minutework 0.1.36 → 0.1.38

package/EXTERNAL_ALPHA.md

@@ -63,6 +63,11 @@ the same source so they cannot drift) plus exported `skills/` guidance so the
 local coding agent sees the combined-web, mobile standalone-client,
 snapshot-delivery, and `mw.core.site` baseline workflow. Claude Code reads
 `CLAUDE.md`; Codex and other IDE agents read `AGENTS.md`.
+The generated capability-gap guidance is JSON-first and platform-submitted:
+agents record sanitized gaps in
+`.minutework/runtime/capability-gap-report.json`, run `minutework gaps submit`
+for likely reusable substrate gaps, and do not use GitHub credentials or create
+GitHub Issues/PRs from the generated workspace.
 The exported guidance includes a project-orientation fast path so broad
 questions like "what is this project about?", "what can we build?", and "can we
 make an existing product agentic?" route through the relevant skills in one

package/README.md

@@ -12,6 +12,9 @@ The current external alpha is intentionally narrow:
 - Developer-local broker surface: `minutework session start|resume|status`
 - Hosted release class: `ssr_container`
 - Deploy surface: `minutework deploy --preview`
+- Capability gap queue: `minutework gaps submit|status` sends sanitized
+  generated-workspace gap reports to platform `BuilderCapabilityRequest`
+  records; GitHub Issue/PR promotion is server-side follow-up automation
 - Deferred: `--live`, additional local coding engines, sidecar/runtime-backed deploys, and the commercial marketplace listing/pricing layer
 - Marketplace publish: `minutework publish` submits the compiled, digest-bound app pack through the platform publication-review + attestation gate and publishes it to the public marketplace catalog **only** on an approved (or approved-with-warnings) attestation; a rejected attestation prints the review findings and exits 1 without publishing
 
@@ -96,6 +99,10 @@ minutework session resume
   to the combined web, mobile, published-site, runtime-agent, OSS-adoption, and
   ontology workflows. Claude Code reads `CLAUDE.md`; Codex and other IDE agents
   read `AGENTS.md`.
+- Generated guidance tells Claude/Codex/Cursor to record capability gaps as
+  sanitized JSON first, submit likely reusable gaps with `minutework gaps
+  submit`, and avoid direct GitHub Issue/PR workflows from the generated
+  workspace.
 - Broad project questions route through a project-orientation fast path so the
   agent can answer "what is this project about?" or "can we make an existing
   product agentic?" without the user naming individual skills.
@@ -128,12 +135,12 @@ For direct third-party web hosts such as Vercel, deploy `tenant-app` only. In Ve
 
 ## Machine-readable output (`--json`)
 
-`validate`, `compile`, `codegen`, and `deploy --preview` accept `--json` so an IDE coding agent can drive them unattended and parse one stable shape. With `--json` the command prints a single result envelope to stdout and nothing else:
+`validate`, `compile`, `codegen`, `deploy --preview`, `publish`, and `gaps` accept `--json` so an IDE coding agent can drive them unattended and parse one stable shape. With `--json` the command prints a single result envelope to stdout and nothing else:
 
 ```json
 {
   "cliJsonVersion": 1,
-  "command": "validate | compile | codegen | deploy",
+  "command": "validate | compile | codegen | deploy | publish | gaps",
   "ok": true,
   "status": "ok | compiled | generated | activated | failed | rolled_back | confirmation_required | not_implemented | error",
   "result": {},
@@ -142,7 +149,7 @@ For direct third-party web hosts such as Vercel, deploy `tenant-app` only. In Ve
 ```
 
 - `ok` mirrors the process exit code: `0` when `ok` is `true`, non-zero otherwise (fail-closed).
-- `result` is the typed payload — the validate report (`validate`), the compile graph (`compile` / `codegen`), or the terminal deploy receipt (`deploy`).
+- `result` is the typed payload — the validate report (`validate`), the compile graph (`compile` / `codegen`), the terminal deploy receipt (`deploy`), publish review status (`publish`), or platform capability request status (`gaps`).
 - `deploy --preview --json` runs unattended and never prompts. Pair it with `--yes` to authorize the deploy; without `--yes` it returns `status: "confirmation_required"` (exit 1) instead of blocking on a prompt.
 - In `--json` mode the automatic diagnostic report is suppressed — the envelope and exit code are the whole contract.
 
@@ -161,7 +168,8 @@ CLI failures automatically send a sanitized diagnostic report to the MinuteWork
 
 - Node.js 18 or newer
 - [Poetry](https://python-poetry.org/) on `PATH` when your workspace includes the FastAPI sidecar and you plan to run it locally (then run `pnpm run install:sidecar` or `cd sidecar && poetry install`)
-- A MinuteWork platform that exposes the developer CLI auth and public-site preview deploy endpoints
+- A MinuteWork platform that exposes developer CLI auth, public-site preview
+  deploy, and developer Builder capability-request endpoints
 - An auth profile with interactive developer access, or a deploy token that includes `deploy.preview.request`
 
 If the hosted preview provider is not configured, preview deploy returns a typed failure or rollback-preserved receipt instead of a fake success.

package/assets/claude-local/CLAUDE.md.template

@@ -9,11 +9,22 @@ private authenticated workspace under `/app`.
 It uses `@minutework/web-auth` through a thin `src/mw/` substrate and
 same-origin `/_mw` routes; do not add per-app auth/gateway BFF routes or
 browser-stored tokens.
+For web password auth ergonomics, call `signUp` / `signInWithPassword` from
+`@minutework/web-auth`; these are cookie-backed web aliases and do not return
+access or refresh tokens. Use `useMinuteWorkSession().status` for guards with
+this precedence: `loading` -> `verification_required` -> `authenticated` ->
+`unauthenticated`.
 
 `mobile` is the standalone Expo/React Native client starter. It talks directly
 to the platform with native device-flow auth and bearer tokens; it is not a
 `tenant-app` web SDK cookie client and not a `sidecar`. It ships through the
 developer's own EAS/App Store/Play Store pipeline, not `minutework deploy`.
+Mobile may use `@minutework/native-auth` `signInWithPassword`, but that method
+returns/stores a native access/refresh token pair. Set
+`EXPO_PUBLIC_MW_TENANT_ID` to the non-secret tenant UUID so native password and
+browser-assisted flows send tenant context. The same method name in
+`@minutework/web-auth` is same-origin cookie auth for tenant web and does not
+return tokens.
 
 ## Refresh Managed Guidance
 
@@ -39,6 +50,16 @@ coding agent can use them as reference: browse `skills/` and read the relevant
 automatically and `/skill-name` invokes one directly; other agents (Codex,
 Cursor) can open the files directly or ask "What skills are available?".
 
+## Capability Gaps
+
+When a request exposes missing shared MinuteWork substrate, read
+`skills/capability-gap-reporting/SKILL.md`. Inspect runtime/platform truth
+first, write sanitized JSON to
+`.minutework/runtime/capability-gap-report.json`, then submit likely reusable
+gaps with `minutework gaps submit`. Do not use GitHub credentials, create
+GitHub Issues, or open GitHub PRs from this generated workspace; the platform
+`BuilderCapabilityRequest` queue is the trusted handoff.
+
 ## Project Orientation Fast Path
 
 When the user asks broad context questions like "what is this project about?",

package/assets/claude-local/skills/README.md

@@ -17,6 +17,10 @@ receive:
 - `tenant-app` is the combined public plus private web starter
 - `tenant-app` auth/data uses `@minutework/web-auth` and thin `src/mw/`
   substrate, not per-app auth/gateway BFF routes
+- `tenant-app` uses cookie-backed `signUp` / `signInWithPassword` aliases and
+  `useMinuteWorkSession().status`; mobile uses `@minutework/native-auth`
+  bearer-token storage for its same-named password method and sends the
+  configured `EXPO_PUBLIC_MW_TENANT_ID` tenant context
 - `mw.core.site` is a runtime baseline capability
 - tenant public authoring is runtime/CMS-backed through `mw.core.site`
 - Vuilder-owned public sites use `vuilder-public-site` and public-dj CMS
@@ -27,6 +31,9 @@ receive:
 - tenant-specific extensions belong in adjacent schemas or extension packs
 - per-customer deliverables usually come from runtime content/workflow, not a
   fresh product rebuild
+- reusable capability gaps are JSON-first and platform-submitted with
+  `minutework gaps submit`; generated workspaces do not open GitHub Issues or
+  PRs directly
 
 Generated-workspace-first guidance should live here, especially:
 

package/assets/claude-local/skills/app-pack-authoring/SKILL.md

@@ -27,6 +27,14 @@ An `app pack` is the shipped product unit.
 - The template may render a local `/login` page that calls SDK hooks. The SDK
   also exposes hosted UI helpers for same-origin `/_mw/login`,
   `/_mw/signup`, and `/_mw/verify-email`; both choices remain SDK-only.
+- For Supabase-like naming, web product UI may call
+  `signUp` / `signInWithPassword` from `@minutework/web-auth`. In `tenant-app`
+  these aliases remain cookie-backed web customer auth and do not return
+  bearer tokens.
+- Use `useMinuteWorkSession().status` for web guards instead of hand-rolled
+  `loading && !authenticated` branches. Status precedence is `loading` ->
+  `verification_required` -> `authenticated` -> `unauthenticated`; keep
+  request errors separate from status.
 - Client-side `/app` session checks are UX gating only. Real authorization is
   enforced server-side by platform `/_mw` routes and runtime dispatch checks:
   active customer membership, email verification, app publication, and
@@ -39,6 +47,12 @@ An `app pack` is the shipped product unit.
 - The authenticated `tenant-app` principal is `tenant_customer`. Do not model
   the generated customer app as an operator/platform-session app, and do not
   persist bearer/session/runtime tokens in browser JavaScript.
+- Native/mobile password auth belongs in `@minutework/native-auth`, not
+  `tenant-app`. Its `signInWithPassword(...)` method shares the web alias name
+  but returns/stores a native bearer access/refresh token pair for the platform
+  native API. Configure `EXPO_PUBLIC_MW_TENANT_ID` with the non-secret tenant
+  UUID so native password and browser-assisted flows send explicit tenant
+  context.
 - Use `sidecar` for internal APIs, workers, integrations, or Python-heavy compute.
 - For member-facing collaboration and operator workflows, check shell fit first
   before proposing standalone `tenant-app` routes or dashboards.

package/assets/claude-local/skills/capability-gap-reporting/SKILL.md

@@ -8,9 +8,43 @@ description: "A request does not cleanly fit current MinuteWork substrate and a
 Use this skill when a generated workspace discovers that the requested
 implementation does not cleanly fit current MinuteWork substrate.
 
+## Workflow
+
+1. Inspect available runtime/platform truth first:
+   - read the workspace MCP capability inventory and snapshot;
+   - check existing skills before inventing new substrate;
+   - prefer shipped MinuteWork primitives, baseline capabilities, app packs,
+     overlays, or reviewed skills when they already fit.
+2. Record the gap locally in
+   `.minutework/runtime/capability-gap-report.json` using the sanitized JSON
+   shape below.
+3. Submit likely reusable gaps to the platform queue:
+
+   ```bash
+   minutework gaps submit
+   ```
+
+   Use `minutework gaps submit --gap <gapId>` for one gap, and
+   `minutework gaps submit --all` only when the developer intentionally wants
+   tenant-local gaps submitted too.
+4. Check queue state with:
+
+   ```bash
+   minutework gaps status
+   ```
+
+Platform `BuilderCapabilityRequest` records are the trusted queue for reusable
+substrate requests. GitHub Issues and PRs are a later server-side automation
+step after Codex reviews the submitted platform record against the monorepo.
+Generated workspaces must not use GitHub credentials, create GitHub Issues,
+open GitHub PRs, or require monorepo permissions for capability gaps.
+
+## JSON Report
+
 - Record architecture gaps in `.minutework/runtime/capability-gap-report.json`.
 - Keep the report sanitized and tenant-safe. Do not include secrets, raw
-  prompts, private provider responses, or full payload copies.
+  prompts, private provider responses, full payload copies, absolute local
+  paths, env values, or source diffs.
 - Use the `MinuteWorkCapabilityGapReportV1` shape:
   - `version`
   - `generatedAt`
@@ -52,5 +86,12 @@ implementation does not cleanly fit current MinuteWork substrate.
   - `attached_app` when the right home is an attached-app integration surface
     rather than shared core substrate.
 - Prefer one concrete gap per missing shared capability.
-- Use gap reports to tell humans where MinuteWork needs new substrate. Do not
-  treat them as automatic implementation instructions.
+- Use gap reports to tell MinuteWork where shared substrate may be missing. Do
+  not treat them as automatic implementation instructions.
+- `minutework gaps submit` submits only `reusability: "likelyReusable"` gaps by
+  default and fails closed on missing auth, missing link, invalid reports, or
+  platform rejection.
+- The first slice stops at platform records:
+  `Builder agent -> gap JSON -> minutework gaps submit -> BuilderCapabilityRequest`.
+- Later automation may validate accepted requests, create or link GitHub Issues,
+  open PRs, and mark platform records resolved after protected-branch merge.

package/assets/claude-local/skills/generated-workspace-architecture/SKILL.md

@@ -32,6 +32,13 @@ the monorepo or a live tenant runtime.
 - A local `/login` page may call SDK hooks, while SDK hosted UI helpers point
   to same-origin `/_mw/login`, `/_mw/signup`, and `/_mw/verify-email`; both
   are valid only when they stay on the SDK/`/_mw` contract.
+- For Supabase-like naming in `tenant-app`, prefer
+  `signUp` / `signInWithPassword` from `@minutework/web-auth`. These are web
+  aliases over the same cookie-backed customer session; they do not return
+  access or refresh tokens.
+- Use `useMinuteWorkSession().status` for web app guards. Its precedence is
+  `loading` -> `verification_required` -> `authenticated` ->
+  `unauthenticated`; keep `error` as a separate field.
 - Client-side app guards are UX only. Platform `/_mw` routes and runtime
   dispatch enforce active customer membership, email verification, app
   publication, and manifest exposure server-side.
@@ -45,6 +52,13 @@ the monorepo or a live tenant runtime.
   platform-issued native session token, rather than the `tenant-app` web SDK /
   hosted-cookie session. The mobile starter remains npm-owned standalone app
   code and should not be added to the generated root `pnpm-workspace.yaml`.
+- Mobile may call `@minutework/native-auth` `signInWithPassword(...)`, but this
+  is native/member password auth that returns and stores a bearer access/refresh
+  token pair through the starter's secure storage. Configure
+  `EXPO_PUBLIC_MW_TENANT_ID` with the non-secret tenant UUID so native password
+  and browser-assisted flows send explicit tenant context. Do not copy
+  tenant-app web auth code into mobile, and do not expect the web SDK's
+  same-named method to return tokens.
 - If the `mobile` starter is enabled (`starters.mobile.enabled`), read
   `standalone-mobile-client/SKILL.md` before proposing the mobile surface.
 - `vuilder-public-site` is a Vuilder-owned public-site authoring workspace for

package/assets/claude-local/skills/standalone-mobile-client/SKILL.md

@@ -80,10 +80,26 @@ The native token flow mirrors the existing CLI developer-token flow
    freshly returned pair. Re-run the browser-assisted authorize step only when
    the refresh token itself is invalid or revoked.
 
+The native SDK also exposes `signInWithPassword({ email, password, tenantId? })`
+for member password sign-in. That method posts credentials to the native
+password-grant endpoint, persists the returned access/refresh pair through the
+starter's secure storage adapter, and returns a `NativeTokenPair`.
+The generated Expo starter wires `tenantId` from `EXPO_PUBLIC_MW_TENANT_ID`, a
+non-secret tenant UUID. Keep that configured and pass it through password and
+browser-assisted authorize flows; tenant membership is still enforced by the
+platform before a token pair is issued.
+
 The `tenant-app` web SDK / hosted-cookie path is **web-only**. The mobile app
 does not ride the `tenant-app` cookie jar, and it does not read or forward
 CSRF -- native uses the bearer token directly against the platform.
 
+`@minutework/web-auth` and `@minutework/native-auth` intentionally share the
+`signInWithPassword` name for developer ergonomics, but the mechanisms are
+different. Web `signInWithPassword` sets/uses same-origin cookies and returns a
+tenant customer session. Native `signInWithPassword` returns/stores a bearer
+access/refresh token pair. Do not copy code between those surfaces without
+switching SDKs and session expectations.
+
 ### Token binding (what is and isn't enforced)
 
 The token is bound to one tenant + membership, and that binding **is** enforced:

package/assets/templates/mobile-app/.env.example

@@ -14,5 +14,10 @@
 # The app calls /api/v1/native/... here.
 EXPO_PUBLIC_MW_PLATFORM_BASE_URL=https://<your-platform-base-url>
 
+# Non-secret tenant UUID this native app signs into. Native password sign-in
+# requires an explicit tenant context, and the browser-assisted authorize flow
+# sends this value too.
+EXPO_PUBLIC_MW_TENANT_ID=00000000-0000-0000-0000-000000000000
+
 # Optional display name shown in the UI. Defaults to "MinuteWork".
 # EXPO_PUBLIC_MW_APP_NAME=MinuteWork

package/assets/templates/mobile-app/AGENTS.md

@@ -37,11 +37,17 @@ flow).
 ## Status
 
 `src/mw/client.ts` and `src/mw/session.ts` are **implemented**: a real
-browser-assisted PKCE device flow against the platform native session endpoints
-(`/api/v1/native/session/*`), with tokens persisted in the device keychain via
-`expo-secure-store`. Wire your UI against the documented client methods
-(`authorize` -> `exchange`, `loadSession`, `logout`). Set `app.json` `expo.scheme`
-to your own unique scheme — that is the OAuth-style redirect target.
+native password sign-in method plus a browser-assisted PKCE device flow against
+the platform native session endpoints (`/api/v1/native/session/*`), with tokens
+persisted in the device keychain via `expo-secure-store`. Wire your UI against
+the documented client methods (`signInWithPassword`, `authorize` -> `exchange`,
+`loadSession`, `logout`). `signInWithPassword` here returns/stores a native
+bearer token pair; the same method name in `@minutework/web-auth` is
+cookie-backed web auth and does not return tokens. Set
+`EXPO_PUBLIC_MW_TENANT_ID` to the non-secret tenant UUID; the starter passes it
+as tenant context for both password sign-in and browser-assisted authorize. Set
+`app.json` `expo.scheme` to your own unique scheme — that is the OAuth-style
+redirect target for the browser-assisted flow.
 
 The starter is standalone npm-owned app code, even when generated beside
 `tenant-app` in a root pnpm workspace. Run mobile commands from `mobile/` with

package/assets/templates/mobile-app/README.md

@@ -13,7 +13,7 @@ plain screens use `StyleSheet` only so there is nothing to rip out.
 
 | Path | Owner | Notes |
 | --- | --- | --- |
-| `src/mw/env.ts` | **MinuteWork substrate** | Validates `EXPO_PUBLIC_MW_PLATFORM_BASE_URL` (+ optional app name) |
+| `src/mw/env.ts` | **MinuteWork substrate** | Validates `EXPO_PUBLIC_MW_PLATFORM_BASE_URL`, `EXPO_PUBLIC_MW_TENANT_ID` (+ optional app name) |
 | `src/mw/endpoints.ts` | **MinuteWork substrate** | Builds platform `/api/v1/native/...` URLs |
 | `src/mw/contracts.ts` | **MinuteWork substrate** | Zod schemas for native session + token payloads |
 | `src/mw/client.ts` | **MinuteWork substrate** | Native token client — real browser-assisted PKCE device flow |
@@ -43,6 +43,12 @@ This app authenticates as a **direct platform native client**:
   `Authorization: Bearer <access>`, and on `401` mints a fresh pair at
   `POST /api/v1/native/session/refresh/` (rotating — persist the new pair) before
   retrying. `POST /api/v1/native/session/logout/` revokes the token family.
+- `mwClient.signInWithPassword({ email, password })` is also available for
+  native/member password sign-in. The starter injects
+  `EXPO_PUBLIC_MW_TENANT_ID` as `tenantId` because the native password-grant
+  endpoint requires explicit tenant context. It stores the returned
+  access/refresh pair through `src/mw/session.ts` and returns that native token
+  pair.
 
 This is **NOT** the Next.js `tenant-app` model. The tenant-app uses a
 server-owned **BFF session cookie** (`platform_session_bff`) because a browser
@@ -52,6 +58,11 @@ token instead of a cookie. **Do not** try to reuse the BFF cookie path here, and
 **do not** build a parallel/local auth stack (no JWT minting, no local user
 table) — the platform owns identity.
 
+The web and native SDKs intentionally share the `signInWithPassword` name, but
+the mechanism is different: `@minutework/web-auth` sets/uses a same-origin web
+cookie and returns a tenant customer session; `@minutework/native-auth` stores
+and returns a bearer-token pair for the native platform API.
+
 The token is bound to a single tenant + membership, and that binding **is**
 enforced. The optional `audience` and `device_id` fields are **informational
 only**: the platform carries them through the flow but does **not** validate or
@@ -61,9 +72,13 @@ compare them, so do not rely on them as a security boundary.
 
 `src/mw/client.ts` and `src/mw/session.ts` are **implemented**. The client:
 
-- generates a PKCE `code_verifier` + S256 `code_challenge` (`expo-crypto`),
+- signs in with member credentials through `signInWithPassword(...)` when you
+  choose the native password flow, sending the configured tenant UUID,
+- generates a PKCE `code_verifier` + S256 `code_challenge` (`expo-crypto`) when
+  you choose the browser-assisted flow,
 - opens the platform `authorize` URL in a system browser
-  (`expo-web-browser`'s `openAuthSessionAsync`) with an anti-forgery `state`,
+  (`expo-web-browser`'s `openAuthSessionAsync`) with an anti-forgery `state`
+  and the configured tenant UUID,
 - captures the returned one-time `code` from the deep-link redirect, exchanges
   it (plus the `code_verifier`) for a token pair, and stores it in the device
   keychain (`expo-secure-store`),
@@ -84,18 +99,20 @@ The full flow is documented in the doc-comment at the top of `src/mw/client.ts`.
 
 ## Environment
 
-Fresh local development works without a `.env`: `src/mw/env.ts` defaults
-`EXPO_PUBLIC_MW_PLATFORM_BASE_URL` to `http://127.0.0.1:8000` so the app can
-boot immediately after install. For a physical device, a deployed platform, or
-anything you plan to ship, copy `.env.example` to `.env` and set:
+`src/mw/env.ts` defaults `EXPO_PUBLIC_MW_PLATFORM_BASE_URL` to
+`http://127.0.0.1:8000` when omitted, but native auth still requires a tenant
+UUID. Copy `.env.example` to `.env` and set:
 
 ```
 EXPO_PUBLIC_MW_PLATFORM_BASE_URL=https://<your-platform-base-url>
+EXPO_PUBLIC_MW_TENANT_ID=<tenant-uuid>
 ```
 
 Only `EXPO_PUBLIC_*` variables are bundled into the app, and they are **not
-secret** — never put keys/tokens in them. `src/mw/env.ts` validates this value
-at startup with zod.
+secret** — never put keys/tokens in them. The tenant UUID is not a secret; it
+only selects which tenant the platform should authenticate against. Platform
+membership checks still decide whether the user can receive a native token.
+`src/mw/env.ts` validates these values at startup with zod.
 
 ## Running locally
 

package/assets/templates/mobile-app/app/(auth)/login.tsx

@@ -1,14 +1,21 @@
 // DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.
 //
 // This screen is intentionally plain and is meant to be REWRITTEN. It exists to
-// show the one integration seam you care about: kicking off MinuteWork's
+// show the two native auth seams you care about: password sign-in and
 // browser-assisted native sign-in through `src/mw/client.ts`.
 //
-// Pressing "Sign in" runs the real device flow: authorize in a system browser ->
-// exchange the returned code for a platform bearer token pair -> route into the
-// authed stack. Wire your own UI/UX around this call.
+// Both paths return/store a platform bearer token pair through the native auth
+// client, then route into the authed stack. Wire your own UI/UX around these
+// calls.
 import { useState } from "react";
-import { Alert, Pressable, StyleSheet, Text, View } from "react-native";
+import {
+  Alert,
+  Pressable,
+  StyleSheet,
+  Text,
+  TextInput,
+  View,
+} from "react-native";
 import { router } from "expo-router";
 
 import { mwClient } from "@/mw/client";
@@ -16,14 +23,13 @@ import { mwEnv } from "@/mw/env";
 
 export default function LoginScreen() {
   const [busy, setBusy] = useState(false);
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
 
-  async function onSignIn() {
+  async function finishSignIn(action: () => Promise<unknown>) {
     setBusy(true);
     try {
-      // Device flow: authorize (browser) -> exchange code+verifier for tokens
-      // (stored in the keychain by the client), then route into the authed stack.
-      const { code, codeVerifier, redirectUri } = await mwClient.authorize();
-      await mwClient.exchange(code, codeVerifier, redirectUri);
+      await action();
       router.replace("/(app)");
     } catch (error) {
       Alert.alert(
@@ -35,22 +41,82 @@ export default function LoginScreen() {
     }
   }
 
+  async function onPasswordSignIn() {
+    await finishSignIn(() =>
+      mwClient.signInWithPassword({
+        email,
+        password,
+        tenantId: mwEnv.tenantId,
+      }),
+    );
+  }
+
+  async function onBrowserSignIn() {
+    await finishSignIn(async () => {
+      // Device flow: authorize (browser) -> exchange code+verifier for tokens
+      // (stored in the keychain by the client), then route into the authed stack.
+      const { code, codeVerifier, redirectUri } = await mwClient.authorize({
+        tenantId: mwEnv.tenantId,
+      });
+      await mwClient.exchange(code, codeVerifier, redirectUri);
+    });
+  }
+
   return (
     <View style={styles.container}>
       <Text style={styles.title}>{mwEnv.appName}</Text>
       <Text style={styles.subtitle}>Sign in to continue</Text>
 
+      <View style={styles.form}>
+        <TextInput
+          autoCapitalize="none"
+          autoComplete="email"
+          autoCorrect={false}
+          editable={!busy}
+          inputMode="email"
+          onChangeText={setEmail}
+          placeholder="Email"
+          style={styles.input}
+          textContentType="username"
+          value={email}
+        />
+        <TextInput
+          autoCapitalize="none"
+          editable={!busy}
+          onChangeText={setPassword}
+          placeholder="Password"
+          secureTextEntry
+          style={styles.input}
+          textContentType="password"
+          value={password}
+        />
+      </View>
+
       <Pressable
         accessibilityRole="button"
-        disabled={busy}
-        onPress={onSignIn}
+        disabled={busy || !email || !password}
+        onPress={onPasswordSignIn}
         style={({ pressed }) => [
           styles.button,
-          (pressed || busy) && styles.buttonPressed,
+          (pressed || busy || !email || !password) && styles.buttonPressed,
         ]}
       >
         <Text style={styles.buttonText}>
-          {busy ? "Opening sign in…" : "Sign in with MinuteWork"}
+          {busy ? "Signing in..." : "Sign in with password"}
+        </Text>
+      </Pressable>
+
+      <Pressable
+        accessibilityRole="button"
+        disabled={busy}
+        onPress={onBrowserSignIn}
+        style={({ pressed }) => [
+          styles.secondaryButton,
+          (pressed || busy) && styles.buttonPressed,
+        ]}
+      >
+        <Text style={styles.secondaryButtonText}>
+          {busy ? "Opening..." : "Continue in browser"}
         </Text>
       </Pressable>
     </View>
@@ -74,11 +140,25 @@ const styles = StyleSheet.create({
     opacity: 0.7,
     marginBottom: 12,
   },
+  form: {
+    width: "100%",
+    gap: 10,
+  },
+  input: {
+    borderWidth: StyleSheet.hairlineWidth,
+    borderColor: "#d1d5db",
+    borderRadius: 10,
+    fontSize: 16,
+    paddingHorizontal: 14,
+    paddingVertical: 12,
+  },
   button: {
     backgroundColor: "#111827",
     paddingVertical: 14,
     paddingHorizontal: 24,
     borderRadius: 10,
+    width: "100%",
+    alignItems: "center",
   },
   buttonPressed: {
     opacity: 0.6,
@@ -88,4 +168,18 @@ const styles = StyleSheet.create({
     fontSize: 16,
     fontWeight: "600",
   },
+  secondaryButton: {
+    borderColor: "#111827",
+    borderRadius: 10,
+    borderWidth: StyleSheet.hairlineWidth,
+    paddingHorizontal: 24,
+    paddingVertical: 14,
+    width: "100%",
+    alignItems: "center",
+  },
+  secondaryButtonText: {
+    color: "#111827",
+    fontSize: 16,
+    fontWeight: "600",
+  },
 });

package/assets/templates/mobile-app/src/mw/client.ts

@@ -3,8 +3,10 @@ import * as Linking from "expo-linking";
 import * as WebBrowser from "expo-web-browser";
 import {
   createNativeAuthClient,
+  type NativeAuthorizeOptions,
   type NativeBrowser,
   type NativeCrypto,
+  type NativePasswordGrantOptions,
 } from "@minutework/native-auth";
 
 import { mwEnv } from "@/mw/env";
@@ -38,11 +40,27 @@ const nativeBrowser: NativeBrowser = {
   },
 };
 
-export const mwClient = createNativeAuthClient({
+const nativeAuthClient = createNativeAuthClient({
   platformBaseUrl: mwEnv.platformBaseUrl,
   storage: mwSession,
   crypto: nativeCrypto,
   browser: nativeBrowser,
 });
 
+export const mwClient = {
+  ...nativeAuthClient,
+  authorize(options: NativeAuthorizeOptions = {}) {
+    return nativeAuthClient.authorize({
+      ...options,
+      tenantId: mwEnv.tenantId,
+    });
+  },
+  signInWithPassword(options: NativePasswordGrantOptions) {
+    return nativeAuthClient.signInWithPassword({
+      ...options,
+      tenantId: mwEnv.tenantId,
+    });
+  },
+} satisfies typeof nativeAuthClient;
+
 export type MwClient = typeof mwClient;

package/assets/templates/mobile-app/src/mw/env.ts

@@ -9,7 +9,8 @@
 //
 // SECURITY: EXPO_PUBLIC_* values ship inside the app bundle and are readable by
 // anyone with the binary. Only put non-secret configuration here (a base URL,
-// a display name). Never put API keys, client secrets, or tokens in EXPO_PUBLIC_*.
+// tenant UUID, a display name). Never put API keys, client secrets, or tokens
+// in EXPO_PUBLIC_*.
 
 import { z } from "zod";
 
@@ -33,6 +34,7 @@ const optionalNameSchema = z.preprocess((value) => {
 
 const envSchema = z.object({
   platformBaseUrl: baseUrlSchema,
+  tenantId: z.string().uuid(),
   appName: optionalNameSchema,
 });
 
@@ -45,6 +47,7 @@ const parsed = envSchema.safeParse({
     configuredPlatformBaseUrl.trim().length > 0
       ? configuredPlatformBaseUrl
       : DEFAULT_LOCAL_PLATFORM_BASE_URL,
+  tenantId: process.env.EXPO_PUBLIC_MW_TENANT_ID,
   appName: process.env.EXPO_PUBLIC_MW_APP_NAME,
 });
 
@@ -58,7 +61,8 @@ if (!parsed.success) {
 
   throw new Error(
     `Invalid Expo public environment for mobile-app: ${issues}. ` +
-      "Set EXPO_PUBLIC_MW_PLATFORM_BASE_URL to the MinuteWork platform URL.",
+      "Set EXPO_PUBLIC_MW_PLATFORM_BASE_URL to the MinuteWork platform URL " +
+      "and EXPO_PUBLIC_MW_TENANT_ID to this native app's tenant UUID.",
   );
 }
 

package/assets/templates/mobile-app/template.json

@@ -14,5 +14,5 @@
     "reference/mwv3-dj6-docs/auth_and_credential_contract.md"
   ],
   "deployable": false,
-  "notes": "Bring-your-own-UI Expo (React Native + Expo Router) starter. Direct platform native API client (bearer token to /api/v1/native/...), NOT a tenant-app BFF cookie client. Distribution is the developer's EAS pipeline, not `minutework deploy`. Only src/mw/ is MinuteWork substrate; everything else is developer-owned. src/mw/client.ts implements the real browser-assisted PKCE device flow against the platform native session endpoints; the OAuth-style redirect target is the app.json expo.scheme. This manifest is validated by tools/template/validate-template.mjs, not the strict shared template.schema.json (mobile is not a web/sidecar deployable kind)."
+  "notes": "Bring-your-own-UI Expo (React Native + Expo Router) starter. Direct platform native API client (bearer token to /api/v1/native/...), NOT a tenant-app BFF cookie client. Distribution is the developer's EAS pipeline, not `minutework deploy`. Only src/mw/ is MinuteWork substrate; everything else is developer-owned. src/mw/client.ts implements native password sign-in plus the real browser-assisted PKCE device flow against the platform native session endpoints; set EXPO_PUBLIC_MW_TENANT_ID to the non-secret tenant UUID so both flows send tenant context. The OAuth-style redirect target is the app.json expo.scheme. This manifest is validated by tools/template/validate-template.mjs, not the strict shared template.schema.json (mobile is not a web/sidecar deployable kind)."
 }