@soulcraft/sdk 3.7.6 → 3.8.0

package/dist/index.d.ts

@@ -21,7 +21,7 @@ export { isWriteMethod, WRITE_METHODS } from './read-only.js';
 export type { VfsModule } from './modules/vfs/types.js';
 export type { VersionsModule } from './modules/versions/types.js';
 export type { HallModule, HallRoom, HallRoomHandle, HallPubsubHandle, HallRoomEvents, HallRoomHandleEvents, HallPubsubHandleEvents, HallPubsubEvents, HallConnectionOptions, HallPeerRole, ScreenShareMode, RoomOptions, ConceptInput, RecordingManifest, RoleChangedEvent, TranscriptEvent, ConceptMentionEvent, RelationProposedEvent, SpeakerChangedEvent, PeerJoinedEvent, PeerLeftEvent, PeerPromotedEvent, PeerDemotedEvent, ViewerCountEvent, ScreenShareThumbnailEvent, ChatMessage as HallChatMessage, ChatHistoryEvent, MediaInfo as HallMediaInfo, MediaReadyEvent, MediaErrorEvent, TranscodeTarget, ReplayEntry, TopicSubscribedEvent, TopicUnsubscribedEvent, TopicMessageEvent, PresenceUpdateEvent, PresenceEntry, PresenceSnapshotEvent, } from './modules/hall/types.js';
-export type { AuthModule, PlatformRole, SoulcraftAuthProvider, SoulcraftOrganization, SoulcraftUserFields, SoulcraftSessionUser, SoulcraftSession, OIDCClientConfig, AuthMode, } from './modules/auth/types.js';
+export type { AuthModule, PlatformRole, SoulcraftAuthProvider, SoulcraftOrganization, SoulcraftUserFields, SoulcraftSessionUser, SoulcraftSession, } from './modules/auth/types.js';
 export { SOULCRAFT_USER_FIELDS, SOULCRAFT_SESSION_CONFIG, } from './modules/auth/config.js';
 export type { AiModule, AiCompleteOptions, AiCompleteResult, AiStreamOptions, AiStreamEvent, AiToolCall, AiMessage, AiContentBlock, AiTool, AiModel, } from './modules/ai/types.js';
 export { AI_MODELS } from './modules/ai/types.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC5E,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAGlE,YAAY,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAChE,YAAY,EACV,MAAM,EACN,QAAQ,EACR,MAAM,EACN,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,gBAAgB,EAChB,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,sBAAsB,GACvB,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAG7D,YAAY,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAGvD,YAAY,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAGjE,YAAY,EACV,UAAU,EACV,QAAQ,EACR,cAAc,EACd,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,EACrB,YAAY,EACZ,eAAe,EACf,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,yBAAyB,EACzB,WAAW,IAAI,eAAe,EAC9B,gBAAgB,EAChB,SAAS,IAAI,aAAa,EAC1B,eAAe,EACf,eAAe,EACf,eAAe,EACf,WAAW,EACX,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACb,qBAAqB,GACtB,MAAM,yBAAyB,CAAA;AAGhC,YAAY,EACV,UAAU,EACV,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,QAAQ,GACT,MAAM,yBAAyB,CAAA;AAIhC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAGjC,YAAY,EACV,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,UAAU,EACV,SAAS,EACT,cAAc,EACd,MAAM,EACN,OAAO,GACR,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAGjD,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,cAAc,GACf,MAAM,2BAA2B,CAAA;AAGlC,YAAY,EACV,YAAY,EACZ,KAAK,EACL,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAGlC,YAAY,EACV,aAAa,EACb,aAAa,EACb,eAAe,EACf,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,gBAAgB,GACjB,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EACV,UAAU,EACV,kBAAkB,GACnB,MAAM,yBAAyB,CAAA;AAGhC,YAAY,EACV,YAAY,EACZ,UAAU,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,QAAQ,EACR,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,QAAQ,EACR,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,uBAAuB,EACvB,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,uBAAuB,GACxB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9D,YAAY,EACV,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,UAAU,EACV,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,GAChB,MAAM,kCAAkC,CAAA;AAGzC,YAAY,EACV,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,UAAU,CAAA;AAGjB,YAAY,EACV,mBAAmB,EAEnB,aAAa,EACb,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,gBAAgB,EAChB,gBAAgB,EAEhB,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,sBAAsB,EACtB,SAAS,EACT,SAAS,EACT,SAAS,EACT,UAAU,EACV,YAAY,EACZ,cAAc,EACd,UAAU,EACV,aAAa,EACb,eAAe,EACf,aAAa,EACb,cAAc,EACd,YAAY,EACZ,cAAc,EACd,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,YAAY,EACZ,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,sBAAsB,EACtB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,iBAAiB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAC5E,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA;AAGlE,YAAY,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAChE,YAAY,EACV,MAAM,EACN,QAAQ,EACR,MAAM,EACN,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,gBAAgB,EAChB,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,4BAA4B,EAC5B,qBAAqB,GACtB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,sBAAsB,GACvB,MAAM,4BAA4B,CAAA;AAGnC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAG7D,YAAY,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAA;AAGvD,YAAY,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAGjE,YAAY,EACV,UAAU,EACV,QAAQ,EACR,cAAc,EACd,gBAAgB,EAChB,cAAc,EACd,oBAAoB,EACpB,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,EACrB,YAAY,EACZ,eAAe,EACf,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,mBAAmB,EACnB,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,yBAAyB,EACzB,WAAW,IAAI,eAAe,EAC9B,gBAAgB,EAChB,SAAS,IAAI,aAAa,EAC1B,eAAe,EACf,eAAe,EACf,eAAe,EACf,WAAW,EACX,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,mBAAmB,EACnB,aAAa,EACb,qBAAqB,GACtB,MAAM,yBAAyB,CAAA;AAGhC,YAAY,EACV,UAAU,EACV,YAAY,EACZ,qBAAqB,EACrB,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,yBAAyB,CAAA;AAGhC,OAAO,EACL,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAGjC,YAAY,EACV,QAAQ,EACR,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,UAAU,EACV,SAAS,EACT,cAAc,EACd,MAAM,EACN,OAAO,GACR,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAGjD,YAAY,EACV,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EAClB,aAAa,EACb,cAAc,EACd,cAAc,GACf,MAAM,2BAA2B,CAAA;AAGlC,YAAY,EACV,YAAY,EACZ,KAAK,EACL,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,2BAA2B,CAAA;AAGlC,YAAY,EACV,aAAa,EACb,aAAa,EACb,eAAe,EACf,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,gBAAgB,GACjB,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EACV,UAAU,EACV,kBAAkB,GACnB,MAAM,yBAAyB,CAAA;AAGhC,YAAY,EACV,YAAY,EACZ,UAAU,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,QAAQ,EACR,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,QAAQ,EACR,kBAAkB,EAClB,gBAAgB,EAChB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,uBAAuB,EACvB,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,EAChB,YAAY,EACZ,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,uBAAuB,GACxB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA;AAG9D,YAAY,EACV,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,UAAU,EACV,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,0BAA0B,GAC3B,MAAM,4BAA4B,CAAA;AAGnC,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,eAAe,GAChB,MAAM,kCAAkC,CAAA;AAGzC,YAAY,EACV,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,GACrB,MAAM,UAAU,CAAA;AAGjB,YAAY,EACV,mBAAmB,EAEnB,aAAa,EACb,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,eAAe,EACf,iBAAiB,EACjB,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,gBAAgB,EAChB,gBAAgB,EAEhB,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,sBAAsB,EACtB,SAAS,EACT,SAAS,EACT,SAAS,EACT,UAAU,EACV,YAAY,EACZ,cAAc,EACd,UAAU,EACV,aAAa,EACb,eAAe,EACf,aAAa,EACb,cAAc,EACd,YAAY,EACZ,cAAc,EACd,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,SAAS,EACT,YAAY,EACZ,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,sBAAsB,EACtB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,iBAAiB,CAAA"}

package/dist/index.js

@@ -17,8 +17,7 @@ export { SDKError, SDKDisconnectedError, SDKTimeoutError, SDKAuthError, SDKForbi
 // ── Read-only enforcement (shared registry) ─────────────────────────────────
 export { isWriteMethod, WRITE_METHODS } from './read-only.js';
 // SOULCRAFT_USER_FIELDS and SOULCRAFT_SESSION_CONFIG are pure constants — safe on shared entry.
-// computeEmailHash, getAuthMode, getOIDCClientConfig use node:crypto / process.env.
-// Import those from @soulcraft/sdk/server.
+// computeEmailHash uses node:crypto — import from @soulcraft/sdk/server.
 export { SOULCRAFT_USER_FIELDS, SOULCRAFT_SESSION_CONFIG, } from './modules/auth/config.js';
 export { AI_MODELS } from './modules/ai/types.js';
 export { SOULCRAFT_FORMATS } from './modules/formats/types.js';

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA+BH,iFAAiF;AACjF,qCAAqC;AACrC,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,sBAAsB,GACvB,MAAM,4BAA4B,CAAA;AAEnC,+EAA+E;AAC/E,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AA8D7D,gGAAgG;AAChG,oFAAoF;AACpF,2CAA2C;AAC3C,OAAO,EACL,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAejC,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAoFjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AA+BH,iFAAiF;AACjF,qCAAqC;AACrC,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,sBAAsB,GACvB,MAAM,4BAA4B,CAAA;AAEnC,+EAA+E;AAC/E,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AA4D7D,gGAAgG;AAChG,yEAAyE;AACzE,OAAO,EACL,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,0BAA0B,CAAA;AAejC,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AAoFjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAA"}

package/dist/modules/auth/config.d.ts

@@ -38,7 +38,6 @@
  * })
  * ```
  */
-import type { AuthMode, OIDCClientConfig } from './types.js';
 /**
  * Additional fields to register on the better-auth `user` table.
  *
@@ -90,33 +89,4 @@ export declare const SOULCRAFT_SESSION_CONFIG: {
  * // → 'b4c9a289522dd28a04617a41d7b14cf18d43d06febe513d9e27b5da67c17e52e'
  */
 export declare function computeEmailHash(email: string): string;
-/**
- * Determine the authentication mode from environment variables.
- *
- * - `'standalone'`  — each product runs its own better-auth instance with a local
- *   SQLite database. No cross-product SSO. Default before `auth.soulcraft.com` is live.
- * - `'oidc-client'` — set `SOULCRAFT_IDP_URL` to activate. The product's better-auth
- *   instance delegates all authentication to the central IdP.
- *
- * @returns The current auth mode derived from `SOULCRAFT_IDP_URL`.
- */
-export declare function getAuthMode(): AuthMode;
-/**
- * Read OIDC client configuration from environment variables.
- *
- * Returns `null` in standalone mode (when `SOULCRAFT_IDP_URL` is unset).
- * Throws with a descriptive message if the URL is set but required variables
- * are missing — prevents silent misconfiguration.
- *
- * | Variable                     | Required | Description                             |
- * |------------------------------|----------|-----------------------------------------|
- * | `SOULCRAFT_IDP_URL`          | Yes      | Central IdP base URL                    |
- * | `SOULCRAFT_OIDC_CLIENT_ID`   | Yes      | This product's registered client ID     |
- * | `SOULCRAFT_OIDC_CLIENT_SECRET` | Yes    | This product's registered client secret |
- * | `SOULCRAFT_OIDC_REDIRECT_URI`  | No     | Deprecated — auto-derived from BETTER_AUTH_URL |
- *
- * @returns OIDC client config or null in standalone mode.
- * @throws {Error} If `SOULCRAFT_IDP_URL` is set but client ID or secret are missing.
- */
-export declare function getOIDCClientConfig(): OIDCClientConfig | null;
 //# sourceMappingURL=config.d.ts.map

package/dist/modules/auth/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAM5D;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;CAWxB,CAAA;AAMV;;;;;;;GAOG;AACH,eAAO,MAAM,wBAAwB;;;CAG3B,CAAA;AAMV;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAItD;AAMD;;;;;;;;;GASG;AACH,wBAAgB,WAAW,IAAI,QAAQ,CAEtC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAuB7D"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAQH;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;CAWxB,CAAA;AAMV;;;;;;;GAOG;AACH,eAAO,MAAM,wBAAwB;;;CAG3B,CAAA;AAMV;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAItD"}

package/dist/modules/auth/config.js

@@ -103,56 +103,4 @@ export function computeEmailHash(email) {
         .update(email.toLowerCase().trim())
         .digest('hex');
 }
-// ─────────────────────────────────────────────────────────────────────────────
-// SSO / OIDC environment helpers
-// ─────────────────────────────────────────────────────────────────────────────
-/**
- * Determine the authentication mode from environment variables.
- *
- * - `'standalone'`  — each product runs its own better-auth instance with a local
- *   SQLite database. No cross-product SSO. Default before `auth.soulcraft.com` is live.
- * - `'oidc-client'` — set `SOULCRAFT_IDP_URL` to activate. The product's better-auth
- *   instance delegates all authentication to the central IdP.
- *
- * @returns The current auth mode derived from `SOULCRAFT_IDP_URL`.
- */
-export function getAuthMode() {
-    return process.env['SOULCRAFT_IDP_URL'] ? 'oidc-client' : 'standalone';
-}
-/**
- * Read OIDC client configuration from environment variables.
- *
- * Returns `null` in standalone mode (when `SOULCRAFT_IDP_URL` is unset).
- * Throws with a descriptive message if the URL is set but required variables
- * are missing — prevents silent misconfiguration.
- *
- * | Variable                     | Required | Description                             |
- * |------------------------------|----------|-----------------------------------------|
- * | `SOULCRAFT_IDP_URL`          | Yes      | Central IdP base URL                    |
- * | `SOULCRAFT_OIDC_CLIENT_ID`   | Yes      | This product's registered client ID     |
- * | `SOULCRAFT_OIDC_CLIENT_SECRET` | Yes    | This product's registered client secret |
- * | `SOULCRAFT_OIDC_REDIRECT_URI`  | No     | Deprecated — auto-derived from BETTER_AUTH_URL |
- *
- * @returns OIDC client config or null in standalone mode.
- * @throws {Error} If `SOULCRAFT_IDP_URL` is set but client ID or secret are missing.
- */
-export function getOIDCClientConfig() {
-    const idpUrl = process.env['SOULCRAFT_IDP_URL'];
-    if (!idpUrl)
-        return null;
-    const clientId = process.env['SOULCRAFT_OIDC_CLIENT_ID'];
-    const clientSecret = process.env['SOULCRAFT_OIDC_CLIENT_SECRET'];
-    if (!clientId || !clientSecret) {
-        const missing = [
-            !clientId && 'SOULCRAFT_OIDC_CLIENT_ID',
-            !clientSecret && 'SOULCRAFT_OIDC_CLIENT_SECRET',
-        ].filter(Boolean).join(', ');
-        throw new Error(`SOULCRAFT_IDP_URL is set to "${idpUrl}" but the following required OIDC ` +
-            `client environment variables are missing: ${missing}. ` +
-            `Either set both variables for OIDC client mode, or unset SOULCRAFT_IDP_URL ` +
-            `to run in standalone mode.`);
-    }
-    const redirectUri = process.env['SOULCRAFT_OIDC_REDIRECT_URI'];
-    return { idpUrl, clientId, clientSecret, ...(redirectUri ? { redirectUri } : {}) };
-}
 //# sourceMappingURL=config.js.map

package/dist/modules/auth/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/modules/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAGxC,gFAAgF;AAChF,gCAAgC;AAChC,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY,EAAE;QACZ,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,SAAS;KACxB;IACD,SAAS,EAAE;QACT,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,EAAE;KACjB;CACO,CAAA;AAEV,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;IAC5B,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;CACf,CAAA;AAEV,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;SAClC,MAAM,CAAC,KAAK,CAAC,CAAA;AAClB,CAAC;AAED,gFAAgF;AAChF,iCAAiC;AACjC,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAA;AACxE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAA;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAExB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAA;IACxD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAA;IAEhE,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG;YACd,CAAC,QAAQ,IAAI,0BAA0B;YACvC,CAAC,YAAY,IAAI,8BAA8B;SAChD,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE5B,MAAM,IAAI,KAAK,CACb,gCAAgC,MAAM,oCAAoC;YAC1E,6CAA6C,OAAO,IAAI;YACxD,6EAA6E;YAC7E,4BAA4B,CAC7B,CAAA;IACH,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAA;IAC9D,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAA;AACpF,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/modules/auth/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,gFAAgF;AAChF,gCAAgC;AAChC,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,YAAY,EAAE;QACZ,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,SAAS;KACxB;IACD,SAAS,EAAE;QACT,IAAI,EAAE,QAAiB;QACvB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,EAAE;KACjB;CACO,CAAA;AAEV,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;IAC5B,SAAS,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE;CACf,CAAA;AAEV,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;SAClC,MAAM,CAAC,KAAK,CAAC,CAAA;AAClB,CAAC"}

package/dist/modules/auth/products.d.ts

@@ -1,34 +1,29 @@
 /**
  * @module modules/auth/products
- * @description Centralized registry of all Soulcraft platform products and their
- * auth configuration. This is the single source of truth for:
+ * @description Centralized registry of all Soulcraft platform products.
+ * Single source of truth for:
  *
  * - Which products exist on the platform
  * - Their production domains and local dev ports
- * - Their OIDC client IDs and redirect callback paths
- * - Whether they require backchannel logout support
- * - Which env var holds their OIDC client secret
+ * - Their product identifiers
  *
- * The auth server (`auth.soulcraft.com`) consumes this registry to derive all
- * its registration arrays — trusted origins, CORS, OIDC trusted clients, and
- * backchannel logout recipients — instead of maintaining five parallel hardcoded lists.
+ * The auth server (`auth.soulcraft.com`) consumes this registry to derive
+ * trusted origins and CORS allowlists. Products authenticate via shared
+ * `.soulcraft.com` session cookies — no OIDC, no client secrets.
  *
  * ## Adding a new product
  *
- * 1. Add an entry to `SOULCRAFT_PRODUCTS` below (TypeScript enforces completeness).
- * 2. Add `{PRODUCT}_OIDC_CLIENT_SECRET` (or equivalent) to the auth server's
- *    `.env.production`. Generate with: `openssl rand -hex 32`
- * 3. Publish a new version of `@soulcraft/sdk`.
- * 4. Deploy the auth server — it will pick up the new product automatically.
- * 5. Set `SOULCRAFT_IDP_URL` in the product's own `.env.production`.
- *
- * @see ADR-002-product-registry.md for design rationale.
+ * 1. Add an entry to `SOULCRAFT_PRODUCTS` below.
+ * 2. Publish a new version of `@soulcraft/sdk`.
+ * 3. Deploy the auth server — it picks up the new product automatically.
+ * 4. Set `SOULCRAFT_AUTH_URL` in the product's `.env.production`.
  */
 /**
- * Full auth configuration for a single Soulcraft platform product.
+ * Auth configuration for a single Soulcraft platform product.
  *
- * Consumed by the auth server to derive trusted origins, CORS origins, OIDC
- * client registrations, and backchannel logout recipients.
+ * Consumed by the auth server to derive trusted origins and CORS origins.
+ * Products authenticate via shared `.soulcraft.com` session cookie — no OIDC,
+ * no client secrets, no token exchange.
  */
 export interface ProductRegistration {
     /** Human-readable display name, e.g. `"Soulcraft Workshop"`. */
@@ -41,43 +36,10 @@ export interface ProductRegistration {
     /** Local development port. Used to derive `http://localhost:{devPort}` origins. */
     devPort: number;
     /**
-     * OIDC client ID registered on the auth server.
+     * Product identifier. Used in login URLs and session metadata.
      * Must be unique across all products. e.g. `"workshop"`.
      */
     clientId: string;
-    /**
-     * Name of the environment variable that holds this product's OIDC client secret
-     * (or backchannel secret for cookie-proxy products). e.g. `"WORKSHOP_OIDC_CLIENT_SECRET"`.
-     */
-    secretEnvVar: string;
-    /**
-     * How this product authenticates users:
-     * - `'oidc-redirect'` — full OIDC authorization code flow with redirect callbacks
-     * - `'cookie-proxy'` — validates the shared `.soulcraft.com` session cookie directly
-     *   against `GET /api/auth/get-session`; no OIDC redirect involved
-     */
-    authMode: 'oidc-redirect' | 'cookie-proxy';
-    /**
-     * Paths on this product's origin that the auth server should register as OIDC
-     * redirect URIs. Empty array for cookie-proxy products. Both production and dev
-     * variants are derived automatically via `deriveRedirectUrls`.
-     */
-    callbackPaths: string[];
-    /**
-     * Additional paths to include as OIDC redirect URIs beyond the callback paths.
-     * Typically the homepage (`"/"`) which is used as `post_logout_redirect_uri`.
-     * Defaults to `["/"]` when omitted.
-     */
-    extraRedirectPaths?: string[];
-    /**
-     * When `true`, the auth server includes this product in its OIDC backchannel
-     * logout registry. The product's `{domain}/api/auth/backchannel-logout` endpoint
-     * will be notified on every sign-out so it can terminate local sessions immediately.
-     *
-     * Set to `false` only for products that do not implement a backchannel endpoint
-     * (e.g. read-only dashboards, analytics tools).
-     */
-    backchannelRequired: boolean;
 }
 /**
  * Central registry of all Soulcraft platform products.
@@ -97,66 +59,36 @@ export declare const SOULCRAFT_PRODUCTS: {
         readonly domain: "workshop.soulcraft.com";
         readonly devPort: 5001;
         readonly clientId: "workshop";
-        readonly secretEnvVar: "WORKSHOP_OIDC_CLIENT_SECRET";
-        readonly authMode: "oidc-redirect";
-        readonly callbackPaths: ["/api/auth/oauth2/callback/soulcraft-idp", "/api/auth/callback/soulcraft-idp"];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: true;
     };
     readonly venue: {
         readonly name: "Soulcraft Venue";
         readonly domain: "venue.soulcraft.com";
         readonly devPort: 5174;
         readonly clientId: "venue";
-        readonly secretEnvVar: "VENUE_OIDC_CLIENT_SECRET";
-        readonly authMode: "oidc-redirect";
-        readonly callbackPaths: ["/api/auth/callback/soulcraft-idp"];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: true;
     };
     readonly portal: {
         readonly name: "Soulcraft Portal";
         readonly domain: "soulcraft.com";
         readonly devPort: 8080;
         readonly clientId: "portal";
-        readonly secretEnvVar: "PORTAL_OIDC_CLIENT_SECRET";
-        readonly authMode: "oidc-redirect";
-        readonly callbackPaths: ["/api/auth/callback/soulcraft-idp", "/auth/callback"];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: true;
     };
     readonly academy: {
         readonly name: "Soulcraft Academy";
         readonly domain: "academy.soulcraft.com";
         readonly devPort: 5002;
         readonly clientId: "academy";
-        readonly secretEnvVar: "ACADEMY_OIDC_CLIENT_SECRET";
-        readonly authMode: "oidc-redirect";
-        readonly callbackPaths: ["/api/auth/callback/soulcraft-idp"];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: true;
     };
     readonly pulse: {
         readonly name: "Soulcraft Pulse";
         readonly domain: "pulse.soulcraft.com";
         readonly devPort: 5004;
         readonly clientId: "pulse";
-        readonly secretEnvVar: "PULSE_BACKCHANNEL_SECRET";
-        readonly authMode: "cookie-proxy";
-        readonly callbackPaths: [];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: false;
     };
     readonly imagine: {
         readonly name: "Soulcraft Imagine";
         readonly domain: "imagine.soulcraft.com";
         readonly devPort: 5005;
         readonly clientId: "imagine";
-        readonly secretEnvVar: "IMAGINE_OIDC_SECRET";
-        readonly authMode: "oidc-redirect";
-        readonly callbackPaths: ["/api/auth/callback/soulcraft-idp"];
-        readonly extraRedirectPaths: ["/"];
-        readonly backchannelRequired: false;
     };
 };
 /**
@@ -195,25 +127,30 @@ export type SoulcraftProduct = keyof typeof SOULCRAFT_PRODUCTS;
  */
 export declare function deriveOrigins(): string[];
 /**
- * Derive all OIDC redirect URIs for a single product registration.
+ * Build a login URL that redirects the user to auth.soulcraft.com.
  *
- * Combines callback paths and extra redirect paths, generating both production
- * and local development variants for each. Results are ordered: production paths
- * first (all), then dev paths (all), matching the ordering in the auth server.
+ * After authentication, the user is redirected back to the `redirect` URL
+ * with the `.soulcraft.com` session cookie set. For custom domains, the
+ * auth server uses a one-time code exchange instead.
  *
- * @param p - A `ProductRegistration` from `SOULCRAFT_PRODUCTS`.
- * @returns List of fully-qualified redirect URI strings.
+ * @param options - Login URL parameters.
+ * @returns Fully-qualified login URL string.
  *
  * @example
- * deriveRedirectUrls(SOULCRAFT_PRODUCTS.workshop)
- * // → [
- * //   'https://workshop.soulcraft.com/api/auth/oauth2/callback/soulcraft-idp',
- * //   'https://workshop.soulcraft.com/api/auth/callback/soulcraft-idp',
- * //   'https://workshop.soulcraft.com/',
- * //   'http://localhost:5001/api/auth/oauth2/callback/soulcraft-idp',
- * //   'http://localhost:5001/api/auth/callback/soulcraft-idp',
- * //   'http://localhost:5001/',
- * // ]
+ * getLoginUrl({ product: 'venue', redirect: 'https://venue.soulcraft.com/dashboard' })
+ * // → 'https://auth.soulcraft.com/login?product=venue&redirect=https%3A%2F%2Fvenue.soulcraft.com%2Fdashboard'
+ *
+ * getLoginUrl({ product: 'venue', redirect: '/book', tenant: 'wicks-and-whiskers' })
+ * // → 'https://auth.soulcraft.com/login?product=venue&redirect=%2Fbook&tenant=wicks-and-whiskers'
  */
-export declare function deriveRedirectUrls(p: ProductRegistration): string[];
+export declare function getLoginUrl(options: {
+    /** Product identifier. */
+    product: string;
+    /** URL to redirect to after successful authentication. */
+    redirect: string;
+    /** Venue tenant slug for branded login page. */
+    tenant?: string;
+    /** Auth server base URL. Defaults to SOULCRAFT_AUTH_URL env var or https://auth.soulcraft.com. */
+    authUrl?: string;
+}): string;
 //# sourceMappingURL=products.d.ts.map

package/dist/modules/auth/products.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"products.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/products.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAMH;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAA;IACZ;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd,mFAAmF;IACnF,OAAO,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAA;IACpB;;;;;OAKG;IACH,QAAQ,EAAE,eAAe,GAAG,cAAc,CAAA;IAC1C;;;;OAIG;IACH,aAAa,EAAE,MAAM,EAAE,CAAA;IACvB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC7B;;;;;;;OAOG;IACH,mBAAmB,EAAE,OAAO,CAAA;CAC7B;AAMD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0EyB,CAAA;AAExD;;;;;;;;;;GAUG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,OAAO,kBAAkB,CAAA;AAM9D;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,IAAI,MAAM,EAAE,CAcxC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,EAAE,mBAAmB,GAAG,MAAM,EAAE,CAanE"}
+{"version":3,"file":"products.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/products.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAMH;;;;;;GAMG;AACH,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,IAAI,EAAE,MAAM,CAAA;IACZ;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd,mFAAmF;IACnF,OAAO,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAA;CACjB;AAMD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCyB,CAAA;AAExD;;;;;;;;;;GAUG;AACH,MAAM,MAAM,gBAAgB,GAAG,MAAM,OAAO,kBAAkB,CAAA;AAM9D;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,IAAI,MAAM,EAAE,CAcxC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE;IACnC,0BAA0B;IAC1B,OAAO,EAAE,MAAM,CAAA;IACf,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAA;IAChB,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kGAAkG;IAClG,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,GAAG,MAAM,CAUT"}

package/dist/modules/auth/products.js

@@ -1,28 +1,22 @@
 /**
  * @module modules/auth/products
- * @description Centralized registry of all Soulcraft platform products and their
- * auth configuration. This is the single source of truth for:
+ * @description Centralized registry of all Soulcraft platform products.
+ * Single source of truth for:
  *
  * - Which products exist on the platform
  * - Their production domains and local dev ports
- * - Their OIDC client IDs and redirect callback paths
- * - Whether they require backchannel logout support
- * - Which env var holds their OIDC client secret
+ * - Their product identifiers
  *
- * The auth server (`auth.soulcraft.com`) consumes this registry to derive all
- * its registration arrays — trusted origins, CORS, OIDC trusted clients, and
- * backchannel logout recipients — instead of maintaining five parallel hardcoded lists.
+ * The auth server (`auth.soulcraft.com`) consumes this registry to derive
+ * trusted origins and CORS allowlists. Products authenticate via shared
+ * `.soulcraft.com` session cookies — no OIDC, no client secrets.
  *
  * ## Adding a new product
  *
- * 1. Add an entry to `SOULCRAFT_PRODUCTS` below (TypeScript enforces completeness).
- * 2. Add `{PRODUCT}_OIDC_CLIENT_SECRET` (or equivalent) to the auth server's
- *    `.env.production`. Generate with: `openssl rand -hex 32`
- * 3. Publish a new version of `@soulcraft/sdk`.
- * 4. Deploy the auth server — it will pick up the new product automatically.
- * 5. Set `SOULCRAFT_IDP_URL` in the product's own `.env.production`.
- *
- * @see ADR-002-product-registry.md for design rationale.
+ * 1. Add an entry to `SOULCRAFT_PRODUCTS` below.
+ * 2. Publish a new version of `@soulcraft/sdk`.
+ * 3. Deploy the auth server — it picks up the new product automatically.
+ * 4. Set `SOULCRAFT_AUTH_URL` in the product's `.env.production`.
  */
 // ─────────────────────────────────────────────────────────────────────────────
 // Registry
@@ -45,73 +39,36 @@ export const SOULCRAFT_PRODUCTS = {
         domain: 'workshop.soulcraft.com',
         devPort: 5001,
         clientId: 'workshop',
-        secretEnvVar: 'WORKSHOP_OIDC_CLIENT_SECRET',
-        authMode: 'oidc-redirect',
-        callbackPaths: [
-            '/api/auth/oauth2/callback/soulcraft-idp',
-            // Legacy path kept for in-flight sessions during transitions
-            '/api/auth/callback/soulcraft-idp',
-        ],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: true,
     },
     venue: {
         name: 'Soulcraft Venue',
         domain: 'venue.soulcraft.com',
         devPort: 5174,
         clientId: 'venue',
-        secretEnvVar: 'VENUE_OIDC_CLIENT_SECRET',
-        authMode: 'oidc-redirect',
-        callbackPaths: ['/api/auth/callback/soulcraft-idp'],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: true,
     },
     portal: {
         name: 'Soulcraft Portal',
         domain: 'soulcraft.com',
         devPort: 8080,
         clientId: 'portal',
-        secretEnvVar: 'PORTAL_OIDC_CLIENT_SECRET',
-        authMode: 'oidc-redirect',
-        callbackPaths: ['/api/auth/callback/soulcraft-idp', '/auth/callback'],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: true,
     },
     academy: {
         name: 'Soulcraft Academy',
         domain: 'academy.soulcraft.com',
         devPort: 5002,
         clientId: 'academy',
-        secretEnvVar: 'ACADEMY_OIDC_CLIENT_SECRET',
-        authMode: 'oidc-redirect',
-        callbackPaths: ['/api/auth/callback/soulcraft-idp'],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: true,
     },
     pulse: {
         name: 'Soulcraft Pulse',
         domain: 'pulse.soulcraft.com',
         devPort: 5004,
         clientId: 'pulse',
-        // Pulse uses cookie-proxy; PULSE_BACKCHANNEL_SECRET doubles as the OIDC client
-        // secret for the minimal OIDC client entry that registers the homepage as a valid
-        // post_logout_redirect_uri. Backchannel is best-effort; no startup failure if absent.
-        secretEnvVar: 'PULSE_BACKCHANNEL_SECRET',
-        authMode: 'cookie-proxy',
-        callbackPaths: [],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: false,
     },
     imagine: {
         name: 'Soulcraft Imagine',
         domain: 'imagine.soulcraft.com',
         devPort: 5005,
         clientId: 'imagine',
-        secretEnvVar: 'IMAGINE_OIDC_SECRET',
-        authMode: 'oidc-redirect',
-        callbackPaths: ['/api/auth/callback/soulcraft-idp'],
-        extraRedirectPaths: ['/'],
-        backchannelRequired: false,
     },
 };
 // ─────────────────────────────────────────────────────────────────────────────
@@ -152,35 +109,32 @@ export function deriveOrigins() {
     return origins;
 }
 /**
- * Derive all OIDC redirect URIs for a single product registration.
+ * Build a login URL that redirects the user to auth.soulcraft.com.
  *
- * Combines callback paths and extra redirect paths, generating both production
- * and local development variants for each. Results are ordered: production paths
- * first (all), then dev paths (all), matching the ordering in the auth server.
+ * After authentication, the user is redirected back to the `redirect` URL
+ * with the `.soulcraft.com` session cookie set. For custom domains, the
+ * auth server uses a one-time code exchange instead.
  *
- * @param p - A `ProductRegistration` from `SOULCRAFT_PRODUCTS`.
- * @returns List of fully-qualified redirect URI strings.
+ * @param options - Login URL parameters.
+ * @returns Fully-qualified login URL string.
  *
  * @example
- * deriveRedirectUrls(SOULCRAFT_PRODUCTS.workshop)
- * // → [
- * //   'https://workshop.soulcraft.com/api/auth/oauth2/callback/soulcraft-idp',
- * //   'https://workshop.soulcraft.com/api/auth/callback/soulcraft-idp',
- * //   'https://workshop.soulcraft.com/',
- * //   'http://localhost:5001/api/auth/oauth2/callback/soulcraft-idp',
- * //   'http://localhost:5001/api/auth/callback/soulcraft-idp',
- * //   'http://localhost:5001/',
- * // ]
+ * getLoginUrl({ product: 'venue', redirect: 'https://venue.soulcraft.com/dashboard' })
+ * // → 'https://auth.soulcraft.com/login?product=venue&redirect=https%3A%2F%2Fvenue.soulcraft.com%2Fdashboard'
+ *
+ * getLoginUrl({ product: 'venue', redirect: '/book', tenant: 'wicks-and-whiskers' })
+ * // → 'https://auth.soulcraft.com/login?product=venue&redirect=%2Fbook&tenant=wicks-and-whiskers'
  */
-export function deriveRedirectUrls(p) {
-    const extraPaths = p.extraRedirectPaths ?? ['/'];
-    const allPaths = [...p.callbackPaths, ...extraPaths];
-    const prod = allPaths.map((path) => `https://${p.domain}${path}`);
-    const dev = allPaths.map((path) => `http://localhost:${p.devPort}${path}`);
-    // Auth gateway callback — enables custom/dynamic domain auth flows.
-    // The gateway verifies the target domain with the product before redirecting.
-    const gateway = `https://auth.soulcraft.com/auth/gateway/${p.clientId}/callback`;
-    const gatewayDev = `http://localhost:8080/auth/gateway/${p.clientId}/callback`;
-    return [...prod, ...dev, gateway, gatewayDev];
+export function getLoginUrl(options) {
+    const base = options.authUrl
+        ?? process.env['SOULCRAFT_AUTH_URL']
+        ?? 'https://auth.soulcraft.com';
+    const params = new URLSearchParams({
+        product: options.product,
+        redirect: options.redirect,
+    });
+    if (options.tenant)
+        params.set('tenant', options.tenant);
+    return `${base}/login?${params}`;
 }
 //# sourceMappingURL=products.js.map

package/dist/modules/auth/products.js.map

@@ -1 +1 @@
-{"version":3,"file":"products.js","sourceRoot":"","sources":["../../../src/modules/auth/products.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AA8DH,gFAAgF;AAChF,WAAW;AACX,gFAAgF;AAEhF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,QAAQ,EAAE;QACR,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,wBAAwB;QAChC,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,UAAU;QACpB,YAAY,EAAE,6BAA6B;QAC3C,QAAQ,EAAE,eAAe;QACzB,aAAa,EAAE;YACb,yCAAyC;YACzC,6DAA6D;YAC7D,kCAAkC;SACnC;QACD,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,IAAI;KAC1B;IACD,KAAK,EAAE;QACL,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,OAAO;QACjB,YAAY,EAAE,0BAA0B;QACxC,QAAQ,EAAE,eAAe;QACzB,aAAa,EAAE,CAAC,kCAAkC,CAAC;QACnD,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,IAAI;KAC1B;IACD,MAAM,EAAE;QACN,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,eAAe;QACvB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,2BAA2B;QACzC,QAAQ,EAAE,eAAe;QACzB,aAAa,EAAE,CAAC,kCAAkC,EAAE,gBAAgB,CAAC;QACrE,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,IAAI;KAC1B;IACD,OAAO,EAAE;QACP,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,uBAAuB;QAC/B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,SAAS;QACnB,YAAY,EAAE,4BAA4B;QAC1C,QAAQ,EAAE,eAAe;QACzB,aAAa,EAAE,CAAC,kCAAkC,CAAC;QACnD,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,IAAI;KAC1B;IACD,KAAK,EAAE;QACL,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,OAAO;QACjB,+EAA+E;QAC/E,kFAAkF;QAClF,sFAAsF;QACtF,YAAY,EAAE,0BAA0B;QACxC,QAAQ,EAAE,cAAc;QACxB,aAAa,EAAE,EAAE;QACjB,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,KAAK;KAC3B;IACD,OAAO,EAAE;QACP,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,uBAAuB;QAC/B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,SAAS;QACnB,YAAY,EAAE,qBAAqB;QACnC,QAAQ,EAAE,eAAe;QACzB,aAAa,EAAE,CAAC,kCAAkC,CAAC;QACnD,kBAAkB,EAAE,CAAC,GAAG,CAAC;QACzB,mBAAmB,EAAE,KAAK;KAC3B;CACqD,CAAA;AAexD,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,aAAa;IAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC/D,WAAW,CAAC,CAAC,MAAM,EAAE;QACrB,oBAAoB,CAAC,CAAC,OAAO,EAAE;KAChC,CAAC,CAAA;IAEF,+DAA+D;IAC/D,OAAO,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAA;IAC1C,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAErC,uCAAuC;IACvC,OAAO,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAA;IAE3C,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,kBAAkB,CAAC,CAAsB;IACvD,MAAM,UAAU,GAAG,CAAC,CAAC,kBAAkB,IAAI,CAAC,GAAG,CAAC,CAAA;IAChD,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,GAAG,UAAU,CAAC,CAAA;IAEpD,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC,CAAA;IACjE,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC,CAAA;IAE1E,oEAAoE;IACpE,8EAA8E;IAC9E,MAAM,OAAO,GAAG,2CAA2C,CAAC,CAAC,QAAQ,WAAW,CAAA;IAChF,MAAM,UAAU,GAAG,sCAAsC,CAAC,CAAC,QAAQ,WAAW,CAAA;IAE9E,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA;AAC/C,CAAC"}
+{"version":3,"file":"products.js","sourceRoot":"","sources":["../../../src/modules/auth/products.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AA8BH,gFAAgF;AAChF,WAAW;AACX,gFAAgF;AAEhF;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,QAAQ,EAAE;QACR,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,wBAAwB;QAChC,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,UAAU;KACrB;IACD,KAAK,EAAE;QACL,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,OAAO;KAClB;IACD,MAAM,EAAE;QACN,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,eAAe;QACvB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,QAAQ;KACnB;IACD,OAAO,EAAE;QACP,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,uBAAuB;QAC/B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,SAAS;KACpB;IACD,KAAK,EAAE;QACL,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,qBAAqB;QAC7B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,OAAO;KAClB;IACD,OAAO,EAAE;QACP,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,uBAAuB;QAC/B,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,SAAS;KACpB;CACqD,CAAA;AAexD,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,aAAa;IAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAC/D,WAAW,CAAC,CAAC,MAAM,EAAE;QACrB,oBAAoB,CAAC,CAAC,OAAO,EAAE;KAChC,CAAC,CAAA;IAEF,+DAA+D;IAC/D,OAAO,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAA;IAC1C,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAErC,uCAAuC;IACvC,OAAO,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAA;IAE3C,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,WAAW,CAAC,OAS3B;IACC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO;WACvB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;WACjC,4BAA4B,CAAA;IACjC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAA;IACF,IAAI,OAAO,CAAC,MAAM;QAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;IACxD,OAAO,GAAG,IAAI,UAAU,MAAM,EAAE,CAAA;AAClC,CAAC"}