@semiont/backend 0.5.8 → 0.5.9

package/dist/openapi.json

@@ -174,42 +174,6 @@
         }
       }
     },
-    "/api/tokens/mcp-generate": {
-      "post": {
-        "summary": "Generate MCP Token",
-        "description": "Generate a short-lived token for MCP server",
-        "tags": [
-          "Authentication"
-        ],
-        "security": [
-          {
-            "bearerAuth": []
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "MCP token generated",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/MCPGenerateResponse"
-                }
-              }
-            }
-          },
-          "401": {
-            "description": "Unauthorized",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponse"
-                }
-              }
-            }
-          }
-        }
-      }
-    },
     "/api/tokens/media": {
       "post": {
         "summary": "Generate Media Token",
@@ -426,7 +390,7 @@
     "/api/users/logout": {
       "post": {
         "summary": "Logout",
-        "description": "Logout the current user",
+        "description": "Log out the current user by revoking the per-user token epoch (SDK-AUTH-CORS Phase 2): the user's tokenVersion is incremented, so every outstanding access and refresh token for that user is rejected from here on. Returns 204 No Content — there is no session body to return.",
         "tags": [
           "Users"
         ],
@@ -436,15 +400,8 @@
           }
         ],
         "responses": {
-          "200": {
-            "description": "Logged out successfully",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/AcceptTermsResponse"
-                }
-              }
-            }
+          "204": {
+            "description": "Logged out — the user's tokens are revoked. No content."
           }
         }
       }
@@ -1168,66 +1125,6 @@
         }
       }
     },
-    "/api/tokens/mcp-setup": {
-      "get": {
-        "summary": "MCP Setup (browser-driven CLI handoff)",
-        "description": "Browser flow that generates a long-lived (30 day) MCP refresh token for the authenticated user and redirects to a localhost callback URL with the token as a query parameter. Used by CLI tooling (similar to Google's OAuth CLI flow).\n\nThe callback URL must match one of the localhost patterns (`http://localhost:<port>/...`, `http://127.0.0.1:<port>/...`, or `http://[::1]:<port>/...`).",
-        "tags": [
-          "Authentication"
-        ],
-        "security": [
-          {
-            "bearerAuth": []
-          }
-        ],
-        "parameters": [
-          {
-            "name": "callback",
-            "in": "query",
-            "required": true,
-            "description": "Localhost URL to redirect to with `?token=<refresh-token>` on success.",
-            "schema": {
-              "type": "string"
-            }
-          }
-        ],
-        "responses": {
-          "302": {
-            "description": "Redirect to the callback URL with the newly-issued refresh token appended as a `?token=` query parameter."
-          },
-          "400": {
-            "description": "Missing or non-localhost callback URL",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponse"
-                }
-              }
-            }
-          },
-          "401": {
-            "description": "Authentication required",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponse"
-                }
-              }
-            }
-          },
-          "500": {
-            "description": "Failed to generate refresh token",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponse"
-                }
-              }
-            }
-          }
-        }
-      }
-    },
     "/bus/subscribe": {
       "get": {
         "summary": "Subscribe to the Semiont event bus (SSE)",
@@ -1600,7 +1497,7 @@
     "/api/resources/{id}": {
       "get": {
         "summary": "Get a resource's stored representation (browser-friendly alias)",
-        "description": "Identical pipe to GET /resources/{id} — verbatim bytes, stored media type in Content-Type, Accept never read. Exists only as the auth affordance for `<img>` / PDF.js / download links, which cannot carry Authorization headers: the `?token=` media token or the httpOnly semiont-token cookie ride along automatically.\n\nResponses carry `Cache-Control: public, max-age=31536000, immutable` — `public` is safe here, unlike the bearer-authenticated main route, because the `?token=` is part of the cache key.",
+        "description": "Identical pipe to GET /resources/{id} — verbatim bytes, stored media type in Content-Type, Accept never read. Exists only as the auth affordance for `<img>` / PDF.js / download links, which cannot carry Authorization headers: the `?token=` media token rides along automatically.\n\nResponses carry `Cache-Control: public, max-age=31536000, immutable` — `public` is safe here, unlike the bearer-authenticated main route, because the `?token=` is part of the cache key.",
         "tags": [
           "Resources"
         ],
@@ -4007,17 +3904,6 @@
           }
         }
       },
-      "MCPGenerateResponse": {
-        "type": "object",
-        "properties": {
-          "refresh_token": {
-            "type": "string"
-          }
-        },
-        "required": [
-          "refresh_token"
-        ]
-      },
       "Motivation": {
         "type": "string",
         "enum": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@semiont/backend",
-  "version": "0.5.8",
+  "version": "0.5.9",
   "type": "module",
   "description": "Semiont backend server - pre-built for npm consumption",
   "main": "dist/index.js",
@@ -29,9 +29,9 @@
     "@hono/swagger-ui": "^0.6.1",
     "@prisma/adapter-pg": "^7.8.0",
     "@prisma/client": "^7.8.0",
-    "@semiont/core": "0.5.8",
-    "@semiont/make-meaning": "0.5.8",
-    "@semiont/observability": "0.5.8",
+    "@semiont/core": "0.5.9",
+    "@semiont/make-meaning": "0.5.9",
+    "@semiont/observability": "0.5.9",
     "ajv": "^8.20.0",
     "ajv-formats": "^3.0.1",
     "argon2": "^0.44.0",

package/prisma/migrations/20260619120000_add_token_version/migration.sql

@@ -0,0 +1,3 @@
+-- AlterTable: per-user token revocation epoch (SDK-AUTH-CORS Phase 2).
+-- Bumped on logout to invalidate every outstanding token for the user.
+ALTER TABLE "users" ADD COLUMN "tokenVersion" INTEGER NOT NULL DEFAULT 0;

package/prisma/schema.prisma

@@ -24,6 +24,7 @@ model User {
   isModerator     Boolean   @default(false) // Moderator role for content governance
   termsAcceptedAt DateTime? // When user accepted terms of service
   lastLogin       DateTime?
+  tokenVersion    Int       @default(0) // bumped on logout to revoke all of this user's tokens (SDK-AUTH-CORS Phase 2)
   createdAt       DateTime  @default(now())
   updatedAt       DateTime  @updatedAt