@vertz/ui 0.2.16 → 0.2.18

package/dist/shared/{chunk-1rxa2fz4.js → chunk-07bh4m1e.js}

@@ -39,4 +39,10 @@ function __classList(el, classMap) {
   };
 }
 
-export { __attr, __show, __classList };
+// src/dom/events.ts
+function __on(el, event, handler) {
+  el.addEventListener(event, handler);
+  return () => el.removeEventListener(event, handler);
+}
+
+export { __attr, __show, __classList, __on };

package/dist/shared/{chunk-dhehvmj0.js → chunk-c3r237f0.js}

@@ -3,7 +3,7 @@ import {
   __element,
   __enterChildren,
   __exitChildren
-} from "./chunk-vndfjfdy.js";
+} from "./chunk-mgfrrrjq.js";
 import {
   getSSRContext
 } from "./chunk-4fwcwxn6.js";

package/dist/shared/{chunk-b0qqqk03.js → chunk-j5qtsm0b.js}

@@ -1,15 +1,7 @@
 import {
-  __classList
-} from "./chunk-1rxa2fz4.js";
-import {
-  RouterContext
-} from "./chunk-mtsvrj9e.js";
-import {
+  __classList,
   __on
-} from "./chunk-pnv25zep.js";
-import {
-  isBrowser
-} from "./chunk-14eqne2a.js";
+} from "./chunk-07bh4m1e.js";
 import {
   __append,
   __element,
@@ -17,7 +9,13 @@ import {
   __exitChildren,
   __staticText,
   getIsHydrating
-} from "./chunk-vndfjfdy.js";
+} from "./chunk-mgfrrrjq.js";
+import {
+  RouterContext
+} from "./chunk-mtsvrj9e.js";
+import {
+  isBrowser
+} from "./chunk-14eqne2a.js";
 import {
   _tryOnCleanup,
   createContext,
@@ -149,7 +147,9 @@ var OutletContext = createContext(undefined, "@vertz/ui::OutletContext");
 function Outlet() {
   const ctx = useContext(OutletContext);
   if (!ctx) {
-    return document.createComment("outlet:empty");
+    const el = __element("span");
+    el.style.display = "contents";
+    return el;
   }
   const container = __element("div");
   let childCleanups = [];

package/dist/shared/{chunk-vndfjfdy.js → chunk-mgfrrrjq.js}

@@ -254,6 +254,11 @@ function __child(fn) {
           if (isRenderNode(value) && wrapper.childNodes.length === 1 && wrapper.firstChild === value) {
             return;
           }
+          if (!isRenderNode(value) && value != null && typeof value !== "boolean" && wrapper.childNodes.length === 1 && wrapper.firstChild.nodeType === 3) {
+            const text = typeof value === "string" ? value : String(value);
+            wrapper.firstChild.data = text;
+            return;
+          }
           while (wrapper.firstChild) {
             wrapper.removeChild(wrapper.firstChild);
           }
@@ -272,6 +277,11 @@ function __child(fn) {
     if (isRenderNode(value) && wrapper.childNodes.length === 1 && wrapper.firstChild === value) {
       return;
     }
+    if (!isRenderNode(value) && value != null && typeof value !== "boolean" && typeof value !== "function" && wrapper.childNodes.length === 1 && wrapper.firstChild.nodeType === 3) {
+      const text = typeof value === "string" ? value : String(value);
+      wrapper.firstChild.data = text;
+      return;
+    }
     while (wrapper.firstChild) {
       wrapper.removeChild(wrapper.firstChild);
     }

package/dist/shared/{chunk-6jyt4ycw.js → chunk-yjs76c7v.js}

@@ -1,6 +1,6 @@
 import {
   injectCSS
-} from "./chunk-dhehvmj0.js";
+} from "./chunk-c3r237f0.js";
 
 // src/dom/animation.ts
 function onAnimationsComplete(el, callback) {

package/dist/src/auth/public.d.ts

@@ -121,6 +121,17 @@ interface EntitlementRegistry {}
 /** Entitlement type — narrows to literal union when codegen populates EntitlementRegistry. */
 type Entitlement = keyof EntitlementRegistry extends never ? string : Extract<keyof EntitlementRegistry, string>;
 /**
+* @internal Signal-backed version of AccessCheck — actual runtime type of can() return.
+* Use with canSignals() when framework code needs reactive signal access without compiler transforms.
+*/
+interface RawAccessCheck {
+	readonly allowed: ReadonlySignal<boolean>;
+	readonly reasons: ReadonlySignal<DenialReason[]>;
+	readonly reason: ReadonlySignal<DenialReason | undefined>;
+	readonly meta: ReadonlySignal<DenialMeta | undefined>;
+	readonly loading: ReadonlySignal<boolean>;
+}
+/**
 * Check if the current user has a specific entitlement.
 *
 * Must be called in the component body (like query()/form()).
@@ -136,6 +147,19 @@ type Entitlement = keyof EntitlementRegistry extends never ? string : Extract<ke
 declare function can(entitlement: Entitlement, entity?: {
 	__access?: Record<string, AccessCheckData>;
 }): AccessCheck;
+/**
+* @internal Framework use only.
+* Same as can() but returns raw ReadonlySignal properties.
+* Use when framework code needs reactive signal access without compiler transforms.
+*
+* Must NOT be added to the signal-api-registry — the compiler must not auto-unwrap these.
+*
+* @param entitlement - The entitlement to check
+* @param entity - Optional entity with pre-computed `__access` metadata
+*/
+declare function canSignals(entitlement: Entitlement, entity?: {
+	__access?: Record<string, AccessCheckData>;
+}): RawAccessCheck;
 /** Client-side access events (no orgId/userId — server scopes the broadcast) */
 type ClientAccessEvent = {
 	type: "access:flag_toggled";
@@ -179,16 +203,6 @@ interface AccessEventClient {
 	dispose(): void;
 }
 declare function createAccessEventClient(options: AccessEventClientOptions): AccessEventClient;
-interface AccessGateProps {
-	fallback?: () => unknown;
-	children: (() => unknown) | unknown;
-}
-/**
-* Gate component that blocks children while the access set is loading.
-* Use this to prevent flicker on initial render when access data
-* hasn't been hydrated yet.
-*/
-declare function AccessGate({ fallback, children }: AccessGateProps): ReadonlySignal<unknown> | unknown;
 import { Result } from "@vertz/fetch";
 /**
 * Minimal schema interface compatible with @vertz/schema.
@@ -306,11 +320,6 @@ interface AuthProviderProps {
 	children: (() => unknown) | unknown;
 }
 declare function AuthProvider({ basePath, accessControl, accessEvents, accessEventsUrl, flagEntitlementMap, children }: AuthProviderProps): HTMLElement;
-interface AuthGateProps {
-	fallback?: () => unknown;
-	children: (() => unknown) | unknown;
-}
-declare function AuthGate({ fallback, children }: AuthGateProps): ReadonlySignal<unknown> | unknown;
 /**
 * Create an AccessContextValue for use with AccessContext.Provider.
 * Hydrates from `window.__VERTZ_ACCESS_SET__` when available (SSR).
@@ -324,40 +333,24 @@ declare function AuthGate({ fallback, children }: AuthGateProps): ReadonlySignal
 * ```
 */
 declare function createAccessProvider(): AccessContextValue;
-interface OAuthButtonProps {
-	/** Provider ID (e.g., 'github', 'google') */
-	provider: string;
-	/** Custom label text. Defaults to "Continue with {Name}". */
-	label?: string;
-	/** Render icon only, no text. */
-	iconOnly?: boolean;
-	/** @internal — injected providers array for testing. Uses useAuth() in production. */
-	_providers?: OAuthProviderInfo[];
-}
-declare function OAuthButton({ provider, label, iconOnly, _providers }: OAuthButtonProps): Element;
-interface OAuthButtonsProps {
-	/** @internal — injected providers array for testing. Uses useAuth() in production. */
-	_providers?: OAuthProviderInfo[];
-}
-declare function OAuthButtons({ _providers }?: OAuthButtonsProps): HTMLDivElement;
-interface ProtectedRouteProps {
-	/** Path to redirect to when unauthenticated. Default: '/login' */
-	loginPath?: string;
-	/** Rendered while auth is resolving (idle/loading). Default: null */
-	fallback?: () => unknown;
-	/** Rendered when authenticated */
-	children: (() => unknown) | unknown;
-	/** Optional: required entitlements (integrates with can()) */
-	requires?: Entitlement[];
-	/** Rendered when authenticated but lacking required entitlements. Default: null */
-	forbidden?: () => unknown;
-	/** Append ?returnTo=<currentPath> when redirecting. Default: true */
-	returnTo?: boolean;
-}
-declare function ProtectedRoute({ loginPath, fallback, children, requires, forbidden, returnTo }: ProtectedRouteProps): ReadonlySignal<unknown> | unknown;
 /**
 * Get an SVG icon string for a provider.
 * Returns the built-in icon for known providers, or a generic fallback for unknown.
 */
 declare function getProviderIcon(providerId: string, size: number): string;
-export { useAuth, useAccessContext, getProviderIcon, createAccessProvider, createAccessEventClient, can, User, SignUpInput, SignOutOptions, SignInInput, ResetInput, ProtectedRouteProps, ProtectedRoute, OAuthProviderInfo, OAuthButtonsProps, OAuthButtons, OAuthButtonProps, OAuthButton, MfaInput, ForgotInput, EntitlementRegistry, Entitlement, DenialReason, DenialMeta, ClientAccessEvent, AuthStatus, AuthResponse, AuthProviderProps, AuthProvider, AuthGateProps, AuthGate, AuthErrorCode, AuthContextValue, AuthContext, AuthClientError, AccessSet, AccessGateProps, AccessGate, AccessEventClientOptions, AccessEventClient, AccessContextValue, AccessContext, AccessCheckData, AccessCheck };
+/**
+* Get a display name for a user with a fallback chain.
+* Chain: user.name (if string & non-empty) → user.email → fallback (default: 'Unknown')
+*/
+declare function getUserDisplayName(user: User | null | undefined, fallback?: string): string;
+/**
+* Get initials from a user's name or email (max 2 characters).
+* Chain: first + last word initials from name → first char of email → '?'
+*/
+declare function getUserInitials(user: User | null | undefined): string;
+/**
+* Default user silhouette icon for avatar fallbacks.
+* Returns an inline SVG string — no external requests, works in SSR.
+*/
+declare function getUserIcon(size: number): string;
+export { useAuth, useAccessContext, getUserInitials, getUserIcon, getUserDisplayName, getProviderIcon, createAccessProvider, createAccessEventClient, canSignals, can, User, SignUpInput, SignOutOptions, SignInInput, ResetInput, RawAccessCheck, OAuthProviderInfo, MfaInput, ForgotInput, EntitlementRegistry, Entitlement, DenialReason, DenialMeta, ClientAccessEvent, AuthStatus, AuthResponse, AuthProviderProps, AuthProvider, AuthErrorCode, AuthContextValue, AuthContext, AuthClientError, AccessSet, AccessEventClientOptions, AccessEventClient, AccessContextValue, AccessContext, AccessCheckData, AccessCheck };

package/dist/src/auth/public.js

@@ -1,26 +1,14 @@
 import {
   RouterContext
 } from "../../shared/chunk-mtsvrj9e.js";
-import {
-  __on
-} from "../../shared/chunk-pnv25zep.js";
 import {
   isBrowser
 } from "../../shared/chunk-14eqne2a.js";
-import {
-  __append,
-  __element,
-  __enterChildren,
-  __exitChildren,
-  __staticText
-} from "../../shared/chunk-vndfjfdy.js";
-import"../../shared/chunk-prj7nm08.js";
-import"../../shared/chunk-afawz764.js";
 import {
   _tryOnCleanup,
   computed,
   createContext,
-  domEffect,
+  getSSRContext,
   signal,
   useContext
 } from "../../shared/chunk-4fwcwxn6.js";
@@ -34,25 +22,18 @@ function useAccessContext() {
   }
   return ctx;
 }
-function createFallbackDenied() {
-  return {
-    allowed: computed(() => false),
-    reasons: computed(() => ["not_authenticated"]),
-    reason: computed(() => "not_authenticated"),
-    meta: computed(() => {
-      return;
-    }),
-    loading: computed(() => false)
-  };
-}
 var __DEV__ = typeof process !== "undefined" && true;
-function can(entitlement, entity) {
-  const ctx = useContext(AccessContext);
+function createAccessCheckRaw(ctx, entitlement, entity) {
   if (!ctx) {
-    if (__DEV__) {
-      console.warn("can() called without AccessContext.Provider — all checks denied");
-    }
-    return createFallbackDenied();
+    return {
+      allowed: computed(() => false),
+      reasons: computed(() => ["not_authenticated"]),
+      reason: computed(() => "not_authenticated"),
+      meta: computed(() => {
+        return;
+      }),
+      loading: computed(() => false)
+    };
   }
   const accessData = computed(() => {
     if (entity?.__access?.[entitlement])
@@ -73,6 +54,20 @@ function can(entitlement, entity) {
     })
   };
 }
+function can(entitlement, entity) {
+  const ctx = useContext(AccessContext);
+  if (!ctx && __DEV__) {
+    console.warn("can() called without AccessContext.Provider — all checks denied");
+  }
+  return createAccessCheckRaw(ctx, entitlement, entity);
+}
+function canSignals(entitlement, entity) {
+  const ctx = useContext(AccessContext);
+  if (!ctx && __DEV__) {
+    console.warn("canSignals() called without AccessContext.Provider — all checks denied");
+  }
+  return createAccessCheckRaw(ctx, entitlement, entity);
+}
 // src/auth/access-event-client.ts
 var BASE_BACKOFF_MS = 1000;
 var MAX_BACKOFF_MS = 30000;
@@ -158,26 +153,6 @@ function createAccessEventClient(options) {
   }
   return { connect, disconnect, dispose };
 }
-// src/auth/access-gate.ts
-function AccessGate({
-  fallback,
-  children
-}) {
-  const ctx = useContext(AccessContext);
-  if (!ctx) {
-    return typeof children === "function" ? children() : children;
-  }
-  const isLoaded = computed(() => {
-    const set = ctx.accessSet;
-    return set !== null;
-  });
-  return computed(() => {
-    if (isLoaded.value) {
-      return typeof children === "function" ? children() : children;
-    }
-    return fallback ? fallback() : null;
-  });
-}
 // src/auth/access-event-handler.ts
 function handleAccessEvent(accessSet, event, flagEntitlementMap) {
   const current = accessSet.value;
@@ -791,6 +766,16 @@ function AuthProvider({
         refresh();
       }, 0);
     }
+  } else {
+    const ssrCtx = getSSRContext();
+    if (ssrCtx?.ssrAuth) {
+      if (ssrCtx.ssrAuth.status === "authenticated") {
+        userSignal.value = ssrCtx.ssrAuth.user;
+        statusSignal.value = "authenticated";
+      } else {
+        statusSignal.value = "unauthenticated";
+      }
+    }
   }
   if (accessControl && accessSetSignal && accessLoadingSignal) {
     if (isBrowser() && window.__VERTZ_ACCESS_SET__ && typeof window.__VERTZ_ACCESS_SET__.entitlements === "object" && window.__VERTZ_ACCESS_SET__.entitlements !== null) {
@@ -808,23 +793,6 @@ function AuthProvider({
   }
   return AuthContext.Provider({ value: contextValue, children });
 }
-// src/auth/auth-gate.ts
-function AuthGate({ fallback, children }) {
-  const ctx = useContext(AuthContext);
-  if (!ctx) {
-    return typeof children === "function" ? children() : children;
-  }
-  const isResolved = computed(() => {
-    const status = ctx.status;
-    return status !== "idle" && status !== "loading";
-  });
-  return computed(() => {
-    if (isResolved.value) {
-      return typeof children === "function" ? children() : children;
-    }
-    return fallback ? fallback() : null;
-  });
-}
 // src/auth/create-access-provider.ts
 function createAccessProvider() {
   const accessSet = signal(null);
@@ -851,127 +819,49 @@ function getProviderIcon(providerId, size) {
   const iconFn = icons[providerId];
   return iconFn ? iconFn(size) : fallbackIcon(size);
 }
-
-// src/auth/oauth-button.ts
-var DANGEROUS_SCHEMES = ["javascript:", "data:", "vbscript:"];
-function isSafeUrl(url) {
-  const normalized = url.replace(/\s/g, "").toLowerCase();
-  if (normalized.startsWith("//"))
-    return false;
-  for (const scheme of DANGEROUS_SCHEMES) {
-    if (normalized.startsWith(scheme))
-      return false;
-  }
-  return true;
-}
-function OAuthButton({ provider, label, iconOnly, _providers }) {
-  const providers = _providers ?? useAuth().providers;
-  const providerInfo = providers.find((p) => p.id === provider);
-  if (!providerInfo) {
-    return __element("span");
-  }
-  const safeAuthUrl = isSafeUrl(providerInfo.authUrl) ? providerInfo.authUrl : "#";
-  const props = { type: "button" };
-  if (iconOnly) {
-    props["aria-label"] = `Continue with ${providerInfo.name}`;
-  }
-  const el = __element("button", props);
-  __on(el, "click", () => {
-    window.location.href = safeAuthUrl;
-  });
-  __enterChildren(el);
-  const iconSpan = __element("span");
-  iconSpan.innerHTML = getProviderIcon(provider, 20);
-  __append(el, iconSpan);
-  if (!iconOnly) {
-    const text = label ?? `Continue with ${providerInfo.name}`;
-    const textSpan = __element("span");
-    __enterChildren(textSpan);
-    __append(textSpan, __staticText(text));
-    __exitChildren();
-    __append(el, textSpan);
-  }
-  __exitChildren();
-  return el;
+// src/auth/user-display.ts
+function getUserDisplayName(user, fallback = "Unknown") {
+  if (!user)
+    return fallback;
+  const name = user.name;
+  if (typeof name === "string" && name.trim().length > 0)
+    return name.trim();
+  if (user.email)
+    return user.email;
+  return fallback;
 }
-// src/auth/oauth-buttons.ts
-function OAuthButtons({ _providers } = {}) {
-  const providers = _providers ?? useAuth().providers;
-  const container = __element("div");
-  __enterChildren(container);
-  for (const provider of providers) {
-    const button = OAuthButton({
-      provider: provider.id,
-      _providers: providers
-    });
-    __append(container, button);
-  }
-  __exitChildren();
-  return container;
+function getUserInitials(user) {
+  if (!user)
+    return "?";
+  const name = user.name;
+  if (typeof name === "string" && name.trim().length > 0) {
+    const words = name.trim().split(/\s+/);
+    const first = words[0] ?? "";
+    const last = words[words.length - 1] ?? "";
+    if (words.length === 1 || !last)
+      return first.charAt(0).toUpperCase() || "?";
+    return (first.charAt(0) + last.charAt(0)).toUpperCase();
+  }
+  if (user.email && user.email.length > 0)
+    return user.email.charAt(0).toUpperCase();
+  return "?";
 }
-// src/auth/protected-route.ts
-var __DEV__2 = typeof process !== "undefined" && true;
-function ProtectedRoute({
-  loginPath = "/login",
-  fallback,
-  children,
-  requires,
-  forbidden,
-  returnTo = true
-}) {
-  const ctx = useContext(AuthContext);
-  if (!ctx) {
-    if (__DEV__2) {
-      console.warn("ProtectedRoute used without AuthProvider — rendering children unprotected");
-    }
-    return typeof children === "function" ? children() : children;
-  }
-  const router = useContext(RouterContext);
-  const checks = requires?.map((e) => can(e));
-  const allAllowed = computed(() => !checks || checks.every((c) => c.allowed.value));
-  const isResolved = computed(() => {
-    const status = ctx.status;
-    return status !== "idle" && status !== "loading";
-  });
-  const shouldRedirect = computed(() => {
-    if (!isResolved.value)
-      return false;
-    return !ctx.isAuthenticated;
-  });
-  if (router) {
-    domEffect(() => {
-      if (shouldRedirect.value) {
-        const search = returnTo && isBrowser() ? `?returnTo=${encodeURIComponent(window.location.pathname + window.location.search)}` : "";
-        router.navigate({ to: `${loginPath}${search}`, replace: true });
-      }
-    });
-  }
-  return computed(() => {
-    if (!isResolved.value) {
-      return fallback ? fallback() : null;
-    }
-    if (shouldRedirect.value) {
-      return fallback ? fallback() : null;
-    }
-    if (!allAllowed.value) {
-      return forbidden ? forbidden() : null;
-    }
-    return typeof children === "function" ? children() : children;
-  });
+// src/auth/user-icon.ts
+function getUserIcon(size) {
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${size}" height="${size}" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M19 21v-2a4 4 0 0 0-4-4H9a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>`;
 }
 export {
   useAuth,
   useAccessContext,
+  getUserInitials,
+  getUserIcon,
+  getUserDisplayName,
   getProviderIcon,
   createAccessProvider,
   createAccessEventClient,
+  canSignals,
   can,
-  ProtectedRoute,
-  OAuthButtons,
-  OAuthButton,
   AuthProvider,
-  AuthGate,
   AuthContext,
-  AccessGate,
   AccessContext
 };

package/dist/src/css/public.js

@@ -8,8 +8,8 @@ import {
   globalCss,
   s,
   variants
-} from "../../shared/chunk-dhehvmj0.js";
-import"../../shared/chunk-vndfjfdy.js";
+} from "../../shared/chunk-c3r237f0.js";
+import"../../shared/chunk-mgfrrrjq.js";
 import"../../shared/chunk-prj7nm08.js";
 import"../../shared/chunk-afawz764.js";
 import"../../shared/chunk-4fwcwxn6.js";

package/dist/src/index.d.ts

@@ -117,12 +117,14 @@ declare function createContext<T>(defaultValue?: T, __stableId?: string): Contex
 * Returns the default value if no Provider is active.
 */
 declare function useContext<T>(ctx: Context<T>): UnwrapSignals<T> | undefined;
+/** DOM element types accepted by JSX (mirrors JSX.Element). */
+type JsxElement = HTMLElement | SVGElement | DocumentFragment;
 /** Props for the ErrorBoundary component. */
 interface ErrorBoundaryProps {
 	/** Function that returns the children to render. */
-	children: () => Node;
+	children: () => JsxElement;
 	/** Fallback renderer that receives the caught error and a retry function. */
-	fallback: (error: Error, retry: () => void) => Node;
+	fallback: (error: Error, retry: () => void) => JsxElement;
 }
 /**
 * ErrorBoundary component.
@@ -135,7 +137,7 @@ interface ErrorBoundaryProps {
 * Also registers an async error handler so that nested Suspense components
 * can propagate async errors to this boundary.
 */
-declare function ErrorBoundary(props: ErrorBoundaryProps): Node;
+declare function ErrorBoundary(props: ErrorBoundaryProps): JsxElement;
 /**
 * Runs callback once on mount. Never re-executes.
 * Return a function to register cleanup that runs on unmount.
@@ -184,12 +186,14 @@ interface Ref<T> {
 * `ref.current` will hold the DOM element.
 */
 declare function ref<T>(): Ref<T>;
+/** DOM element types accepted by JSX (mirrors JSX.Element). */
+type JsxElement2 = HTMLElement | SVGElement | DocumentFragment;
 /** Props for the Suspense component. */
 interface SuspenseProps {
 	/** Function that returns the children to render (may throw a Promise). */
-	children: () => Node;
+	children: () => JsxElement2;
 	/** Fallback renderer shown while children are pending. */
-	fallback: () => Node;
+	fallback: () => JsxElement2;
 }
 /**
 * Suspense component for async boundaries.
@@ -202,7 +206,7 @@ interface SuspenseProps {
 * to the nearest ErrorBoundary. If no ErrorBoundary exists, the error is surfaced
 * globally via queueMicrotask to avoid silent swallowing.
 */
-declare function Suspense(props: SuspenseProps): Node;
+declare function Suspense(props: SuspenseProps): JsxElement2;
 declare const ANIMATION_DURATION: string;
 declare const ANIMATION_EASING: string;
 declare const fadeIn: string;
@@ -1395,7 +1399,7 @@ declare const OutletContext: Context<OutletContextValue>;
 * Must be called inside a layout component rendered by RouterView.
 * Reads from OutletContext to determine which child to render.
 */
-declare function Outlet(): Node;
+declare function Outlet(): HTMLElement;
 declare const RouterContext: Context<Router>;
 declare function useRouter<T extends Record<string, RouteConfigLike> = RouteDefinitionMap>(): UnwrapSignals<Router<T>>;
 /**

package/dist/src/index.js

@@ -21,7 +21,7 @@ import {
   slideOutToTop,
   zoomIn,
   zoomOut
-} from "../shared/chunk-6jyt4ycw.js";
+} from "../shared/chunk-yjs76c7v.js";
 import {
   Link,
   Outlet,
@@ -30,8 +30,8 @@ import {
   createLink,
   parseSearchParams,
   useSearchParams
-} from "../shared/chunk-b0qqqk03.js";
-import"../shared/chunk-1rxa2fz4.js";
+} from "../shared/chunk-j5qtsm0b.js";
+import"../shared/chunk-07bh4m1e.js";
 import {
   createRouter
 } from "../shared/chunk-fkbgbf3n.js";
@@ -57,7 +57,7 @@ import {
   queryMatch,
   registerRelationSchema,
   resetRelationSchemas_TEST_ONLY
-} from "../shared/chunk-4mtn7af6.js";
+} from "../shared/chunk-fs3eec4b.js";
 import"../shared/chunk-jrtrk5z4.js";
 import {
   ThemeProvider,
@@ -74,16 +74,7 @@ import {
   resolveChildren,
   s,
   variants
-} from "../shared/chunk-dhehvmj0.js";
-import {
-  RouterContext,
-  useParams,
-  useRouter
-} from "../shared/chunk-mtsvrj9e.js";
-import"../shared/chunk-pnv25zep.js";
-import {
-  isBrowser
-} from "../shared/chunk-14eqne2a.js";
+} from "../shared/chunk-c3r237f0.js";
 import {
   __append,
   __element,
@@ -96,7 +87,7 @@ import {
   exitChildren,
   getIsHydrating,
   startHydration
-} from "../shared/chunk-vndfjfdy.js";
+} from "../shared/chunk-mgfrrrjq.js";
 import"../shared/chunk-prj7nm08.js";
 import {
   RENDER_NODE_BRAND,
@@ -105,6 +96,14 @@ import {
   isRenderNode,
   setAdapter
 } from "../shared/chunk-afawz764.js";
+import {
+  RouterContext,
+  useParams,
+  useRouter
+} from "../shared/chunk-mtsvrj9e.js";
+import {
+  isBrowser
+} from "../shared/chunk-14eqne2a.js";
 import {
   DisposalScopeError,
   _tryOnCleanup,

package/dist/src/internals.d.ts

@@ -969,7 +969,34 @@ interface SSRRenderContext {
 	* Used by the build pipeline to discover which routes to pre-render.
 	*/
 	discoveredRoutes?: string[];
+	/**
+	* Auth state resolved by the server (e.g. from session cookie).
+	* Set by ssrRenderToString() before Pass 1 so AuthProvider can
+	* hydrate status/user synchronously during SSR.
+	*/
+	ssrAuth?: SSRAuth;
+	/**
+	* Written by ProtectedRoute during Pass 1 when the user is not
+	* authenticated. Signals ssrRenderToString() to skip Pass 2 and
+	* return a redirect response instead.
+	*/
+	ssrRedirect?: {
+		to: string;
+	};
 }
+/** Auth state injected into SSRRenderContext by the server. */
+type SSRAuth = {
+	status: "authenticated";
+	user: {
+		id: string;
+		email: string;
+		role: string;
+		[key: string]: unknown;
+	};
+	expiresAt: number;
+} | {
+	status: "unauthenticated";
+};
 type SSRContextResolver = () => SSRRenderContext | undefined;
 declare function registerSSRResolver(resolver: SSRContextResolver | null): void;
 declare function getSSRContext(): SSRRenderContext | undefined;
@@ -983,4 +1010,4 @@ declare function getSSRContext(): SSRRenderContext | undefined;
 * clears during HMR module re-evaluation.
 */
 declare function hasSSRResolver(): boolean;
-export { stopSignalCollection, startSignalCollection, setContextScope, setAdapter, runCleanups, resolveComponent, removeNode, registerSSRResolver, pushScope, popScope, onCleanup, onAnimationsComplete, matchRoute, matchPath, lifecycleEffect, isRenderNode, isBrowser, insertBefore, hasSSRResolver, getSSRContext, getContextScope, getAdapter, executeLoaders, domEffect, deserializeProps, deriveKey, createDOMAdapter, compileTheme, clearChildren, _tryOnCleanup, __text, __staticText, __show, __on, __list, __insert, __exitChildren, __enterChildren, __element, __conditional, __classList, __child, __attr, __append, SSRRenderContext, SSRQueryEntry, SPACING_SCALE, SIZE_KEYWORDS, SHADOW_SCALE, RenderText, RenderNode, RenderElement, RenderAdapter, RENDER_NODE_BRAND, RADIUS_SCALE, QueryEnvelopeStore, PropertyMapping, PSEUDO_PREFIXES, PSEUDO_MAP, PROPERTY_MAP, MemoryCache, MatchResult, LINE_HEIGHT_SCALE, KEYWORD_MAP, HEIGHT_AXIS_PROPERTIES, FONT_WEIGHT_SCALE, FONT_SIZE_SCALE, EntityStore, DISPLAY_MAP, CSS_COLOR_KEYWORDS, CSSDeclarationEntry, CONTENT_MAP, COLOR_NAMESPACES, ALIGNMENT_MAP };
+export { stopSignalCollection, startSignalCollection, setContextScope, setAdapter, runCleanups, resolveComponent, removeNode, registerSSRResolver, pushScope, popScope, onCleanup, onAnimationsComplete, matchRoute, matchPath, lifecycleEffect, isRenderNode, isBrowser, insertBefore, hasSSRResolver, getSSRContext, getContextScope, getAdapter, executeLoaders, domEffect, deserializeProps, deriveKey, createDOMAdapter, compileTheme, clearChildren, _tryOnCleanup, __text, __staticText, __show, __on, __list, __insert, __exitChildren, __enterChildren, __element, __conditional, __classList, __child, __attr, __append, SSRRenderContext, SSRQueryEntry, SSRAuth, SPACING_SCALE, SIZE_KEYWORDS, SHADOW_SCALE, RenderText, RenderNode, RenderElement, RenderAdapter, RENDER_NODE_BRAND, RADIUS_SCALE, QueryEnvelopeStore, PropertyMapping, PSEUDO_PREFIXES, PSEUDO_MAP, PROPERTY_MAP, MemoryCache, MatchResult, LINE_HEIGHT_SCALE, KEYWORD_MAP, HEIGHT_AXIS_PROPERTIES, FONT_WEIGHT_SCALE, FONT_SIZE_SCALE, EntityStore, DISPLAY_MAP, CSS_COLOR_KEYWORDS, CSSDeclarationEntry, CONTENT_MAP, COLOR_NAMESPACES, ALIGNMENT_MAP };

package/dist/src/internals.js

@@ -2,12 +2,13 @@ import {
   deserializeProps,
   onAnimationsComplete,
   resolveComponent
-} from "../shared/chunk-6jyt4ycw.js";
+} from "../shared/chunk-yjs76c7v.js";
 import {
   __attr,
   __classList,
+  __on,
   __show
-} from "../shared/chunk-1rxa2fz4.js";
+} from "../shared/chunk-07bh4m1e.js";
 import {
   executeLoaders,
   matchPath,
@@ -18,7 +19,7 @@ import {
   MemoryCache,
   QueryEnvelopeStore,
   deriveKey
-} from "../shared/chunk-4mtn7af6.js";
+} from "../shared/chunk-fs3eec4b.js";
 import"../shared/chunk-jrtrk5z4.js";
 import {
   ALIGNMENT_MAP,
@@ -39,13 +40,7 @@ import {
   SIZE_KEYWORDS,
   SPACING_SCALE,
   compileTheme
-} from "../shared/chunk-dhehvmj0.js";
-import {
-  __on
-} from "../shared/chunk-pnv25zep.js";
-import {
-  isBrowser
-} from "../shared/chunk-14eqne2a.js";
+} from "../shared/chunk-c3r237f0.js";
 import {
   __append,
   __child,
@@ -58,7 +53,7 @@ import {
   claimComment,
   claimText,
   getIsHydrating
-} from "../shared/chunk-vndfjfdy.js";
+} from "../shared/chunk-mgfrrrjq.js";
 import"../shared/chunk-prj7nm08.js";
 import {
   RENDER_NODE_BRAND,
@@ -67,6 +62,9 @@ import {
   isRenderNode,
   setAdapter
 } from "../shared/chunk-afawz764.js";
+import {
+  isBrowser
+} from "../shared/chunk-14eqne2a.js";
 import {
   _tryOnCleanup,
   domEffect,

package/dist/src/jsx-runtime/index.d.ts

@@ -1,3 +1,7 @@
+/** A ref container for DOM element access. */
+interface Ref<T> {
+	current: T | undefined;
+}
 /**
 * JSX namespace - required for TypeScript's react-jsx mode
 * to understand intrinsic element types and component types.
@@ -11,6 +15,7 @@ declare namespace JSX {
 	}
 	interface IntrinsicAttributes {
 		key?: string | number;
+		ref?: Ref<unknown> | ((el: Element) => void);
 	}
 	interface IntrinsicElements {
 		[key: string]: HTMLAttributes | undefined;

package/dist/src/jsx-runtime/index.js

@@ -26,7 +26,7 @@ function jsxImpl(tag, props) {
   if (typeof tag === "function") {
     return tag(props || {});
   }
-  const { children, ...attrs } = props || {};
+  const { children, ref: refProp, ...attrs } = props || {};
   const svg = isSVGTag(tag);
   const element = svg ? document.createElementNS(SVG_NS, tag) : document.createElement(tag);
   for (const [key, value] of Object.entries(attrs)) {
@@ -45,6 +45,13 @@ function jsxImpl(tag, props) {
     }
   }
   applyChildren(element, children);
+  if (refProp != null) {
+    if (typeof refProp === "function") {
+      refProp(element);
+    } else if (typeof refProp === "object" && "current" in refProp) {
+      refProp.current = element;
+    }
+  }
   return element;
 }
 function jsx(tag, props) {

package/dist/src/query/public.js

@@ -1,10 +1,10 @@
 import {
   query,
   queryMatch
-} from "../../shared/chunk-4mtn7af6.js";
+} from "../../shared/chunk-fs3eec4b.js";
 import"../../shared/chunk-jrtrk5z4.js";
-import"../../shared/chunk-14eqne2a.js";
 import"../../shared/chunk-afawz764.js";
+import"../../shared/chunk-14eqne2a.js";
 import"../../shared/chunk-4fwcwxn6.js";
 
 // src/query/public.ts

package/dist/src/router/public.d.ts

@@ -388,7 +388,7 @@ declare const OutletContext: Context<OutletContextValue>;
 * Must be called inside a layout component rendered by RouterView.
 * Reads from OutletContext to determine which child to render.
 */
-declare function Outlet(): Node;
+declare function Outlet(): HTMLElement;
 declare const RouterContext: Context<Router>;
 declare function useRouter<T extends Record<string, RouteConfigLike> = RouteDefinitionMap>(): UnwrapSignals<Router<T>>;
 /**

package/dist/src/router/public.js

@@ -6,8 +6,8 @@ import {
   createLink,
   parseSearchParams,
   useSearchParams
-} from "../../shared/chunk-b0qqqk03.js";
-import"../../shared/chunk-1rxa2fz4.js";
+} from "../../shared/chunk-j5qtsm0b.js";
+import"../../shared/chunk-07bh4m1e.js";
 import {
   createRouter
 } from "../../shared/chunk-fkbgbf3n.js";
@@ -15,16 +15,15 @@ import {
   defineRoutes
 } from "../../shared/chunk-6wd36w21.js";
 import"../../shared/chunk-jrtrk5z4.js";
+import"../../shared/chunk-mgfrrrjq.js";
+import"../../shared/chunk-prj7nm08.js";
+import"../../shared/chunk-afawz764.js";
 import {
   RouterContext,
   useParams,
   useRouter
 } from "../../shared/chunk-mtsvrj9e.js";
-import"../../shared/chunk-pnv25zep.js";
 import"../../shared/chunk-14eqne2a.js";
-import"../../shared/chunk-vndfjfdy.js";
-import"../../shared/chunk-prj7nm08.js";
-import"../../shared/chunk-afawz764.js";
 import"../../shared/chunk-4fwcwxn6.js";
 export {
   useSearchParams,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vertz/ui",
-  "version": "0.2.16",
+  "version": "0.2.18",
   "type": "module",
   "license": "MIT",
   "description": "Vertz UI framework — signals, components, JSX runtime",
@@ -69,11 +69,11 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@vertz/fetch": "^0.2.15"
+    "@vertz/fetch": "^0.2.17"
   },
   "devDependencies": {
     "@happy-dom/global-registrator": "^20.7.0",
-    "@vertz/schema": "^0.2.15",
+    "@vertz/schema": "^0.2.17",
     "bunup": "^0.16.31",
     "happy-dom": "^20.7.0",
     "typescript": "^5.7.0"

package/dist/shared/chunk-pnv25zep.js

@@ -1,7 +0,0 @@
-// src/dom/events.ts
-function __on(el, event, handler) {
-  el.addEventListener(event, handler);
-  return () => el.removeEventListener(event, handler);
-}
-
-export { __on };

package/dist/shared/{chunk-4mtn7af6.js → chunk-fs3eec4b.js}

@@ -1,13 +1,13 @@
 import {
   isNavPrefetchActive
 } from "./chunk-jrtrk5z4.js";
-import {
-  isBrowser
-} from "./chunk-14eqne2a.js";
 import {
   getAdapter,
   isRenderNode
 } from "./chunk-afawz764.js";
+import {
+  isBrowser
+} from "./chunk-14eqne2a.js";
 import {
   _tryOnCleanup,
   batch,