minutework 0.1.32 → 0.1.33

package/assets/templates/next-tenant-app/src/lib/public-site.ts

@@ -1,32 +1,11 @@
-import "server-only";
-
 import type { Metadata } from "next";
 
-import { env } from "@/lib/platform/env.server";
-
-export function isPublicContentDisabled() {
-  return env.MW_PUBLIC_CONTENT_SOURCE === "none";
-}
-
-export function buildDisabledPublicMetadata(): Metadata {
-  return {
-    robots: {
-      index: false,
-      follow: false,
-    },
-  };
-}
-
 export function resolvePublicMetadataBase() {
-  if (!env.MW_PUBLIC_BASE_URL) {
+  const value = process.env.MW_PUBLIC_BASE_URL || "";
+  if (!value) {
     return null;
   }
-
-  return new URL(
-    env.MW_PUBLIC_BASE_URL.endsWith("/")
-      ? env.MW_PUBLIC_BASE_URL
-      : `${env.MW_PUBLIC_BASE_URL}/`,
-  );
+  return new URL(value.endsWith("/") ? value : `${value}/`);
 }
 
 export function resolvePublicSiteUrl(pathname = "/") {
@@ -41,11 +20,8 @@ export function buildPublicMetadata(input: {
   description: string;
   path: string;
   siteName?: string;
-  type?: "website" | "article";
-  publishedTime?: string | null;
 }): Metadata {
   const canonicalUrl = resolvePublicSiteUrl(input.path)?.toString();
-
   return {
     title: input.title,
     description: input.description,
@@ -59,10 +35,9 @@ export function buildPublicMetadata(input: {
     openGraph: {
       title: input.title,
       description: input.description,
-      siteName: input.siteName ?? env.MW_TEMPLATE_APP_NAME,
-      type: input.type ?? "website",
+      siteName: input.siteName ?? process.env.MW_TEMPLATE_APP_NAME ?? "Tenant App",
+      type: "website",
       ...(canonicalUrl ? { url: canonicalUrl } : {}),
-      ...(input.publishedTime ? { publishedTime: input.publishedTime } : {}),
     },
     twitter: {
       card: "summary_large_image",

package/assets/templates/next-tenant-app/src/mw/client.ts

@@ -0,0 +1,18 @@
+"use client";
+
+// MinuteWork substrate. Thin layer - do not put product UI/logic here.
+
+import {
+  createIdempotencyKey,
+  createMinuteWorkClient,
+  type IdempotencyKey,
+} from "@minutework/web-auth";
+
+export const mwAppId =
+  process.env.NEXT_PUBLIC_MW_APP_ID?.trim() || "tenant.app";
+
+export const mw = createMinuteWorkClient({
+  appId: mwAppId,
+});
+
+export { createIdempotencyKey, type IdempotencyKey };

package/assets/templates/next-tenant-app/src/mw/mock.test.ts

@@ -0,0 +1,21 @@
+import { describe, expect, it } from "vitest";
+
+import { createIdempotencyKey } from "@/mw/client";
+import { createTemplateMockMinuteWorkClient } from "@/mw/mock";
+
+describe("MinuteWork SDK mock substrate", () => {
+  it("supports the template manifest query and action without platform BFF routes", async () => {
+    const client = createTemplateMockMinuteWorkClient();
+    await client.auth.verifyEmail({ token: "mock-verification-token" });
+
+    const queryResult = await client.query<{ count: number }>("demo.list", {});
+    const actionResult = await client.action<{ created: boolean }>(
+      "demo.create",
+      { title: "Created" },
+      { idempotencyKey: createIdempotencyKey("test") },
+    );
+
+    expect(queryResult.count).toBe(1);
+    expect(actionResult.created).toBe(true);
+  });
+});

package/assets/templates/next-tenant-app/src/mw/mock.ts

@@ -0,0 +1,35 @@
+"use client";
+
+// MinuteWork substrate. Thin layer - do not put product UI/logic here.
+
+import { createMockMinuteWorkClient } from "@minutework/web-auth/mock";
+
+export function createTemplateMockMinuteWorkClient() {
+  return createMockMinuteWorkClient({
+    appId: "tenant.app",
+    verified: true,
+    queryHandlers: {
+      "demo.list": () => ({
+        data: [
+          {
+            id: "demo-record-1",
+            display_label: "Demo record",
+            data: { title: "Demo record", status: "ready" },
+          },
+        ],
+        count: 1,
+      }),
+    },
+    actionHandlers: {
+      "demo.create": (payload, options) => ({
+        data: {
+          id: "demo-created",
+          display_label: String(payload.title || "Created record"),
+          data: payload,
+        },
+        created: true,
+        idempotency_key: options.idempotencyKey,
+      }),
+    },
+  });
+}

package/assets/templates/next-tenant-app/src/mw/provider.tsx

@@ -0,0 +1,17 @@
+"use client";
+
+// MinuteWork substrate. Thin layer - do not put product UI/logic here.
+
+import type { ReactNode } from "react";
+
+import { MinuteWorkProvider } from "@minutework/web-auth/react";
+
+import { mw } from "@/mw/client";
+
+export function MinuteWorkSdkProvider({ children }: { children: ReactNode }) {
+  return (
+    <MinuteWorkProvider client={mw} loadSessionOnMount>
+      {children}
+    </MinuteWorkProvider>
+  );
+}

package/assets/templates/next-tenant-app/template.json

@@ -1,7 +1,7 @@
 {
   "template_id": "next-tenant-app",
   "template_kind": "combined_web",
-  "template_profile": "platform_session_bff",
+  "template_profile": "tenant_web_auth_sdk",
   "template_bundle_ref": "runtime/builder/templates/next-tenant-app",
   "template_version": "0.3.0",
   "materialize": {
@@ -20,8 +20,8 @@
     "reference/mwv3-dj6-docs/runtime_compute_isolation_and_sandboxing_contract.md"
   ],
   "example_features": {
-    "runtime_command_demo": {
-      "default_enabled": false
+    "manifest_sdk_demo": {
+      "default_enabled": true
     }
   }
 }

package/assets/templates/next-tenant-app/template.schema.json

@@ -33,6 +33,7 @@
       "type": "string",
       "enum": [
         "platform_session_bff",
+        "tenant_web_auth_sdk",
         "bridge_internal",
         "public_dj_cms"
       ]

package/assets/templates/next-tenant-app/tools/template/validate-route-contract.mjs

@@ -15,13 +15,12 @@ const requiredPaths = [
   "src/app/login/page.tsx",
   "src/app/app/layout.tsx",
   "src/app/app/page.tsx",
-  "src/app/app/examples/runtime-commands/page.tsx",
+  "src/app/app/demo/page.tsx",
   "src/app/robots.ts",
   "src/app/sitemap.ts",
-  "src/lib/content/contracts.ts",
-  "src/lib/content/custom-adapter.ts",
-  "src/lib/content/empty-state.ts",
-  "src/lib/content/adapter.server.ts",
+  "src/mw/client.ts",
+  "src/mw/provider.tsx",
+  "src/mw/mock.ts",
 ];
 
 const missingPaths = requiredPaths.filter(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "minutework",
-  "version": "0.1.32",
+  "version": "0.1.33",
   "description": "MinuteWork CLI for workspace scaffolding, local preview workflows, and hosted preview deploys.",
   "type": "module",
   "bin": {
@@ -25,7 +25,7 @@
     "jiti": "^2.6.1",
     "zod": "^4.3.6",
     "@minutework/platform-config": "0.1.2",
-    "@minutework/schema-compiler": "0.1.4"
+    "@minutework/schema-compiler": "0.1.5"
   },
   "devDependencies": {
     "@types/node": "^24.9.1",

package/vendor/workspace-mcp/types.d.ts

@@ -356,8 +356,10 @@ export declare const SchemaStatusSchema: z.ZodObject<{
                 input_schema_key: z.ZodOptional<z.ZodNullable<z.ZodString>>;
                 output_schema_key: z.ZodOptional<z.ZodNullable<z.ZodString>>;
                 primitive: z.ZodOptional<z.ZodString>;
+                required_roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
                 schema_key: z.ZodString;
                 version: z.ZodLiteral<"ActionManifestV1">;
+                web_customer_exposed: z.ZodOptional<z.ZodBoolean>;
             }, z.core.$strict>>;
             appManifests: z.ZodArray<z.ZodObject<{
                 actions: z.ZodArray<z.ZodString>;
@@ -416,8 +418,10 @@ export declare const SchemaStatusSchema: z.ZodObject<{
                     detail: "detail";
                     list: "list";
                 }>, z.ZodLiteral<"connector">]>;
+                required_roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
                 schema_key: z.ZodString;
                 version: z.ZodLiteral<"QueryManifestV1">;
+                web_customer_exposed: z.ZodOptional<z.ZodBoolean>;
             }, z.core.$strict>>;
             releaseMetadata: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>>;
             routeManifests: z.ZodArray<z.ZodObject<{

package/assets/templates/next-tenant-app/src/app/(cms)/[...path]/page.tsx

@@ -1,89 +0,0 @@
-import type { Metadata } from "next";
-import { notFound } from "next/navigation";
-
-import { ContentStructureRenderer } from "@/features/public-shell/components/section-renderer";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getPageByPath, getSiteConfig, listPages } from "@/lib/content/adapter.server";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-
-type PageParams = { path: string[] };
-
-export async function generateStaticParams(): Promise<PageParams[]> {
-  if (isPublicContentDisabled()) {
-    return [];
-  }
-
-  const pages = await listPages("published");
-  return pages
-    .filter((p) => p.path !== "/")
-    .map((p) => ({
-      path: p.path.replace(/^\//, "").split("/").filter(Boolean),
-    }));
-}
-
-export async function generateMetadata({
-  params,
-}: {
-  params: Promise<PageParams>;
-}): Promise<Metadata> {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-
-  const { path: pathSegments } = await params;
-  const pagePath = `/${pathSegments.join("/")}`;
-  const page = await getPageByPath(pagePath);
-
-  if (!page) return {};
-
-  const seo = page.seo_metadata;
-  return buildPublicMetadata({
-    title: seo?.title ?? page.title,
-    description: seo?.description ?? page.title,
-    path: pagePath,
-  });
-}
-
-export default async function CmsPage({
-  params,
-}: {
-  params: Promise<PageParams>;
-}) {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-
-  const { path: pathSegments } = await params;
-  const pagePath = `/${pathSegments.join("/")}`;
-  const [siteConfig, page] = await Promise.all([
-    getSiteConfig(),
-    getPageByPath(pagePath),
-  ]);
-
-  if (!page || page.status === "draft") {
-    notFound();
-  }
-
-  const sections = page.content_structure?.sections ?? [];
-
-  return (
-    <PublicSiteShell siteConfig={siteConfig} activeHref={pagePath}>
-      <div className="space-y-8">
-        <div className="space-y-3">
-          <h1 className="text-3xl font-semibold tracking-tight sm:text-4xl">
-            {page.title}
-          </h1>
-        </div>
-        {sections.length > 0 ? (
-          <ContentStructureRenderer sections={sections} />
-        ) : (
-          <p className="text-muted-foreground">This page has no content yet.</p>
-        )}
-      </div>
-    </PublicSiteShell>
-  );
-}

package/assets/templates/next-tenant-app/src/app/api/auth/context/route.test.ts

@@ -1,90 +0,0 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const fetchSessionContext = vi.fn();
-const resetSessionContext = vi.fn();
-const updateSessionContext = vi.fn();
-const readPlatformAuthState = vi.fn();
-const syncPlatformAuthStateToResponse = vi.fn();
-
-vi.mock("@/lib/platform/client.server", () => ({
-  fetchSessionContext,
-  resetSessionContext,
-  updateSessionContext,
-}));
-
-vi.mock("@/lib/platform/session.server", () => ({
-  readPlatformAuthState,
-  syncPlatformAuthStateToResponse,
-}));
-
-describe("auth context route", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("proxies valid tenant context updates through the BFF", async () => {
-    const authState = { sessionId: "session-1", csrfToken: "csrf-1" };
-    const payload = {
-      authenticated: true as const,
-      user: {
-        id: "user-1",
-        username: "demo-user",
-        email: "demo@example.com",
-      },
-      active_tenant_id: "tenant-2",
-      active_tenant: {
-        tenant_id: "tenant-2",
-        tenant_slug: "beta",
-        tenant_name: "Beta",
-        role: "member",
-      },
-      memberships: [
-        {
-          tenant_id: "tenant-2",
-          tenant_slug: "beta",
-          tenant_name: "Beta",
-          role: "member",
-        },
-      ],
-    };
-
-    readPlatformAuthState.mockResolvedValue(authState);
-    updateSessionContext.mockResolvedValue({
-      data: payload,
-      authState: authState,
-    });
-
-    const route = await import("./route");
-    const response = await route.PUT(
-      new Request("http://localhost/api/auth/context", {
-        method: "PUT",
-        headers: { "content-type": "application/json" },
-        body: JSON.stringify({ tenant_id: "tenant-2" }),
-      }),
-    );
-
-    expect(updateSessionContext).toHaveBeenCalledWith(authState, {
-      tenant_id: "tenant-2",
-    });
-    expect(syncPlatformAuthStateToResponse).toHaveBeenCalledWith(
-      response,
-      authState,
-      authState,
-    );
-    expect(response.status).toBe(200);
-    await expect(response.json()).resolves.toEqual(payload);
-  });
-
-  it("returns 401 when the browser has no stored platform session", async () => {
-    readPlatformAuthState.mockResolvedValue({
-      sessionId: null,
-      csrfToken: "csrf-1",
-    });
-
-    const route = await import("./route");
-    const response = await route.DELETE();
-
-    expect(resetSessionContext).not.toHaveBeenCalled();
-    expect(response.status).toBe(401);
-  });
-});

package/assets/templates/next-tenant-app/src/app/api/auth/context/route.ts

@@ -1,78 +0,0 @@
-import { NextResponse } from "next/server";
-
-import {
-  fetchSessionContext,
-  resetSessionContext,
-  updateSessionContext,
-} from "@/lib/platform/client.server";
-import { tenantSessionContextRequestSchema } from "@/lib/platform/contracts";
-import { toPlatformErrorResponse } from "@/lib/platform/route-response";
-import {
-  readPlatformAuthState,
-  syncPlatformAuthStateToResponse,
-} from "@/lib/platform/session.server";
-
-function unauthorizedResponse() {
-  return NextResponse.json({ detail: "Authentication required." }, { status: 401 });
-}
-
-export async function GET() {
-  const authState = await readPlatformAuthState();
-
-  if (!authState.sessionId) {
-    return unauthorizedResponse();
-  }
-
-  try {
-    const result = await fetchSessionContext(authState);
-    const response = NextResponse.json(result.data, { status: 200 });
-    syncPlatformAuthStateToResponse(response, authState, result.authState);
-    return response;
-  } catch (error) {
-    return toPlatformErrorResponse(error, "Unable to load tenant context.", authState);
-  }
-}
-
-export async function PUT(request: Request) {
-  const authState = await readPlatformAuthState();
-
-  if (!authState.sessionId) {
-    return unauthorizedResponse();
-  }
-
-  const body = await request.json().catch(() => null);
-  const parsed = tenantSessionContextRequestSchema.safeParse(body);
-
-  if (!parsed.success) {
-    return NextResponse.json(
-      { detail: "Invalid tenant context payload." },
-      { status: 400 },
-    );
-  }
-
-  try {
-    const result = await updateSessionContext(authState, parsed.data);
-    const response = NextResponse.json(result.data, { status: 200 });
-    syncPlatformAuthStateToResponse(response, authState, result.authState);
-    return response;
-  } catch (error) {
-    return toPlatformErrorResponse(error, "Unable to update tenant context.", authState);
-  }
-}
-
-export async function DELETE() {
-  const authState = await readPlatformAuthState();
-
-  if (!authState.sessionId) {
-    return unauthorizedResponse();
-  }
-
-  try {
-    const result = await resetSessionContext(authState);
-    const response = NextResponse.json(result.data, { status: 200 });
-    syncPlatformAuthStateToResponse(response, authState, result.authState);
-    return response;
-  } catch (error) {
-    return toPlatformErrorResponse(error, "Unable to reset tenant context.", authState);
-  }
-}

package/assets/templates/next-tenant-app/src/app/api/auth/login/route.ts

@@ -1,31 +0,0 @@
-import { NextResponse } from "next/server";
-
-import { loginWithPassword } from "@/lib/platform/client.server";
-import { loginRequestSchema } from "@/lib/platform/contracts";
-import { toPlatformErrorResponse } from "@/lib/platform/route-response";
-import {
-  readPlatformAuthState,
-  syncPlatformAuthStateToResponse,
-} from "@/lib/platform/session.server";
-
-export async function POST(request: Request) {
-  const authState = await readPlatformAuthState();
-  const body = await request.json().catch(() => null);
-  const parsed = loginRequestSchema.safeParse(body);
-
-  if (!parsed.success) {
-    return NextResponse.json(
-      { detail: "Invalid login payload." },
-      { status: 400 },
-    );
-  }
-
-  try {
-    const result = await loginWithPassword(authState, parsed.data);
-    const response = NextResponse.json({ authenticated: true }, { status: 200 });
-    syncPlatformAuthStateToResponse(response, authState, result.authState);
-    return response;
-  } catch (error) {
-    return toPlatformErrorResponse(error, "Unable to sign in.", authState);
-  }
-}

package/assets/templates/next-tenant-app/src/app/api/auth/logout/route.ts

@@ -1,16 +0,0 @@
-import { NextResponse } from "next/server";
-
-import { logoutPlatformSession } from "@/lib/platform/client.server";
-import {
-  clearPlatformSessionFromResponse,
-  readPlatformAuthState,
-} from "@/lib/platform/session.server";
-
-export async function POST() {
-  const authState = await readPlatformAuthState();
-  await logoutPlatformSession(authState).catch(() => null);
-
-  const response = new NextResponse(null, { status: 204 });
-  clearPlatformSessionFromResponse(response);
-  return response;
-}

package/assets/templates/next-tenant-app/src/app/api/auth/password-change/route.test.ts

@@ -1,79 +0,0 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const changePassword = vi.fn();
-const readPlatformAuthState = vi.fn();
-const syncPlatformAuthStateToResponse = vi.fn();
-
-vi.mock("@/lib/platform/client.server", () => ({
-  changePassword,
-}));
-
-vi.mock("@/lib/platform/session.server", () => ({
-  readPlatformAuthState,
-  syncPlatformAuthStateToResponse,
-}));
-
-describe("password change route", () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it("rejects invalid password payloads before proxying upstream", async () => {
-    readPlatformAuthState.mockResolvedValue({
-      sessionId: "session-1",
-      csrfToken: "csrf-1",
-    });
-
-    const route = await import("./route");
-    const response = await route.POST(
-      new Request("http://localhost/api/auth/password-change", {
-        method: "POST",
-        headers: { "content-type": "application/json" },
-        body: JSON.stringify({
-          current_password: "old",
-          new_password: "new-password",
-          confirm_password: "different-password",
-        }),
-      }),
-    );
-
-    expect(changePassword).not.toHaveBeenCalled();
-    expect(response.status).toBe(400);
-  });
-
-  it("proxies valid password changes through the BFF", async () => {
-    const authState = { sessionId: "session-1", csrfToken: "csrf-1" };
-
-    readPlatformAuthState.mockResolvedValue(authState);
-    changePassword.mockResolvedValue({
-      data: { has_password: true },
-      authState,
-    });
-
-    const route = await import("./route");
-    const response = await route.POST(
-      new Request("http://localhost/api/auth/password-change", {
-        method: "POST",
-        headers: { "content-type": "application/json" },
-        body: JSON.stringify({
-          current_password: "old-password",
-          new_password: "new-password",
-          confirm_password: "new-password",
-        }),
-      }),
-    );
-
-    expect(changePassword).toHaveBeenCalledWith(authState, {
-      current_password: "old-password",
-      new_password: "new-password",
-      confirm_password: "new-password",
-    });
-    expect(syncPlatformAuthStateToResponse).toHaveBeenCalledWith(
-      response,
-      authState,
-      authState,
-    );
-    expect(response.status).toBe(200);
-    await expect(response.json()).resolves.toEqual({ has_password: true });
-  });
-});

package/assets/templates/next-tenant-app/src/app/api/auth/password-change/route.ts

@@ -1,40 +0,0 @@
-import { NextResponse } from "next/server";
-
-import { changePassword } from "@/lib/platform/client.server";
-import { passwordChangeRequestSchema } from "@/lib/platform/contracts";
-import { toPlatformErrorResponse } from "@/lib/platform/route-response";
-import {
-  readPlatformAuthState,
-  syncPlatformAuthStateToResponse,
-} from "@/lib/platform/session.server";
-
-export async function POST(request: Request) {
-  const authState = await readPlatformAuthState();
-
-  if (!authState.sessionId) {
-    return NextResponse.json({ detail: "Authentication required." }, { status: 401 });
-  }
-
-  const body = await request.json().catch(() => null);
-  const parsed = passwordChangeRequestSchema.safeParse(body);
-
-  if (!parsed.success) {
-    return NextResponse.json(
-      { detail: "Invalid password change payload." },
-      { status: 400 },
-    );
-  }
-
-  try {
-    const result = await changePassword(authState, parsed.data);
-    const response = NextResponse.json(result.data, { status: 200 });
-    syncPlatformAuthStateToResponse(response, authState, result.authState);
-    return response;
-  } catch (error) {
-    return toPlatformErrorResponse(
-      error,
-      "Unable to change password.",
-      authState,
-    );
-  }
-}