@viyv/account-client 0.1.0

package/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2026 viyv. All Rights Reserved.
+
+PROPRIETARY AND CONFIDENTIAL
+
+This software and its source code (the "Software") are the proprietary and
+confidential property of viyv. Unauthorized copying, distribution,
+modification, public display, public performance, reverse engineering, or
+commercial use of the Software, in whole or in part, via any medium, is
+strictly prohibited without the express prior written permission of viyv.
+
+No license, express or implied, by estoppel or otherwise, to any intellectual
+property rights is granted by this document. The receipt or possession of the
+Software does not convey or imply any right to use, reproduce, disclose, or
+distribute its contents.
+
+Separately published SDK packages (e.g. @viyv/account-client,
+@viyv/license-verify) may be distributed as compiled artifacts under their own
+published package terms; that distribution does not grant any rights to this
+repository's source code.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/chunk-UX6UAFIF.js

@@ -0,0 +1,23 @@
+// src/entitlement.ts
+function parseEntitlement(wire) {
+  return {
+    organizationId: wire.organization_id,
+    plan: wire.plan,
+    addons: wire.addons ?? [],
+    products: wire.products ?? [],
+    features: wire.features
+  };
+}
+function entitlementForProduct(entitlement, product) {
+  if (!entitlement) return null;
+  return {
+    enabled: entitlement.products.includes(product),
+    plan: entitlement.plan,
+    addons: entitlement.addons,
+    features: entitlement.features
+  };
+}
+
+export { entitlementForProduct, parseEntitlement };
+//# sourceMappingURL=chunk-UX6UAFIF.js.map
+//# sourceMappingURL=chunk-UX6UAFIF.js.map

package/dist/entitlement-B3pXM2vO.d.cts

@@ -0,0 +1,47 @@
+import { PlanTier, ProductSlug, EntitlementFeatures } from '@viyv/shared';
+
+/** The signed-in user as returned by better-auth's get-session. */
+interface AccountUser {
+    id: string;
+    email: string;
+    name?: string | null;
+    image?: string | null;
+}
+/** Active organization, when the session carries one. */
+interface AccountOrg {
+    id: string;
+    slug?: string | null;
+    name?: string | null;
+}
+/** Shape of GET /v1/license/entitlement (docs/09 A-4). */
+interface Entitlement {
+    organizationId: string;
+    plan: PlanTier;
+    addons: string[];
+    /** Product slugs this org may use (free-start lists the agent family). */
+    products: ProductSlug[];
+    features: EntitlementFeatures;
+}
+/** Per-product entitlement view returned by useEntitlement(slug). */
+interface ProductEntitlement {
+    /** Whether the product is enabled for this org. */
+    enabled: boolean;
+    plan: PlanTier;
+    addons: string[];
+    /** The full feature map (callers branch on the flags they care about). */
+    features: EntitlementFeatures;
+}
+/** Raw JSON from GET /v1/license/entitlement (snake_case wire form). */
+interface EntitlementWire {
+    organization_id: string;
+    plan: PlanTier;
+    addons: string[];
+    products: ProductSlug[];
+    features: EntitlementFeatures;
+}
+/** Normalize the wire payload into the camelCase {@link Entitlement}. */
+declare function parseEntitlement(wire: EntitlementWire): Entitlement;
+/** Project a full entitlement down to a single product's view. */
+declare function entitlementForProduct(entitlement: Entitlement | null, product: ProductSlug): ProductEntitlement | null;
+
+export { type AccountOrg as A, type Entitlement as E, type ProductEntitlement as P, type AccountUser as a, entitlementForProduct as e, parseEntitlement as p };

package/dist/entitlement-B3pXM2vO.d.ts

@@ -0,0 +1,47 @@
+import { PlanTier, ProductSlug, EntitlementFeatures } from '@viyv/shared';
+
+/** The signed-in user as returned by better-auth's get-session. */
+interface AccountUser {
+    id: string;
+    email: string;
+    name?: string | null;
+    image?: string | null;
+}
+/** Active organization, when the session carries one. */
+interface AccountOrg {
+    id: string;
+    slug?: string | null;
+    name?: string | null;
+}
+/** Shape of GET /v1/license/entitlement (docs/09 A-4). */
+interface Entitlement {
+    organizationId: string;
+    plan: PlanTier;
+    addons: string[];
+    /** Product slugs this org may use (free-start lists the agent family). */
+    products: ProductSlug[];
+    features: EntitlementFeatures;
+}
+/** Per-product entitlement view returned by useEntitlement(slug). */
+interface ProductEntitlement {
+    /** Whether the product is enabled for this org. */
+    enabled: boolean;
+    plan: PlanTier;
+    addons: string[];
+    /** The full feature map (callers branch on the flags they care about). */
+    features: EntitlementFeatures;
+}
+/** Raw JSON from GET /v1/license/entitlement (snake_case wire form). */
+interface EntitlementWire {
+    organization_id: string;
+    plan: PlanTier;
+    addons: string[];
+    products: ProductSlug[];
+    features: EntitlementFeatures;
+}
+/** Normalize the wire payload into the camelCase {@link Entitlement}. */
+declare function parseEntitlement(wire: EntitlementWire): Entitlement;
+/** Project a full entitlement down to a single product's view. */
+declare function entitlementForProduct(entitlement: Entitlement | null, product: ProductSlug): ProductEntitlement | null;
+
+export { type AccountOrg as A, type Entitlement as E, type ProductEntitlement as P, type AccountUser as a, entitlementForProduct as e, parseEntitlement as p };

package/dist/index.cjs

@@ -0,0 +1,117 @@
+'use strict';
+
+var client = require('better-auth/client');
+
+// src/index.ts
+
+// src/device.ts
+var DEFAULT_DEVICE_CLIENT_ID = "viyv-browser-macapp";
+var DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+function createDeviceFlowClient(config) {
+  const f = config.fetchImpl ?? fetch;
+  const clientId = config.clientId ?? DEFAULT_DEVICE_CLIENT_ID;
+  const base = config.apiBase.replace(/\/$/, "");
+  async function postJson(path, body, extraHeaders) {
+    const headers = { "content-type": "application/json" };
+    if (extraHeaders) {
+      for (const [k, v] of Object.entries(extraHeaders)) headers[k] = v;
+    }
+    const res = await f(`${base}${path}`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    });
+    return await res.json();
+  }
+  async function postForm(path, params) {
+    const res = await f(`${base}${path}`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(params).toString()
+    });
+    return await res.json();
+  }
+  return {
+    start: () => postJson("/v1/auth/device/start", { client_id: clientId }),
+    poll: (deviceCode) => postForm("/v1/auth/device/poll", {
+      grant_type: DEVICE_CODE_GRANT_TYPE,
+      device_code: deviceCode,
+      client_id: clientId
+    }),
+    refresh: (refreshToken) => postJson("/v1/auth/device/refresh", {
+      refresh_token: refreshToken
+    }),
+    revoke: (accessToken) => postJson(
+      "/v1/auth/device/revoke",
+      {},
+      { authorization: `Bearer ${accessToken}` }
+    ),
+    fetchLicense: async (accessToken) => {
+      const res = await f(`${base}/v1/license/current`, {
+        headers: { authorization: `Bearer ${accessToken}` }
+      });
+      return await res.json();
+    },
+    userinfo: async (accessToken) => {
+      const res = await f(`${base}/v1/auth/device/userinfo`, {
+        headers: { authorization: `Bearer ${accessToken}` }
+      });
+      if (res.status === 401) return { error: "invalid_token" };
+      return await res.json();
+    }
+  };
+}
+
+// src/entitlement.ts
+function parseEntitlement(wire) {
+  return {
+    organizationId: wire.organization_id,
+    plan: wire.plan,
+    addons: wire.addons ?? [],
+    products: wire.products ?? [],
+    features: wire.features
+  };
+}
+function entitlementForProduct(entitlement, product) {
+  if (!entitlement) return null;
+  return {
+    enabled: entitlement.products.includes(product),
+    plan: entitlement.plan,
+    addons: entitlement.addons,
+    features: entitlement.features
+  };
+}
+
+// src/index.ts
+var ACCOUNT_CLIENT_PACKAGE = "@viyv/account-client";
+function createAccountClient(config) {
+  const client$1 = client.createAuthClient({
+    baseURL: config.apiBase,
+    basePath: "/v1/auth",
+    fetchOptions: { credentials: "include" }
+  });
+  return {
+    raw: client$1,
+    signUp: (params) => client$1.signUp.email({
+      email: params.email,
+      password: params.password,
+      name: params.name ?? params.email.split("@")[0] ?? params.email
+    }),
+    signIn: (params) => client$1.signIn.email({
+      email: params.email,
+      password: params.password
+    }),
+    signOut: () => client$1.signOut(),
+    getSession: () => client$1.getSession()
+  };
+}
+
+exports.ACCOUNT_CLIENT_PACKAGE = ACCOUNT_CLIENT_PACKAGE;
+exports.DEFAULT_DEVICE_CLIENT_ID = DEFAULT_DEVICE_CLIENT_ID;
+exports.DEVICE_CODE_GRANT_TYPE = DEVICE_CODE_GRANT_TYPE;
+exports.createAccountClient = createAccountClient;
+exports.createDeviceFlowClient = createDeviceFlowClient;
+exports.entitlementForProduct = entitlementForProduct;
+exports.parseEntitlement = parseEntitlement;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.d.cts

@@ -0,0 +1,115 @@
+import { createAuthClient } from 'better-auth/client';
+import { DeviceUserinfoResponse } from '@viyv/shared';
+export { DeviceUserinfoResponse, EntitlementFeatures, PlanTier, ProductSlug } from '@viyv/shared';
+export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-B3pXM2vO.cjs';
+
+declare const DEFAULT_DEVICE_CLIENT_ID: "viyv-browser-macapp";
+/** RFC 8628 §3.4 device_code grant type (token endpoint `grant_type`). */
+declare const DEVICE_CODE_GRANT_TYPE: "urn:ietf:params:oauth:grant-type:device_code";
+interface DeviceStartResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+interface DeviceTokenResponse {
+    access_token: string;
+    refresh_token: string;
+    token_type: "Bearer";
+    expires_in: number;
+    scope: string;
+}
+/** Poll error codes per RFC 8628 / docs/03. */
+type DevicePollError = "authorization_pending" | "slow_down" | "expired_token" | "access_denied";
+interface LicenseCurrentResponse {
+    license_jwt: string;
+    expires_in: number;
+}
+interface DeviceFlowClientConfig {
+    /** e.g. "https://api.viyv.io". */
+    apiBase: string;
+    /** Device client id (default viyv-browser-macapp). */
+    clientId?: string;
+    /** Injectable fetch (Node/Electron). Defaults to global fetch. */
+    fetchImpl?: typeof fetch;
+}
+interface DeviceFlowClient {
+    start(): Promise<DeviceStartResponse>;
+    /**
+     * Poll once. Resolves to a token pair when approved, or
+     * `{ error }` (authorization_pending / expired_token / ...) while waiting.
+     */
+    poll(deviceCode: string): Promise<DeviceTokenResponse | {
+        error: DevicePollError;
+    }>;
+    refresh(refreshToken: string): Promise<DeviceTokenResponse | {
+        error: string;
+    }>;
+    revoke(accessToken: string): Promise<{
+        revoked: boolean;
+    }>;
+    /** Fetch the current license JWT using a Bearer access token. */
+    fetchLicense(accessToken: string): Promise<LicenseCurrentResponse>;
+    /**
+     * Read the signed-in identity for a device access token (OIDC-style userinfo,
+     * GET /v1/auth/device/userinfo). Returns `{ error: "invalid_token" }` on 401.
+     */
+    userinfo(accessToken: string): Promise<DeviceUserinfoResponse | {
+        error: string;
+    }>;
+}
+/**
+ * Create a Device Flow client bound to an api.viyv.io base. Non-browser clients
+ * (the Mac app) call these directly with Bearer auth — CORS does not apply.
+ */
+declare function createDeviceFlowClient(config: DeviceFlowClientConfig): DeviceFlowClient;
+
+declare const ACCOUNT_CLIENT_PACKAGE: "@viyv/account-client";
+interface AccountClientConfig {
+    /** e.g. "https://api.viyv.io" */
+    apiBase: string;
+    /**
+     * e.g. ".viyv.io". Cross-subdomain cookies are set server-side; this is kept
+     * for parity with docs/04 <AccountProvider cookieDomain> and future hooks.
+     */
+    cookieDomain?: string;
+}
+/** Result envelope returned by better-auth client calls (data or error). */
+interface AuthResult<T = unknown> {
+    data: T | null;
+    error: {
+        message?: string;
+        status?: number;
+        statusText?: string;
+    } | null;
+}
+/**
+ * Public surface of the account client. Methods are typed explicitly (rather
+ * than inferred) so the published `.d.ts` does not reference better-auth's
+ * internal module paths (TS2742 portability).
+ */
+interface AccountClient {
+    /** Raw better-auth client (escape hatch for org/session methods). */
+    raw: ReturnType<typeof createAuthClient>;
+    signUp(params: {
+        email: string;
+        password: string;
+        name?: string;
+    }): Promise<AuthResult>;
+    signIn(params: {
+        email: string;
+        password: string;
+    }): Promise<AuthResult>;
+    signOut(): Promise<AuthResult>;
+    getSession(): Promise<AuthResult>;
+}
+/**
+ * Create an account client bound to a viyv-account API base. The underlying
+ * better-auth client sends credentials so the `.viyv.io` session cookie flows
+ * cross-subdomain.
+ */
+declare function createAccountClient(config: AccountClientConfig): AccountClient;
+
+export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, createAccountClient, createDeviceFlowClient };

package/dist/index.d.ts

@@ -0,0 +1,115 @@
+import { createAuthClient } from 'better-auth/client';
+import { DeviceUserinfoResponse } from '@viyv/shared';
+export { DeviceUserinfoResponse, EntitlementFeatures, PlanTier, ProductSlug } from '@viyv/shared';
+export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-B3pXM2vO.js';
+
+declare const DEFAULT_DEVICE_CLIENT_ID: "viyv-browser-macapp";
+/** RFC 8628 §3.4 device_code grant type (token endpoint `grant_type`). */
+declare const DEVICE_CODE_GRANT_TYPE: "urn:ietf:params:oauth:grant-type:device_code";
+interface DeviceStartResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+interface DeviceTokenResponse {
+    access_token: string;
+    refresh_token: string;
+    token_type: "Bearer";
+    expires_in: number;
+    scope: string;
+}
+/** Poll error codes per RFC 8628 / docs/03. */
+type DevicePollError = "authorization_pending" | "slow_down" | "expired_token" | "access_denied";
+interface LicenseCurrentResponse {
+    license_jwt: string;
+    expires_in: number;
+}
+interface DeviceFlowClientConfig {
+    /** e.g. "https://api.viyv.io". */
+    apiBase: string;
+    /** Device client id (default viyv-browser-macapp). */
+    clientId?: string;
+    /** Injectable fetch (Node/Electron). Defaults to global fetch. */
+    fetchImpl?: typeof fetch;
+}
+interface DeviceFlowClient {
+    start(): Promise<DeviceStartResponse>;
+    /**
+     * Poll once. Resolves to a token pair when approved, or
+     * `{ error }` (authorization_pending / expired_token / ...) while waiting.
+     */
+    poll(deviceCode: string): Promise<DeviceTokenResponse | {
+        error: DevicePollError;
+    }>;
+    refresh(refreshToken: string): Promise<DeviceTokenResponse | {
+        error: string;
+    }>;
+    revoke(accessToken: string): Promise<{
+        revoked: boolean;
+    }>;
+    /** Fetch the current license JWT using a Bearer access token. */
+    fetchLicense(accessToken: string): Promise<LicenseCurrentResponse>;
+    /**
+     * Read the signed-in identity for a device access token (OIDC-style userinfo,
+     * GET /v1/auth/device/userinfo). Returns `{ error: "invalid_token" }` on 401.
+     */
+    userinfo(accessToken: string): Promise<DeviceUserinfoResponse | {
+        error: string;
+    }>;
+}
+/**
+ * Create a Device Flow client bound to an api.viyv.io base. Non-browser clients
+ * (the Mac app) call these directly with Bearer auth — CORS does not apply.
+ */
+declare function createDeviceFlowClient(config: DeviceFlowClientConfig): DeviceFlowClient;
+
+declare const ACCOUNT_CLIENT_PACKAGE: "@viyv/account-client";
+interface AccountClientConfig {
+    /** e.g. "https://api.viyv.io" */
+    apiBase: string;
+    /**
+     * e.g. ".viyv.io". Cross-subdomain cookies are set server-side; this is kept
+     * for parity with docs/04 <AccountProvider cookieDomain> and future hooks.
+     */
+    cookieDomain?: string;
+}
+/** Result envelope returned by better-auth client calls (data or error). */
+interface AuthResult<T = unknown> {
+    data: T | null;
+    error: {
+        message?: string;
+        status?: number;
+        statusText?: string;
+    } | null;
+}
+/**
+ * Public surface of the account client. Methods are typed explicitly (rather
+ * than inferred) so the published `.d.ts` does not reference better-auth's
+ * internal module paths (TS2742 portability).
+ */
+interface AccountClient {
+    /** Raw better-auth client (escape hatch for org/session methods). */
+    raw: ReturnType<typeof createAuthClient>;
+    signUp(params: {
+        email: string;
+        password: string;
+        name?: string;
+    }): Promise<AuthResult>;
+    signIn(params: {
+        email: string;
+        password: string;
+    }): Promise<AuthResult>;
+    signOut(): Promise<AuthResult>;
+    getSession(): Promise<AuthResult>;
+}
+/**
+ * Create an account client bound to a viyv-account API base. The underlying
+ * better-auth client sends credentials so the `.viyv.io` session cookie flows
+ * cross-subdomain.
+ */
+declare function createAccountClient(config: AccountClientConfig): AccountClient;
+
+export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, createAccountClient, createDeviceFlowClient };

package/dist/index.js

@@ -0,0 +1,88 @@
+export { entitlementForProduct, parseEntitlement } from './chunk-UX6UAFIF.js';
+import { createAuthClient } from 'better-auth/client';
+
+// src/device.ts
+var DEFAULT_DEVICE_CLIENT_ID = "viyv-browser-macapp";
+var DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+function createDeviceFlowClient(config) {
+  const f = config.fetchImpl ?? fetch;
+  const clientId = config.clientId ?? DEFAULT_DEVICE_CLIENT_ID;
+  const base = config.apiBase.replace(/\/$/, "");
+  async function postJson(path, body, extraHeaders) {
+    const headers = { "content-type": "application/json" };
+    if (extraHeaders) {
+      for (const [k, v] of Object.entries(extraHeaders)) headers[k] = v;
+    }
+    const res = await f(`${base}${path}`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    });
+    return await res.json();
+  }
+  async function postForm(path, params) {
+    const res = await f(`${base}${path}`, {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(params).toString()
+    });
+    return await res.json();
+  }
+  return {
+    start: () => postJson("/v1/auth/device/start", { client_id: clientId }),
+    poll: (deviceCode) => postForm("/v1/auth/device/poll", {
+      grant_type: DEVICE_CODE_GRANT_TYPE,
+      device_code: deviceCode,
+      client_id: clientId
+    }),
+    refresh: (refreshToken) => postJson("/v1/auth/device/refresh", {
+      refresh_token: refreshToken
+    }),
+    revoke: (accessToken) => postJson(
+      "/v1/auth/device/revoke",
+      {},
+      { authorization: `Bearer ${accessToken}` }
+    ),
+    fetchLicense: async (accessToken) => {
+      const res = await f(`${base}/v1/license/current`, {
+        headers: { authorization: `Bearer ${accessToken}` }
+      });
+      return await res.json();
+    },
+    userinfo: async (accessToken) => {
+      const res = await f(`${base}/v1/auth/device/userinfo`, {
+        headers: { authorization: `Bearer ${accessToken}` }
+      });
+      if (res.status === 401) return { error: "invalid_token" };
+      return await res.json();
+    }
+  };
+}
+
+// src/index.ts
+var ACCOUNT_CLIENT_PACKAGE = "@viyv/account-client";
+function createAccountClient(config) {
+  const client = createAuthClient({
+    baseURL: config.apiBase,
+    basePath: "/v1/auth",
+    fetchOptions: { credentials: "include" }
+  });
+  return {
+    raw: client,
+    signUp: (params) => client.signUp.email({
+      email: params.email,
+      password: params.password,
+      name: params.name ?? params.email.split("@")[0] ?? params.email
+    }),
+    signIn: (params) => client.signIn.email({
+      email: params.email,
+      password: params.password
+    }),
+    signOut: () => client.signOut(),
+    getSession: () => client.getSession()
+  };
+}
+
+export { ACCOUNT_CLIENT_PACKAGE, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, createAccountClient, createDeviceFlowClient };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map