@sovecom/module-sdk 1.0.0-rc.1

package/dist/http.d.ts

@@ -0,0 +1,43 @@
+/**
+ * the module HTTP endpoint contract types, EXTRACTED here as
+ * the single source of truth (was `apps/api/src/modules/runtime/module-http.ts`). These are the
+ * wire shapes an author's `sdk.serve(handler)` deals with; core shapes the request and BOUNDS
+ * the response. The byte caps / header allowlists / media-type policy stay core-side (they are
+ * enforcement, not contract) and are intentionally NOT exported from the public SDK.
+ */
+/** Which mounted surface the request arrived on. `store` is public; `admin` is RBAC-gated. */
+export type ModuleHttpSurface = 'store' | 'admin';
+export interface ModuleHttpRequest {
+    readonly surface: ModuleHttpSurface;
+    readonly method: string;
+    /** The path UNDER the module mount, e.g. `/items/42` for `/store/v1/modules/foo/items/42`. */
+    readonly path: string;
+    readonly query: Record<string, string | string[]>;
+    /** Already-sanitized request headers (core strips hop-by-hop + auth/cookie). */
+    readonly headers: Record<string, string>;
+    readonly body?: string;
+    /** The tenant the request is scoped to (the module cannot widen it). */
+    readonly tenantId: string;
+    /**
+     * The CORE-VERIFIED customer principal for this request, or `undefined` for an anonymous call.
+     *
+     * Set ONLY by the core proxy from a customer JWT it verified itself (the store mount runs an
+     * optional customer-auth guard). It is NEVER read from client input — a `customer` field in the
+     * request body, headers, or query cannot influence it, and the raw token is still stripped before
+     * the request reaches the module. Absent (`undefined`) when no valid customer token was presented.
+     *
+     * The `id` is the same tenant-scoped customer id the JWT verification resolved against the DB;
+     * a customer-scoped module endpoint should return 401/empty when this is absent.
+     */
+    readonly customer?: {
+        readonly id: string;
+    };
+}
+export interface ModuleHttpResponse {
+    readonly status: number;
+    readonly headers?: Record<string, string>;
+    readonly body?: string;
+}
+/** A module's request handler, registered via `sdk.serve(...)`. */
+export type ModuleHttpHandler = (req: ModuleHttpRequest) => ModuleHttpResponse | Promise<ModuleHttpResponse>;
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,8FAA8F;AAC9F,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,OAAO,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,8FAA8F;IAC9F,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC;IAClD,gFAAgF;IAChF,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,mEAAmE;AACnE,MAAM,MAAM,iBAAiB,GAAG,CAC9B,GAAG,EAAE,iBAAiB,KACnB,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC"}

package/dist/http.js

@@ -0,0 +1,10 @@
+"use strict";
+/**
+ * the module HTTP endpoint contract types, EXTRACTED here as
+ * the single source of truth (was `apps/api/src/modules/runtime/module-http.ts`). These are the
+ * wire shapes an author's `sdk.serve(handler)` deals with; core shapes the request and BOUNDS
+ * the response. The byte caps / header allowlists / media-type policy stay core-side (they are
+ * enforcement, not contract) and are intentionally NOT exported from the public SDK.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=http.js.map

package/dist/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG"}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * `@sovecom/module-sdk` — the public, semver-pinned author-facing contract for the SovEcom
+ * module ecosystem. This package is the SINGLE SOURCE OF TRUTH for the
+ * module trust boundary: the capability interfaces, DTOs, manifest validators, and author
+ * ergonomics. `apps/api` (the core runtime) imports these definitions FROM here, so the
+ * published SDK can never drift from what the broker actually enforces.
+ *
+ * It is a CONTRACT package, not a code-execution surface: ALL permission / tenant / refusal
+ * enforcement lives in the core-side broker. Nothing exported here can disable or weaken it.
+ */
+/** SDK package version (independent of the core API contract version below). */
+export declare const MODULE_SDK_VERSION = "1.0.0-rc.1";
+export { defineModule } from './module.js';
+export type { SovecomModule, DefineModuleConfig } from './module.js';
+export { defineSlots } from './slots.js';
+export { createNamespacedTable } from './tables.js';
+export type { ModuleSdk, StoreClient, AdminClient, CommerceClient, HttpClient, TablesClient, EventsClient, EmailClient, } from './capabilities.js';
+export { EMAIL_TO_MAX, EMAIL_SUBJECT_MAX, EMAIL_TEXT_MAX, EMAIL_HTML_MAX } from './email.js';
+export type { ModuleEmailMessage, ModuleCustomerEmailMessage, ModuleEmailSendResult, } from './email.js';
+export type { ListQuery, ListResult, ModuleProductDto, ModuleProductCategory, ModuleCategoryDto, ModuleOrderDto, ModuleCustomerDto, } from './dto.js';
+export type { ProductPriceChangedPayload, ProductStockChangedPayload } from './events.js';
+export type { ModuleHttpSurface, ModuleHttpRequest, ModuleHttpResponse, ModuleHttpHandler, } from './http.js';
+export { MODULE_PERMISSION_ALLOWLIST, MANIFEST_MAX_BYTES, MODULE_NAME_RE, SLOT_SLUG_RE, TABLE_SUFFIX_RE, moduleManifestSchema, parseAndVerifyManifest, assertCoreCompatible, } from './manifest.js';
+export type { ModulePermission, ModuleManifest, ModuleSlotEntry } from './manifest.js';
+export { CORE_API_VERSION } from './core-version.js';
+export { RpcErrorCode } from './errors.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,eAAe,CAAC;AAG/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD,YAAY,EACV,SAAS,EACT,WAAW,EACX,WAAW,EACX,cAAc,EACd,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC7F,YAAY,EACV,kBAAkB,EAClB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAGpB,YAAY,EACV,SAAS,EACT,UAAU,EACV,gBAAgB,EAChB,qBAAqB,EACrB,iBAAiB,EACjB,cAAc,EACd,iBAAiB,GAClB,MAAM,UAAU,CAAC;AAGlB,YAAY,EAAE,0BAA0B,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAG1F,YAAY,EACV,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,2BAA2B,EAC3B,kBAAkB,EAClB,cAAc,EACd,YAAY,EACZ,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGvF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAGrD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,45 @@
+"use strict";
+/**
+ * `@sovecom/module-sdk` — the public, semver-pinned author-facing contract for the SovEcom
+ * module ecosystem. This package is the SINGLE SOURCE OF TRUTH for the
+ * module trust boundary: the capability interfaces, DTOs, manifest validators, and author
+ * ergonomics. `apps/api` (the core runtime) imports these definitions FROM here, so the
+ * published SDK can never drift from what the broker actually enforces.
+ *
+ * It is a CONTRACT package, not a code-execution surface: ALL permission / tenant / refusal
+ * enforcement lives in the core-side broker. Nothing exported here can disable or weaken it.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RpcErrorCode = exports.CORE_API_VERSION = exports.assertCoreCompatible = exports.parseAndVerifyManifest = exports.moduleManifestSchema = exports.TABLE_SUFFIX_RE = exports.SLOT_SLUG_RE = exports.MODULE_NAME_RE = exports.MANIFEST_MAX_BYTES = exports.MODULE_PERMISSION_ALLOWLIST = exports.EMAIL_HTML_MAX = exports.EMAIL_TEXT_MAX = exports.EMAIL_SUBJECT_MAX = exports.EMAIL_TO_MAX = exports.createNamespacedTable = exports.defineSlots = exports.defineModule = exports.MODULE_SDK_VERSION = void 0;
+/** SDK package version (independent of the core API contract version below). */
+exports.MODULE_SDK_VERSION = '1.0.0-rc.1';
+// ── author ergonomics ───────────────────────────────────────────────────────────
+var module_js_1 = require("./module.js");
+Object.defineProperty(exports, "defineModule", { enumerable: true, get: function () { return module_js_1.defineModule; } });
+var slots_js_1 = require("./slots.js");
+Object.defineProperty(exports, "defineSlots", { enumerable: true, get: function () { return slots_js_1.defineSlots; } });
+var tables_js_1 = require("./tables.js");
+Object.defineProperty(exports, "createNamespacedTable", { enumerable: true, get: function () { return tables_js_1.createNamespacedTable; } });
+// ── email:send message DTO + bounds (3.10-i) ─────────────────────────────────────
+var email_js_1 = require("./email.js");
+Object.defineProperty(exports, "EMAIL_TO_MAX", { enumerable: true, get: function () { return email_js_1.EMAIL_TO_MAX; } });
+Object.defineProperty(exports, "EMAIL_SUBJECT_MAX", { enumerable: true, get: function () { return email_js_1.EMAIL_SUBJECT_MAX; } });
+Object.defineProperty(exports, "EMAIL_TEXT_MAX", { enumerable: true, get: function () { return email_js_1.EMAIL_TEXT_MAX; } });
+Object.defineProperty(exports, "EMAIL_HTML_MAX", { enumerable: true, get: function () { return email_js_1.EMAIL_HTML_MAX; } });
+// ── manifest types + validators (single source of truth) ─────────────────────────
+var manifest_js_1 = require("./manifest.js");
+Object.defineProperty(exports, "MODULE_PERMISSION_ALLOWLIST", { enumerable: true, get: function () { return manifest_js_1.MODULE_PERMISSION_ALLOWLIST; } });
+Object.defineProperty(exports, "MANIFEST_MAX_BYTES", { enumerable: true, get: function () { return manifest_js_1.MANIFEST_MAX_BYTES; } });
+Object.defineProperty(exports, "MODULE_NAME_RE", { enumerable: true, get: function () { return manifest_js_1.MODULE_NAME_RE; } });
+Object.defineProperty(exports, "SLOT_SLUG_RE", { enumerable: true, get: function () { return manifest_js_1.SLOT_SLUG_RE; } });
+Object.defineProperty(exports, "TABLE_SUFFIX_RE", { enumerable: true, get: function () { return manifest_js_1.TABLE_SUFFIX_RE; } });
+Object.defineProperty(exports, "moduleManifestSchema", { enumerable: true, get: function () { return manifest_js_1.moduleManifestSchema; } });
+Object.defineProperty(exports, "parseAndVerifyManifest", { enumerable: true, get: function () { return manifest_js_1.parseAndVerifyManifest; } });
+Object.defineProperty(exports, "assertCoreCompatible", { enumerable: true, get: function () { return manifest_js_1.assertCoreCompatible; } });
+// ── core API contract version ───────────────────────────────────────────────────
+var core_version_js_1 = require("./core-version.js");
+Object.defineProperty(exports, "CORE_API_VERSION", { enumerable: true, get: function () { return core_version_js_1.CORE_API_VERSION; } });
+// ── RPC error codes (for author error-handling) ──────────────────────────────────
+var errors_js_1 = require("./errors.js");
+Object.defineProperty(exports, "RpcErrorCode", { enumerable: true, get: function () { return errors_js_1.RpcErrorCode; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,gFAAgF;AACnE,QAAA,kBAAkB,GAAG,YAAY,CAAC;AAE/C,mFAAmF;AACnF,yCAA2C;AAAlC,yGAAA,YAAY,OAAA;AAErB,uCAAyC;AAAhC,uGAAA,WAAW,OAAA;AACpB,yCAAoD;AAA3C,kHAAA,qBAAqB,OAAA;AAc9B,oFAAoF;AACpF,uCAA6F;AAApF,wGAAA,YAAY,OAAA;AAAE,6GAAA,iBAAiB,OAAA;AAAE,0GAAA,cAAc,OAAA;AAAE,0GAAA,cAAc,OAAA;AA6BxE,oFAAoF;AACpF,6CASuB;AARrB,0HAAA,2BAA2B,OAAA;AAC3B,iHAAA,kBAAkB,OAAA;AAClB,6GAAA,cAAc,OAAA;AACd,2GAAA,YAAY,OAAA;AACZ,8GAAA,eAAe,OAAA;AACf,mHAAA,oBAAoB,OAAA;AACpB,qHAAA,sBAAsB,OAAA;AACtB,mHAAA,oBAAoB,OAAA;AAItB,mFAAmF;AACnF,qDAAqD;AAA5C,mHAAA,gBAAgB,OAAA;AAEzB,oFAAoF;AACpF,yCAA2C;AAAlC,yGAAA,YAAY,OAAA"}

package/dist/manifest.d.ts

@@ -0,0 +1,82 @@
+import { z } from 'zod';
+/**
+ * Module manifest verification — the single source of truth for manifest validation. Exported from
+ * `@sovecom/module-sdk`, so the published author SDK, the core runtime, and the contract-test suite
+ * all share ONE validator — it is structurally impossible for them to drift.
+ *
+ * PURE functions — no Nest, no DB, no filesystem, NO code execution. These parse and validate a
+ * `sovecom.module.json` already read off disk. The headline security properties are enforced here
+ * as data validation:
+ * - a closed, default-deny permission allowlist;
+ * - every declared table must be namespaced `mod_<name>_*`;
+ * - `.strict()` so unknown top-level keys are rejected (supply-chain hygiene);
+ * - a byte cap on the raw manifest;
+ * - a semver MAJOR gate against `CORE_API_VERSION`.
+ */
+/**
+ * The closed module-capability permission vocabulary. DISTINCT from the
+ * RBAC `PERMISSIONS` that gate admin users — this is what a module may REQUEST. A manifest
+ * declaring anything outside this set is rejected at verification (default-deny). v1 set:
+ */
+export declare const MODULE_PERMISSION_ALLOWLIST: readonly ["read:products", "read:categories", "read:orders", "read:customers", "write:own_tables", "emit:events", "subscribe:events", "http:outbound", "email:send"];
+export type ModulePermission = (typeof MODULE_PERMISSION_ALLOWLIST)[number];
+/** Hard cap on the raw `sovecom.module.json` byte length (64 KiB). */
+export declare const MANIFEST_MAX_BYTES: number;
+/** Module name: a slug that forms the `mod_<name>_*` prefix and a URL segment. */
+export declare const MODULE_NAME_RE: RegExp;
+/** A slot slug AND a component-id slug (same lowercase-slug shape). */
+export declare const SLOT_SLUG_RE: RegExp;
+/** The suffix after the `mod_<name>_` table prefix: lowercase, [a-z0-9_]. */
+export declare const TABLE_SUFFIX_RE: RegExp;
+/**
+ * A single slot DECLARATION: the slot this module FILLS + the component id the
+ * storefront maps to the module's UI. Fully declarative metadata; the slot registry is DERIVED from
+ * these across all ENABLED modules. `.strict()` so unknown keys are rejected; both fields are
+ * bounded lowercase slugs.
+ */
+declare const slotEntrySchema: z.ZodObject<{
+    slot: z.ZodString;
+    component: z.ZodString;
+}, z.core.$strict>;
+export declare const moduleManifestSchema: z.ZodObject<{
+    name: z.ZodString;
+    displayName: z.ZodString;
+    version: z.ZodString;
+    compatibleCore: z.ZodString;
+    permissions: z.ZodArray<z.ZodEnum<{
+        "read:products": "read:products";
+        "read:categories": "read:categories";
+        "read:orders": "read:orders";
+        "read:customers": "read:customers";
+        "write:own_tables": "write:own_tables";
+        "emit:events": "emit:events";
+        "subscribe:events": "subscribe:events";
+        "http:outbound": "http:outbound";
+        "email:send": "email:send";
+    }>>;
+    slots: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        slot: z.ZodString;
+        component: z.ZodString;
+    }, z.core.$strict>>>;
+    settings: z.ZodOptional<z.ZodObject<{
+        schema: z.ZodString;
+    }, z.core.$strict>>;
+    tables: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strict>;
+export type ModuleManifest = z.infer<typeof moduleManifestSchema>;
+/** A single declared slot target — `{ slot, component }`. */
+export type ModuleSlotEntry = z.infer<typeof slotEntrySchema>;
+/**
+ * Parse + verify a raw `sovecom.module.json` string. Enforces the byte cap, parses JSON
+ * (mapping a parse failure to a clear error), then runs the Zod schema. Returns the typed
+ * manifest or throws a descriptive `Error`. PURE — no I/O, no code execution.
+ */
+export declare function parseAndVerifyManifest(raw: string): ModuleManifest;
+/**
+ * Semver gate. The module's `compatibleCore` range must accept the current `CORE_API_VERSION`, AND
+ * must do so on the SAME MAJOR — a major bump in core means modules pinned to an old major refuse
+ * to load. Throws a clear `Error` on mismatch; the caller maps it to HTTP 422.
+ */
+export declare function assertCoreCompatible(manifest: Pick<ModuleManifest, 'compatibleCore'>): void;
+export {};
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB;;;;;;;;;;;;;GAaG;AAEH;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,sKAU9B,CAAC;AAKX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,2BAA2B,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E,sEAAsE;AACtE,eAAO,MAAM,kBAAkB,QAAY,CAAC;AAY5C,kFAAkF;AAClF,eAAO,MAAM,cAAc,QAAsB,CAAC;AAClD,uEAAuE;AACvE,eAAO,MAAM,YAAY,QAAsB,CAAC;AAChD,6EAA6E;AAC7E,eAAO,MAAM,eAAe,QAAiB,CAAC;AAE9C;;;;;GAKG;AACH,QAAA,MAAM,eAAe;;;kBASV,CAAC;AAmCZ,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;kBAiC/B,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE,6DAA6D;AAC7D,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAuBlE;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,EAAE,gBAAgB,CAAC,GAAG,IAAI,CAsB3F"}

package/dist/manifest.js

@@ -0,0 +1,219 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.moduleManifestSchema = exports.TABLE_SUFFIX_RE = exports.SLOT_SLUG_RE = exports.MODULE_NAME_RE = exports.MANIFEST_MAX_BYTES = exports.MODULE_PERMISSION_ALLOWLIST = void 0;
+exports.parseAndVerifyManifest = parseAndVerifyManifest;
+exports.assertCoreCompatible = assertCoreCompatible;
+const semver = __importStar(require("semver"));
+const zod_1 = require("zod");
+const core_version_js_1 = require("./core-version.js");
+/**
+ * Module manifest verification — the single source of truth for manifest validation. Exported from
+ * `@sovecom/module-sdk`, so the published author SDK, the core runtime, and the contract-test suite
+ * all share ONE validator — it is structurally impossible for them to drift.
+ *
+ * PURE functions — no Nest, no DB, no filesystem, NO code execution. These parse and validate a
+ * `sovecom.module.json` already read off disk. The headline security properties are enforced here
+ * as data validation:
+ * - a closed, default-deny permission allowlist;
+ * - every declared table must be namespaced `mod_<name>_*`;
+ * - `.strict()` so unknown top-level keys are rejected (supply-chain hygiene);
+ * - a byte cap on the raw manifest;
+ * - a semver MAJOR gate against `CORE_API_VERSION`.
+ */
+/**
+ * The closed module-capability permission vocabulary. DISTINCT from the
+ * RBAC `PERMISSIONS` that gate admin users — this is what a module may REQUEST. A manifest
+ * declaring anything outside this set is rejected at verification (default-deny). v1 set:
+ */
+exports.MODULE_PERMISSION_ALLOWLIST = [
+    'read:products',
+    'read:categories',
+    'read:orders',
+    'read:customers',
+    'write:own_tables',
+    'emit:events',
+    'subscribe:events',
+    'http:outbound',
+    'email:send',
+];
+/** Hard cap on the raw `sovecom.module.json` byte length (64 KiB). */
+exports.MANIFEST_MAX_BYTES = 64 * 1024;
+/** Bounds — generous but finite, to reject pathological manifests up front. */
+const MAX_NAME_LEN = 64;
+const MAX_DISPLAY_NAME_LEN = 128;
+const MAX_PERMISSIONS = exports.MODULE_PERMISSION_ALLOWLIST.length;
+const MAX_SLOTS = 64;
+const MAX_SLOT_LEN = 128;
+const MAX_TABLES = 64;
+const MAX_TABLE_LEN = 128;
+const MAX_SETTINGS_SCHEMA_LEN = 256;
+/** Module name: a slug that forms the `mod_<name>_*` prefix and a URL segment. */
+exports.MODULE_NAME_RE = /^[a-z][a-z0-9-]*$/;
+/** A slot slug AND a component-id slug (same lowercase-slug shape). */
+exports.SLOT_SLUG_RE = /^[a-z][a-z0-9-]*$/;
+/** The suffix after the `mod_<name>_` table prefix: lowercase, [a-z0-9_]. */
+exports.TABLE_SUFFIX_RE = /^[a-z0-9_]+$/;
+/**
+ * A single slot DECLARATION: the slot this module FILLS + the component id the
+ * storefront maps to the module's UI. Fully declarative metadata; the slot registry is DERIVED from
+ * these across all ENABLED modules. `.strict()` so unknown keys are rejected; both fields are
+ * bounded lowercase slugs.
+ */
+const slotEntrySchema = zod_1.z
+    .object({
+    slot: zod_1.z.string().min(1).max(MAX_SLOT_LEN).regex(exports.SLOT_SLUG_RE, 'slot must be a lowercase slug'),
+    component: zod_1.z
+        .string()
+        .min(1)
+        .max(MAX_SLOT_LEN)
+        .regex(exports.SLOT_SLUG_RE, 'component must be a lowercase slug'),
+})
+    .strict();
+const permissionEnum = zod_1.z.enum(exports.MODULE_PERMISSION_ALLOWLIST);
+/**
+ * The manifest Zod schema. `.strict()` rejects unknown top-level keys. `tables` are
+ * validated for shape here and re-checked against the parsed `name` in a `superRefine`
+ * below (the namespace prefix depends on the name).
+ */
+const baseManifestSchema = zod_1.z
+    .object({
+    name: zod_1.z
+        .string()
+        .min(1)
+        .max(MAX_NAME_LEN)
+        .regex(exports.MODULE_NAME_RE, 'name must be a lowercase slug like "wishlist"'),
+    displayName: zod_1.z.string().min(1).max(MAX_DISPLAY_NAME_LEN),
+    version: zod_1.z
+        .string()
+        .max(64)
+        .refine((v) => semver.valid(v) !== null, 'version must be a valid semver'),
+    compatibleCore: zod_1.z
+        .string()
+        .max(256)
+        .refine((v) => semver.validRange(v) !== null, 'compatibleCore must be a valid semver range'),
+    permissions: zod_1.z.array(permissionEnum).max(MAX_PERMISSIONS),
+    slots: zod_1.z.array(slotEntrySchema).max(MAX_SLOTS).optional(),
+    settings: zod_1.z
+        .object({ schema: zod_1.z.string().min(1).max(MAX_SETTINGS_SCHEMA_LEN) })
+        .strict()
+        .optional(),
+    tables: zod_1.z.array(zod_1.z.string().min(1).max(MAX_TABLE_LEN)).max(MAX_TABLES).optional(),
+})
+    .strict();
+exports.moduleManifestSchema = baseManifestSchema.superRefine((manifest, ctx) => {
+    // Every declared table must be namespaced to THIS module: `mod_<name>_<suffix>` (modules never
+    // touch core tables). The prefix is derived from the parsed name, so this cross-field check lives
+    // here. We compare the prefix as a LITERAL string and validate the suffix with a STATIC regex —
+    // never build a dynamic `RegExp` from `manifest.name`. (The slug `MODULE_NAME_RE` already forbids
+    // regex metacharacters, so interpolation would be safe today, but a literal compare is
+    // injection-proof regardless of how the slug rule evolves.)
+    const prefix = `mod_${manifest.name}_`;
+    (manifest.tables ?? []).forEach((table, i) => {
+        if (!(table.startsWith(prefix) && exports.TABLE_SUFFIX_RE.test(table.slice(prefix.length)))) {
+            ctx.addIssue({
+                code: zod_1.z.ZodIssueCode.custom,
+                path: ['tables', i],
+                message: `table "${table}" must be namespaced "${prefix}<name>" (lowercase, [a-z0-9_])`,
+            });
+        }
+    });
+    // A module fills any given slot at most once. Declaring the same slot twice (with different
+    // components) is meaningless and would otherwise be read as a one-module self-"conflict" the
+    // registry can only resolve by silently keeping the first component (the registry derives one
+    // component per (module, slot)). Reject the duplicate at the boundary.
+    const seenSlots = new Set();
+    (manifest.slots ?? []).forEach((entry, i) => {
+        if (seenSlots.has(entry.slot)) {
+            ctx.addIssue({
+                code: zod_1.z.ZodIssueCode.custom,
+                path: ['slots', i, 'slot'],
+                message: `slot "${entry.slot}" is declared more than once; a module may target a slot at most once`,
+            });
+        }
+        seenSlots.add(entry.slot);
+    });
+});
+/**
+ * Parse + verify a raw `sovecom.module.json` string. Enforces the byte cap, parses JSON
+ * (mapping a parse failure to a clear error), then runs the Zod schema. Returns the typed
+ * manifest or throws a descriptive `Error`. PURE — no I/O, no code execution.
+ */
+function parseAndVerifyManifest(raw) {
+    const byteLen = Buffer.byteLength(raw, 'utf8');
+    if (byteLen > exports.MANIFEST_MAX_BYTES) {
+        throw new Error(`module manifest too large: ${byteLen} bytes exceeds the ${exports.MANIFEST_MAX_BYTES}-byte cap`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        throw new Error('module manifest is not valid JSON');
+    }
+    const result = exports.moduleManifestSchema.safeParse(parsed);
+    if (!result.success) {
+        const detail = result.error.issues
+            .map((issue) => `${issue.path.join('.') || '(root)'}: ${issue.message}`)
+            .join('; ');
+        throw new Error(`invalid module manifest: ${detail}`);
+    }
+    return result.data;
+}
+/**
+ * Semver gate. The module's `compatibleCore` range must accept the current `CORE_API_VERSION`, AND
+ * must do so on the SAME MAJOR — a major bump in core means modules pinned to an old major refuse
+ * to load. Throws a clear `Error` on mismatch; the caller maps it to HTTP 422.
+ */
+function assertCoreCompatible(manifest) {
+    const range = manifest.compatibleCore;
+    const satisfies = semver.satisfies(core_version_js_1.CORE_API_VERSION, range);
+    const coreMajor = semver.major(core_version_js_1.CORE_API_VERSION);
+    // Confirm the range's LOWER BOUND shares the core MAJOR. Combined with the `satisfies`
+    // check above this means: the current core must fall inside the range AND the range may not
+    // begin below/above the core major. So `^1.0.0`/`>=1.0.0`/`1.x` pass on a 1.x core, while a
+    // module pinned to an old major (`^0.x`, `<=0.9`) or a future-only major (`>=2`, `^2.0.0`)
+    // is refused. A range whose lower bound is the core major but whose UPPER bound spills into
+    // a later major (e.g. `>=1.0.0 <3.0.0`) is still accepted — the module legitimately supports
+    // this core; it will be re-gated (and refused) once core itself bumps to that later major,
+    // because the lower-bound-major check then no longer matches.
+    const min = semver.minVersion(range);
+    const sameMajor = min !== null && semver.major(min) === coreMajor;
+    if (!satisfies || !sameMajor) {
+        throw new Error(`module is not compatible with this core: requires "${range}" but core API is ` +
+            `${core_version_js_1.CORE_API_VERSION} (major ${coreMajor})`);
+    }
+}
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4JA,wDAuBC;AAOD,oDAsBC;AAhND,+CAAiC;AACjC,6BAAwB;AACxB,uDAAqD;AAErD;;;;;;;;;;;;;GAaG;AAEH;;;;GAIG;AACU,QAAA,2BAA2B,GAAG;IACzC,eAAe;IACf,iBAAiB;IACjB,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,aAAa;IACb,kBAAkB;IAClB,eAAe;IACf,YAAY;CACJ,CAAC;AAOX,sEAAsE;AACzD,QAAA,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC;AAE5C,+EAA+E;AAC/E,MAAM,YAAY,GAAG,EAAE,CAAC;AACxB,MAAM,oBAAoB,GAAG,GAAG,CAAC;AACjC,MAAM,eAAe,GAAG,mCAA2B,CAAC,MAAM,CAAC;AAC3D,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,YAAY,GAAG,GAAG,CAAC;AACzB,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,uBAAuB,GAAG,GAAG,CAAC;AAEpC,kFAAkF;AACrE,QAAA,cAAc,GAAG,mBAAmB,CAAC;AAClD,uEAAuE;AAC1D,QAAA,YAAY,GAAG,mBAAmB,CAAC;AAChD,6EAA6E;AAChE,QAAA,eAAe,GAAG,cAAc,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,eAAe,GAAG,OAAC;KACtB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,oBAAY,EAAE,+BAA+B,CAAC;IAC9F,SAAS,EAAE,OAAC;SACT,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,YAAY,CAAC;SACjB,KAAK,CAAC,oBAAY,EAAE,oCAAoC,CAAC;CAC7D,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,cAAc,GAAG,OAAC,CAAC,IAAI,CAAC,mCAA2B,CAAC,CAAC;AAE3D;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,OAAC;KACzB,MAAM,CAAC;IACN,IAAI,EAAE,OAAC;SACJ,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,YAAY,CAAC;SACjB,KAAK,CAAC,sBAAc,EAAE,+CAA+C,CAAC;IACzE,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACxD,OAAO,EAAE,OAAC;SACP,MAAM,EAAE;SACR,GAAG,CAAC,EAAE,CAAC;SACP,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,gCAAgC,CAAC;IAC5E,cAAc,EAAE,OAAC;SACd,MAAM,EAAE;SACR,GAAG,CAAC,GAAG,CAAC;SACR,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,6CAA6C,CAAC;IAC9F,WAAW,EAAE,OAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC;IACzD,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE;IACzD,QAAQ,EAAE,OAAC;SACR,MAAM,CAAC,EAAE,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,uBAAuB,CAAC,EAAE,CAAC;SAClE,MAAM,EAAE;SACR,QAAQ,EAAE;IACb,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE;CACjF,CAAC;KACD,MAAM,EAAE,CAAC;AAEC,QAAA,oBAAoB,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE;IACnF,+FAA+F;IAC/F,kGAAkG;IAClG,gGAAgG;IAChG,kGAAkG;IAClG,uFAAuF;IACvF,4DAA4D;IAC5D,MAAM,MAAM,GAAG,OAAO,QAAQ,CAAC,IAAI,GAAG,CAAC;IACvC,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC3C,IAAI,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,uBAAe,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YACpF,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACnB,OAAO,EAAE,UAAU,KAAK,yBAAyB,MAAM,gCAAgC;aACxF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4FAA4F;IAC5F,6FAA6F;IAC7F,8FAA8F;IAC9F,uEAAuE;IACvE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1C,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC,EAAE,MAAM,CAAC;gBAC1B,OAAO,EAAE,SAAS,KAAK,CAAC,IAAI,uEAAuE;aACpG,CAAC,CAAC;QACL,CAAC;QACD,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAOH;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,GAAW;IAChD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/C,IAAI,OAAO,GAAG,0BAAkB,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,8BAA8B,OAAO,sBAAsB,0BAAkB,WAAW,CACzF,CAAC;IACJ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,4BAAoB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aAC/B,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;aACvE,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,EAAE,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,QAAgD;IACnF,MAAM,KAAK,GAAG,QAAQ,CAAC,cAAc,CAAC;IACtC,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,kCAAgB,EAAE,KAAK,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,kCAAgB,CAAC,CAAC;IAEjD,uFAAuF;IACvF,4FAA4F;IAC5F,4FAA4F;IAC5F,2FAA2F;IAC3F,4FAA4F;IAC5F,6FAA6F;IAC7F,2FAA2F;IAC3F,8DAA8D;IAC9D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,GAAG,KAAK,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC;IAElE,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,sDAAsD,KAAK,oBAAoB;YAC7E,GAAG,kCAAgB,WAAW,SAAS,GAAG,CAC7C,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/module.d.ts

@@ -0,0 +1,29 @@
+/**
+ * the author-facing module contract + `defineModule` helper.
+ *
+ * `SovecomModule` is the shape the forked worker loader validates
+ * (`apps/api/src/modules/runtime/worker-entry.ts`: `typeof resolved.activate === 'function'`).
+ * It is EXTRACTED here so authors and the loader share one definition.
+ *
+ * `defineModule(config)` is the ergonomic entrypoint: the author writes their `activate(sdk)`
+ * body and this returns the exact `{ activate }` object the loader expects. The shape is
+ * validated at the boundary (defence in depth — the loader also re-checks) so a misconfigured
+ * module fails fast with a clear message at author build time, not as an opaque worker crash.
+ */
+import type { ModuleSdk } from './capabilities.js';
+/** The contract a module must satisfy: a single `activate(sdk)` entrypoint. */
+export interface SovecomModule {
+    activate(sdk: ModuleSdk): void | Promise<void>;
+}
+/** Author-supplied config for {@link defineModule}. v1: just the `activate` body. */
+export interface DefineModuleConfig {
+    /** The module body. Called once by core, inside the worker, with the capability SDK. */
+    activate(sdk: ModuleSdk): void | Promise<void>;
+}
+/**
+ * Wrap an author's `activate` into the `{ activate }` object the worker loader expects.
+ * Validates the config shape at the boundary and throws a clear error if `activate` is missing
+ * or not a function — never let a malformed module reach the runtime as a silent no-op.
+ */
+export declare function defineModule(config: DefineModuleConfig): SovecomModule;
+//# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEnD,+EAA+E;AAC/E,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,GAAG,EAAE,SAAS,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAED,qFAAqF;AACrF,MAAM,WAAW,kBAAkB;IACjC,wFAAwF;IACxF,QAAQ,CAAC,GAAG,EAAE,SAAS,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,aAAa,CAStE"}

package/dist/module.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defineModule = defineModule;
+/**
+ * Wrap an author's `activate` into the `{ activate }` object the worker loader expects.
+ * Validates the config shape at the boundary and throws a clear error if `activate` is missing
+ * or not a function — never let a malformed module reach the runtime as a silent no-op.
+ */
+function defineModule(config) {
+    if (config === null || typeof config !== 'object') {
+        throw new TypeError('defineModule(config): config must be an object');
+    }
+    if (typeof config.activate !== 'function') {
+        throw new TypeError('defineModule(config): config.activate must be a function');
+    }
+    const { activate } = config;
+    return { activate: (sdk) => activate(sdk) };
+}
+//# sourceMappingURL=module.js.map

package/dist/module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.js","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":";;AA8BA,oCASC;AAdD;;;;GAIG;AACH,SAAgB,YAAY,CAAC,MAA0B;IACrD,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC1C,MAAM,IAAI,SAAS,CAAC,0DAA0D,CAAC,CAAC;IAClF,CAAC;IACD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;IAC5B,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;AAC9C,CAAC"}

package/dist/slots.d.ts

@@ -0,0 +1,20 @@
+/**
+ * a typed AUTHORING helper for the manifest's
+ * declarative `slots: { slot, component }[]` array.
+ *
+ * Slots are DECLARATIVE metadata; the slot registry is DERIVED from enabled modules' manifests.
+ * This helper is NOT an RPC and there is NO runtime `registerSlot()` (the `register:slot`
+ * capability was removed). It exists purely so an author can build a typed, validated slot array
+ * at author time, mirroring the same rules the manifest schema enforces (lowercase slug shape;
+ * a module fills any given slot at most once). Its output is dropped verbatim into the manifest.
+ */
+import { type ModuleSlotEntry } from './manifest.js';
+/**
+ * Validate + return a slot-declaration array for the manifest. Enforces the SAME rules as
+ * `moduleManifestSchema`:
+ *   - `slot` and `component` are non-empty lowercase slugs (`^[a-z][a-z0-9-]*$`);
+ *   - no slot is declared more than once.
+ * Throws a clear `Error` on the first violation. Returns a fresh, frozen array.
+ */
+export declare function defineSlots(entries: ReadonlyArray<ModuleSlotEntry>): readonly ModuleSlotEntry[];
+//# sourceMappingURL=slots.d.ts.map

package/dist/slots.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"slots.d.ts","sourceRoot":"","sources":["../src/slots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAgB,KAAK,eAAe,EAAE,MAAM,eAAe,CAAC;AAEnE;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,aAAa,CAAC,eAAe,CAAC,GAAG,SAAS,eAAe,EAAE,CA0B/F"}

package/dist/slots.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defineSlots = defineSlots;
+/**
+ * a typed AUTHORING helper for the manifest's
+ * declarative `slots: { slot, component }[]` array.
+ *
+ * Slots are DECLARATIVE metadata; the slot registry is DERIVED from enabled modules' manifests.
+ * This helper is NOT an RPC and there is NO runtime `registerSlot()` (the `register:slot`
+ * capability was removed). It exists purely so an author can build a typed, validated slot array
+ * at author time, mirroring the same rules the manifest schema enforces (lowercase slug shape;
+ * a module fills any given slot at most once). Its output is dropped verbatim into the manifest.
+ */
+const manifest_js_1 = require("./manifest.js");
+/**
+ * Validate + return a slot-declaration array for the manifest. Enforces the SAME rules as
+ * `moduleManifestSchema`:
+ *   - `slot` and `component` are non-empty lowercase slugs (`^[a-z][a-z0-9-]*$`);
+ *   - no slot is declared more than once.
+ * Throws a clear `Error` on the first violation. Returns a fresh, frozen array.
+ */
+function defineSlots(entries) {
+    if (!Array.isArray(entries)) {
+        throw new TypeError('defineSlots(entries): entries must be an array');
+    }
+    const seen = new Set();
+    const out = [];
+    for (const entry of entries) {
+        if (entry === null || typeof entry !== 'object') {
+            throw new TypeError('defineSlots: each entry must be an object { slot, component }');
+        }
+        const { slot, component } = entry;
+        if (typeof slot !== 'string' || !manifest_js_1.SLOT_SLUG_RE.test(slot)) {
+            throw new Error(`defineSlots: slot "${String(slot)}" must be a lowercase slug`);
+        }
+        if (typeof component !== 'string' || !manifest_js_1.SLOT_SLUG_RE.test(component)) {
+            throw new Error(`defineSlots: component "${String(component)}" must be a lowercase slug`);
+        }
+        if (seen.has(slot)) {
+            throw new Error(`defineSlots: slot "${slot}" is declared more than once; a module may target a slot at most once`);
+        }
+        seen.add(slot);
+        out.push({ slot, component });
+    }
+    return Object.freeze(out);
+}
+//# sourceMappingURL=slots.js.map

package/dist/slots.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"slots.js","sourceRoot":"","sources":["../src/slots.ts"],"names":[],"mappings":";;AAmBA,kCA0BC;AA7CD;;;;;;;;;GASG;AACH,+CAAmE;AAEnE;;;;;;GAMG;AACH,SAAgB,WAAW,CAAC,OAAuC;IACjE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CAAC,+DAA+D,CAAC,CAAC;QACvF,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC;QAClC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,0BAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,0BAAY,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,uEAAuE,CAClG,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACf,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC"}

package/dist/tables.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Build the namespaced DDL identifier `mod_<module>_<suffix>` for an author's own table.
+ *
+ * @param moduleName the module's manifest `name` (lowercase slug, `^[a-z][a-z0-9-]*$`).
+ * @param suffix the table's local name within the module (lowercase, `[a-z0-9_]+`).
+ * @returns the fully-namespaced table name, e.g. `createNamespacedTable('wishlist', 'items')`
+ *          → `'mod_wishlist_items'`.
+ * @throws if `moduleName` is not a valid module slug or `suffix` is empty/invalid.
+ */
+export declare function createNamespacedTable(moduleName: string, suffix: string): string;
+//# sourceMappingURL=tables.d.ts.map

package/dist/tables.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tables.d.ts","sourceRoot":"","sources":["../src/tables.ts"],"names":[],"mappings":"AAgBA;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAkBhF"}