@vertz/ui 0.2.12 → 0.2.13

package/dist/shared/{chunk-662f9zrb.js → chunk-j6qyxfdc.js}

@@ -1,15 +1,15 @@
-import {
-  getAdapter,
-  isRenderNode
-} from "./chunk-g4rch80a.js";
-import {
-  domEffect
-} from "./chunk-2rs8a26p.js";
 import {
   SVG_NS,
   isSVGTag,
   normalizeSVGAttr
 } from "./chunk-prj7nm08.js";
+import {
+  getAdapter,
+  isRenderNode
+} from "./chunk-h89w580h.js";
+import {
+  domEffect
+} from "./chunk-8hsz5y4a.js";
 
 // src/hydrate/hydration-context.ts
 var isHydrating = false;

package/dist/shared/{chunk-g1gf16fz.js → chunk-mj7b4t40.js}

@@ -1,26 +1,66 @@
 import {
   executeLoaders,
   matchRoute
-} from "./chunk-9e92w0wt.js";
+} from "./chunk-83g4h38e.js";
 import {
   prefetchNavData
 } from "./chunk-jrtrk5z4.js";
 import {
+  getSSRContext,
   signal
-} from "./chunk-2rs8a26p.js";
+} from "./chunk-8hsz5y4a.js";
 
 // src/router/navigate.ts
 var DEFAULT_NAV_THRESHOLD_MS = 500;
 function createRouter(routes, initialUrl, options) {
-  const isSSR = typeof window === "undefined" || typeof globalThis.__SSR_URL__ !== "undefined";
-  let url;
-  if (initialUrl) {
-    url = initialUrl;
-  } else if (isSSR) {
-    url = globalThis.__SSR_URL__ || "/";
-  } else {
-    url = window.location.pathname + window.location.search;
+  const ssrCtx = getSSRContext();
+  const isSSR = ssrCtx !== undefined;
+  if (isSSR || typeof window === "undefined") {
+    const ssrUrl = initialUrl ?? ssrCtx?.url ?? "/";
+    const fallbackMatch = matchRoute(routes, ssrUrl);
+    return {
+      current: {
+        get value() {
+          const ctx = getSSRContext();
+          if (ctx)
+            return matchRoute(routes, ctx.url);
+          return fallbackMatch;
+        },
+        peek() {
+          const ctx = getSSRContext();
+          if (ctx)
+            return matchRoute(routes, ctx.url);
+          return fallbackMatch;
+        },
+        notify() {}
+      },
+      searchParams: {
+        get value() {
+          const ctx = getSSRContext();
+          if (ctx) {
+            const m = matchRoute(routes, ctx.url);
+            return m?.search ?? {};
+          }
+          return fallbackMatch?.search ?? {};
+        },
+        peek() {
+          const ctx = getSSRContext();
+          if (ctx) {
+            const m = matchRoute(routes, ctx.url);
+            return m?.search ?? {};
+          }
+          return fallbackMatch?.search ?? {};
+        },
+        notify() {}
+      },
+      loaderData: { value: [], peek: () => [], notify() {} },
+      loaderError: { value: null, peek: () => null, notify() {} },
+      navigate: () => Promise.resolve(),
+      revalidate: () => Promise.resolve(),
+      dispose: () => {}
+    };
   }
+  const url = initialUrl ?? window.location.pathname + window.location.search;
   const initialMatch = matchRoute(routes, url);
   function normalizeUrl(rawUrl) {
     const qIdx = rawUrl.indexOf("?");
@@ -35,10 +75,54 @@ function createRouter(routes, initialUrl, options) {
   const visitedUrls = new Set;
   if (initialMatch)
     visitedUrls.add(normalizeUrl(url));
-  const current = signal(initialMatch);
+  const _current = signal(initialMatch);
   const loaderData = signal([]);
   const loaderError = signal(null);
-  const searchParams = signal(initialMatch?.search ?? {});
+  const _searchParams = signal(initialMatch?.search ?? {});
+  const current = {
+    get value() {
+      const ctx = getSSRContext();
+      if (ctx)
+        return matchRoute(routes, ctx.url);
+      return _current.value;
+    },
+    set value(v) {
+      _current.value = v;
+    },
+    peek() {
+      const ctx = getSSRContext();
+      if (ctx)
+        return matchRoute(routes, ctx.url);
+      return _current.peek();
+    },
+    notify() {
+      _current.notify();
+    }
+  };
+  const searchParams = {
+    get value() {
+      const ctx = getSSRContext();
+      if (ctx) {
+        const match = matchRoute(routes, ctx.url);
+        return match?.search ?? {};
+      }
+      return _searchParams.value;
+    },
+    set value(v) {
+      _searchParams.value = v;
+    },
+    peek() {
+      const ctx = getSSRContext();
+      if (ctx) {
+        const match = matchRoute(routes, ctx.url);
+        return match?.search ?? {};
+      }
+      return _searchParams.peek();
+    },
+    notify() {
+      _searchParams.notify();
+    }
+  };
   let navigationGen = 0;
   let navigateGen = 0;
   let currentAbort = null;
@@ -71,17 +155,6 @@ function createRouter(routes, initialUrl, options) {
       return;
     await Promise.race([target, new Promise((r) => setTimeout(r, DEFAULT_NAV_THRESHOLD_MS))]);
   }
-  if (isSSR) {
-    const g = globalThis;
-    const prev = g.__VERTZ_SSR_SYNC_ROUTER__;
-    g.__VERTZ_SSR_SYNC_ROUTER__ = (ssrUrl) => {
-      if (typeof prev === "function")
-        prev(ssrUrl);
-      const match = matchRoute(routes, ssrUrl);
-      current.value = match;
-      searchParams.value = match?.search ?? {};
-    };
-  }
   if (initialMatch) {
     const gen = ++navigationGen;
     const abort = new AbortController;
@@ -125,12 +198,10 @@ function createRouter(routes, initialUrl, options) {
   async function navigate(navUrl, navOptions) {
     const gen = ++navigateGen;
     const handle = startPrefetch(navUrl);
-    if (!isSSR) {
-      if (navOptions?.replace) {
-        window.history.replaceState(null, "", navUrl);
-      } else {
-        window.history.pushState(null, "", navUrl);
-      }
+    if (navOptions?.replace) {
+      window.history.replaceState(null, "", navUrl);
+    } else {
+      window.history.pushState(null, "", navUrl);
     }
     const isCachedNav = visitedUrls.has(normalizeUrl(navUrl));
     if (!isCachedNav && (handle?.firstEvent || handle?.done)) {
@@ -152,19 +223,14 @@ function createRouter(routes, initialUrl, options) {
       await runLoaders(match, gen, abort.signal);
     }
   }
-  let onPopState = null;
-  if (!isSSR) {
-    onPopState = () => {
-      const popUrl = window.location.pathname + window.location.search;
-      startPrefetch(popUrl);
-      applyNavigation(popUrl).catch(() => {});
-    };
-    window.addEventListener("popstate", onPopState);
-  }
+  const onPopState = () => {
+    const popUrl = window.location.pathname + window.location.search;
+    startPrefetch(popUrl);
+    applyNavigation(popUrl).catch(() => {});
+  };
+  window.addEventListener("popstate", onPopState);
   function dispose() {
-    if (onPopState) {
-      window.removeEventListener("popstate", onPopState);
-    }
+    window.removeEventListener("popstate", onPopState);
     if (currentAbort) {
       currentAbort.abort();
     }

package/dist/shared/{chunk-18jzqefd.js → chunk-nn9v1zmk.js}

@@ -1,7 +1,7 @@
 import {
   __classList,
   __on
-} from "./chunk-wn4gv1qd.js";
+} from "./chunk-dksg08fq.js";
 import {
   __append,
   __element,
@@ -9,7 +9,7 @@ import {
   __exitChildren,
   __staticText,
   getIsHydrating
-} from "./chunk-662f9zrb.js";
+} from "./chunk-j6qyxfdc.js";
 import {
   _tryOnCleanup,
   createContext,
@@ -20,7 +20,7 @@ import {
   signal,
   untrack,
   useContext
-} from "./chunk-2rs8a26p.js";
+} from "./chunk-8hsz5y4a.js";
 
 // src/router/link.ts
 var DANGEROUS_SCHEMES = ["javascript:", "data:", "vbscript:"];
@@ -103,7 +103,7 @@ function useParams() {
   if (!router) {
     throw new Error("useParams() must be called within RouterContext.Provider");
   }
-  return router.current?.params ?? {};
+  return router.current?.parsedParams ?? router.current?.params ?? {};
 }
 
 // src/router/outlet.ts

package/dist/src/auth/public.d.ts

@@ -0,0 +1,303 @@
+/**
+* A reactive signal that holds a value and notifies subscribers on change.
+*/
+interface Signal<T> {
+	/** Get the current value and subscribe to changes (when inside a tracking context). */
+	get value(): T;
+	/** Set the current value and notify subscribers if changed. */
+	set value(newValue: T);
+	/** Read the current value without subscribing (no tracking). */
+	peek(): T;
+	/** Manually notify all subscribers (useful after mutating the value in place). */
+	notify(): void;
+}
+/**
+* A read-only reactive value derived from other signals.
+*/
+interface ReadonlySignal<T> {
+	/** Get the current value and subscribe to changes. */
+	readonly value: T;
+	/** Read the current value without subscribing. */
+	peek(): T;
+}
+/**
+* Unwraps a ReadonlySignal to its value type.
+* Used by signal APIs (like query()) to expose plain values in TypeScript
+* while the compiler auto-unwraps them at runtime.
+*
+* @example
+* type UnwrappedData = Unwrapped<ReadonlySignal<Task | undefined>>; // → Task | undefined
+*/
+type Unwrapped<T> = T extends ReadonlySignal<infer U> ? U : T;
+/**
+* Unwraps all signal properties of an object type.
+* Properties that are signals become their inner value type.
+* Non-signal properties and primitive types pass through unchanged.
+*
+* Used by `useContext` to present context values without the Signal wrapper.
+*
+* @example
+* type Settings = { theme: Signal<string>; setTheme: (t: string) => void };
+* type Unwrapped = UnwrapSignals<Settings>; // { theme: string; setTheme: (t: string) => void }
+*/
+type UnwrapSignals<T> = T extends object ? { [K in keyof T] : Unwrapped<T[K]> } : T;
+/**
+* Props for the JSX pattern of Context.Provider.
+*
+* `children` accepts both raw values (what TypeScript sees in JSX) and
+* thunks (what the compiler produces). At compile time the compiler wraps
+* JSX children in `() => ...`, but TypeScript checks the pre-compilation
+* source where children are plain elements.
+*/
+interface ProviderJsxProps<T> {
+	value: T;
+	children: (() => unknown) | unknown;
+}
+/** A context object created by `createContext`. */
+interface Context<T> {
+	/** Provide a value via callback pattern. */
+	Provider(value: T, fn: () => void): void;
+	/** Provide a value via JSX pattern (single-arg object with children thunk). */
+	Provider(props: ProviderJsxProps<T>): HTMLElement;
+	/** @internal — current value stack */
+	_stack: T[];
+	/** @internal — default value */
+	_default: T | undefined;
+}
+/**
+* Client-side access set types.
+*
+* Mirrors server types (no server imports). See "Known Limitations"
+* in the design doc for drift risk documentation.
+*/
+type DenialReason = "plan_required" | "role_required" | "limit_reached" | "flag_disabled" | "hierarchy_denied" | "step_up_required" | "not_authenticated";
+interface DenialMeta {
+	requiredPlans?: string[];
+	requiredRoles?: string[];
+	disabledFlags?: string[];
+	limit?: {
+		max: number;
+		consumed: number;
+		remaining: number;
+	};
+	fvaMaxAge?: number;
+}
+interface AccessCheckData {
+	allowed: boolean;
+	reasons: DenialReason[];
+	reason?: DenialReason;
+	meta?: DenialMeta;
+}
+interface AccessSet {
+	entitlements: Record<string, AccessCheckData>;
+	flags: Record<string, boolean>;
+	plan: string | null;
+	computedAt: string;
+}
+/** Public return type of can(). All properties are ReadonlySignal (compiler auto-unwraps). */
+interface AccessCheck {
+	readonly allowed: boolean;
+	readonly reasons: DenialReason[];
+	readonly reason: DenialReason | undefined;
+	readonly meta: DenialMeta | undefined;
+	readonly loading: boolean;
+}
+interface AccessContextValue {
+	accessSet: Signal<AccessSet | null>;
+	loading: Signal<boolean>;
+}
+declare const AccessContext: Context<AccessContextValue>;
+/**
+* Read the access context. Returns getter-wrapped object (wrapSignalProps
+* applied by Provider). Throws if no provider — consistent with useRouter(),
+* useDialogStack(), and all other use* hooks.
+*/
+declare function useAccessContext(): UnwrapSignals<AccessContextValue>;
+/**
+* Check if the current user has a specific entitlement.
+*
+* Must be called in the component body (like query()/form()).
+* Returns an AccessCheck with ReadonlySignal properties that the
+* compiler auto-unwraps via signal-api registration.
+*
+* **UI-advisory only.** Server always re-validates before mutations.
+* `can()` controls UI visibility, not authorization.
+*
+* @param entitlement - The entitlement to check
+* @param entity - Optional entity with pre-computed `__access` metadata
+*/
+declare function can(entitlement: string, entity?: {
+	__access?: Record<string, AccessCheckData>;
+}): AccessCheck;
+/**
+* Access Event Client — WebSocket client for real-time access invalidation.
+*
+* Connects to the access event WebSocket endpoint, handles reconnection
+* with exponential backoff, and delivers parsed events to the caller.
+*/
+/** Client-side access events (no orgId/userId — server scopes the broadcast) */
+type ClientAccessEvent = {
+	type: "access:flag_toggled";
+	flag: string;
+	enabled: boolean;
+} | {
+	type: "access:limit_updated";
+	entitlement: string;
+	consumed: number;
+	remaining: number;
+	max: number;
+} | {
+	type: "access:role_changed";
+} | {
+	type: "access:plan_changed";
+};
+interface AccessEventClientOptions {
+	/** WebSocket URL. Defaults to deriving from window.location. */
+	url?: string;
+	/** Called for each access event received from the server. */
+	onEvent: (event: ClientAccessEvent) => void;
+	/** Called after a successful reconnection (not the initial connect). */
+	onReconnect: () => void;
+}
+interface AccessEventClient {
+	connect(): void;
+	disconnect(): void;
+	dispose(): void;
+}
+declare function createAccessEventClient(options: AccessEventClientOptions): AccessEventClient;
+interface AccessGateProps {
+	fallback?: () => unknown;
+	children: (() => unknown) | unknown;
+}
+/**
+* Gate component that blocks children while the access set is loading.
+* Use this to prevent flicker on initial render when access data
+* hasn't been hydrated yet.
+*/
+declare function AccessGate({ fallback, children }: AccessGateProps): ReadonlySignal<unknown> | unknown;
+import { Result } from "@vertz/fetch";
+/**
+* Minimal schema interface compatible with @vertz/schema.
+* Any object with a `parse(data: unknown): Result` method satisfies this.
+*/
+interface FormSchema<T> {
+	parse(data: unknown): {
+		ok: true;
+		data: T;
+	} | {
+		ok: false;
+		error: unknown;
+	};
+}
+/**
+* An SDK method with endpoint metadata attached.
+* Generated SDK methods expose `.url` and `.method` for progressive enhancement.
+*/
+interface SdkMethod<
+	TBody,
+	TResult
+> {
+	(body: TBody): PromiseLike<Result<TResult, Error>>;
+	url: string;
+	method: string;
+	meta?: {
+		bodySchema?: FormSchema<TBody>;
+	};
+}
+/**
+* An SDK method with embedded schema metadata.
+* Generated by `@vertz/codegen` — carries `.meta.bodySchema` for auto-validation.
+*/
+interface SdkMethodWithMeta<
+	TBody,
+	TResult
+> extends SdkMethod<TBody, TResult> {
+	meta: {
+		bodySchema: FormSchema<TBody>;
+	};
+}
+interface User {
+	id: string;
+	email: string;
+	role: string;
+	emailVerified?: boolean;
+	[key: string]: unknown;
+}
+type AuthStatus = "idle" | "loading" | "authenticated" | "unauthenticated" | "mfa_required" | "error";
+type AuthErrorCode = "INVALID_CREDENTIALS" | "USER_EXISTS" | "USER_NOT_FOUND" | "INVALID_TOKEN" | "TOKEN_EXPIRED" | "MFA_REQUIRED" | "INVALID_MFA_CODE" | "RATE_LIMITED" | "NETWORK_ERROR" | "SERVER_ERROR";
+interface AuthClientError {
+	code: AuthErrorCode;
+	message: string;
+	statusCode: number;
+	retryAfter?: number;
+}
+interface SignInInput {
+	email: string;
+	password: string;
+}
+interface SignUpInput {
+	email: string;
+	password: string;
+	[key: string]: unknown;
+}
+interface MfaInput {
+	code: string;
+}
+interface ForgotInput {
+	email: string;
+}
+interface ResetInput {
+	token: string;
+	password: string;
+}
+interface AuthResponse {
+	user: User;
+	expiresAt: number;
+}
+interface AuthContextValue {
+	user: Signal<User | null>;
+	status: Signal<AuthStatus>;
+	isAuthenticated: ReadonlySignal<boolean>;
+	isLoading: ReadonlySignal<boolean>;
+	error: Signal<AuthClientError | null>;
+	signIn: SdkMethodWithMeta<SignInInput, AuthResponse>;
+	signUp: SdkMethodWithMeta<SignUpInput, AuthResponse>;
+	signOut: () => Promise<void>;
+	refresh: () => Promise<void>;
+	mfaChallenge: SdkMethodWithMeta<MfaInput, AuthResponse>;
+	forgotPassword: SdkMethodWithMeta<ForgotInput, void>;
+	resetPassword: SdkMethodWithMeta<ResetInput, void>;
+}
+declare const AuthContext: Context<AuthContextValue>;
+declare function useAuth(): UnwrapSignals<AuthContextValue>;
+interface AuthProviderProps {
+	basePath?: string;
+	accessControl?: boolean;
+	/** Enable WebSocket-based real-time access event updates. Requires accessControl. */
+	accessEvents?: boolean;
+	/** WebSocket URL for access events. Defaults to deriving from window.location. */
+	accessEventsUrl?: string;
+	/** Map of entitlement names to their required flags. Used for inline flag toggle updates. */
+	flagEntitlementMap?: Record<string, string[]>;
+	children: (() => unknown) | unknown;
+}
+declare function AuthProvider({ basePath, accessControl, accessEvents, accessEventsUrl, flagEntitlementMap, children }: AuthProviderProps): HTMLElement;
+interface AuthGateProps {
+	fallback?: () => unknown;
+	children: (() => unknown) | unknown;
+}
+declare function AuthGate({ fallback, children }: AuthGateProps): ReadonlySignal<unknown> | unknown;
+/**
+* Create an AccessContextValue for use with AccessContext.Provider.
+* Hydrates from `window.__VERTZ_ACCESS_SET__` when available (SSR).
+*
+* @example
+* ```tsx
+* const accessValue = createAccessProvider();
+* <AccessContext.Provider value={accessValue}>
+*   <App />
+* </AccessContext.Provider>
+* ```
+*/
+declare function createAccessProvider(): AccessContextValue;
+export { useAuth, useAccessContext, createAccessProvider, createAccessEventClient, can, User, SignUpInput, SignInInput, ResetInput, MfaInput, ForgotInput, DenialReason, DenialMeta, ClientAccessEvent, AuthStatus, AuthResponse, AuthProviderProps, AuthProvider, AuthGateProps, AuthGate, AuthErrorCode, AuthContextValue, AuthContext, AuthClientError, AccessSet, AccessGateProps, AccessGate, AccessEventClientOptions, AccessEventClient, AccessContextValue, AccessContext, AccessCheckData, AccessCheck };