alepha 0.20.6 → 0.20.7

package/src/security/atoms/currentTenantAtom.ts

@@ -0,0 +1,34 @@
+import { $atom, t } from "alepha";
+
+/**
+ * Atom storing the active tenant for the current request.
+ *
+ * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context
+ * that sets the atom before calling tenant-scoped logic.
+ *
+ * Typically set by an app-level middleware that resolves the tenant from the
+ * request `Host` header (or another signal) and writes the resolved id to the
+ * store. Framework code that reads this atom:
+ *
+ * - Repository scoping: `withOrganization` / `stampOrganization` prefer this
+ *   value over `currentUserAtom.organization` so cross-tenant users (admins,
+ *   agency operators) are scoped to the tenant they are currently acting in
+ *   rather than the one they belong to.
+ * - Session creation: the value is persisted into the JWT as a `tenant` claim,
+ *   and the issuer resolver rejects tokens whose claim does not match the
+ *   tenant resolved from the current request.
+ *
+ * `id` is a free-form string so the framework stays neutral on tenant identity
+ * (slug, UUID, composite). Pick whatever matches the column marked with
+ * `PG_ORGANIZATION` in your entities.
+ */
+export const currentTenantAtom = $atom({
+  name: "alepha.security.tenant",
+  schema: t.optional(
+    t.object({
+      id: t.text({
+        description: "Tenant identifier (slug, UUID, or composite).",
+      }),
+    }),
+  ),
+});

package/src/security/index.browser.ts

@@ -2,6 +2,7 @@ import { $module } from "alepha";
 
 // ---------------------------------------------------------------------------------------------------------------------
 
+export * from "./atoms/currentTenantAtom.ts";
 export * from "./atoms/currentUserAtom.ts";
 export * from "./errors/InvalidCredentialsError.ts";
 export * from "./errors/InvalidPermissionError.ts";

package/src/security/index.ts

@@ -1,5 +1,6 @@
 import { $module } from "alepha";
 import type { FetchOptions } from "alepha/server";
+import { currentTenantAtom } from "./atoms/currentTenantAtom.ts";
 import { currentUserAtom } from "./atoms/currentUserAtom.ts";
 import type { UserAccountToken } from "./interfaces/UserAccountToken.ts";
 import { $issuer } from "./primitives/$issuer.ts";
@@ -13,6 +14,7 @@ import type { UserAccount } from "./schemas/userAccountInfoSchema.ts";
 // ---------------------------------------------------------------------------------------------------------------------
 
 export * from "alepha/crypto";
+export * from "./atoms/currentTenantAtom.ts";
 export * from "./atoms/currentUserAtom.ts";
 export * from "./errors/InvalidCredentialsError.ts";
 export * from "./errors/InvalidPermissionError.ts";
@@ -55,6 +57,15 @@ declare module "alepha" {
      * The current authenticated user.
      */
     "alepha.security.user"?: UserAccount;
+
+    /**
+     * The tenant the current request is acting in.
+     *
+     * Typically set by an app-level middleware from the request `Host`. When
+     * present, `Repository` scoping and session creation prefer this value
+     * over `currentUserAtom.organization`.
+     */
+    "alepha.security.tenant"?: { id: string };
   }
 }
 
@@ -100,6 +111,6 @@ declare module "alepha/server" {
 export const AlephaSecurity = $module({
   name: "alepha.security",
   primitives: [$issuer, $role, $permission],
-  atoms: [currentUserAtom],
+  atoms: [currentUserAtom, currentTenantAtom],
   services: [SecurityProvider, JwtProvider, ServerSecurityProvider],
 });

package/src/security/primitives/$issuer.ts

@@ -1,4 +1,11 @@
-import { $inject, AlephaError, createPrimitive, KIND, Primitive } from "alepha";
+import {
+  $inject,
+  Alepha,
+  AlephaError,
+  createPrimitive,
+  KIND,
+  Primitive,
+} from "alepha";
 import {
   DateTimeProvider,
   type Duration,
@@ -7,6 +14,7 @@ import {
 import { $logger } from "alepha/logger";
 import type { ServerRequest } from "alepha/server";
 import type { JSONWebKeySet, JWTPayload } from "jose";
+import { currentTenantAtom } from "../atoms/currentTenantAtom.ts";
 import { SecurityError } from "../errors/SecurityError.ts";
 import type { IssuerResolver } from "../interfaces/IssuerResolver.ts";
 import { JwtProvider } from "../providers/JwtProvider.ts";
@@ -119,6 +127,7 @@ export interface IssuerExternal {
 // ---------------------------------------------------------------------------------------------------------------------
 
 export class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {
+  protected readonly alepha = $inject(Alepha);
   protected readonly securityProvider = $inject(SecurityProvider);
   protected readonly dateTimeProvider = $inject(DateTimeProvider);
   protected readonly jwt = $inject(JwtProvider);
@@ -302,6 +311,12 @@ export class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {
       aud: this.name,
     });
 
+    // Bind the token to the tenant the request is acting in. The default JWT
+    // resolver compares this claim against `currentTenantAtom` on every
+    // request, so a token minted on `b14.club.alepha.dev` is rejected on
+    // `viska.club.alepha.dev` even when the user belongs to both.
+    const tenant = this.alepha.store.get(currentTenantAtom)?.id;
+
     const access_token = await this.jwt.create(
       {
         // jwt
@@ -318,6 +333,7 @@ export class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {
         // our claims
         organization: user.organization,
         roles: user.roles,
+        tenant,
       },
       this.name,
     );

package/src/security/providers/SecurityProvider.ts

@@ -10,6 +10,7 @@ import { $logger } from "alepha/logger";
 import { ForbiddenError } from "alepha/server";
 import type { JSONWebKeySet, JWTPayload } from "jose";
 import type { JWTVerifyOptions } from "jose/jwt/verify";
+import { currentTenantAtom } from "../atoms/currentTenantAtom.ts";
 import { currentUserAtom } from "../atoms/currentUserAtom.ts";
 import { InvalidPermissionError } from "../errors/InvalidPermissionError.ts";
 import { InvalidTokenError } from "../errors/InvalidTokenError.ts";
@@ -110,6 +111,23 @@ export class SecurityProvider {
         // Parse and validate JWT
         const { result } = await this.jwt.parse(token, realmName);
 
+        // Reject tokens whose tenant claim doesn't match the tenant resolved
+        // for the current request. Prevents a token minted on tenant A from
+        // being replayed on tenant B (subdomain spoofing, leaked bearer
+        // tokens). Tokens minted without a tenant claim (no active tenant at
+        // session creation) pass through — single-tenant apps are unaffected.
+        const claimTenant = this.getTenantFromPayload(result.payload);
+        if (claimTenant) {
+          const activeTenant = this.alepha.store.get(currentTenantAtom)?.id;
+          if (activeTenant && activeTenant !== claimTenant) {
+            this.log.warn("JWT tenant claim does not match active tenant", {
+              claim: claimTenant,
+              active: activeTenant,
+            });
+            return null;
+          }
+        }
+
         // Extract user info from JWT payload
         return this.createUserFromPayload(result.payload, realmName);
       },
@@ -927,6 +945,25 @@ export class SecurityProvider {
       return payload.organization;
     }
   }
+
+  /**
+   * Extracts the tenant id from the JWT payload, when present.
+   *
+   * Tokens minted with no active tenant (single-tenant apps, server-to-server
+   * calls before any request-scoped middleware runs) omit the claim, in which
+   * case the resolver does not enforce a tenant match.
+   */
+  public getTenantFromPayload(
+    payload: Record<string, any>,
+  ): string | undefined {
+    if (!payload) {
+      return;
+    }
+
+    if (typeof payload.tenant === "string") {
+      return payload.tenant;
+    }
+  }
 }
 
 // =====================================================================================================================

package/src/server/auth/__tests__/validateRedirectUri.spec.ts

@@ -0,0 +1,78 @@
+import { Alepha } from "alepha";
+import { describe, it } from "vitest";
+import { AlephaServerAuth } from "../index.ts";
+import { ServerAuthProvider } from "../providers/ServerAuthProvider.ts";
+
+class ProviderProbe extends ServerAuthProvider {
+  public probeValidate(uri: string) {
+    return this.validateRedirectUri(uri);
+  }
+}
+
+const setup = async (env: Record<string, string> = {}) => {
+  const alepha = Alepha.create({ env });
+  alepha.with(AlephaServerAuth);
+  alepha.with(ProviderProbe);
+  await alepha.start();
+  return alepha.inject(ProviderProbe);
+};
+
+describe("validateRedirectUri", () => {
+  describe("without COOKIE_PARENT_DOMAIN (legacy behaviour)", () => {
+    it("accepts relative paths", async ({ expect }) => {
+      const p = await setup({});
+      expect(p.probeValidate("/admin")).toBe("/admin");
+    });
+    it("rejects protocol-relative URLs", async ({ expect }) => {
+      const p = await setup({});
+      expect(p.probeValidate("//evil.com")).toBe("/");
+    });
+    it("rejects absolute URLs", async ({ expect }) => {
+      const p = await setup({});
+      expect(p.probeValidate("https://evil.com/x")).toBe("/");
+    });
+  });
+
+  describe("with COOKIE_PARENT_DOMAIN=.club.alepha.dev", () => {
+    const env = { COOKIE_PARENT_DOMAIN: ".club.alepha.dev" };
+    it("still accepts relative paths", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("/admin")).toBe("/admin");
+    });
+    it("still rejects protocol-relative URLs", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("//evil.com")).toBe("/");
+    });
+    it("rejects unrelated absolute URLs", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("https://evil.com/x")).toBe("/");
+    });
+    it("rejects http (must be https)", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("http://viscapadel.club.alepha.dev/admin")).toBe(
+        "/",
+      );
+    });
+    it("accepts subdomain under the parent domain", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("https://viscapadel.club.alepha.dev/admin")).toBe(
+        "https://viscapadel.club.alepha.dev/admin",
+      );
+    });
+    it("accepts the bare parent domain", async ({ expect }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("https://club.alepha.dev/dashboard")).toBe(
+        "https://club.alepha.dev/dashboard",
+      );
+    });
+    it("rejects look-alike domains (suffix match without dot boundary)", async ({
+      expect,
+    }) => {
+      const p = await setup(env);
+      expect(p.probeValidate("https://notclub.alepha.dev/x")).toBe("/");
+      expect(
+        p.probeValidate("https://evil-club.alepha.dev.attacker.com/x"),
+      ).toBe("/");
+    });
+  });
+});

package/src/server/auth/providers/ServerAuthProvider.ts

@@ -41,14 +41,30 @@ export class ServerAuthProvider {
   protected readonly serverLinksProvider = $inject(ServerLinksProvider);
 
   /**
-   * Validates that a redirect URI is a safe relative path.
-   * Prevents open redirect attacks by rejecting absolute URLs and protocol-relative URLs.
+   * Validates that a redirect URI is a safe relative path, or — when
+   * COOKIE_PARENT_DOMAIN is configured — an https URL whose host is the
+   * parent domain or a subdomain of it. Used by SaaS deployments where the
+   * OAuth callback dispatches users back to their tenant subdomain.
+   *
+   * Prevents open redirect attacks by rejecting any other absolute URL.
    */
   protected validateRedirectUri(uri: string): string {
-    if (!uri.startsWith("/") || uri.startsWith("//")) {
-      return "/";
+    if (uri.startsWith("/") && !uri.startsWith("//")) {
+      return uri;
     }
-    return uri;
+    const parent = this.alepha.env.COOKIE_PARENT_DOMAIN;
+    if (typeof parent === "string" && parent) {
+      try {
+        const parsed = new URL(uri);
+        const parentHost = parent.startsWith(".") ? parent.slice(1) : parent;
+        if (parsed.protocol !== "https:") return "/";
+        if (parsed.host === parentHost) return uri;
+        if (parsed.host.endsWith(`.${parentHost}`)) return uri;
+      } catch {
+        // fall through
+      }
+    }
+    return "/";
   }
 
   public get identities(): Array<AuthPrimitive> {

package/tsconfig.base.json

@@ -1,6 +1,7 @@
 {
   "compilerOptions": {
-    "module": "nodenext",
+    "module": "esnext",
+    "moduleResolution": "bundler",
     "target": "esnext",
     "strict": true,
     "jsx": "react-jsx",

package/dist/react/websocket/index.d.ts

@@ -1,117 +0,0 @@
-import { ChannelPrimitive, TWSObject } from "alepha/websocket";
-import { Static } from "alepha";
-
-//#region ../../src/react/websocket/hooks/useRoom.d.ts
-/**
- * UseRoom options
- */
-interface UseRoomOptions<TClient extends TWSObject, TServer extends TWSObject> {
-  /**
-   * Room ID to connect to
-   */
-  roomId: string;
-  /**
-   * Channel primitive defining the schemas
-   */
-  channel: ChannelPrimitive<TClient, TServer>;
-  /**
-   * Handler for incoming messages from the server
-   */
-  handler: (message: Static<TClient>) => void;
-  /**
-   * Optional WebSocket URL override
-   * Defaults to auto-detected URL based on window.location
-   */
-  url?: string;
-  /**
-   * Enable automatic reconnection on disconnect
-   * @default true
-   */
-  autoReconnect?: boolean;
-  /**
-   * Reconnection interval in milliseconds
-   * @default 3000
-   */
-  reconnectInterval?: number;
-  /**
-   * Maximum reconnection attempts (-1 for infinite)
-   * @default 10
-   */
-  maxReconnectAttempts?: number;
-  /**
-   * Called when connection is established
-   */
-  onConnect?: () => void;
-  /**
-   * Called when connection is closed
-   */
-  onDisconnect?: () => void;
-  /**
-   * Called on connection error
-   */
-  onError?: (error: Error) => void;
-}
-/**
- * UseRoom return value
- */
-interface UseRoomReturn<TServer extends TWSObject> {
-  /**
-   * Send a message to the server
-   */
-  send: (message: Static<TServer>) => Promise<void>;
-  /**
-   * Whether the connection is established
-   */
-  isConnected: boolean;
-  /**
-   * Whether the connection is in progress
-   */
-  isConnecting: boolean;
-  /**
-   * Whether there was an error
-   */
-  isError: boolean;
-  /**
-   * The error object if any
-   */
-  error?: Error;
-  /**
-   * Manually reconnect
-   */
-  reconnect: () => void;
-  /**
-   * Manually disconnect
-   */
-  disconnect: () => void;
-}
-/**
- * React hook for WebSocket room communication
- *
- * Provides automatic connection management, reconnection, and type-safe messaging
- * for WebSocket rooms using the injected WebSocketClient service.
- *
- * Multiple useRoom hooks on the same channel will share a single WebSocket connection.
- *
- * @example
- * ```tsx
- * const chat = useRoom({
- *   roomId: "room-123",
- *   channel: chatChannel,
- *   handler: (message) => {
- *     if (message.type === "append") {
- *       setMessages(prev => [...prev, message]);
- *     }
- *   }
- * }, [roomId]);
- *
- * const sendMessage = async () => {
- *   await chat.send({
- *     content: "Hello, world!"
- *   });
- * };
- * ```
- */
-declare const useRoom: <TClient extends TWSObject, TServer extends TWSObject>(options: UseRoomOptions<TClient, TServer>, deps: unknown[]) => UseRoomReturn<TServer>;
-//#endregion
-export { UseRoomOptions, UseRoomReturn, useRoom };
-//# sourceMappingURL=index.d.ts.map

package/dist/react/websocket/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../../src/react/websocket/hooks/useRoom.tsx"],"mappings":";;;;;;AASA;UAAiB,cAAA,iBACC,SAAA,kBACA,SAAA;EAFa;;;EAO7B,MAAA;EAKmC;;;EAAnC,OAAA,EAAS,gBAAA,CAAiB,OAAA,EAAS,OAAA;EA4CjB;;;EAvClB,OAAA,GAAU,OAAA,EAAS,MAAA,CAAO,OAAA;EAhBV;;;;EAsBhB,GAAA;EAXS;;;;EAiBT,aAAA;EAZ0B;;;;EAkB1B,iBAAA;EAMA;;;;EAAA,oBAAA;EAeW;;;EAVX,SAAA;EAgB4B;;;EAX5B,YAAA;EAegB;;;EAVhB,OAAA,IAAW,KAAA,EAAO,KAAA;AAAA;;;;UAMH,aAAA,iBAA8B,SAAA;EAItB;;;EAAvB,IAAA,GAAO,OAAA,EAAS,MAAA,CAAO,OAAA,MAAa,OAAA;EAUpC;;;EALA,WAAA;EAoBA;;;EAfA,YAAA;EAkDW;;;EA7CX,OAAA;EA6CiE;;;EAxCjE,KAAA,GAAQ,KAAA;EA2CO;;;EAtCf,SAAA;EAmCsB;;;EA9BtB,UAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA8BW,OAAA,mBAA2B,SAAA,kBAA2B,SAAA,EACjE,OAAA,EAAS,cAAA,CAAe,OAAA,EAAS,OAAA,GACjC,IAAA,gBACC,aAAA,CAAc,OAAA"}

package/dist/react/websocket/index.js

@@ -1,108 +0,0 @@
-import { useAlepha, useInject } from "alepha/react";
-import { WebSocketClient } from "alepha/websocket";
-import { useEffect, useRef, useState } from "react";
-//#region ../../src/react/websocket/hooks/useRoom.tsx
-/**
-* React hook for WebSocket room communication
-*
-* Provides automatic connection management, reconnection, and type-safe messaging
-* for WebSocket rooms using the injected WebSocketClient service.
-*
-* Multiple useRoom hooks on the same channel will share a single WebSocket connection.
-*
-* @example
-* ```tsx
-* const chat = useRoom({
-*   roomId: "room-123",
-*   channel: chatChannel,
-*   handler: (message) => {
-*     if (message.type === "append") {
-*       setMessages(prev => [...prev, message]);
-*     }
-*   }
-* }, [roomId]);
-*
-* const sendMessage = async () => {
-*   await chat.send({
-*     content: "Hello, world!"
-*   });
-* };
-* ```
-*/
-const useRoom = (options, deps) => {
-	const webSocketClient = useInject(WebSocketClient);
-	const unsubscribeRef = useRef(null);
-	const [isConnected, setIsConnected] = useState(false);
-	const [isConnecting, setIsConnecting] = useState(false);
-	const [isError, setIsError] = useState(false);
-	const [error, setError] = useState(void 0);
-	const { roomId, channel, handler, url, autoReconnect, reconnectInterval, maxReconnectAttempts, onConnect, onDisconnect, onError } = options;
-	const handlerRef = useRef(handler);
-	handlerRef.current = handler;
-	useEffect(() => {
-		const unsubscribe = webSocketClient.subscribe(roomId, channel, (msg) => handlerRef.current(msg), {
-			url,
-			autoReconnect,
-			reconnectInterval,
-			maxReconnectAttempts,
-			onConnect: () => {
-				setIsConnected(true);
-				setIsConnecting(false);
-				setIsError(false);
-				setError(void 0);
-				onConnect?.();
-			},
-			onDisconnect: () => {
-				setIsConnected(false);
-				setIsConnecting(false);
-				onDisconnect?.();
-			},
-			onError: (err) => {
-				setIsError(true);
-				setError(err);
-				setIsConnecting(false);
-				onError?.(err);
-			}
-		});
-		unsubscribeRef.current = unsubscribe;
-		const connection = webSocketClient.getConnection(channel);
-		if (connection) {
-			setIsConnected(connection.isConnected);
-			setIsConnecting(connection.isConnecting);
-			setIsError(connection.isError);
-			setError(connection.error);
-		}
-		return () => {
-			unsubscribe();
-			unsubscribeRef.current = null;
-		};
-	}, deps);
-	if (!useAlepha().isBrowser()) return {
-		send: async (_message) => {},
-		isConnected: false,
-		isConnecting: false,
-		isError: false,
-		error: void 0,
-		reconnect: () => {},
-		disconnect: () => {}
-	};
-	return {
-		send: async (message) => {
-			await webSocketClient.send(roomId, channel, message);
-		},
-		isConnected,
-		isConnecting,
-		isError,
-		error,
-		reconnect: () => {
-			webSocketClient.getConnection(channel)?.reconnect();
-		},
-		disconnect: () => {
-			unsubscribeRef.current?.();
-		}
-	};
-};
-//#endregion
-export { useRoom };
-
-//# sourceMappingURL=index.js.map

package/dist/react/websocket/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../../src/react/websocket/hooks/useRoom.tsx"],"sourcesContent":["import type { Static } from \"alepha\";\nimport { useAlepha, useInject } from \"alepha/react\";\nimport type { ChannelPrimitive, TWSObject } from \"alepha/websocket\";\nimport { WebSocketClient } from \"alepha/websocket\";\nimport { useEffect, useRef, useState } from \"react\";\n\n/**\n * UseRoom options\n */\nexport interface UseRoomOptions<\n  TClient extends TWSObject,\n  TServer extends TWSObject,\n> {\n  /**\n   * Room ID to connect to\n   */\n  roomId: string;\n\n  /**\n   * Channel primitive defining the schemas\n   */\n  channel: ChannelPrimitive<TClient, TServer>;\n\n  /**\n   * Handler for incoming messages from the server\n   */\n  handler: (message: Static<TClient>) => void;\n\n  /**\n   * Optional WebSocket URL override\n   * Defaults to auto-detected URL based on window.location\n   */\n  url?: string;\n\n  /**\n   * Enable automatic reconnection on disconnect\n   * @default true\n   */\n  autoReconnect?: boolean;\n\n  /**\n   * Reconnection interval in milliseconds\n   * @default 3000\n   */\n  reconnectInterval?: number;\n\n  /**\n   * Maximum reconnection attempts (-1 for infinite)\n   * @default 10\n   */\n  maxReconnectAttempts?: number;\n\n  /**\n   * Called when connection is established\n   */\n  onConnect?: () => void;\n\n  /**\n   * Called when connection is closed\n   */\n  onDisconnect?: () => void;\n\n  /**\n   * Called on connection error\n   */\n  onError?: (error: Error) => void;\n}\n\n/**\n * UseRoom return value\n */\nexport interface UseRoomReturn<TServer extends TWSObject> {\n  /**\n   * Send a message to the server\n   */\n  send: (message: Static<TServer>) => Promise<void>;\n\n  /**\n   * Whether the connection is established\n   */\n  isConnected: boolean;\n\n  /**\n   * Whether the connection is in progress\n   */\n  isConnecting: boolean;\n\n  /**\n   * Whether there was an error\n   */\n  isError: boolean;\n\n  /**\n   * The error object if any\n   */\n  error?: Error;\n\n  /**\n   * Manually reconnect\n   */\n  reconnect: () => void;\n\n  /**\n   * Manually disconnect\n   */\n  disconnect: () => void;\n}\n\n/**\n * React hook for WebSocket room communication\n *\n * Provides automatic connection management, reconnection, and type-safe messaging\n * for WebSocket rooms using the injected WebSocketClient service.\n *\n * Multiple useRoom hooks on the same channel will share a single WebSocket connection.\n *\n * @example\n * ```tsx\n * const chat = useRoom({\n *   roomId: \"room-123\",\n *   channel: chatChannel,\n *   handler: (message) => {\n *     if (message.type === \"append\") {\n *       setMessages(prev => [...prev, message]);\n *     }\n *   }\n * }, [roomId]);\n *\n * const sendMessage = async () => {\n *   await chat.send({\n *     content: \"Hello, world!\"\n *   });\n * };\n * ```\n */\nexport const useRoom = <TClient extends TWSObject, TServer extends TWSObject>(\n  options: UseRoomOptions<TClient, TServer>,\n  deps: unknown[],\n): UseRoomReturn<TServer> => {\n  const webSocketClient = useInject(WebSocketClient);\n  const unsubscribeRef = useRef<(() => void) | null>(null);\n\n  const [isConnected, setIsConnected] = useState(false);\n  const [isConnecting, setIsConnecting] = useState(false);\n  const [isError, setIsError] = useState(false);\n  const [error, setError] = useState<Error | undefined>(undefined);\n\n  const {\n    roomId,\n    channel,\n    handler,\n    url,\n    autoReconnect,\n    reconnectInterval,\n    maxReconnectAttempts,\n    onConnect,\n    onDisconnect,\n    onError,\n  } = options;\n\n  // Keep handler ref stable to avoid stale closures\n  const handlerRef = useRef(handler);\n  handlerRef.current = handler;\n\n  useEffect(() => {\n    // Subscribe to room — use ref so handler is always current\n    const unsubscribe = webSocketClient.subscribe(\n      roomId,\n      channel,\n      (msg) => handlerRef.current(msg),\n      {\n        url,\n        autoReconnect,\n        reconnectInterval,\n        maxReconnectAttempts,\n        onConnect: () => {\n          setIsConnected(true);\n          setIsConnecting(false);\n          setIsError(false);\n          setError(undefined);\n          onConnect?.();\n        },\n        onDisconnect: () => {\n          setIsConnected(false);\n          setIsConnecting(false);\n          onDisconnect?.();\n        },\n        onError: (err) => {\n          setIsError(true);\n          setError(err);\n          setIsConnecting(false);\n          onError?.(err);\n        },\n      },\n    );\n\n    unsubscribeRef.current = unsubscribe;\n\n    // Get initial state from connection\n    const connection = webSocketClient.getConnection(channel);\n    if (connection) {\n      setIsConnected(connection.isConnected);\n      setIsConnecting(connection.isConnecting);\n      setIsError(connection.isError);\n      setError(connection.error);\n    }\n\n    // Cleanup on unmount or deps change\n    return () => {\n      unsubscribe();\n      unsubscribeRef.current = null;\n    };\n  }, deps);\n\n  const alepha = useAlepha();\n\n  if (!alepha.isBrowser()) {\n    return {\n      send: async (_message: Static<TServer>) => {\n        // No-op on server\n      },\n      isConnected: false,\n      isConnecting: false,\n      isError: false,\n      error: undefined,\n      reconnect: () => {\n        // No-op on server\n      },\n      disconnect: () => {\n        // No-op on server\n      },\n    };\n  }\n\n  return {\n    send: async (message: Static<TServer>) => {\n      await webSocketClient.send(roomId, channel, message);\n    },\n    isConnected,\n    isConnecting,\n    isError,\n    error,\n    reconnect: () => {\n      const connection = webSocketClient.getConnection(channel);\n      connection?.reconnect();\n    },\n    disconnect: () => {\n      unsubscribeRef.current?.();\n    },\n  };\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuIA,MAAa,WACX,SACA,SAC2B;CAC3B,MAAM,kBAAkB,UAAU,gBAAgB;CAClD,MAAM,iBAAiB,OAA4B,KAAK;CAExD,MAAM,CAAC,aAAa,kBAAkB,SAAS,MAAM;CACrD,MAAM,CAAC,cAAc,mBAAmB,SAAS,MAAM;CACvD,MAAM,CAAC,SAAS,cAAc,SAAS,MAAM;CAC7C,MAAM,CAAC,OAAO,YAAY,SAA4B,KAAA,EAAU;CAEhE,MAAM,EACJ,QACA,SACA,SACA,KACA,eACA,mBACA,sBACA,WACA,cACA,YACE;CAGJ,MAAM,aAAa,OAAO,QAAQ;CAClC,WAAW,UAAU;CAErB,gBAAgB;EAEd,MAAM,cAAc,gBAAgB,UAClC,QACA,UACC,QAAQ,WAAW,QAAQ,IAAI,EAChC;GACE;GACA;GACA;GACA;GACA,iBAAiB;IACf,eAAe,KAAK;IACpB,gBAAgB,MAAM;IACtB,WAAW,MAAM;IACjB,SAAS,KAAA,EAAU;IACnB,aAAa;;GAEf,oBAAoB;IAClB,eAAe,MAAM;IACrB,gBAAgB,MAAM;IACtB,gBAAgB;;GAElB,UAAU,QAAQ;IAChB,WAAW,KAAK;IAChB,SAAS,IAAI;IACb,gBAAgB,MAAM;IACtB,UAAU,IAAI;;GAEjB,CACF;EAED,eAAe,UAAU;EAGzB,MAAM,aAAa,gBAAgB,cAAc,QAAQ;EACzD,IAAI,YAAY;GACd,eAAe,WAAW,YAAY;GACtC,gBAAgB,WAAW,aAAa;GACxC,WAAW,WAAW,QAAQ;GAC9B,SAAS,WAAW,MAAM;;EAI5B,aAAa;GACX,aAAa;GACb,eAAe,UAAU;;IAE1B,KAAK;CAIR,IAAI,CAFW,WAEJ,CAAC,WAAW,EACrB,OAAO;EACL,MAAM,OAAO,aAA8B;EAG3C,aAAa;EACb,cAAc;EACd,SAAS;EACT,OAAO,KAAA;EACP,iBAAiB;EAGjB,kBAAkB;EAGnB;CAGH,OAAO;EACL,MAAM,OAAO,YAA6B;GACxC,MAAM,gBAAgB,KAAK,QAAQ,SAAS,QAAQ;;EAEtD;EACA;EACA;EACA;EACA,iBAAiB;GAEf,gBADmC,cAAc,QACvC,EAAE,WAAW;;EAEzB,kBAAkB;GAChB,eAAe,WAAW;;EAE7B"}