark/light, and tenants.
+ *
+ * When `schemeId` is null (no active scheme) the fingerprint is still defined
+ * and stable — it discriminates "no scheme" from any named scheme.
+ */
+export declare function themeFingerprint(schemeId: string | null, darkMode: boolean, tenantScope?: string): string;
+//# sourceMappingURL=index.d.ts.map

package/dist/theme/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/theme/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,iDAAiD;AACjD,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAA;AAE3E,8EAA8E;AAC9E,MAAM,WAAW,aAAa;IAC5B,iFAAiF;IACjF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,KAAK,EAAE,eAAe,CAAA;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAA;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC9B;AAED;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,aAAa,CAAC,CAAA;CAC9C;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,QAAQ,GAAG,QAAQ,CAEpD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,GAAG,IAAI,EACvB,QAAQ,EAAE,OAAO,EACjB,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CAMR"}

package/dist/types/ids.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Branded ID types so the type system catches "I passed a UserID where a SessionID was expected".
+ * Per ADR 0020 (each aggregate has its own identity).
+ */
+declare const __brand: unique symbol;
+export type UserID = string & {
+    readonly [__brand]: "UserID";
+};
+export type SessionID = string & {
+    readonly [__brand]: "SessionID";
+};
+export type CollectionSlug = string & {
+    readonly [__brand]: "CollectionSlug";
+};
+export type RecordID = string & {
+    readonly [__brand]: "RecordID";
+};
+export type PageID = string & {
+    readonly [__brand]: "PageID";
+};
+export type BlockSlug = string & {
+    readonly [__brand]: "BlockSlug";
+};
+export type DraftID = string & {
+    readonly [__brand]: "DraftID";
+};
+export type PublicationID = string & {
+    readonly [__brand]: "PublicationID";
+};
+export type MigrationID = string & {
+    readonly [__brand]: "MigrationID";
+};
+export declare const id: {
+    user: (s: string) => UserID;
+    session: (s: string) => SessionID;
+    collection: (s: string) => CollectionSlug;
+    record: (s: string) => RecordID;
+    page: (s: string) => PageID;
+    block: (s: string) => BlockSlug;
+    draft: (s: string) => DraftID;
+    publication: (s: string) => PublicationID;
+    migration: (s: string) => MigrationID;
+};
+export {};
+//# sourceMappingURL=ids.d.ts.map

package/dist/types/ids.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ids.d.ts","sourceRoot":"","sources":["../../src/types/ids.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,CAAC,MAAM,OAAO,EAAE,OAAO,MAAM,CAAA;AAEpC,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAA;CAAE,CAAA;AAC9D,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,WAAW,CAAA;CAAE,CAAA;AACpE,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,gBAAgB,CAAA;CAAE,CAAA;AAC9E,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,UAAU,CAAA;CAAE,CAAA;AAClE,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAA;CAAE,CAAA;AAC9D,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,WAAW,CAAA;CAAE,CAAA;AACpE,MAAM,MAAM,OAAO,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,CAAA;CAAE,CAAA;AAChE,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,eAAe,CAAA;CAAE,CAAA;AAC5E,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,aAAa,CAAA;CAAE,CAAA;AAExE,eAAO,MAAM,EAAE;cACH,MAAM,KAAU,MAAM;iBACnB,MAAM,KAAU,SAAS;oBACtB,MAAM,KAAU,cAAc;gBAClC,MAAM,KAAU,QAAQ;cAC1B,MAAM,KAAU,MAAM;eACrB,MAAM,KAAU,SAAS;eACzB,MAAM,KAAU,OAAO;qBACjB,MAAM,KAAU,aAAa;mBAC/B,MAAM,KAAU,WAAW;CAC3C,CAAA"}

package/dist/types/ids.js

@@ -0,0 +1,15 @@
+/**
+ * Branded ID types so the type system catches "I passed a UserID where a SessionID was expected".
+ * Per ADR 0020 (each aggregate has its own identity).
+ */
+export const id = {
+    user: (s) => s,
+    session: (s) => s,
+    collection: (s) => s,
+    record: (s) => s,
+    page: (s) => s,
+    block: (s) => s,
+    draft: (s) => s,
+    publication: (s) => s,
+    migration: (s) => s,
+};

package/dist/types/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./ids.ts";
+export * from "./user.ts";
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA;AACxB,cAAc,WAAW,CAAA"}

package/dist/types/index.js

@@ -0,0 +1,6 @@
+import {
+  id
+} from "../index-r0at8zaw.js";
+export {
+  id
+};

package/dist/types/user.d.ts

@@ -0,0 +1,14 @@
+import type { UserID } from "./ids.ts";
+/**
+ * The user projection passed to access predicates and hooks.
+ * Per ADR 0020 — this is NOT the Better Auth row; it's the Identity-context
+ * projection of it that the Content/Authoring/Publishing contexts may see.
+ */
+export interface User {
+    readonly id: UserID;
+    readonly email: string | null;
+    readonly role: Role;
+    readonly claims: Readonly<Record<string, unknown>>;
+}
+export type Role = "admin" | "editor" | "viewer" | "user" | (string & {});
+//# sourceMappingURL=user.d.ts.map

package/dist/types/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/types/user.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AAEtC;;;;GAIG;AACH,MAAM,WAAW,IAAI;IACnB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IAC7B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;IACnB,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;CACnD;AAED,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA"}

package/dist/types/user.js

@@ -0,0 +1 @@
+export {};