@treeseed/sdk 0.10.7 → 0.10.9

package/dist/api/auth/d1-provider.d.ts

@@ -10,6 +10,11 @@ export declare class D1AuthProvider implements ApiAuthProvider {
     startDeviceFlow(request: DeviceCodeStartRequest): Promise<DeviceCodeStartResponse>;
     pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
     refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    issueUserSession(userId: string, options?: {
+        sessionType?: string;
+        scopes?: string[];
+        data?: Record<string, unknown>;
+    }): Promise<TokenRefreshResponse>;
     approveDeviceFlow(request: DeviceCodeApproveRequest): Promise<{
         ok: true;
     }>;

package/dist/api/auth/d1-provider.js

@@ -34,6 +34,9 @@ class D1AuthProvider {
   refreshAccessToken(request) {
     return this.store.refreshAccessToken(request);
   }
+  issueUserSession(userId, options = {}) {
+    return this.store.issueUserSession(userId, options);
+  }
   approveDeviceFlow(request) {
     return this.store.approveDeviceFlow(request);
   }

package/dist/api/auth/d1-store.d.ts

@@ -58,6 +58,11 @@ export declare class D1AuthStore {
         ok: true;
     }>;
     pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
+    issueUserSession(userId: string, options?: {
+        sessionType?: string;
+        scopes?: string[];
+        data?: Record<string, unknown>;
+    }): Promise<TokenRefreshResponse>;
     refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
     createPersonalAccessToken(userId: string, input: {
         name: string;

package/dist/api/auth/d1-store.js

@@ -198,15 +198,6 @@ class D1AuthStore {
   }
   async seedCatalog() {
     const createdAt = isoNow();
-    const seeded = await this.first(
-      `SELECT key FROM permissions WHERE key = '*:*:*' LIMIT 1`
-    );
-    const adminRole = await this.first(
-      `SELECT key FROM roles WHERE key = 'platform_admin' LIMIT 1`
-    );
-    if (seeded?.key && adminRole?.key) {
-      return;
-    }
     for (const permission of DEFAULT_PERMISSIONS) {
       await this.run(
         `INSERT OR IGNORE INTO permissions (id, key, resource, action, scope, description, created_at)
@@ -650,6 +641,68 @@ class D1AuthStore {
       }
     };
   }
+  async issueUserSession(userId, options = {}) {
+    await this.ensureInitialized();
+    const principalRecord = await this.principalForUser(userId);
+    const refreshToken = nextOpaqueToken("refresh");
+    const sessionId = randomUUID();
+    const refreshTokenHash = stableHash(refreshToken, this.config.authSecret);
+    const expiresAt = addSeconds(now(), this.config.accessTokenTtlSeconds);
+    const refreshExpiresAt = addSeconds(now(), this.config.refreshTokenTtlSeconds);
+    const requestedScopes = options.scopes && options.scopes.length > 0 ? [...new Set(options.scopes)] : principalRecord.principal.scopes;
+    await this.run(
+      `INSERT INTO auth_sessions (id, user_id, session_type, refresh_token_hash, scopes_json, expires_at, revoked_at, data_json, created_at, updated_at)
+			 VALUES (?, ?, ?, ?, ?, ?, NULL, ?, ?, ?)`,
+      [
+        sessionId,
+        userId,
+        options.sessionType?.trim() || "web",
+        refreshTokenHash,
+        JSON.stringify(requestedScopes),
+        refreshExpiresAt.toISOString(),
+        JSON.stringify(options.data ?? {}),
+        isoNow(),
+        isoNow()
+      ]
+    );
+    const accessToken = createAccessToken({
+      sub: principalRecord.principal.id,
+      displayName: principalRecord.principal.displayName,
+      scopes: requestedScopes,
+      roles: principalRecord.principal.roles,
+      permissions: principalRecord.principal.permissions,
+      metadata: {
+        ...principalRecord.principal.metadata,
+        sessionId
+      },
+      iat: Math.floor(Date.now() / 1e3),
+      exp: Math.floor(expiresAt.getTime() / 1e3),
+      iss: this.config.issuer,
+      jti: randomUUID(),
+      tokenType: "access"
+    }, this.config.authSecret);
+    await this.writeAuditEvent({
+      actorType: "user",
+      actorId: userId,
+      eventType: "auth.session_issued",
+      targetType: "auth_session",
+      targetId: sessionId,
+      data: { sessionType: options.sessionType ?? "web" }
+    });
+    return {
+      ok: true,
+      status: "approved",
+      accessToken,
+      refreshToken,
+      tokenType: "Bearer",
+      expiresAt: expiresAt.toISOString(),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal: {
+        ...principalRecord.principal,
+        scopes: requestedScopes
+      }
+    };
+  }
   async refreshAccessToken(request) {
     await this.ensureInitialized();
     const refreshHash = stableHash(request.refreshToken, this.config.authSecret);

package/dist/api/auth/memory-provider.d.ts

@@ -11,6 +11,11 @@ export declare class MemoryDeviceCodeAuthProvider implements ApiAuthProvider {
     }>;
     pollDeviceFlow(request: DeviceCodePollRequest): Promise<DeviceCodePollResponse>;
     refreshAccessToken(request: TokenRefreshRequest): Promise<TokenRefreshResponse>;
+    issueUserSession(userId: string, options?: {
+        sessionType?: string;
+        scopes?: string[];
+        data?: Record<string, unknown>;
+    }): Promise<TokenRefreshResponse>;
     authenticateBearerToken(token: string): Promise<{
         principal: ApiPrincipal;
         credential: {

package/dist/api/auth/memory-provider.js

@@ -154,6 +154,47 @@ class MemoryDeviceCodeAuthProvider {
       principal: session.principal
     };
   }
+  async issueUserSession(userId, options = {}) {
+    const principal = {
+      id: userId,
+      displayName: userId,
+      scopes: options.scopes ?? ["auth:me"],
+      roles: ["member"],
+      permissions: ["auth:read:self"],
+      metadata: {
+        ...options.data ?? {},
+        sessionType: options.sessionType ?? "web"
+      }
+    };
+    const refreshToken = nextOpaqueToken("refresh");
+    this.refreshSessions.set(refreshToken, {
+      principal,
+      expiresAt: nowSeconds() + this.config.refreshTokenTtlSeconds
+    });
+    const expiresAt = nowSeconds() + this.config.accessTokenTtlSeconds;
+    return {
+      ok: true,
+      status: "approved",
+      accessToken: createAccessToken({
+        sub: principal.id,
+        displayName: principal.displayName,
+        scopes: principal.scopes,
+        roles: principal.roles,
+        permissions: principal.permissions,
+        metadata: principal.metadata,
+        iat: nowSeconds(),
+        exp: expiresAt,
+        iss: this.config.issuer,
+        jti: randomUUID(),
+        tokenType: "access"
+      }, this.config.authSecret),
+      refreshToken,
+      tokenType: "Bearer",
+      expiresAt: formatExpiry(expiresAt),
+      expiresInSeconds: this.config.accessTokenTtlSeconds,
+      principal
+    };
+  }
   async authenticateBearerToken(token) {
     const payload = verifyAccessToken(token, this.config.authSecret);
     return payload ? {

package/dist/api/types.d.ts

@@ -83,6 +83,11 @@ export interface ApiAuthProvider {
         expiresInSeconds: number;
         principal: ApiPrincipal;
     }>;
+    issueUserSession?(userId: string, options?: {
+        sessionType?: string;
+        scopes?: string[];
+        data?: Record<string, unknown>;
+    }): Promise<TokenRefreshResponse>;
 }
 export type ApiRuntimeProviderSelections = {
     auth: string;

package/dist/market-client.d.ts

@@ -19,6 +19,13 @@ export interface MarketSession {
     expiresAt?: string;
     principal?: ApiPrincipal | null;
 }
+export interface MarketWebAuthSession {
+    accessToken: string;
+    refreshToken?: string | null;
+    expiresInSeconds?: number;
+    principal: ApiPrincipal;
+    session?: Record<string, unknown> | null;
+}
 export interface MarketRegistryState {
     version: 1;
     activeMarketId: string;
@@ -128,6 +135,118 @@ export declare class MarketClient {
     logout(): Promise<{
         ok: true;
     }>;
+    webSignUp(body: {
+        email: string;
+        password: string;
+        username?: string | null;
+        name?: string | null;
+        firstName?: string | null;
+        lastName?: string | null;
+    }): Promise<{
+        ok: true;
+        payload: MarketWebAuthSession;
+    }>;
+    webSignIn(body: {
+        email?: string;
+        username?: string;
+        login?: string;
+        password: string;
+    }): Promise<{
+        ok: true;
+        payload: MarketWebAuthSession;
+    }>;
+    checkWebUsername(username: string): Promise<{
+        ok: true;
+        payload: {
+            username: string;
+            available: boolean;
+            status: string;
+        };
+    }>;
+    webSessions(): Promise<{
+        ok: true;
+        payload: unknown[];
+    }>;
+    revokeWebSession(sessionId: string): Promise<{
+        ok: true;
+        payload: {
+            sessionId: string;
+        };
+    }>;
+    updateWebProfile(body: {
+        name?: string | null;
+        image?: string | null;
+    }): Promise<{
+        ok: true;
+        payload: MarketWebAuthSession;
+    }>;
+    webAppearance(): Promise<{
+        ok: true;
+        payload: {
+            scheme: string;
+            mode: string;
+        };
+    }>;
+    updateWebAppearance(body: {
+        colorScheme?: string | null;
+        scheme?: string | null;
+        themeMode?: string | null;
+        mode?: string | null;
+    }): Promise<{
+        ok: true;
+        payload: {
+            scheme: string;
+            mode: string;
+        };
+    }>;
+    updateWebEmail(body: {
+        email: string;
+    }): Promise<{
+        ok: true;
+        payload: MarketWebAuthSession;
+    }>;
+    updateWebPassword(body: {
+        currentPassword?: string;
+        password: string;
+    }): Promise<{
+        ok: true;
+        payload: {
+            changed: true;
+        };
+    }>;
+    requestWebPasswordReset(body: {
+        email: string;
+    }): Promise<{
+        ok: true;
+        payload: {
+            sent: true;
+            resetToken?: string | null;
+        };
+    }>;
+    completeWebPasswordReset(body: {
+        token: string;
+        password: string;
+    }): Promise<{
+        ok: true;
+        payload: {
+            reset: true;
+        };
+    }>;
+    accountDeletionBlockers(): Promise<{
+        ok: true;
+        payload: {
+            blockers: unknown[];
+            canDelete: boolean;
+        };
+    }>;
+    deleteAccount(body?: {
+        confirmation?: string;
+    }): Promise<{
+        ok: true;
+        payload: {
+            deleted: true;
+        };
+    }>;
     me(): Promise<{
         ok: true;
         payload: {

package/dist/market-client.js

@@ -319,6 +319,85 @@ class MarketClient {
       requireAuth: true
     });
   }
+  webSignUp(body) {
+    return this.request("/v1/auth/web/sign-up", {
+      method: "POST",
+      body
+    });
+  }
+  webSignIn(body) {
+    return this.request("/v1/auth/web/sign-in", {
+      method: "POST",
+      body
+    });
+  }
+  checkWebUsername(username) {
+    return this.request(
+      `/v1/auth/web/username/check?username=${encodeURIComponent(username)}`
+    );
+  }
+  webSessions() {
+    return this.request("/v1/auth/web/sessions", { requireAuth: true });
+  }
+  revokeWebSession(sessionId) {
+    return this.request(
+      `/v1/auth/web/sessions/${encodeURIComponent(sessionId)}/revoke`,
+      { method: "POST", requireAuth: true }
+    );
+  }
+  updateWebProfile(body) {
+    return this.request("/v1/auth/web/profile", {
+      method: "PATCH",
+      body,
+      requireAuth: true
+    });
+  }
+  webAppearance() {
+    return this.request("/v1/auth/web/appearance", { requireAuth: true });
+  }
+  updateWebAppearance(body) {
+    return this.request("/v1/auth/web/appearance", {
+      method: "PATCH",
+      body,
+      requireAuth: true
+    });
+  }
+  updateWebEmail(body) {
+    return this.request("/v1/auth/web/email", {
+      method: "PATCH",
+      body,
+      requireAuth: true
+    });
+  }
+  updateWebPassword(body) {
+    return this.request("/v1/auth/web/password", {
+      method: "PATCH",
+      body,
+      requireAuth: true
+    });
+  }
+  requestWebPasswordReset(body) {
+    return this.request("/v1/auth/web/password-reset/request", {
+      method: "POST",
+      body
+    });
+  }
+  completeWebPasswordReset(body) {
+    return this.request("/v1/auth/web/password-reset/complete", {
+      method: "POST",
+      body
+    });
+  }
+  accountDeletionBlockers() {
+    return this.request("/v1/auth/web/account/deletion-blockers", { requireAuth: true });
+  }
+  deleteAccount(body = {}) {
+    return this.request("/v1/auth/web/account", {
+      method: "DELETE",
+      body,
+      requireAuth: true
+    });
+  }
   me() {
     return this.request("/v1/me", { requireAuth: true });
   }

package/dist/operations/services/project-platform.js

@@ -45,7 +45,7 @@ import { CloudflareQueuePullClient, CloudflareQueuePushClient } from "../../remo
 import { runPrefixedCommand, runTreeseedBootstrapDag, sleep, writeTreeseedBootstrapLine } from "./bootstrap-runner.js";
 import { runTenantDeployPreflight } from "./save-deploy-preflight.js";
 const PROJECT_PLATFORM_BOOTSTRAP_SYSTEMS = ["data", "web", "api", "agents"];
-const WEB_PLATFORM_BOOTSTRAP_SYSTEMS = ["data", "web"];
+const WEB_PLATFORM_BOOTSTRAP_SYSTEMS = PROJECT_PLATFORM_BOOTSTRAP_SYSTEMS;
 const PROCESSING_PLATFORM_BOOTSTRAP_SYSTEMS = ["api", "agents"];
 function stableHash(value) {
   return createHash("sha256").update(value).digest("hex");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@treeseed/sdk",
-  "version": "0.10.7",
+  "version": "0.10.9",
   "description": "Shared Treeseed SDK for content-backed and D1-backed object models.",
   "license": "AGPL-3.0-only",
   "repository": {