npm - @valentinkolb/cloud - Versions diffs - 0.1.0 - Mend

@valentinkolb/cloud 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/package.json +69 -0
package/public/logo.svg +1 -0
package/scripts/build.ts +113 -0
package/scripts/preload.ts +73 -0
package/src/_internal/define-app.ts +399 -0
package/src/_internal/heartbeat.ts +33 -0
package/src/_internal/registry.ts +100 -0
package/src/_internal/runtime-context.ts +38 -0
package/src/api/accounts-entities.ts +134 -0
package/src/api/admin-lifecycle.ts +210 -0
package/src/api/auth/schemas.ts +28 -0
package/src/api/auth.ts +230 -0
package/src/api/index.ts +66 -0
package/src/api/me.ts +206 -0
package/src/api/search/schemas.ts +43 -0
package/src/api/search.ts +130 -0
package/src/clients/core.ts +19 -0
package/src/config/env.ts +23 -0
package/src/config/index.ts +6 -0
package/src/config/ssr.ts +58 -0
package/src/contracts/app.ts +140 -0
package/src/contracts/index.ts +5 -0
package/src/contracts/profile.ts +67 -0
package/src/contracts/registry.ts +50 -0
package/src/contracts/settings-types.ts +84 -0
package/src/contracts/shared.ts +258 -0
package/src/contracts/widgets.ts +121 -0
package/src/index.ts +6 -0
package/src/server/api/index.ts +1 -0
package/src/server/api/respond.ts +55 -0
package/src/server/api-client.ts +54 -0
package/src/server/app-context.ts +39 -0
package/src/server/index.ts +62 -0
package/src/server/middleware/auth.ts +168 -0
package/src/server/middleware/index.ts +7 -0
package/src/server/middleware/middleware.ts +47 -0
package/src/server/middleware/openapi.ts +126 -0
package/src/server/middleware/rate-limit.ts +126 -0
package/src/server/middleware/request-logger.ts +41 -0
package/src/server/middleware/validator.ts +35 -0
package/src/server/services/access.ts +294 -0
package/src/server/services/freeipa/client.ts +100 -0
package/src/server/services/freeipa/index.ts +9 -0
package/src/server/services/freeipa/session.ts +78 -0
package/src/server/services/freeipa/tls.ts +48 -0
package/src/server/services/freeipa/util.ts +60 -0
package/src/server/services/geo.ts +154 -0
package/src/server/services/index.ts +28 -0
package/src/server/services/services.ts +13 -0
package/src/services/account-lifecycle/audit.ts +41 -0
package/src/services/account-lifecycle/index.ts +907 -0
package/src/services/account-lifecycle/scheduler.ts +347 -0
package/src/services/account-model.ts +21 -0
package/src/services/accounts/app.ts +966 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/base-group.ts +11 -0
package/src/services/accounts/base-user.ts +45 -0
package/src/services/accounts/entities.ts +529 -0
package/src/services/accounts/group-sql.ts +106 -0
package/src/services/accounts/groups.ts +246 -0
package/src/services/accounts/index.ts +14 -0
package/src/services/accounts/ipa-data.ts +64 -0
package/src/services/accounts/lifecycle.ts +2 -0
package/src/services/accounts/local-groups.ts +491 -0
package/src/services/accounts/model.ts +135 -0
package/src/services/accounts/switching.ts +117 -0
package/src/services/accounts/users.ts +714 -0
package/src/services/auth-flows/index.ts +6 -0
package/src/services/auth-flows/ipa.ts +128 -0
package/src/services/auth-flows/magic-link.ts +119 -0
package/src/services/freeipa-config.ts +89 -0
package/src/services/index.ts +46 -0
package/src/services/ipa/auth.ts +122 -0
package/src/services/ipa/groups.ts +684 -0
package/src/services/ipa/guard.ts +17 -0
package/src/services/ipa/index.ts +17 -0
package/src/services/ipa/profile.ts +90 -0
package/src/services/ipa/search.ts +154 -0
package/src/services/ipa/sync.ts +740 -0
package/src/services/ipa/users.ts +794 -0
package/src/services/logging/index.ts +294 -0
package/src/services/notifications/email.ts +123 -0
package/src/services/notifications/index.ts +413 -0
package/src/services/postgres.ts +51 -0
package/src/services/providers/index.ts +27 -0
package/src/services/providers/local/auth.ts +13 -0
package/src/services/providers/local/index.ts +4 -0
package/src/services/providers/local/users.ts +255 -0
package/src/services/session/index.ts +137 -0
package/src/services/settings/api.ts +61 -0
package/src/services/settings/app.ts +101 -0
package/src/services/settings/crypto.ts +69 -0
package/src/services/settings/defaults.ts +824 -0
package/src/services/settings/index.ts +203 -0
package/src/services/settings/namespace.ts +9 -0
package/src/services/settings/snapshot.ts +49 -0
package/src/services/settings/store.ts +179 -0
package/src/services/settings/templates.ts +10 -0
package/src/services/weather/forecast.ts +287 -0
package/src/services/weather/geo.ts +110 -0
package/src/services/weather/index.ts +99 -0
package/src/services/weather/location.ts +24 -0
package/src/services/weather/locations.ts +125 -0
package/src/services/weather/migrate.ts +22 -0
package/src/services/weather/types.ts +61 -0
package/src/services/weather/ui.ts +50 -0
package/src/shared/account-display.ts +17 -0
package/src/shared/account-session.ts +15 -0
package/src/shared/icons.ts +109 -0
package/src/shared/index.ts +10 -0
package/src/shared/markdown/client.ts +130 -0
package/src/shared/markdown/extensions/code.ts +58 -0
package/src/shared/markdown/extensions/images.ts +43 -0
package/src/shared/markdown/extensions/info-blocks.ts +93 -0
package/src/shared/markdown/extensions/katex.ts +120 -0
package/src/shared/markdown/extensions/links.ts +34 -0
package/src/shared/markdown/extensions/tables.ts +88 -0
package/src/shared/markdown/extensions/task-list.ts +53 -0
package/src/shared/markdown/index.ts +97 -0
package/src/shared/markdown/shared.ts +36 -0
package/src/ssr/AdminLayout.tsx +42 -0
package/src/ssr/AdminSidebar.tsx +95 -0
package/src/ssr/Footer.island.tsx +62 -0
package/src/ssr/GlobalSearchDialog.tsx +389 -0
package/src/ssr/GlobalSearchHelpDialog.tsx +106 -0
package/src/ssr/GlobalSearchTrigger.island.tsx +42 -0
package/src/ssr/HotkeysHelpRail.island.tsx +99 -0
package/src/ssr/Layout.tsx +326 -0
package/src/ssr/MoreAppsDropdown.island.tsx +61 -0
package/src/ssr/NavMenu.island.tsx +108 -0
package/src/ssr/ThemeToggleRail.island.tsx +27 -0
package/src/ssr/index.ts +5 -0
package/src/ssr/islands/SearchBar.island.tsx +77 -0
package/src/ssr/islands/index.ts +1 -0
package/src/ssr/runtime.ts +22 -0
package/src/styles/base-popover.css +28 -0
package/src/styles/effects.css +65 -0
package/src/styles/global.css +133 -0
package/src/styles/input.css +54 -0
package/src/styles/tokens.css +35 -0
package/src/styles/utilities-buttons.css +125 -0
package/src/styles/utilities-feedback.css +65 -0
package/src/styles/utilities-layout.css +122 -0
package/src/styles/utilities-navigation.css +196 -0
package/src/types/ambient.d.ts +8 -0
package/src/ui/admin-settings.tsx +148 -0
package/src/ui/dialog-core.ts +146 -0
package/src/ui/filter/FilterChip.tsx +196 -0
package/src/ui/filter/index.ts +2 -0
package/src/ui/index.ts +19 -0
package/src/ui/input/Checkbox.tsx +55 -0
package/src/ui/input/ColorInput.tsx +122 -0
package/src/ui/input/DateTimeInput.tsx +86 -0
package/src/ui/input/ImageInput.tsx +170 -0
package/src/ui/input/NumberInput.tsx +113 -0
package/src/ui/input/PinInput.tsx +169 -0
package/src/ui/input/SegmentedControl.tsx +99 -0
package/src/ui/input/Select.tsx +288 -0
package/src/ui/input/SelectChip.tsx +61 -0
package/src/ui/input/Slider.tsx +118 -0
package/src/ui/input/Switch.tsx +62 -0
package/src/ui/input/TagsInput.tsx +115 -0
package/src/ui/input/TextInput.tsx +160 -0
package/src/ui/input/index.ts +13 -0
package/src/ui/input/types.ts +42 -0
package/src/ui/input/util.tsx +105 -0
package/src/ui/ipa/Avatar.tsx +28 -0
package/src/ui/ipa/GroupView.tsx +36 -0
package/src/ui/ipa/LoginBtn.tsx +16 -0
package/src/ui/ipa/UserView.tsx +58 -0
package/src/ui/ipa/index.ts +4 -0
package/src/ui/misc/ContextMenu.tsx +211 -0
package/src/ui/misc/CopyButton.tsx +28 -0
package/src/ui/misc/Dropdown.tsx +194 -0
package/src/ui/misc/EntitySearch.tsx +213 -0
package/src/ui/misc/Lightbox.tsx +194 -0
package/src/ui/misc/LinkCard.tsx +34 -0
package/src/ui/misc/LogEntriesTable.tsx +61 -0
package/src/ui/misc/MarkdownView.tsx +65 -0
package/src/ui/misc/Pagination.tsx +51 -0
package/src/ui/misc/PermissionEditor.tsx +379 -0
package/src/ui/misc/ProgressBar.tsx +47 -0
package/src/ui/misc/RemoveBtn.tsx +27 -0
package/src/ui/misc/StatCell.tsx +90 -0
package/src/ui/misc/index.ts +18 -0
package/src/ui/navigation.ts +32 -0
package/src/ui/prompts.tsx +854 -0
package/src/ui/sidebar.tsx +468 -0
package/src/ui/widgets/Widget.tsx +62 -0
package/src/ui/widgets/WidgetCard.tsx +19 -0
package/src/ui/widgets/WidgetHero.tsx +39 -0
package/src/ui/widgets/WidgetList.tsx +84 -0
package/src/ui/widgets/WidgetPills.tsx +68 -0
package/src/ui/widgets/WidgetStat.tsx +67 -0
package/src/ui/widgets/WidgetStatus.tsx +62 -0
package/src/ui/widgets/index.ts +9 -0

package/src/api/auth.ts ADDED Viewed

@@ -0,0 +1,230 @@
+import { Hono, type Context } from "hono";
+import { describeRoute } from "hono-openapi";
+import { v } from "../server";
+import { jsonResponse } from "../server";
+import { auth, type AuthContext } from "../server";
+import { rateLimit } from "../server";
+import { authFlows, accounts, getFreeIpaConfig, logger } from "../services";
+import { sql } from "bun";
+import { env } from "../config";
+import { ChangeExpiredPasswordSchema } from "../contracts";
+const log = logger("auth");
+import {
+  LoginSchema,
+  EmailLoginSchema,
+  VerifyTokenSchema,
+  AdminLoginSchema,
+  AuthResponseSchema,
+} from "./auth/schemas";
+import { ErrorResponseSchema, MessageResponseSchema } from "../contracts";
+const jsonError = (c: Context, message: string, status: 400 | 401 | 500) => c.json({ message }, status);
+/** Authentication routes: login, logout. */
+const app = new Hono<AuthContext>()
+  .use(rateLimit())
+  .post(
+    "/login",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Login via FreeIPA",
+      description: "Authenticate with FreeIPA username and password. Returns a session token and sets a session cookie.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Login successful"),
+        401: jsonResponse(ErrorResponseSchema, "Invalid username or password"),
+      },
+    }),
+    v("json", LoginSchema),
+    async (c) => {
+      const { username, password, acceptedAgb: _ } = c.req.valid("json");
+      if (!(await getFreeIpaConfig()).enabled) {
+        return c.json({ message: "FreeIPA is disabled." }, 400);
+      }
+      const loginResult = await authFlows.ipa.login({ username, password });
+      if (!loginResult.ok && loginResult.reason === "password_expired") {
+        log.info("Login failed", { uid: username, reason: "password_expired" });
+        return c.json({ message: "Password expired", passwordExpired: true }, 401);
+      }
+      if (!loginResult.ok) {
+        log.info("Login failed", {
+          uid: username,
+          reason: loginResult.reason,
+        });
+        return c.json({ message: loginResult.message }, loginResult.status);
+      }
+      // Store minimal session in Redis
+      const sessionToken = await auth.session.create(c, loginResult.userId, loginResult.ipaSession);
+      log.info("Login successful", { uid: username });
+      return c.json({
+        session_token: sessionToken,
+        user: loginResult.user,
+      });
+    },
+  )
+  .post(
+    "/logout",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Logout",
+      description:
+        "Idempotent: clears the session cookie and deletes the session key if present. No authentication required — logout must always succeed.",
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Session invalidated"),
+      },
+    }),
+    async (c) => {
+      await auth.session.delete(c);
+      log.info("Logout");
+      return c.json({ message: "Logged out" });
+    },
+  )
+  .post(
+    "/change-expired-password",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Change expired password",
+      description: "Change an expired or temporary password using FreeIPA's change_password endpoint. No active session required. For regular password changes of a logged-in user, use POST /api/me/password instead.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Password changed and logged in"),
+        400: jsonResponse(ErrorResponseSchema, "Failed to change password"),
+      },
+    }),
+    v("json", ChangeExpiredPasswordSchema),
+    async (c) => {
+      const { username, currentPassword, newPassword } = c.req.valid("json");
+      if (!(await getFreeIpaConfig()).enabled) {
+        return c.json({ message: "FreeIPA is disabled." }, 400);
+      }
+      const changeResult = await authFlows.ipa.changeExpiredPassword({
+        username,
+        currentPassword,
+        newPassword,
+      });
+      if (!changeResult.ok) {
+        if (changeResult.reason === "change_failed") {
+          const status = changeResult.status >= 500 ? 500 : 400;
+          return jsonError(c, changeResult.message, status);
+        }
+        if (changeResult.reason === "password_expired") {
+          return c.json({ message: "Password expired", passwordExpired: true }, 401);
+        }
+        return jsonError(c, changeResult.message, changeResult.status === 401 ? 401 : 400);
+      }
+      const sessionToken = await auth.session.create(c, changeResult.userId, changeResult.ipaSession);
+      log.info("Password changed via expired flow", { uid: username });
+      return c.json({ session_token: sessionToken, user: changeResult.user });
+    },
+  )
+  .post(
+    "/email-login",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Request magic link login",
+      description: "Request a magic link token via email for local account sign-in.",
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Request accepted"),
+        400: jsonResponse(ErrorResponseSchema, "Email sign-in not available"),
+      },
+    }),
+    v("json", EmailLoginSchema),
+    async (c) => {
+      const { email } = c.req.valid("json");
+      const requestResult = await authFlows.magicLink.request({ email });
+      if (!requestResult.ok) {
+        return c.json({ message: requestResult.message }, requestResult.status);
+      }
+      log.info("Magic link requested", { email });
+      return c.json({
+        message: "If this email can sign in with a login code, a code has been sent.",
+      });
+    },
+  )
+  .post(
+    "/verify-token",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Verify magic link token",
+      description: "Verify a magic link token and create a session.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Token verified, session created"),
+        401: jsonResponse(ErrorResponseSchema, "Invalid or expired token"),
+      },
+    }),
+    v("json", VerifyTokenSchema),
+    async (c) => {
+      const { token } = c.req.valid("json");
+      const verifyResult = await authFlows.magicLink.verify({ token });
+      if (!verifyResult.ok) {
+        log.info("Token invalid/expired");
+        const status = verifyResult.status >= 500 ? 500 : verifyResult.status === 400 ? 400 : 401;
+        return jsonError(c, verifyResult.message, status);
+      }
+      // Create session (no IPA session for email-only users)
+      const sessionToken = await auth.session.create(c, verifyResult.userId, null);
+      if (verifyResult.createdGuest) {
+        log.info("Guest user created", { email: verifyResult.email, uid: verifyResult.user.uid });
+      }
+      log.info("Token verified", { email: verifyResult.email });
+      return c.json({ session_token: sessionToken, user: verifyResult.user });
+    },
+  )
+  .post(
+    "/admin-login",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Admin token login",
+      description: "Hidden emergency login using a static token. Creates/ensures the local admin account.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Login successful"),
+        401: jsonResponse(ErrorResponseSchema, "Invalid token"),
+        503: jsonResponse(ErrorResponseSchema, "Admin login not configured"),
+      },
+    }),
+    v("json", AdminLoginSchema),
+    async (c) => {
+      if (!env.ADMIN_LOGIN_TOKEN) {
+        return jsonError(c, "Admin login is not configured.", 500);
+      }
+      const { token } = c.req.valid("json");
+      const a = Buffer.from(token);
+      const b = Buffer.from(env.ADMIN_LOGIN_TOKEN);
+      if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
+        log.warn("Admin login failed: invalid token");
+        return jsonError(c, "Invalid token.", 401);
+      }
+      // Ensure the admin user exists and has emergency-admin semantics. The
+      // prior `DO NOTHING` could log into a pre-existing `uid='admin'` row that
+      // was locally demoted (non-admin local user, or even an IPA row named
+      // admin), silently bypassing the intent of the emergency endpoint.
+      await sql`
+        INSERT INTO auth.users (uid, provider, profile, admin, given_name, sn, display_name)
+        VALUES ('admin', 'local', 'user', true, 'Admin', '', 'Admin')
+        ON CONFLICT (uid) DO UPDATE SET
+          provider = 'local',
+          profile = 'user',
+          admin = true
+      `;
+      const user = await accounts.users.get({ uid: "admin" });
+      if (!user) return jsonError(c, "Failed to resolve admin user.", 500);
+      const sessionToken = await auth.session.create(c, user.id, null);
+      log.info("Admin login successful");
+      return c.json({ session_token: sessionToken, user });
+    },
+  );
+export default app;

package/src/api/index.ts ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * Core platform API surface — owned by cloud-lib, mounted by the core-app.
+ *
+ * Lives here (not in an app) because every container shares the same auth
+ * model, self-service shape, lifecycle controls and entity search; redefining
+ * any of these per-app would break the platform invariant.
+ *
+ * Apps that need a typed client to these routes import from
+ * `@valentinkolb/cloud/clients/core`. The client and the routes share their
+ * type via `CoreApiType` below.
+ */
+import { Hono } from "hono";
+import { Scalar } from "@scalar/hono-api-reference";
+import { generateSpecs } from "hono-openapi";
+import { prettyJSON } from "hono/pretty-json";
+import { createMarkdownFromOpenApi } from "@scalar/openapi-to-markdown";
+import { openApiMeta } from "../server";
+import authRoutes from "./auth";
+import meRoutes from "./me";
+import adminLifecycleRoutes from "./admin-lifecycle";
+import accountsEntitiesRoutes from "./accounts-entities";
+import { createSearchRoutes } from "./search";
+/**
+ * Single-expression chain so `typeof buildCoreApi()` captures every route's
+ * input/output. Splitting into `new Hono()` + `.route(...)` calls would erase
+ * the typed shape for the client.
+ */
+const buildCoreApi = () => {
+  const searchRoutes = createSearchRoutes();
+  return new Hono()
+    .use(prettyJSON())
+    .route("/auth", authRoutes)
+    .route("/me", meRoutes)
+    .route("/accounts", accountsEntitiesRoutes)
+    .route("/admin/lifecycle", adminLifecycleRoutes)
+    .route("/", searchRoutes);
+};
+/** Type of the entire core HTTP surface — consumed by the client builder. */
+export type CoreApiType = ReturnType<typeof buildCoreApi>;
+/**
+ * Build the core router and accompanying OpenAPI assets. The core-app calls
+ * this and mounts the returned router under `/api`.
+ */
+export const createCoreApiRouter = async () => {
+  const api = buildCoreApi();
+  const spec = await generateSpecs(api, openApiMeta);
+  const llmsTxt = await createMarkdownFromOpenApi(JSON.stringify(spec));
+  api.get("/openapi.json", (c) => c.json(spec));
+  api.get(
+    "/docs",
+    Scalar({
+      theme: "saturn",
+      url: "/api/openapi.json",
+      hideClientButton: true,
+    }),
+  );
+  api.all("/*", (c) => c.json({ message: "API route not found" }, 404));
+  return { api, llmsTxt };
+};

package/src/api/me.ts ADDED Viewed

@@ -0,0 +1,206 @@
+/**
+ * Self-service endpoints — everything a logged-in user does with their OWN
+ * account. Owned by core, mounted at /api/me/*. Auth flows live in /auth;
+ * third-party management lives in the accounts admin app.
+ */
+import { Hono } from "hono";
+import { describeRoute } from "hono-openapi";
+import { z } from "zod";
+import { auth, jsonResponse, rateLimit, requiresAuth, respond, v, type AuthContext } from "../server";
+import { ok } from "@valentinkolb/stdlib";
+import {
+  ChangePasswordSchema,
+  CreateAccountRequestSchema,
+  ErrorResponseSchema,
+  MessageResponseSchema,
+  UpdateProfileSchema,
+  UserSchema,
+} from "../contracts";
+import {
+  accountLifecycle,
+  accountsAppService as accountsService,
+} from "../services";
+const ExtendAccountResponseSchema = z.object({
+  message: z.string(),
+  newExpiry: z.string().datetime().optional(),
+});
+const AccountRequestResponseSchema = z.object({
+  id: z.uuid(),
+  message: z.string(),
+});
+const app = new Hono<AuthContext>()
+  .use(rateLimit())
+  .use(auth.requireRole("authenticated"))
+  .get(
+    "/",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Get current user",
+      description: "Return the authenticated user resource.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(UserSchema, "Current user"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    async (c) => respond(c, ok(c.get("user"))),
+  )
+  .patch(
+    "/",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Update current user",
+      description: "Update the authenticated user's canonical profile fields and IPA-only self-service fields.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Profile updated"),
+        400: jsonResponse(ErrorResponseSchema, "Failed to update profile"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    v("json", UpdateProfileSchema),
+    async (c) =>
+      respond(c, async () => {
+        const user = c.get("user");
+        const token = c.get("sessionToken");
+        const data = c.req.valid("json");
+        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
+        const result = await accountsService.user.update({ ipaSession, id: user.id, data });
+        if (!result.ok) return result;
+        return ok({ message: "Profile updated." });
+      }),
+  )
+  .post(
+    "/password",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Change current user password",
+      description: "Change the authenticated user's password. Requires the current password for verification.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Password changed"),
+        400: jsonResponse(ErrorResponseSchema, "Failed to change password"),
+        401: jsonResponse(ErrorResponseSchema, "Current password is incorrect"),
+      },
+    }),
+    v("json", ChangePasswordSchema),
+    async (c) =>
+      respond(c, async () => {
+        const result = await accountsService.user.changeOwnPassword({
+          user: c.get("user"),
+          currentPassword: c.req.valid("json").currentPassword,
+          newPassword: c.req.valid("json").newPassword,
+        });
+        if (!result.ok) return result;
+        return ok({ message: "Password changed successfully." });
+      }),
+  )
+  .post(
+    "/account-extension",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Extend current user account",
+      description: "Extends the authenticated account according to lifecycle settings.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(ExtendAccountResponseSchema, "Account extension result"),
+        400: jsonResponse(ErrorResponseSchema, "Unable to extend account"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const user = c.get("user");
+        const token = c.get("sessionToken");
+        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
+        const result = await accountLifecycle.extendCurrentUserAccount({ user, ipaSession });
+        return ok(result);
+      }),
+  )
+  .delete(
+    "/",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Delete current user",
+      description: "Delete the authenticated user's account. Only available for guest-profile users.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Account deleted"),
+        400: jsonResponse(ErrorResponseSchema, "Failed to delete account"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        403: jsonResponse(ErrorResponseSchema, "Only guest accounts can be self-deleted"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const user = c.get("user");
+        if (user.profile !== "guest") {
+          return { ok: false, error: "Only guest accounts can be self-deleted.", status: 403 };
+        }
+        const token = c.get("sessionToken");
+        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
+        const result = await accountsService.user.removeSelf({ user, ipaSession });
+        if (!result.ok) return result;
+        await auth.session.delete(c);
+        return ok({ message: "Account deleted." });
+      }),
+  )
+  // Account request: a local user asks for an IPA-backed account. Each user
+  // has at most one pending request; `POST` creates it, `DELETE` withdraws
+  // the current one. Admin processing of requests lives in the accounts app.
+  .post(
+    "/account-request",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Submit account request",
+      description: "Local accounts can request a centrally managed FreeIPA account. Must accept terms of service.",
+      ...requiresAuth,
+      responses: {
+        201: jsonResponse(AccountRequestResponseSchema, "Request created"),
+        400: jsonResponse(ErrorResponseSchema, "FreeIPA is disabled"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        403: jsonResponse(ErrorResponseSchema, "Only local accounts can request FreeIPA access"),
+        409: jsonResponse(ErrorResponseSchema, "Pending request already exists"),
+      },
+    }),
+    v("json", CreateAccountRequestSchema),
+    async (c) =>
+      respond(c, accountsService.accountRequest.create({ user: c.get("user"), data: c.req.valid("json") }), 201),
+  )
+  .delete(
+    "/account-request",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Withdraw pending account request",
+      description: "Withdraws the current user's pending FreeIPA account request, if any.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Request withdrawn"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        404: jsonResponse(ErrorResponseSchema, "No pending request"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const user = c.get("user");
+        const pending = await accountsService.accountRequest.getPendingForUser({ userId: user.id });
+        if (!pending) {
+          return { ok: false, error: "No pending request", status: 404 };
+        }
+        const result = await accountsService.accountRequest.withdraw({ id: pending.id, userId: user.id });
+        if (!result.ok) return result;
+        return ok({ message: "Request withdrawn" });
+      }),
+  );
+export default app;

package/src/api/search/schemas.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import { z } from "zod";
+const TAG_PATTERN = /^[^\s#]+$/;
+const TagArraySchema = z.preprocess(
+  (value) => {
+    if (Array.isArray(value)) return value;
+    if (typeof value === "string") return [value];
+    return [];
+  },
+  z
+    .array(z.string().trim().min(1).regex(TAG_PATTERN))
+    .transform((tags) => [...new Set(tags.map((tag) => tag.toLowerCase()))]),
+);
+export const SearchQuerySchema = z.object({
+  q: z.string().optional().default("").transform((query) => query.trim()),
+  tag: TagArraySchema.optional().default([]),
+  provider_limit: z.coerce.number().int().min(1).max(99).optional().default(10),
+});
+export const SearchItemSchema = z.object({
+  appId: z.string(),
+  appName: z.string(),
+  appIcon: z.string(),
+  id: z.string(),
+  title: z.string(),
+  href: z.string().startsWith("/"),
+  preview: z.string().optional(),
+  icon: z.string().optional(),
+  priority: z.number().int().min(0).max(9).optional(),
+  metadata: z.array(z.object({ label: z.string(), value: z.string() })).optional(),
+  previewUrl: z.string().startsWith("/").optional(),
+});
+export const SearchResponseSchema = z.object({
+  query: z.string(),
+  count: z.number().int().nonnegative(),
+  items: z.array(SearchItemSchema),
+});
+export type SearchItem = z.infer<typeof SearchItemSchema>;
+export type SearchResponse = z.infer<typeof SearchResponseSchema>;

package/src/api/search.ts ADDED Viewed

@@ -0,0 +1,130 @@
+import { Hono } from "hono";
+import { describeRoute } from "hono-openapi";
+import { auth, jsonResponse, requiresAuth, v, type AuthContext } from "../server";
+import { ErrorResponseSchema } from "../contracts";
+import { logger } from "../services";
+import { listApps } from "..";
+import { SearchItemSchema, SearchQuerySchema, SearchResponseSchema, type SearchItem } from "./search/schemas";
+const log = logger("search");
+type HttpSearchProvider = {
+  appId: string;
+  appName: string;
+  appIcon: string;
+  endpoint: string;
+};
+/**
+ * Discovers search providers from the app registry.
+ * Only apps with a `search` capability (and therefore a search endpoint) are included.
+ */
+const getSearchProviders = async (): Promise<HttpSearchProvider[]> => {
+  const entries = await listApps();
+  return entries
+    .filter((e) => !!e.search)
+    .map((e) => ({
+      appId: e.id,
+      appName: e.name,
+      appIcon: e.icon,
+      endpoint: e.search!.endpoint,
+    }));
+};
+/**
+ * Creates the global search route.
+ * Discovers search providers from the registry and fetches results via HTTP,
+ * forwarding the session cookie for authentication.
+ */
+export const createSearchRoutes = () =>
+  new Hono<AuthContext>()
+    .use(auth.requireRole("authenticated"))
+    .get(
+      "/search",
+      describeRoute({
+        tags: ["Search"],
+        summary: "Global search",
+        description: "Searches across app providers discovered via the service registry with optional tag filters.",
+        ...requiresAuth,
+        responses: {
+          200: jsonResponse(SearchResponseSchema, "Merged search results"),
+          400: jsonResponse(ErrorResponseSchema, "Invalid query"),
+          401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        },
+      }),
+      v("query", SearchQuerySchema),
+      async (c) => {
+        const query = c.req.valid("query");
+        const providers = await getSearchProviders();
+        const settled = await Promise.allSettled(
+          providers.map(async (provider) => {
+            const res = await fetch(provider.endpoint, {
+              method: "POST",
+              headers: {
+                "Content-Type": "application/json",
+                // Forward the session cookie for auth on the app's internal search endpoint
+                Cookie: c.req.raw.headers.get("Cookie") ?? "",
+              },
+              body: JSON.stringify({
+                query: query.q,
+                tags: query.tag,
+                limit: query.provider_limit,
+              }),
+            });
+            if (!res.ok) {
+              throw new Error(`Search provider ${provider.appId} returned ${res.status}`);
+            }
+            const results: unknown[] = await res.json();
+            const validItems: SearchItem[] = [];
+            for (const item of results) {
+              const parsed = SearchItemSchema.safeParse({
+                ...(item as Record<string, unknown>),
+                appId: provider.appId,
+                appName: provider.appName,
+                appIcon: provider.appIcon,
+              });
+              if (!parsed.success) {
+                log.warn("Search provider returned invalid item", {
+                  appId: provider.appId,
+                  tags: query.tag,
+                  issues: parsed.error.issues.map((issue) => issue.message),
+                });
+                continue;
+              }
+              validItems.push(parsed.data);
+            }
+            return validItems;
+          }),
+        );
+        const items = settled.flatMap((result, index) => {
+          if (result.status === "fulfilled") return result.value;
+          log.warn("Search provider failed", {
+            appId: providers[index]?.appId ?? "unknown",
+            tags: query.tag,
+            error: result.reason instanceof Error ? result.reason.message : String(result.reason),
+          });
+          return [];
+        });
+        items.sort((a, b) => {
+          const priorityDiff = (b.priority ?? 0) - (a.priority ?? 0);
+          if (priorityDiff !== 0) return priorityDiff;
+          return a.title.localeCompare(b.title);
+        });
+        return c.json({
+          query: query.q,
+          count: items.length,
+          items,
+        });
+      },
+    );
+export type SearchApiType = ReturnType<typeof createSearchRoutes>;

package/src/clients/core.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Typed client for the core platform API.
+ *
+ * Apps that need to call core endpoints (`/api/auth/*`, `/api/me/*`,
+ * `/api/admin/lifecycle/*`, `/api/accounts/entities`) import this client
+ * instead of constructing their own — the type stays in lockstep with the
+ * actual route definitions in `@valentinkolb/cloud/api`.
+ */
+import { api } from "../server/api-client";
+import type { CoreApiType } from "../api";
+export const coreClient = api.create<CoreApiType>({ baseUrl: "/api" });
+/**
+ * Alias for islands that already use the conventional name `apiClient`.
+ * Both names refer to the same client; use whichever fits the call site.
+ */
+export const apiClient = coreClient;
+export type { CoreApiType };