npm - @valentinkolb/cloud - Versions diffs - 0.4.0 → 0.5.0 - Mend

@valentinkolb/cloud 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/package.json +18 -6
package/scripts/preload.ts +78 -23
package/src/_internal/define-app.ts +53 -46
package/src/api/accounts-entities.ts +4 -0
package/src/api/admin-core-settings.ts +98 -0
package/src/api/announcements.ts +131 -0
package/src/api/auth/schemas.ts +24 -0
package/src/api/auth.ts +113 -10
package/src/api/index.ts +7 -2
package/src/api/me.ts +203 -14
package/src/api/search/schemas.ts +1 -0
package/src/api/search.ts +62 -8
package/src/config/ssr.ts +2 -9
package/src/contracts/announcements.test.ts +37 -0
package/src/contracts/announcements.ts +121 -0
package/src/contracts/app.ts +2 -0
package/src/contracts/index.ts +3 -2
package/src/contracts/registry.ts +2 -0
package/src/contracts/shared.ts +108 -1
package/src/desktop/index.ts +704 -0
package/src/desktop/solid.tsx +938 -0
package/src/server/api/index.ts +1 -1
package/src/server/api/respond.ts +50 -10
package/src/server/index.ts +44 -38
package/src/server/middleware/auth.ts +98 -9
package/src/server/middleware/index.ts +2 -1
package/src/server/middleware/settings.ts +26 -0
package/src/server/services/access.test.ts +197 -0
package/src/server/services/access.ts +254 -6
package/src/server/services/index.ts +14 -11
package/src/server/services/pagination.ts +22 -0
package/src/server/time.ts +45 -0
package/src/services/account-lifecycle/index.ts +142 -18
package/src/services/accounts/app.ts +658 -170
package/src/services/accounts/authz.test.ts +77 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/entities.ts +84 -5
package/src/services/accounts/groups.ts +30 -24
package/src/services/accounts/model.test.ts +30 -0
package/src/services/accounts/switching.test.ts +14 -0
package/src/services/accounts/switching.ts +15 -6
package/src/services/accounts/users.ts +75 -52
package/src/services/announcements/index.test.ts +32 -0
package/src/services/announcements/index.ts +224 -0
package/src/services/audit/index.test.ts +84 -0
package/src/services/audit/index.ts +431 -0
package/src/services/auth-flows/index.ts +9 -2
package/src/services/auth-flows/ipa.ts +0 -2
package/src/services/auth-flows/magic-link.ts +3 -2
package/src/services/auth-flows/password-reset.ts +284 -0
package/src/services/auth-flows/proxy-return.test.ts +24 -0
package/src/services/auth-flows/proxy-return.ts +49 -0
package/src/services/gateway.ts +162 -0
package/src/services/index.ts +44 -2
package/src/services/ipa/effective-groups.test.ts +33 -0
package/src/services/ipa/effective-groups.ts +70 -0
package/src/services/ipa/profile.ts +45 -3
package/src/services/ipa/search.ts +3 -5
package/src/services/ipa/service-account.ts +15 -0
package/src/services/ipa/sync-planning.test.ts +32 -0
package/src/services/ipa/sync-planning.ts +22 -0
package/src/services/ipa/sync.ts +110 -38
package/src/services/oauth-tokens.ts +104 -0
package/src/services/postgres.ts +21 -6
package/src/services/providers/local/auth.test.ts +22 -0
package/src/services/providers/local/auth.ts +46 -3
package/src/services/secrets.ts +10 -0
package/src/services/service-account-credentials.test.ts +210 -0
package/src/services/service-account-credentials.ts +715 -0
package/src/services/service-accounts.ts +188 -0
package/src/services/session/index.ts +7 -8
package/src/services/settings/app.ts +4 -20
package/src/services/settings/defaults.ts +64 -22
package/src/services/settings/store.ts +47 -0
package/src/services/weather/forecast.ts +40 -7
package/src/services/webauthn.test.ts +36 -0
package/src/services/webauthn.ts +384 -0
package/src/shared/icons.ts +391 -100
package/src/shared/index.ts +7 -0
package/src/shared/markdown/extensions/code.ts +38 -1
package/src/shared/markdown/extensions/images.ts +39 -3
package/src/shared/markdown/extensions/info-blocks.ts +5 -5
package/src/shared/markdown/extensions/mark.ts +48 -0
package/src/shared/markdown/extensions/sub-sup.ts +60 -0
package/src/shared/markdown/extensions/tables.ts +79 -58
package/src/shared/markdown/formula.test.ts +1089 -0
package/src/shared/markdown/formula.ts +1187 -0
package/src/shared/markdown/index.ts +76 -2
package/src/shared/mock-cover.ts +130 -0
package/src/shared/redirect.test.ts +49 -0
package/src/shared/redirect.ts +52 -0
package/src/shared/theme.test.ts +24 -0
package/src/shared/theme.ts +68 -0
package/src/shared/time.ts +13 -0
package/src/ssr/AdminLayout.tsx +7 -3
package/src/ssr/AdminSidebar.tsx +115 -49
package/src/ssr/AppLaunchpad.island.tsx +176 -0
package/src/ssr/Footer.island.tsx +3 -8
package/src/ssr/GlobalAnnouncements.island.tsx +141 -0
package/src/ssr/GlobalSearchDialog.tsx +545 -117
package/src/ssr/HotkeysHelpRail.island.tsx +3 -70
package/src/ssr/Layout.tsx +74 -66
package/src/ssr/LayoutBreadcrumbs.island.tsx +44 -0
package/src/ssr/LayoutHelp.tsx +266 -0
package/src/ssr/NavMenu.island.tsx +0 -39
package/src/ssr/ThemeToggleRail.island.tsx +3 -3
package/src/ssr/TimezoneCookie.island.tsx +23 -0
package/src/ssr/islands/index.ts +13 -0
package/src/styles/base-popover.css +5 -2
package/src/styles/effects.css +87 -6
package/src/styles/global.css +146 -9
package/src/styles/input.css +3 -1
package/src/styles/utilities-buttons.css +133 -27
package/src/styles/utilities-code-display.css +67 -0
package/src/styles/utilities-completion.css +223 -0
package/src/styles/utilities-detail.css +73 -0
package/src/styles/utilities-feedback.css +16 -15
package/src/styles/utilities-layout.css +42 -2
package/src/styles/utilities-markdown-editor.css +472 -0
package/src/styles/utilities-navigation.css +63 -8
package/src/styles/utilities-script.css +84 -0
package/src/styles/utilities-table-tile.css +229 -0
package/src/types/ambient.d.ts +9 -0
package/src/ui/completion/behaviors.test.ts +95 -0
package/src/ui/completion/behaviors.ts +205 -0
package/src/ui/completion/engine.ts +368 -0
package/src/ui/completion/index.ts +40 -0
package/src/ui/completion/overlay.ts +92 -0
package/src/ui/dialog-core.ts +173 -45
package/src/ui/filter/FilterChip.tsx +42 -40
package/src/ui/index.ts +11 -12
package/src/ui/input/AutocompleteEditor.tsx +656 -0
package/src/ui/input/CheckboxCard.tsx +91 -0
package/src/ui/input/Combobox.tsx +375 -0
package/src/ui/input/DatePicker.tsx +846 -0
package/src/ui/input/DateTimeInput.tsx +29 -4
package/src/ui/input/FileDropzone.tsx +116 -0
package/src/ui/input/IconInput.tsx +116 -0
package/src/ui/input/ImageInput.tsx +19 -2
package/src/ui/input/MultiSelectInput.tsx +448 -0
package/src/ui/input/NumberInput.tsx +417 -61
package/src/ui/input/SegmentedControl.tsx +2 -2
package/src/ui/input/Select.tsx +172 -10
package/src/ui/input/Slider.tsx +3 -4
package/src/ui/input/Switch.tsx +3 -2
package/src/ui/input/TemplateEditor.tsx +212 -0
package/src/ui/input/TextInput.tsx +144 -13
package/src/ui/input/index.ts +53 -8
package/src/ui/input/markdown/MarkdownEditor.tsx +774 -0
package/src/ui/input/markdown/Toolbar.tsx +90 -0
package/src/ui/input/markdown/actions.ts +233 -0
package/src/ui/input/markdown/active-formats.ts +94 -0
package/src/ui/input/markdown/behaviors.ts +193 -0
package/src/ui/input/markdown/code-zone.ts +23 -0
package/src/ui/input/markdown/highlight.ts +316 -0
package/src/ui/layout.ts +22 -0
package/src/ui/misc/AppOverview.tsx +105 -0
package/src/ui/misc/AppWorkspace.tsx +607 -0
package/src/ui/misc/Calendar.tsx +1291 -0
package/src/ui/misc/Chart.tsx +162 -0
package/src/ui/misc/CodeDisplay.tsx +54 -0
package/src/ui/misc/ContextMenu.tsx +2 -2
package/src/ui/misc/DataTable.tsx +269 -0
package/src/ui/misc/DockWorkspace.tsx +425 -0
package/src/ui/misc/Docs.tsx +153 -0
package/src/ui/misc/Dropdown.tsx +2 -2
package/src/ui/misc/EntitySearch.tsx +260 -129
package/src/ui/misc/LinkCard.tsx +14 -2
package/src/ui/misc/LogEntriesTable.tsx +34 -31
package/src/ui/misc/Pagination.tsx +31 -12
package/src/ui/misc/PanelDialog.tsx +109 -0
package/src/ui/misc/Panes.tsx +873 -0
package/src/ui/misc/PermissionEditor.tsx +358 -262
package/src/ui/misc/Placeholder.tsx +40 -0
package/src/ui/misc/ProgressBar.tsx +1 -1
package/src/ui/misc/ResourceApiKeys.tsx +260 -0
package/src/ui/misc/SettingsModal.tsx +150 -0
package/src/ui/misc/StatCell.tsx +182 -40
package/src/ui/misc/StatGrid.tsx +149 -0
package/src/ui/misc/StructuredDataPreview.tsx +107 -0
package/src/ui/misc/code-highlight.ts +213 -0
package/src/ui/misc/index.ts +93 -12
package/src/ui/prompts.tsx +362 -312
package/src/ui/toast.ts +384 -0
package/src/ui/widgets/Widget.tsx +12 -4
package/src/ssr/MoreAppsDropdown.island.tsx +0 -61
package/src/ui/ipa/GroupView.tsx +0 -36
package/src/ui/ipa/LoginBtn.tsx +0 -16
package/src/ui/ipa/UserView.tsx +0 -58
package/src/ui/ipa/index.ts +0 -4
package/src/ui/navigation.ts +0 -32
package/src/ui/sidebar.tsx +0 -468
/package/src/ui/{ipa → misc}/Avatar.tsx +0 -0

package/src/api/auth/schemas.ts CHANGED Viewed

@@ -11,6 +11,7 @@ export const LoginSchema = z.object({
 export const EmailLoginSchema = z.object({
   email: z.email(),
   acceptedAgb: z.literal(true),
+  redirectTo: z.string().max(2048).optional(),
 });
 export const VerifyTokenSchema = z.object({
@@ -18,6 +19,24 @@ export const VerifyTokenSchema = z.object({
   acceptedAgb: z.literal(true),
 });
+export const PasswordResetRequestSchema = z.object({
+  email: z.email(),
+  acceptedAgb: z.literal(true),
+  redirectTo: z.string().max(2048).optional(),
+});
+export const PasswordResetCompleteSchema = z
+  .object({
+    token: z.uuid(),
+    newPassword: z.string().min(8),
+    confirmPassword: z.string().min(1),
+    acceptedAgb: z.literal(true),
+  })
+  .refine((data) => data.newPassword === data.confirmPassword, {
+    message: "Passwords do not match",
+    path: ["confirmPassword"],
+  });
 export const AdminLoginSchema = z.object({
   token: z.string().min(1),
 });
@@ -26,3 +45,8 @@ export const AuthResponseSchema = z.object({
   session_token: z.string(),
   user: UserSchema,
 });
+export const VerifyPasskeyAuthenticationSchema = z.object({
+  response: z.unknown(),
+  acceptedAgb: z.literal(true),
+});

package/src/api/auth.ts CHANGED Viewed

@@ -1,10 +1,12 @@
 import { Hono, type Context } from "hono";
 import { describeRoute } from "hono-openapi";
+import { z } from "zod";
 import { v } from "../server";
 import { jsonResponse } from "../server";
 import { auth, type AuthContext } from "../server";
 import { rateLimit } from "../server";
-import { authFlows, accounts, getFreeIpaConfig, logger } from "../services";
+import { respond } from "../server";
+import { authFlows, accounts, getFreeIpaConfig, logger, webauthn } from "../services";
 import { sql } from "bun";
 import { env } from "../config";
 import { ChangeExpiredPasswordSchema } from "../contracts";
@@ -14,8 +16,11 @@ import {
   LoginSchema,
   EmailLoginSchema,
   VerifyTokenSchema,
+  PasswordResetRequestSchema,
+  PasswordResetCompleteSchema,
   AdminLoginSchema,
   AuthResponseSchema,
+  VerifyPasskeyAuthenticationSchema,
 } from "./auth/schemas";
 import { ErrorResponseSchema, MessageResponseSchema } from "../contracts";
@@ -56,7 +61,7 @@ const app = new Hono<AuthContext>()
       }
       // Store minimal session in Redis
-      const sessionToken = await auth.session.create(c, loginResult.userId, loginResult.ipaSession);
+      const sessionToken = await auth.session.create(c, loginResult.userId);
       log.info("Login successful", { uid: username });
       return c.json({
@@ -65,13 +70,51 @@ const app = new Hono<AuthContext>()
       });
     },
   )
+  .post(
+    "/passkeys/authentication/start",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Start passkey login",
+      description: "Create WebAuthn authentication options for passkey sign-in.",
+      responses: {
+        200: jsonResponse(z.unknown(), "Passkey authentication options"),
+        400: jsonResponse(ErrorResponseSchema, "Passkey login is not available"),
+      },
+    }),
+    async (c) => respond(c, webauthn.beginAuthentication()),
+  )
+  .post(
+    "/passkeys/authentication/verify",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Verify passkey login",
+      description: "Verify a WebAuthn authentication response and create a normal Cloud session.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Passkey login successful"),
+        401: jsonResponse(ErrorResponseSchema, "Passkey verification failed"),
+      },
+    }),
+    v("json", VerifyPasskeyAuthenticationSchema),
+    async (c) => {
+      const result = await webauthn.finishAuthentication({
+        response: c.req.valid("json").response as never,
+      });
+      if (!result.ok) {
+        const status = result.error.status;
+        return c.json({ message: result.error.message, code: result.error.code }, status as 400 | 401 | 403 | 404 | 409 | 500);
+      }
+      const sessionToken = await auth.session.create(c, result.data.user.id);
+      log.info("Passkey login successful", { uid: result.data.user.uid });
+      return c.json({ session_token: sessionToken, user: result.data.user });
+    },
+  )
   .post(
     "/logout",
     describeRoute({
       tags: ["Auth"],
       summary: "Logout",
-      description:
-        "Idempotent: clears the session cookie and deletes the session key if present. No authentication required — logout must always succeed.",
+      description: "Idempotent: clears the session cookie and deletes the session key if present. No authentication required — logout must always succeed.",
       responses: {
         200: jsonResponse(MessageResponseSchema, "Session invalidated"),
       },
@@ -116,7 +159,7 @@ const app = new Hono<AuthContext>()
         return jsonError(c, changeResult.message, changeResult.status === 401 ? 401 : 400);
       }
-      const sessionToken = await auth.session.create(c, changeResult.userId, changeResult.ipaSession);
+      const sessionToken = await auth.session.create(c, changeResult.userId);
       log.info("Password changed via expired flow", { uid: username });
       return c.json({ session_token: sessionToken, user: changeResult.user });
@@ -135,9 +178,12 @@ const app = new Hono<AuthContext>()
     }),
     v("json", EmailLoginSchema),
     async (c) => {
-      const { email } = c.req.valid("json");
+      const { email, redirectTo } = c.req.valid("json");
-      const requestResult = await authFlows.magicLink.request({ email });
+      const requestResult = await authFlows.magicLink.request({
+        email,
+        redirectTo,
+      });
       if (!requestResult.ok) {
         return c.json({ message: requestResult.message }, requestResult.status);
       }
@@ -171,15 +217,72 @@ const app = new Hono<AuthContext>()
       }
       // Create session (no IPA session for email-only users)
-      const sessionToken = await auth.session.create(c, verifyResult.userId, null);
+      const sessionToken = await auth.session.create(c, verifyResult.userId);
       if (verifyResult.createdGuest) {
-        log.info("Guest user created", { email: verifyResult.email, uid: verifyResult.user.uid });
+        log.info("Guest user created", {
+          email: verifyResult.email,
+          uid: verifyResult.user.uid,
+        });
       }
       log.info("Token verified", { email: verifyResult.email });
       return c.json({ session_token: sessionToken, user: verifyResult.user });
     },
   )
+  .post(
+    "/password-reset/request",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Request password reset",
+      description: "Request a one-time password reset email for an IPA-backed account. The response is always generic to avoid account enumeration.",
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Request accepted"),
+      },
+    }),
+    v("json", PasswordResetRequestSchema),
+    async (c) => {
+      const { email, redirectTo } = c.req.valid("json");
+      const result = await authFlows.passwordReset.request({
+        email,
+        redirectTo,
+      });
+      return c.json({ message: result.message });
+    },
+  )
+  .post(
+    "/password-reset/complete",
+    describeRoute({
+      tags: ["Auth"],
+      summary: "Complete password reset",
+      description: "Set a new password using a one-time reset token. Creates a normal Cloud session only after the password was changed successfully.",
+      responses: {
+        200: jsonResponse(AuthResponseSchema, "Password reset completed and session created"),
+        400: jsonResponse(ErrorResponseSchema, "Password reset failed"),
+        401: jsonResponse(ErrorResponseSchema, "Invalid or expired reset token"),
+      },
+    }),
+    v("json", PasswordResetCompleteSchema),
+    async (c) => {
+      const { token, newPassword } = c.req.valid("json");
+      const result = await authFlows.passwordReset.complete({
+        token,
+        newPassword,
+      });
+      if (!result.ok) {
+        if (result.reason === "policy_failed") {
+          return c.json({ message: result.message }, 400);
+        }
+        const status = result.status >= 500 ? 500 : result.status === 401 ? 401 : 400;
+        return jsonError(c, result.message, status);
+      }
+      const sessionToken = await auth.session.create(c, result.userId);
+      log.info("Password reset completed", { uid: result.user.uid });
+      return c.json({ user: result.user, session_token: sessionToken });
+    },
+  )
   .post(
     "/admin-login",
     describeRoute({
@@ -221,7 +324,7 @@ const app = new Hono<AuthContext>()
       const user = await accounts.users.get({ uid: "admin" });
       if (!user) return jsonError(c, "Failed to resolve admin user.", 500);
-      const sessionToken = await auth.session.create(c, user.id, null);
+      const sessionToken = await auth.session.create(c, user.id);
       log.info("Admin login successful");
       return c.json({ session_token: sessionToken, user });
     },

package/src/api/index.ts CHANGED Viewed

@@ -15,10 +15,12 @@
  */
 import { Hono } from "hono";
 import { prettyJSON } from "hono/pretty-json";
+import accountsEntitiesRoutes from "./accounts-entities";
+import adminCoreSettingsRoutes from "./admin-core-settings";
+import adminLifecycleRoutes from "./admin-lifecycle";
+import { adminAnnouncementRoutes, announcementRoutes } from "./announcements";
 import authRoutes from "./auth";
 import meRoutes from "./me";
-import adminLifecycleRoutes from "./admin-lifecycle";
-import accountsEntitiesRoutes from "./accounts-entities";
 import { createSearchRoutes } from "./search";
 /**
@@ -33,6 +35,9 @@ const buildCoreApi = () => {
     .route("/auth", authRoutes)
     .route("/me", meRoutes)
     .route("/accounts", accountsEntitiesRoutes)
+    .route("/announcements", announcementRoutes)
+    .route("/admin/core/announcements", adminAnnouncementRoutes)
+    .route("/admin/core/settings", adminCoreSettingsRoutes)
     .route("/admin/lifecycle", adminLifecycleRoutes)
     .route("/", searchRoutes);
 };

package/src/api/me.ts CHANGED Viewed

@@ -10,17 +10,34 @@ import { auth, jsonResponse, rateLimit, requiresAuth, respond, v, type AuthConte
 import { ok } from "@valentinkolb/stdlib";
 import {
   ChangePasswordSchema,
+  AccountActivityListResponseSchema,
   CreateAccountRequestSchema,
+  CreateUserApiKeyResponseSchema,
+  CreateUserApiKeySchema,
+  CreateWebAuthnPasskeySchema,
   ErrorResponseSchema,
+  ListWebAuthnPasskeysResponseSchema,
   MessageResponseSchema,
+  ServiceAccountCredentialSchema,
   UpdateProfileSchema,
   UserSchema,
+  WebAuthnPasskeySchema,
 } from "../contracts";
 import {
   accountLifecycle,
   accountsAppService as accountsService,
+  audit,
+  serviceAccountCredentials,
+  webauthn,
 } from "../services";
+const toAccountsActor = (user: AuthContext["Variables"]["user"]) => ({
+  userId: user.id,
+  uid: user.uid,
+  roles: user.roles,
+  provider: user.provider,
+});
 const ExtendAccountResponseSchema = z.object({
   message: z.string(),
   newExpiry: z.string().datetime().optional(),
@@ -31,10 +48,42 @@ const AccountRequestResponseSchema = z.object({
   message: z.string(),
 });
+const ListApiKeysResponseSchema = z.object({
+  items: z.array(ServiceAccountCredentialSchema),
+});
+const AccountActivityQuerySchema = z.object({
+  days: z.coerce.number().int().pipe(z.union([z.literal(7), z.literal(30), z.literal(90)])).optional().default(30),
+});
 const app = new Hono<AuthContext>()
   .use(rateLimit())
   .use(auth.requireRole("authenticated"))
+  .get(
+    "/activity",
+    describeRoute({
+      tags: ["Me"],
+      summary: "List current user account activity",
+      description: "List safe self-service audit activity for the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(AccountActivityListResponseSchema, "Account activity"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    v("query", AccountActivityQuerySchema),
+    async (c) =>
+      respond(c, async () => {
+        const page = await audit.listSelfServiceActivity({
+          userId: c.get("user").id,
+          days: c.req.valid("query").days,
+          pagination: { page: 1, perPage: 50 },
+        });
+        return ok({ items: page.items });
+      }),
+  )
   .get(
     "/",
     describeRoute({
@@ -67,15 +116,162 @@ const app = new Hono<AuthContext>()
     async (c) =>
       respond(c, async () => {
         const user = c.get("user");
-        const token = c.get("sessionToken");
         const data = c.req.valid("json");
-        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
-        const result = await accountsService.user.update({ ipaSession, id: user.id, data });
+        const result = await accountsService.user.update({ actor: toAccountsActor(user), id: user.id, data });
         if (!result.ok) return result;
         return ok({ message: "Profile updated." });
       }),
   )
+  .get(
+    "/passkeys",
+    describeRoute({
+      tags: ["Me"],
+      summary: "List current user passkeys",
+      description: "List WebAuthn passkeys registered to the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(ListWebAuthnPasskeysResponseSchema, "Passkeys"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const items = await webauthn.listForUser({ userId: c.get("user").id });
+        return ok({ items });
+      }),
+  )
+  .post(
+    "/passkeys/registration/start",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Start passkey registration",
+      description: "Create WebAuthn registration options for the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(z.unknown(), "Passkey registration options"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    async (c) => respond(c, webauthn.beginRegistration({ user: c.get("user") })),
+  )
+  .post(
+    "/passkeys/registration/verify",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Verify passkey registration",
+      description: "Verify a WebAuthn registration response and store the passkey public credential.",
+      ...requiresAuth,
+      responses: {
+        201: jsonResponse(WebAuthnPasskeySchema, "Passkey created"),
+        400: jsonResponse(ErrorResponseSchema, "Passkey registration failed"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    v("json", CreateWebAuthnPasskeySchema),
+    async (c) =>
+      respond(c, () => {
+        const data = c.req.valid("json");
+        return webauthn.finishRegistration({
+          user: c.get("user"),
+          name: data.name,
+          response: data.response as never,
+        });
+      }, 201),
+  )
+  .delete(
+    "/passkeys/:id",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Delete current user passkey",
+      description: "Delete a WebAuthn passkey registered to the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "Passkey deleted"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        404: jsonResponse(ErrorResponseSchema, "Passkey not found"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const result = await webauthn.deleteForUser({ user: c.get("user"), id: c.req.param("id") });
+        if (!result.ok) return result;
+        return ok({ message: "Passkey deleted." });
+      }),
+  )
+  .post(
+    "/api-keys",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Create current user API key",
+      description: "Create a user-bound API key for the authenticated account. The raw token is returned once.",
+      ...requiresAuth,
+      responses: {
+        201: jsonResponse(CreateUserApiKeyResponseSchema, "API key created"),
+        400: jsonResponse(ErrorResponseSchema, "Failed to create API key"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    v("json", CreateUserApiKeySchema),
+    async (c) =>
+      respond(c, async () => {
+        const user = c.get("user");
+        const data = c.req.valid("json");
+        return serviceAccountCredentials.createUserApiToken({
+          user,
+          name: data.name,
+          expiresAt: data.expiresAt ?? null,
+        });
+      }, 201),
+  )
+  .get(
+    "/api-keys",
+    describeRoute({
+      tags: ["Me"],
+      summary: "List current user API keys",
+      description: "List active user-bound API keys owned by the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(ListApiKeysResponseSchema, "API keys"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const items = await serviceAccountCredentials.listForDelegatedUser({ userId: c.get("user").id });
+        return ok({ items });
+      }),
+  )
+  .delete(
+    "/api-keys/:id",
+    describeRoute({
+      tags: ["Me"],
+      summary: "Revoke current user API key",
+      description: "Revoke an API key owned by the authenticated account.",
+      ...requiresAuth,
+      responses: {
+        200: jsonResponse(MessageResponseSchema, "API key revoked"),
+        401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+        404: jsonResponse(ErrorResponseSchema, "API key not found"),
+      },
+    }),
+    async (c) =>
+      respond(c, async () => {
+        const result = await serviceAccountCredentials.revokeForDelegatedUser({
+          credentialId: c.req.param("id"),
+          user: c.get("user"),
+        });
+        if (!result.ok) return result;
+        return ok({ message: "API key revoked." });
+      }),
+  )
   .post(
     "/password",
     describeRoute({
@@ -118,10 +314,8 @@ const app = new Hono<AuthContext>()
     async (c) =>
       respond(c, async () => {
         const user = c.get("user");
-        const token = c.get("sessionToken");
-        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
-        const result = await accountLifecycle.extendCurrentUserAccount({ user, ipaSession });
-        return ok(result);
+        const result = await accountLifecycle.extendCurrentUserAccount({ user });
+        return result;
       }),
   )
@@ -142,12 +336,7 @@ const app = new Hono<AuthContext>()
     async (c) =>
       respond(c, async () => {
         const user = c.get("user");
-        if (user.profile !== "guest") {
-          return { ok: false, error: "Only guest accounts can be self-deleted.", status: 403 };
-        }
-        const token = c.get("sessionToken");
-        const ipaSession = user.provider === "ipa" ? await auth.session.getIpaSession(token) : null;
-        const result = await accountsService.user.removeSelf({ user, ipaSession });
+        const result = await accountsService.user.removeSelf({ user });
         if (!result.ok) return result;
         await auth.session.delete(c);
         return ok({ message: "Account deleted." });
@@ -197,7 +386,7 @@ const app = new Hono<AuthContext>()
         if (!pending) {
           return { ok: false, error: "No pending request", status: 404 };
         }
-        const result = await accountsService.accountRequest.withdraw({ id: pending.id, userId: user.id });
+        const result = await accountsService.accountRequest.withdraw({ id: pending.id, actor: toAccountsActor(user) });
         if (!result.ok) return result;
         return ok({ message: "Request withdrawn" });
       }),

package/src/api/search/schemas.ts CHANGED Viewed

@@ -37,6 +37,7 @@ export const SearchResponseSchema = z.object({
   query: z.string(),
   count: z.number().int().nonnegative(),
   items: z.array(SearchItemSchema),
+  unsupportedTags: z.array(z.string()).optional(),
 });
 export type SearchItem = z.infer<typeof SearchItemSchema>;

package/src/api/search.ts CHANGED Viewed

@@ -8,11 +8,18 @@ import { SearchItemSchema, SearchQuerySchema, SearchResponseSchema, type SearchI
 const log = logger("search");
+/**
+ * Maximum items returned to the client after merging across providers.
+ * The frontend has no further limit — this caps the rendered list.
+ */
+const GLOBAL_RESULT_LIMIT = 30;
 type HttpSearchProvider = {
   appId: string;
   appName: string;
   appIcon: string;
   endpoint: string;
+  tags: string[];
 };
 /**
@@ -28,6 +35,7 @@ const getSearchProviders = async (): Promise<HttpSearchProvider[]> => {
       appName: e.name,
       appIcon: e.icon,
       endpoint: e.search!.endpoint,
+      tags: [...e.search!.tags],
     }));
 };
@@ -50,26 +58,69 @@ export const createSearchRoutes = () =>
           200: jsonResponse(SearchResponseSchema, "Merged search results"),
           400: jsonResponse(ErrorResponseSchema, "Invalid query"),
           401: jsonResponse(ErrorResponseSchema, "Authentication required"),
+          403: jsonResponse(ErrorResponseSchema, "User-backed actor required"),
         },
       }),
       v("query", SearchQuerySchema),
       async (c) => {
+        if (!c.get("user")) {
+          return c.json({ message: "Global search requires a user-backed actor", code: "FORBIDDEN" }, 403);
+        }
         const query = c.req.valid("query");
         const providers = await getSearchProviders();
+        const cookie = c.req.raw.headers.get("Cookie") ?? "";
+        const authorization = c.req.raw.headers.get("Authorization");
+        // Pre-filter providers by tag overlap. With no tags, every provider
+        // runs (text-only search). With tags, only providers that own at least
+        // one requested tag participate — saves fanout to apps that can't
+        // contribute. Tags the user typed that no provider declares are
+        // returned to the client so it can render a helpful empty state.
+        const knownTags = new Set(providers.flatMap((p) => p.tags));
+        const unsupportedTags = query.tag.filter((t) => !knownTags.has(t));
+        const active =
+          query.tag.length === 0
+            ? providers
+            : providers.filter((p) => p.tags.some((t) => query.tag.includes(t)));
+        if (query.tag.length > 0 && active.length === 0) {
+          return c.json({
+            query: query.q,
+            count: 0,
+            items: [],
+            unsupportedTags,
+          });
+        }
+        // Single-provider queries get a larger sample for better local
+        // ranking — the global slice below still caps the response. Capped
+        // at GLOBAL_RESULT_LIMIT so a single app can saturate the response
+        // but no more.
+        const effectiveProviderLimit =
+          active.length === 1
+            ? Math.min(GLOBAL_RESULT_LIMIT, query.provider_limit * 3)
+            : query.provider_limit;
         const settled = await Promise.allSettled(
-          providers.map(async (provider) => {
+          active.map(async (provider) => {
+            // Scope tags to those this provider declared. Apps no longer need
+            // their own gate — the framework guarantees they only see tags
+            // they understand.
+            const scopedTags = query.tag.filter((t) => provider.tags.includes(t));
             const res = await fetch(provider.endpoint, {
               method: "POST",
               headers: {
                 "Content-Type": "application/json",
-                // Forward the session cookie for auth on the app's internal search endpoint
-                Cookie: c.req.raw.headers.get("Cookie") ?? "",
+                // Forward the authenticated user context to app search providers.
+                Cookie: cookie,
+                ...(authorization ? { Authorization: authorization } : {}),
               },
               body: JSON.stringify({
                 query: query.q,
-                tags: query.tag,
-                limit: query.provider_limit,
+                tags: scopedTags,
+                limit: effectiveProviderLimit,
               }),
             });
@@ -106,7 +157,7 @@ export const createSearchRoutes = () =>
           if (result.status === "fulfilled") return result.value;
           log.warn("Search provider failed", {
-            appId: providers[index]?.appId ?? "unknown",
+            appId: active[index]?.appId ?? "unknown",
             tags: query.tag,
             error: result.reason instanceof Error ? result.reason.message : String(result.reason),
           });
@@ -119,10 +170,13 @@ export const createSearchRoutes = () =>
           return a.title.localeCompare(b.title);
         });
+        const sliced = items.slice(0, GLOBAL_RESULT_LIMIT);
         return c.json({
           query: query.q,
-          count: items.length,
-          items,
+          count: sliced.length,
+          items: sliced,
+          ...(unsupportedTags.length > 0 ? { unsupportedTags } : {}),
         });
       },
     );