@viyv/account-client 0.2.0 → 0.3.0

package/dist/{chunk-UX6UAFIF.js → chunk-V3SLFECG.js}

@@ -5,6 +5,7 @@ function parseEntitlement(wire) {
     plan: wire.plan,
     addons: wire.addons ?? [],
     products: wire.products ?? [],
+    productPlans: wire.product_plans ?? {},
     features: wire.features
   };
 }
@@ -12,12 +13,14 @@ function entitlementForProduct(entitlement, product) {
   if (!entitlement) return null;
   return {
     enabled: entitlement.products.includes(product),
-    plan: entitlement.plan,
+    // Per-product billing: report THIS product's own tier (free-start default),
+    // not the org-wide effective `plan`.
+    plan: entitlement.productPlans[product] ?? "free",
     addons: entitlement.addons,
     features: entitlement.features
   };
 }
 
 export { entitlementForProduct, parseEntitlement };
-//# sourceMappingURL=chunk-UX6UAFIF.js.map
-//# sourceMappingURL=chunk-UX6UAFIF.js.map
+//# sourceMappingURL=chunk-V3SLFECG.js.map
+//# sourceMappingURL=chunk-V3SLFECG.js.map

package/dist/{entitlement-B3pXM2vO.d.cts → entitlement-CfKncUyH.d.cts}

@@ -16,16 +16,24 @@ interface AccountOrg {
 /** Shape of GET /v1/license/entitlement (docs/09 A-4). */
 interface Entitlement {
     organizationId: string;
+    /**
+     * The org's effective (highest) tier across its products — a back-compat
+     * summary. Per-product billing (2026-06-13): the authoritative per-product
+     * tier is in {@link Entitlement.productPlans}.
+     */
     plan: PlanTier;
     addons: string[];
     /** Product slugs this org may use (free-start lists the agent family). */
     products: ProductSlug[];
+    /** Per-product tier (each enabled product → its plan; free-start = "free"). */
+    productPlans: Partial<Record<ProductSlug, PlanTier>>;
     features: EntitlementFeatures;
 }
 /** Per-product entitlement view returned by useEntitlement(slug). */
 interface ProductEntitlement {
     /** Whether the product is enabled for this org. */
     enabled: boolean;
+    /** THIS product's tier (per-product billing) — not the org-wide summary. */
     plan: PlanTier;
     addons: string[];
     /** The full feature map (callers branch on the flags they care about). */
@@ -37,6 +45,7 @@ interface EntitlementWire {
     plan: PlanTier;
     addons: string[];
     products: ProductSlug[];
+    product_plans?: Partial<Record<ProductSlug, PlanTier>>;
     features: EntitlementFeatures;
 }
 /** Normalize the wire payload into the camelCase {@link Entitlement}. */

package/dist/{entitlement-B3pXM2vO.d.ts → entitlement-CfKncUyH.d.ts}

@@ -16,16 +16,24 @@ interface AccountOrg {
 /** Shape of GET /v1/license/entitlement (docs/09 A-4). */
 interface Entitlement {
     organizationId: string;
+    /**
+     * The org's effective (highest) tier across its products — a back-compat
+     * summary. Per-product billing (2026-06-13): the authoritative per-product
+     * tier is in {@link Entitlement.productPlans}.
+     */
     plan: PlanTier;
     addons: string[];
     /** Product slugs this org may use (free-start lists the agent family). */
     products: ProductSlug[];
+    /** Per-product tier (each enabled product → its plan; free-start = "free"). */
+    productPlans: Partial<Record<ProductSlug, PlanTier>>;
     features: EntitlementFeatures;
 }
 /** Per-product entitlement view returned by useEntitlement(slug). */
 interface ProductEntitlement {
     /** Whether the product is enabled for this org. */
     enabled: boolean;
+    /** THIS product's tier (per-product billing) — not the org-wide summary. */
     plan: PlanTier;
     addons: string[];
     /** The full feature map (callers branch on the flags they care about). */
@@ -37,6 +45,7 @@ interface EntitlementWire {
     plan: PlanTier;
     addons: string[];
     products: ProductSlug[];
+    product_plans?: Partial<Record<ProductSlug, PlanTier>>;
     features: EntitlementFeatures;
 }
 /** Normalize the wire payload into the camelCase {@link Entitlement}. */

package/dist/index.cjs

@@ -69,6 +69,7 @@ function parseEntitlement(wire) {
     plan: wire.plan,
     addons: wire.addons ?? [],
     products: wire.products ?? [],
+    productPlans: wire.product_plans ?? {},
     features: wire.features
   };
 }
@@ -76,7 +77,9 @@ function entitlementForProduct(entitlement, product) {
   if (!entitlement) return null;
   return {
     enabled: entitlement.products.includes(product),
-    plan: entitlement.plan,
+    // Per-product billing: report THIS product's own tier (free-start default),
+    // not the org-wide effective `plan`.
+    plan: entitlement.productPlans[product] ?? "free",
     addons: entitlement.addons,
     features: entitlement.features
   };
@@ -101,6 +104,21 @@ function createAccountClient(config) {
       email: params.email,
       password: params.password
     }),
+    signInWithProvider: (provider, options) => client$1.signIn.social({
+      provider,
+      callbackURL: options.callbackURL,
+      errorCallbackURL: options.errorCallbackURL
+    }),
+    listAccounts: () => client$1.listAccounts(),
+    linkSocial: (provider, options) => client$1.linkSocial({
+      provider,
+      callbackURL: options.callbackURL,
+      errorCallbackURL: options.errorCallbackURL
+    }),
+    unlinkAccount: (params) => client$1.unlinkAccount({
+      providerId: params.providerId,
+      accountId: params.accountId
+    }),
     signOut: () => client$1.signOut(),
     getSession: () => client$1.getSession()
   };

package/dist/index.d.cts

@@ -1,7 +1,7 @@
 import { createAuthClient } from 'better-auth/client';
 import { DeviceUserinfoResponse } from '@viyv/shared';
 export { DeviceUserinfoResponse, EntitlementFeatures, PlanTier, ProductSlug } from '@viyv/shared';
-export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-B3pXM2vO.cjs';
+export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-CfKncUyH.cjs';
 
 declare const DEFAULT_DEVICE_CLIENT_ID: "viyv-browser-macapp";
 /** RFC 8628 §3.4 device_code grant type (token endpoint `grant_type`). */
@@ -85,6 +85,29 @@ interface AuthResult<T = unknown> {
         statusText?: string;
     } | null;
 }
+/** OAuth providers exposed on the hosted signin surface (app.viyv.io). */
+type SocialProvider = "google" | "github";
+interface SocialRedirectOptions {
+    /**
+     * Where the provider returns the user AFTER auth completes (success). Social
+     * login is a FULL-PAGE redirect, so this is the ONLY carrier that survives the
+     * provider round-trip — unlike the email/password path, you cannot set
+     * window.location after the call. Pass an open-redirect-validated target (the
+     * hosted signin runs `safeReturnTo()` before handing the value here).
+     */
+    callbackURL: string;
+    /** Where to send the user if the OAuth flow errors (e.g. "/signin?error=oauth"). */
+    errorCallbackURL?: string;
+}
+/** One linked credential/OAuth account, as returned by GET /list-accounts. */
+interface LinkedAccount {
+    id: string;
+    providerId: string;
+    accountId: string;
+    scopes?: string[];
+    createdAt?: string;
+    updatedAt?: string;
+}
 /**
  * Public surface of the account client. Methods are typed explicitly (rather
  * than inferred) so the published `.d.ts` does not reference better-auth's
@@ -102,6 +125,28 @@ interface AccountClient {
         email: string;
         password: string;
     }): Promise<AuthResult>;
+    /**
+     * Begin an OAuth login. NAVIGATES the browser to the provider (full-page
+     * redirect), so on success it does not resolve to a useful value — control
+     * leaves the page. `options.callbackURL` chooses where the user lands after
+     * the round-trip; the AuthResult is meaningful only for a synchronous error.
+     */
+    signInWithProvider(provider: SocialProvider, options: SocialRedirectOptions): Promise<AuthResult>;
+    /** List the signed-in user's linked accounts (credential + OAuth). */
+    listAccounts(): Promise<AuthResult<LinkedAccount[]>>;
+    /**
+     * Link an OAuth provider to the SIGNED-IN user (explicit link, not implicit).
+     * Also a full-page redirect to the provider.
+     */
+    linkSocial(provider: SocialProvider, options: SocialRedirectOptions): Promise<AuthResult>;
+    /**
+     * Unlink an OAuth/credential account from the signed-in user. Fails server-side
+     * if it would remove the user's last remaining credential.
+     */
+    unlinkAccount(params: {
+        providerId: string;
+        accountId?: string;
+    }): Promise<AuthResult>;
     signOut(): Promise<AuthResult>;
     getSession(): Promise<AuthResult>;
 }
@@ -112,4 +157,4 @@ interface AccountClient {
  */
 declare function createAccountClient(config: AccountClientConfig): AccountClient;
 
-export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, createAccountClient, createDeviceFlowClient };
+export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, type LinkedAccount, type SocialProvider, type SocialRedirectOptions, createAccountClient, createDeviceFlowClient };

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import { createAuthClient } from 'better-auth/client';
 import { DeviceUserinfoResponse } from '@viyv/shared';
 export { DeviceUserinfoResponse, EntitlementFeatures, PlanTier, ProductSlug } from '@viyv/shared';
-export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-B3pXM2vO.js';
+export { A as AccountOrg, a as AccountUser, E as Entitlement, P as ProductEntitlement, e as entitlementForProduct, p as parseEntitlement } from './entitlement-CfKncUyH.js';
 
 declare const DEFAULT_DEVICE_CLIENT_ID: "viyv-browser-macapp";
 /** RFC 8628 §3.4 device_code grant type (token endpoint `grant_type`). */
@@ -85,6 +85,29 @@ interface AuthResult<T = unknown> {
         statusText?: string;
     } | null;
 }
+/** OAuth providers exposed on the hosted signin surface (app.viyv.io). */
+type SocialProvider = "google" | "github";
+interface SocialRedirectOptions {
+    /**
+     * Where the provider returns the user AFTER auth completes (success). Social
+     * login is a FULL-PAGE redirect, so this is the ONLY carrier that survives the
+     * provider round-trip — unlike the email/password path, you cannot set
+     * window.location after the call. Pass an open-redirect-validated target (the
+     * hosted signin runs `safeReturnTo()` before handing the value here).
+     */
+    callbackURL: string;
+    /** Where to send the user if the OAuth flow errors (e.g. "/signin?error=oauth"). */
+    errorCallbackURL?: string;
+}
+/** One linked credential/OAuth account, as returned by GET /list-accounts. */
+interface LinkedAccount {
+    id: string;
+    providerId: string;
+    accountId: string;
+    scopes?: string[];
+    createdAt?: string;
+    updatedAt?: string;
+}
 /**
  * Public surface of the account client. Methods are typed explicitly (rather
  * than inferred) so the published `.d.ts` does not reference better-auth's
@@ -102,6 +125,28 @@ interface AccountClient {
         email: string;
         password: string;
     }): Promise<AuthResult>;
+    /**
+     * Begin an OAuth login. NAVIGATES the browser to the provider (full-page
+     * redirect), so on success it does not resolve to a useful value — control
+     * leaves the page. `options.callbackURL` chooses where the user lands after
+     * the round-trip; the AuthResult is meaningful only for a synchronous error.
+     */
+    signInWithProvider(provider: SocialProvider, options: SocialRedirectOptions): Promise<AuthResult>;
+    /** List the signed-in user's linked accounts (credential + OAuth). */
+    listAccounts(): Promise<AuthResult<LinkedAccount[]>>;
+    /**
+     * Link an OAuth provider to the SIGNED-IN user (explicit link, not implicit).
+     * Also a full-page redirect to the provider.
+     */
+    linkSocial(provider: SocialProvider, options: SocialRedirectOptions): Promise<AuthResult>;
+    /**
+     * Unlink an OAuth/credential account from the signed-in user. Fails server-side
+     * if it would remove the user's last remaining credential.
+     */
+    unlinkAccount(params: {
+        providerId: string;
+        accountId?: string;
+    }): Promise<AuthResult>;
     signOut(): Promise<AuthResult>;
     getSession(): Promise<AuthResult>;
 }
@@ -112,4 +157,4 @@ interface AccountClient {
  */
 declare function createAccountClient(config: AccountClientConfig): AccountClient;
 
-export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, createAccountClient, createDeviceFlowClient };
+export { ACCOUNT_CLIENT_PACKAGE, type AccountClient, type AccountClientConfig, type AuthResult, DEFAULT_DEVICE_CLIENT_ID, DEVICE_CODE_GRANT_TYPE, type DeviceFlowClient, type DeviceFlowClientConfig, type DevicePollError, type DeviceStartResponse, type DeviceTokenResponse, type LicenseCurrentResponse, type LinkedAccount, type SocialProvider, type SocialRedirectOptions, createAccountClient, createDeviceFlowClient };

package/dist/index.js

@@ -1,4 +1,4 @@
-export { entitlementForProduct, parseEntitlement } from './chunk-UX6UAFIF.js';
+export { entitlementForProduct, parseEntitlement } from './chunk-V3SLFECG.js';
 import { createAuthClient } from 'better-auth/client';
 
 // src/device.ts
@@ -78,6 +78,21 @@ function createAccountClient(config) {
       email: params.email,
       password: params.password
     }),
+    signInWithProvider: (provider, options) => client.signIn.social({
+      provider,
+      callbackURL: options.callbackURL,
+      errorCallbackURL: options.errorCallbackURL
+    }),
+    listAccounts: () => client.listAccounts(),
+    linkSocial: (provider, options) => client.linkSocial({
+      provider,
+      callbackURL: options.callbackURL,
+      errorCallbackURL: options.errorCallbackURL
+    }),
+    unlinkAccount: (params) => client.unlinkAccount({
+      providerId: params.providerId,
+      accountId: params.accountId
+    }),
     signOut: () => client.signOut(),
     getSession: () => client.getSession()
   };

package/dist/introspect.cjs

@@ -7,6 +7,7 @@ function parseEntitlement(wire) {
     plan: wire.plan,
     addons: wire.addons ?? [],
     products: wire.products ?? [],
+    productPlans: wire.product_plans ?? {},
     features: wire.features
   };
 }
@@ -59,7 +60,10 @@ function createIntrospectionClient(config) {
       try {
         raw = await res.json();
       } catch (err) {
-        return { status: "integrity_error", reason: `introspect unparseable body: ${errMessage(err)}` };
+        return {
+          status: "integrity_error",
+          reason: `introspect unparseable body: ${errMessage(err)}`
+        };
       }
       if (!raw || typeof raw !== "object") {
         return { status: "integrity_error", reason: "introspect non-object body" };
@@ -105,6 +109,65 @@ function createIntrospectionClient(config) {
       } catch (err) {
         return { status: "unavailable", reason: `entitlement unparseable body: ${errMessage(err)}` };
       }
+    },
+    async listOrgMembers(orgId) {
+      let res;
+      try {
+        res = await call(`/v1/orgs/${encodeURIComponent(orgId)}/members`, {
+          method: "GET",
+          headers: secretHeaders
+        });
+      } catch (err) {
+        return { status: "unavailable", reason: `roster transport error: ${errMessage(err)}` };
+      }
+      if (!res.ok) return { status: "unavailable", reason: `roster http ${res.status}` };
+      try {
+        const body = await res.json();
+        return {
+          status: "ok",
+          members: (body.members ?? []).map((m) => ({
+            userId: m.user_id,
+            email: m.email ?? null,
+            name: m.name ?? null,
+            role: m.role,
+            seatNo: m.seat_no ?? null
+          }))
+        };
+      } catch (err) {
+        return { status: "unavailable", reason: `roster unparseable body: ${errMessage(err)}` };
+      }
+    },
+    async listOrgTeams(orgId) {
+      let res;
+      try {
+        res = await call(`/v1/orgs/${encodeURIComponent(orgId)}/teams`, {
+          method: "GET",
+          headers: secretHeaders
+        });
+      } catch (err) {
+        return { status: "unavailable", reason: `teams transport error: ${errMessage(err)}` };
+      }
+      if (!res.ok) return { status: "unavailable", reason: `teams http ${res.status}` };
+      try {
+        const body = await res.json();
+        return {
+          status: "ok",
+          teams: (body.teams ?? []).map((t) => ({
+            id: t.id,
+            slug: t.slug,
+            name: t.name,
+            members: (t.members ?? []).map((m) => ({
+              userId: m.user_id,
+              orgMemberId: m.org_member_id,
+              teamRole: m.team_role,
+              email: m.email ?? null,
+              name: m.name ?? null
+            }))
+          }))
+        };
+      } catch (err) {
+        return { status: "unavailable", reason: `teams unparseable body: ${errMessage(err)}` };
+      }
     }
   };
 }

package/dist/introspect.d.cts

@@ -1,4 +1,4 @@
-import { E as Entitlement } from './entitlement-B3pXM2vO.cjs';
+import { E as Entitlement } from './entitlement-CfKncUyH.cjs';
 import '@viyv/shared';
 
 interface IntrospectionClientConfig {
@@ -56,12 +56,54 @@ type OrgEntitlementOutcome = {
     status: "unavailable";
     reason: string;
 };
+/** An org member resolved from the m2m roster read (camelCase). */
+interface OrgMemberInfo {
+    userId: string;
+    email: string | null;
+    name: string | null;
+    role: string;
+    seatNo: number | null;
+}
+/** A sub-team member resolved from the m2m teams read. */
+interface OrgTeamMemberInfo {
+    userId: string;
+    orgMemberId: string;
+    /** lead | member (free-text at the source; the caller maps it). */
+    teamRole: string;
+    email: string | null;
+    name: string | null;
+}
+/** A sub-team resolved from the m2m teams read. */
+interface OrgTeamInfo {
+    id: string;
+    slug: string;
+    name: string;
+    members: OrgTeamMemberInfo[];
+}
+type OrgRosterOutcome = {
+    status: "ok";
+    members: OrgMemberInfo[];
+} | {
+    status: "unavailable";
+    reason: string;
+};
+type OrgTeamsOutcome = {
+    status: "ok";
+    teams: OrgTeamInfo[];
+} | {
+    status: "unavailable";
+    reason: string;
+};
 interface IntrospectionClient {
     /** Resolve a device access token to a subject (fail-closed, see taxonomy). */
     introspectDevice(accessToken: string): Promise<IntrospectionOutcome>;
     /** Read an org's entitlement by id (m2m). */
     getOrgEntitlement(orgId: string): Promise<OrgEntitlementOutcome>;
+    /** Read an org's member roster (m2m, service secret). Names are render-time only. */
+    listOrgMembers(orgId: string): Promise<OrgRosterOutcome>;
+    /** Read an org's sub-teams + their members (m2m, service secret). */
+    listOrgTeams(orgId: string): Promise<OrgTeamsOutcome>;
 }
 declare function createIntrospectionClient(config: IntrospectionClientConfig): IntrospectionClient;
 
-export { type IntrospectionClient, type IntrospectionClientConfig, type IntrospectionOutcome, type OrgEntitlementOutcome, type ResolvedDeviceSubject, createIntrospectionClient };
+export { type IntrospectionClient, type IntrospectionClientConfig, type IntrospectionOutcome, type OrgEntitlementOutcome, type OrgMemberInfo, type OrgRosterOutcome, type OrgTeamInfo, type OrgTeamMemberInfo, type OrgTeamsOutcome, type ResolvedDeviceSubject, createIntrospectionClient };

package/dist/introspect.d.ts

@@ -1,4 +1,4 @@
-import { E as Entitlement } from './entitlement-B3pXM2vO.js';
+import { E as Entitlement } from './entitlement-CfKncUyH.js';
 import '@viyv/shared';
 
 interface IntrospectionClientConfig {
@@ -56,12 +56,54 @@ type OrgEntitlementOutcome = {
     status: "unavailable";
     reason: string;
 };
+/** An org member resolved from the m2m roster read (camelCase). */
+interface OrgMemberInfo {
+    userId: string;
+    email: string | null;
+    name: string | null;
+    role: string;
+    seatNo: number | null;
+}
+/** A sub-team member resolved from the m2m teams read. */
+interface OrgTeamMemberInfo {
+    userId: string;
+    orgMemberId: string;
+    /** lead | member (free-text at the source; the caller maps it). */
+    teamRole: string;
+    email: string | null;
+    name: string | null;
+}
+/** A sub-team resolved from the m2m teams read. */
+interface OrgTeamInfo {
+    id: string;
+    slug: string;
+    name: string;
+    members: OrgTeamMemberInfo[];
+}
+type OrgRosterOutcome = {
+    status: "ok";
+    members: OrgMemberInfo[];
+} | {
+    status: "unavailable";
+    reason: string;
+};
+type OrgTeamsOutcome = {
+    status: "ok";
+    teams: OrgTeamInfo[];
+} | {
+    status: "unavailable";
+    reason: string;
+};
 interface IntrospectionClient {
     /** Resolve a device access token to a subject (fail-closed, see taxonomy). */
     introspectDevice(accessToken: string): Promise<IntrospectionOutcome>;
     /** Read an org's entitlement by id (m2m). */
     getOrgEntitlement(orgId: string): Promise<OrgEntitlementOutcome>;
+    /** Read an org's member roster (m2m, service secret). Names are render-time only. */
+    listOrgMembers(orgId: string): Promise<OrgRosterOutcome>;
+    /** Read an org's sub-teams + their members (m2m, service secret). */
+    listOrgTeams(orgId: string): Promise<OrgTeamsOutcome>;
 }
 declare function createIntrospectionClient(config: IntrospectionClientConfig): IntrospectionClient;
 
-export { type IntrospectionClient, type IntrospectionClientConfig, type IntrospectionOutcome, type OrgEntitlementOutcome, type ResolvedDeviceSubject, createIntrospectionClient };
+export { type IntrospectionClient, type IntrospectionClientConfig, type IntrospectionOutcome, type OrgEntitlementOutcome, type OrgMemberInfo, type OrgRosterOutcome, type OrgTeamInfo, type OrgTeamMemberInfo, type OrgTeamsOutcome, type ResolvedDeviceSubject, createIntrospectionClient };

package/dist/introspect.js

@@ -1,4 +1,4 @@
-import { parseEntitlement } from './chunk-UX6UAFIF.js';
+import { parseEntitlement } from './chunk-V3SLFECG.js';
 
 // src/introspect.ts
 var DEFAULT_TIMEOUT_MS = 5e3;
@@ -48,7 +48,10 @@ function createIntrospectionClient(config) {
       try {
         raw = await res.json();
       } catch (err) {
-        return { status: "integrity_error", reason: `introspect unparseable body: ${errMessage(err)}` };
+        return {
+          status: "integrity_error",
+          reason: `introspect unparseable body: ${errMessage(err)}`
+        };
       }
       if (!raw || typeof raw !== "object") {
         return { status: "integrity_error", reason: "introspect non-object body" };
@@ -94,6 +97,65 @@ function createIntrospectionClient(config) {
       } catch (err) {
         return { status: "unavailable", reason: `entitlement unparseable body: ${errMessage(err)}` };
       }
+    },
+    async listOrgMembers(orgId) {
+      let res;
+      try {
+        res = await call(`/v1/orgs/${encodeURIComponent(orgId)}/members`, {
+          method: "GET",
+          headers: secretHeaders
+        });
+      } catch (err) {
+        return { status: "unavailable", reason: `roster transport error: ${errMessage(err)}` };
+      }
+      if (!res.ok) return { status: "unavailable", reason: `roster http ${res.status}` };
+      try {
+        const body = await res.json();
+        return {
+          status: "ok",
+          members: (body.members ?? []).map((m) => ({
+            userId: m.user_id,
+            email: m.email ?? null,
+            name: m.name ?? null,
+            role: m.role,
+            seatNo: m.seat_no ?? null
+          }))
+        };
+      } catch (err) {
+        return { status: "unavailable", reason: `roster unparseable body: ${errMessage(err)}` };
+      }
+    },
+    async listOrgTeams(orgId) {
+      let res;
+      try {
+        res = await call(`/v1/orgs/${encodeURIComponent(orgId)}/teams`, {
+          method: "GET",
+          headers: secretHeaders
+        });
+      } catch (err) {
+        return { status: "unavailable", reason: `teams transport error: ${errMessage(err)}` };
+      }
+      if (!res.ok) return { status: "unavailable", reason: `teams http ${res.status}` };
+      try {
+        const body = await res.json();
+        return {
+          status: "ok",
+          teams: (body.teams ?? []).map((t) => ({
+            id: t.id,
+            slug: t.slug,
+            name: t.name,
+            members: (t.members ?? []).map((m) => ({
+              userId: m.user_id,
+              orgMemberId: m.org_member_id,
+              teamRole: m.team_role,
+              email: m.email ?? null,
+              name: m.name ?? null
+            }))
+          }))
+        };
+      } catch (err) {
+        return { status: "unavailable", reason: `teams unparseable body: ${errMessage(err)}` };
+      }
     }
   };
 }