npm - @treeseed/core - Versions diffs - 0.6.18 → 0.6.20 - Mend

@treeseed/core 0.6.18 → 0.6.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/api/app.js +29 -0
package/dist/api/auth/d1-database.js +4 -8
package/dist/api/auth/d1-provider.d.ts +12 -0
package/dist/api/auth/d1-provider.js +10 -2
package/dist/api/auth/d1-store.d.ts +16 -0
package/dist/api/auth/d1-store.js +255 -16
package/dist/api/auth/memory-provider.d.ts +5 -1
package/dist/api/auth/memory-provider.js +6 -1
package/dist/api/auth/rbac.js +1 -0
package/dist/api/config.js +8 -0
package/dist/api/providers.js +2 -1
package/dist/api/railway.d.ts +1 -0
package/dist/api/types.d.ts +15 -0
package/dist/dev.d.ts +42 -1
package/dist/dev.js +392 -27
package/dist/env.yaml +1 -0
package/dist/pages/api/form/submit.js +5 -7
package/dist/scripts/dev-platform.js +1 -0
package/dist/site.js +1 -0
package/dist/utils/forms/service.js +2 -2
package/dist/worker/forms-worker.js +1 -2
package/package.json +14 -3

package/dist/api/app.js CHANGED Viewed

@@ -235,6 +235,35 @@ function createTreeseedApiApp(options = {}) {
       await runtimeProviders.auth.revokePersonalAccessToken(principal.id, c.req.param("id"));
       return c.json({ ok: true });
     });
+    app.post("/auth/admin/users", async (c) => {
+      const unauthorized = requirePermission(c, "users:manage:global");
+      if (unauthorized) return unauthorized;
+      if (!runtimeProviders.auth.createUser) {
+        return jsonError(c, 501, "User management is unavailable for this auth provider.");
+      }
+      const body = await c.req.json().catch(() => ({}));
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.createUser({
+          email: body.email ?? null,
+          displayName: body.displayName ?? null,
+          metadata: typeof body.metadata === "object" && body.metadata ? body.metadata : {}
+        })
+      });
+    });
+    app.post("/auth/admin/users/:userId/roles", async (c) => {
+      const unauthorized = requirePermission(c, "roles:manage:global");
+      if (unauthorized) return unauthorized;
+      if (!runtimeProviders.auth.setUserRoles) {
+        return jsonError(c, 501, "Role management is unavailable for this auth provider.");
+      }
+      const body = await c.req.json().catch(() => ({}));
+      const roles = Array.isArray(body.roles) ? body.roles.map(String) : [];
+      return c.json({
+        ok: true,
+        payload: await runtimeProviders.auth.setUserRoles(c.req.param("userId"), roles)
+      });
+    });
   }
   app.post("/internal/auth/web/sync-user", async (c) => {
     if (c.get("actorType") !== "service") {

package/dist/api/auth/d1-database.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { CloudflareHttpD1Database } from "@treeseed/sdk";
-import { WranglerD1Database } from "@treeseed/sdk/wrangler-d1";
+import { NodeSqliteD1Database } from "@treeseed/sdk/db/node-sqlite";
 function resolveApiD1Database(config) {
   if (config.cloudflareAccountId && config.cloudflareApiToken && config.d1DatabaseId) {
     return new CloudflareHttpD1Database({
@@ -8,15 +8,11 @@ function resolveApiD1Database(config) {
       databaseId: config.d1DatabaseId
     });
   }
-  if (config.d1DatabaseName) {
-    return new WranglerD1Database(
-      config.d1DatabaseName,
-      config.repoRoot,
-      config.d1LocalPersistTo || void 0
-    );
+  if (config.d1LocalPersistTo || config.d1DatabaseName) {
+    return new NodeSqliteD1Database(config.d1LocalPersistTo);
   }
   throw new Error(
-    "Treeseed API auth requires either CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN + TREESEED_API_D1_DATABASE_ID for remote D1 access, or TREESEED_API_D1_DATABASE_NAME for local Wrangler-backed D1 access."
+    "Treeseed API auth requires either CLOUDFLARE_ACCOUNT_ID + CLOUDFLARE_API_TOKEN + TREESEED_API_D1_DATABASE_ID for remote D1 access, or TREESEED_API_D1_LOCAL_PERSIST_TO for local SQLite-backed D1-compatible access."
   );
 }
 export {

package/dist/api/auth/d1-provider.d.ts CHANGED Viewed

@@ -47,6 +47,18 @@ export declare class D1AuthProvider implements ApiAuthProvider {
         principal: ApiPrincipal;
         userId: string;
     }>;
+    createUser(input: {
+        email?: string | null;
+        displayName?: string | null;
+        metadata?: Record<string, unknown>;
+    }): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    setUserRoles(userId: string, roles: string[]): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
     createServiceToken(input: {
         serviceId: string;
         name: string;

package/dist/api/auth/d1-provider.js CHANGED Viewed

@@ -1,5 +1,4 @@
 import { createHmac, timingSafeEqual } from "node:crypto";
-import { resolveApiD1Database } from "./d1-database.js";
 import { D1AuthStore } from "./d1-store.js";
 function encodePayload(payload) {
   return Buffer.from(JSON.stringify(payload)).toString("base64url");
@@ -18,7 +17,10 @@ function safeEqual(left, right) {
 class D1AuthProvider {
   constructor(config, options = {}) {
     this.config = config;
-    this.store = new D1AuthStore(config, options.db ?? resolveApiD1Database(config));
+    if (!options.db) {
+      throw new Error("D1AuthProvider requires an explicit database binding or adapter.");
+    }
+    this.store = new D1AuthStore(config, options.db);
   }
   config;
   id = "d1";
@@ -53,6 +55,12 @@ class D1AuthProvider {
   syncUserIdentity(identity) {
     return this.store.syncUser(identity);
   }
+  createUser(input) {
+    return this.store.createUser(input);
+  }
+  setUserRoles(userId, roles) {
+    return this.store.setUserRoles(userId, roles);
+  }
   createServiceToken(input) {
     return this.store.createServiceCredential(input);
   }

package/dist/api/auth/d1-store.d.ts CHANGED Viewed

@@ -1,5 +1,9 @@
 import type { D1DatabaseLike } from '@treeseed/sdk/types/cloudflare';
 import type { ApiConfig, ApiCredential, ApiPrincipal, DeviceCodeApproveRequest, DeviceCodePollRequest, DeviceCodePollResponse, DeviceCodeStartRequest, DeviceCodeStartResponse, TokenRefreshRequest, TokenRefreshResponse, TrustedUserAssertionClaims, UserIdentityProfileInput } from '../types.ts';
+type PrincipalRecord = {
+    principal: ApiPrincipal;
+    userId: string;
+};
 export interface PersonalAccessTokenResult {
     id: string;
     token: string;
@@ -21,23 +25,34 @@ export declare class D1AuthStore {
     private first;
     private all;
     private ensureInitialized;
+    private ensureAuthSchema;
     private seedCatalog;
     private seedConfiguredServices;
     private loadUser;
     private loadIdentityByProvider;
+    private loadUserByVerifiedEmail;
     private rolesForUser;
     private permissionsForUser;
     private permissionsForRoles;
     private scopesForPrincipal;
     private principalForUser;
     private assignRole;
+    private replaceRoles;
     private bootstrapRolesForUser;
     private writeAuditEvent;
+    private userMetadata;
     syncUser(identity: UserIdentityProfileInput): Promise<{
         identityId: string;
         principal: ApiPrincipal;
         userId: string;
     }>;
+    createUser(input: {
+        email?: string | null;
+        username?: string | null;
+        displayName?: string | null;
+        metadata?: Record<string, unknown>;
+    }): Promise<PrincipalRecord>;
+    setUserRoles(userId: string, roles: string[]): Promise<PrincipalRecord>;
     startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
     approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
         ok: true;
@@ -96,3 +111,4 @@ export declare class D1AuthStore {
         principal: ApiPrincipal;
     }>;
 }
+export {};

package/dist/api/auth/d1-store.js CHANGED Viewed

@@ -1,6 +1,136 @@
 import { createHash, randomUUID, timingSafeEqual } from "node:crypto";
 import { DEFAULT_PERMISSIONS, DEFAULT_ROLES } from "./rbac.js";
 import { createAccessToken, nextOpaqueToken, principalFromAccessTokenPayload, verifyAccessToken } from "./tokens.js";
+const AUTH_SCHEMA_SQL = [
+  `CREATE TABLE IF NOT EXISTS users (
+		id TEXT PRIMARY KEY,
+		email TEXT,
+		username TEXT UNIQUE,
+		display_name TEXT,
+		status TEXT NOT NULL DEFAULT 'active',
+		metadata_json TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL
+	)`,
+  `CREATE TABLE IF NOT EXISTS user_identities (
+		id TEXT PRIMARY KEY,
+		user_id TEXT NOT NULL,
+		provider TEXT NOT NULL,
+		provider_subject TEXT NOT NULL,
+		email TEXT,
+		email_verified INTEGER NOT NULL DEFAULT 0,
+		profile_json TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL,
+		FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+	)`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_user_identities_provider_subject
+		ON user_identities(provider, provider_subject)`,
+  `CREATE TABLE IF NOT EXISTS roles (
+		id TEXT PRIMARY KEY,
+		key TEXT NOT NULL UNIQUE,
+		description TEXT,
+		created_at TEXT NOT NULL
+	)`,
+  `CREATE TABLE IF NOT EXISTS permissions (
+		id TEXT PRIMARY KEY,
+		key TEXT NOT NULL UNIQUE,
+		resource TEXT NOT NULL,
+		action TEXT NOT NULL,
+		scope TEXT NOT NULL,
+		description TEXT,
+		created_at TEXT NOT NULL
+	)`,
+  `CREATE TABLE IF NOT EXISTS role_permissions (
+		role_id TEXT NOT NULL,
+		permission_id TEXT NOT NULL,
+		created_at TEXT NOT NULL,
+		PRIMARY KEY (role_id, permission_id),
+		FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE,
+		FOREIGN KEY (permission_id) REFERENCES permissions(id) ON DELETE CASCADE
+	)`,
+  `CREATE TABLE IF NOT EXISTS user_role_bindings (
+		id TEXT PRIMARY KEY,
+		user_id TEXT NOT NULL,
+		role_id TEXT NOT NULL,
+		created_at TEXT NOT NULL,
+		FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
+		FOREIGN KEY (role_id) REFERENCES roles(id) ON DELETE CASCADE
+	)`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_user_role_bindings_user_role
+		ON user_role_bindings(user_id, role_id)`,
+  `CREATE TABLE IF NOT EXISTS api_tokens (
+		id TEXT PRIMARY KEY,
+		user_id TEXT NOT NULL,
+		kind TEXT NOT NULL,
+		name TEXT NOT NULL,
+		token_prefix TEXT NOT NULL,
+		token_hash TEXT NOT NULL,
+		scopes_json TEXT NOT NULL,
+		expires_at TEXT,
+		last_used_at TEXT,
+		revoked_at TEXT,
+		metadata_json TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL,
+		FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+	)`,
+  `CREATE INDEX IF NOT EXISTS idx_api_tokens_user_id
+		ON api_tokens(user_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_api_tokens_prefix
+		ON api_tokens(token_prefix)`,
+  `CREATE TABLE IF NOT EXISTS service_credentials (
+		id TEXT PRIMARY KEY,
+		service_id TEXT NOT NULL UNIQUE,
+		name TEXT NOT NULL,
+		secret_hash TEXT NOT NULL,
+		roles_json TEXT NOT NULL,
+		permissions_json TEXT NOT NULL,
+		revoked_at TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL,
+		last_used_at TEXT
+	)`,
+  `CREATE TABLE IF NOT EXISTS auth_sessions (
+		id TEXT PRIMARY KEY,
+		user_id TEXT NOT NULL,
+		session_type TEXT NOT NULL,
+		refresh_token_hash TEXT NOT NULL,
+		scopes_json TEXT NOT NULL,
+		expires_at TEXT NOT NULL,
+		revoked_at TEXT,
+		data_json TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL,
+		FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+	)`,
+  `CREATE INDEX IF NOT EXISTS idx_auth_sessions_user_id
+		ON auth_sessions(user_id)`,
+  `CREATE TABLE IF NOT EXISTS audit_events (
+		id TEXT PRIMARY KEY,
+		actor_type TEXT NOT NULL,
+		actor_id TEXT,
+		event_type TEXT NOT NULL,
+		target_type TEXT,
+		target_id TEXT,
+		data_json TEXT,
+		created_at TEXT NOT NULL
+	)`,
+  `CREATE INDEX IF NOT EXISTS idx_audit_events_target
+		ON audit_events(target_type, target_id)`,
+  `CREATE TABLE IF NOT EXISTS device_codes (
+		id TEXT PRIMARY KEY,
+		device_code TEXT NOT NULL UNIQUE,
+		user_code TEXT NOT NULL UNIQUE,
+		requested_scopes_json TEXT NOT NULL,
+		expires_at TEXT NOT NULL,
+		interval_seconds INTEGER NOT NULL,
+		status TEXT NOT NULL,
+		user_id TEXT,
+		created_at TEXT NOT NULL,
+		updated_at TEXT NOT NULL
+	)`
+];
 function now() {
   return /* @__PURE__ */ new Date();
 }
@@ -46,12 +176,30 @@ class D1AuthStore {
   }
   ensureInitialized() {
     if (!this.initializationPromise) {
-      this.initializationPromise = this.seedCatalog().then(() => this.seedConfiguredServices());
+      this.initializationPromise = this.ensureAuthSchema().then(() => this.seedCatalog()).then(() => this.seedConfiguredServices());
     }
     return this.initializationPromise;
   }
+  async ensureAuthSchema() {
+    for (const statement of AUTH_SCHEMA_SQL) await this.run(statement);
+    const result = await this.db.prepare("PRAGMA table_info(users)").all();
+    const columns = new Set((result.results ?? []).map((row) => row.name));
+    if (!columns.has("username")) {
+      await this.run("ALTER TABLE users ADD COLUMN username TEXT");
+    }
+    await this.run("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_username ON users(username)");
+  }
   async seedCatalog() {
     const createdAt = isoNow();
+    const seeded = await this.first(
+      `SELECT key FROM permissions WHERE key = '*:*:*' LIMIT 1`
+    );
+    const adminRole = await this.first(
+      `SELECT key FROM roles WHERE key = 'platform_admin' LIMIT 1`
+    );
+    if (seeded?.key && adminRole?.key) {
+      return;
+    }
     for (const permission of DEFAULT_PERMISSIONS) {
       await this.run(
         `INSERT OR IGNORE INTO permissions (id, key, resource, action, scope, description, created_at)
@@ -98,6 +246,12 @@ class D1AuthStore {
       [provider, providerSubject]
     );
   }
+  async loadUserByVerifiedEmail(email) {
+    return this.first(
+      `SELECT * FROM users WHERE LOWER(email) = LOWER(?) AND status = 'active' LIMIT 1`,
+      [email]
+    );
+  }
   async rolesForUser(userId) {
     const rows = await this.all(
       `SELECT roles.key AS key
@@ -156,7 +310,10 @@ class D1AuthStore {
         roles,
         permissions,
         scopes: this.scopesForPrincipal(permissions),
-        metadata: parseJson(user.metadata_json, {})
+        metadata: {
+          ...parseJson(user.metadata_json, {}),
+          username: user.username ?? void 0
+        }
       }
     };
   }
@@ -169,6 +326,12 @@ class D1AuthStore {
       [randomUUID(), userId, role.id, isoNow()]
     );
   }
+  async replaceRoles(userId, roleKeys) {
+    await this.run(`DELETE FROM user_role_bindings WHERE user_id = ?`, [userId]);
+    for (const roleKey of roleKeys) {
+      await this.assignRole(userId, roleKey);
+    }
+  }
   async bootstrapRolesForUser(userId, identity) {
     await this.assignRole(userId, "member");
     if ((await this.rolesForUser(userId)).includes("platform_admin")) return;
@@ -203,25 +366,57 @@ class D1AuthStore {
       ]
     );
   }
+  userMetadata(identity, existingUsername = null) {
+    const profile = identity.profile ?? {};
+    return {
+      emailVerified: identity.emailVerified ?? false,
+      authProvider: identity.provider,
+      username: identity.username ?? existingUsername,
+      firstName: typeof profile.firstName === "string" ? profile.firstName : null,
+      lastName: typeof profile.lastName === "string" ? profile.lastName : null
+    };
+  }
   async syncUser(identity) {
     await this.ensureInitialized();
     const nowIso = isoNow();
     const existingIdentity = await this.loadIdentityByProvider(identity.provider, identity.providerSubject);
     let userId = existingIdentity?.user_id;
     if (!userId) {
-      userId = randomUUID();
-      await this.run(
-        `INSERT INTO users (id, email, display_name, status, metadata_json, created_at, updated_at)
-				 VALUES (?, ?, ?, 'active', ?, ?, ?)`,
-        [
-          userId,
-          identity.email ?? null,
-          identity.displayName ?? null,
-          JSON.stringify({ emailVerified: identity.emailVerified ?? false, authProvider: identity.provider }),
-          nowIso,
-          nowIso
-        ]
-      );
+      const linkedUser = identity.email && identity.emailVerified ? await this.loadUserByVerifiedEmail(identity.email) : null;
+      userId = linkedUser?.id ?? randomUUID();
+      if (linkedUser) {
+        await this.run(
+          `UPDATE users
+					 SET email = COALESCE(?, email),
+					     username = COALESCE(username, ?),
+					     display_name = COALESCE(?, display_name),
+					     metadata_json = ?,
+					     updated_at = ?
+					 WHERE id = ?`,
+          [
+            identity.email ?? null,
+            identity.username ?? null,
+            identity.displayName ?? null,
+            JSON.stringify(this.userMetadata(identity, linkedUser.username ?? null)),
+            nowIso,
+            userId
+          ]
+        );
+      } else {
+        await this.run(
+          `INSERT INTO users (id, email, username, display_name, status, metadata_json, created_at, updated_at)
+					 VALUES (?, ?, ?, ?, 'active', ?, ?, ?)`,
+          [
+            userId,
+            identity.email ?? null,
+            identity.username ?? null,
+            identity.displayName ?? null,
+            JSON.stringify(this.userMetadata(identity)),
+            nowIso,
+            nowIso
+          ]
+        );
+      }
       await this.run(
         `INSERT INTO user_identities (id, user_id, provider, provider_subject, email, email_verified, profile_json, created_at, updated_at)
 				 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`,
@@ -241,14 +436,16 @@ class D1AuthStore {
       await this.run(
         `UPDATE users
 				 SET email = COALESCE(?, email),
+				     username = COALESCE(username, ?),
 				     display_name = COALESCE(?, display_name),
 				     metadata_json = ?,
 				     updated_at = ?
 				 WHERE id = ?`,
         [
           identity.email ?? null,
+          identity.username ?? null,
           identity.displayName ?? null,
-          JSON.stringify({ emailVerified: identity.emailVerified ?? false, authProvider: identity.provider }),
+          JSON.stringify(this.userMetadata(identity)),
           nowIso,
           userId
         ]
@@ -283,6 +480,48 @@ class D1AuthStore {
       identityId: syncedIdentity?.id ?? null
     };
   }
+  async createUser(input) {
+    await this.ensureInitialized();
+    const timestamp = isoNow();
+    const userId = randomUUID();
+    await this.run(
+      `INSERT INTO users (id, email, username, display_name, status, metadata_json, created_at, updated_at)
+			 VALUES (?, ?, ?, ?, 'active', ?, ?, ?)`,
+      [
+        userId,
+        input.email?.trim() || null,
+        input.username?.trim().toLowerCase() || null,
+        input.displayName?.trim() || null,
+        JSON.stringify(input.metadata ?? {}),
+        timestamp,
+        timestamp
+      ]
+    );
+    await this.assignRole(userId, "member");
+    await this.writeAuditEvent({
+      actorType: "service",
+      actorId: this.config.webServiceId,
+      eventType: "auth.user_created",
+      targetType: "user",
+      targetId: userId,
+      data: { source: "admin" }
+    });
+    return this.principalForUser(userId);
+  }
+  async setUserRoles(userId, roles) {
+    await this.ensureInitialized();
+    const requestedRoles = [...new Set(roles.map((role) => role.trim()).filter(Boolean))];
+    await this.replaceRoles(userId, requestedRoles.length > 0 ? requestedRoles : ["member"]);
+    await this.writeAuditEvent({
+      actorType: "service",
+      actorId: this.config.webServiceId,
+      eventType: "auth.user_roles_set",
+      targetType: "user",
+      targetId: userId,
+      data: { roles: requestedRoles }
+    });
+    return this.principalForUser(userId);
+  }
   async startDeviceFlow(request) {
     await this.ensureInitialized();
     const current = now();

package/dist/api/auth/memory-provider.d.ts CHANGED Viewed

@@ -42,7 +42,11 @@ export declare class MemoryDeviceCodeAuthProvider implements ApiAuthProvider {
             scopes: string[];
             roles: string[];
             permissions: string[];
-            metadata: Record<string, unknown>;
+            metadata: {
+                username: string;
+                firstName: string;
+                lastName: string;
+            };
         };
     }>;
     createServiceToken(_input: {

package/dist/api/auth/memory-provider.js CHANGED Viewed

@@ -179,7 +179,12 @@ class MemoryDeviceCodeAuthProvider {
         scopes: ["auth:me"],
         roles: ["member"],
         permissions: ["auth:read:self"],
-        metadata: identity.profile
+        metadata: {
+          ...identity.profile ?? {},
+          username: identity.username ?? void 0,
+          firstName: typeof identity.profile?.firstName === "string" ? identity.profile.firstName : void 0,
+          lastName: typeof identity.profile?.lastName === "string" ? identity.profile.lastName : void 0
+        }
       }
     };
   }

package/dist/api/auth/rbac.js CHANGED Viewed

@@ -52,6 +52,7 @@ const permissionDefinitions = [
   contentPermission("services", "impersonate", "global", "Allow trusted web and service impersonation flows."),
   contentPermission("services", "manage", "global", "Manage service credentials and internal service auth."),
   contentPermission("users", "read", "global", "Read user records."),
+  contentPermission("users", "manage", "global", "Manage user records."),
   contentPermission("roles", "manage", "global", "Manage role assignments."),
   contentPermission("audit", "read", "global", "Read audit events."),
   contentPermission("jobs", "manage", "global", "Manage internal job and worker control surfaces."),

package/dist/api/config.js CHANGED Viewed

@@ -1,9 +1,16 @@
+import { existsSync } from "node:fs";
 import { resolve } from "node:path";
 function parseInteger(value, fallback) {
   if (!value) return fallback;
   const parsed = Number.parseInt(value, 10);
   return Number.isFinite(parsed) ? parsed : fallback;
 }
+function resolveLocalWranglerConfigPath(repoRoot, env) {
+  const explicit = env.TREESEED_API_D1_WRANGLER_CONFIG?.trim() || env.TREESEED_LOCAL_WRANGLER_CONFIG?.trim();
+  if (explicit) return resolve(repoRoot, explicit);
+  const generated = resolve(repoRoot, ".treeseed", "generated", "environments", "local", "wrangler.toml");
+  return existsSync(generated) ? generated : void 0;
+}
 function normalizeUrl(value) {
   return value.endsWith("/") ? value.slice(0, -1) : value;
 }
@@ -42,6 +49,7 @@ function resolveApiConfig(env = process.env) {
     d1DatabaseId: env.TREESEED_API_D1_DATABASE_ID?.trim() || void 0,
     d1DatabaseName: env.TREESEED_API_D1_DATABASE_NAME?.trim() || env.SITE_DATA_DB?.trim() || void 0,
     d1LocalPersistTo: env.TREESEED_API_D1_LOCAL_PERSIST_TO?.trim() || resolve(repoRoot, ".wrangler/state/v3/d1"),
+    d1WranglerConfigPath: resolveLocalWranglerConfigPath(repoRoot, env),
     webServiceId: env.TREESEED_API_WEB_SERVICE_ID?.trim() || "web",
     webServiceSecret: env.TREESEED_API_WEB_SERVICE_SECRET?.trim() || "treeseed-web-service-dev-secret",
     webAssertionSecret: env.TREESEED_API_WEB_ASSERTION_SECRET?.trim() || env.TREESEED_API_AUTH_SECRET?.trim() || "treeseed-web-assertion-dev-secret",

package/dist/api/providers.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { MemoryDeviceCodeAuthProvider } from "./auth/memory-provider.js";
 import { D1AuthProvider } from "./auth/d1-provider.js";
+import { resolveApiD1Database } from "./auth/d1-database.js";
 function addProviders(target, incoming, label) {
   for (const [id, value] of Object.entries(incoming ?? {})) {
     if (target.has(id)) {
@@ -24,7 +25,7 @@ function resolveApiRuntimeProviders(config, overrides = {}) {
   const agentVerification = /* @__PURE__ */ new Map();
   addProviders(authRegistry, {
     memory: ({ config: runtimeConfig }) => new MemoryDeviceCodeAuthProvider(runtimeConfig),
-    d1: ({ config: runtimeConfig }) => new D1AuthProvider(runtimeConfig)
+    d1: ({ config: runtimeConfig }) => new D1AuthProvider(runtimeConfig, { db: resolveApiD1Database(runtimeConfig) })
   }, "auth");
   addProviders(authRegistry, overrides.auth, "auth");
   addProviders(agentExecution, { stub: { id: "stub" } }, "agent execution");

package/dist/api/railway.d.ts CHANGED Viewed

@@ -32,6 +32,7 @@ export declare function createRailwayTreeseedApiServer(options?: ApiServerOption
         d1DatabaseId?: string;
         d1DatabaseName?: string;
         d1LocalPersistTo?: string;
+        d1WranglerConfigPath?: string;
         webServiceId: string;
         webServiceSecret: string;
         webAssertionSecret: string;

package/dist/api/types.d.ts CHANGED Viewed

@@ -45,6 +45,19 @@ export interface ApiAuthProvider {
         userId: string;
         identityId: string | null;
     }>;
+    createUser?(input: {
+        email?: string | null;
+        username?: string | null;
+        displayName?: string | null;
+        metadata?: Record<string, unknown>;
+    }): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
+    setUserRoles?(userId: string, roles: string[]): Promise<{
+        principal: ApiPrincipal;
+        userId: string;
+    }>;
     createServiceToken(input: {
         serviceId: string;
         name: string;
@@ -98,6 +111,7 @@ export interface ApiConfig {
     d1DatabaseId?: string;
     d1DatabaseName?: string;
     d1LocalPersistTo?: string;
+    d1WranglerConfigPath?: string;
     webServiceId: string;
     webServiceSecret: string;
     webAssertionSecret: string;
@@ -142,6 +156,7 @@ export interface UserIdentityProfileInput {
     providerSubject: string;
     email?: string | null;
     emailVerified?: boolean;
+    username?: string | null;
     displayName?: string | null;
     profile?: Record<string, unknown>;
 }