minutework 0.1.37 → 0.1.38

package/assets/claude-local/CLAUDE.md.template

@@ -9,11 +9,22 @@ private authenticated workspace under `/app`.
 It uses `@minutework/web-auth` through a thin `src/mw/` substrate and
 same-origin `/_mw` routes; do not add per-app auth/gateway BFF routes or
 browser-stored tokens.
+For web password auth ergonomics, call `signUp` / `signInWithPassword` from
+`@minutework/web-auth`; these are cookie-backed web aliases and do not return
+access or refresh tokens. Use `useMinuteWorkSession().status` for guards with
+this precedence: `loading` -> `verification_required` -> `authenticated` ->
+`unauthenticated`.
 
 `mobile` is the standalone Expo/React Native client starter. It talks directly
 to the platform with native device-flow auth and bearer tokens; it is not a
 `tenant-app` web SDK cookie client and not a `sidecar`. It ships through the
 developer's own EAS/App Store/Play Store pipeline, not `minutework deploy`.
+Mobile may use `@minutework/native-auth` `signInWithPassword`, but that method
+returns/stores a native access/refresh token pair. Set
+`EXPO_PUBLIC_MW_TENANT_ID` to the non-secret tenant UUID so native password and
+browser-assisted flows send tenant context. The same method name in
+`@minutework/web-auth` is same-origin cookie auth for tenant web and does not
+return tokens.
 
 ## Refresh Managed Guidance
 

package/assets/claude-local/skills/README.md

@@ -17,6 +17,10 @@ receive:
 - `tenant-app` is the combined public plus private web starter
 - `tenant-app` auth/data uses `@minutework/web-auth` and thin `src/mw/`
   substrate, not per-app auth/gateway BFF routes
+- `tenant-app` uses cookie-backed `signUp` / `signInWithPassword` aliases and
+  `useMinuteWorkSession().status`; mobile uses `@minutework/native-auth`
+  bearer-token storage for its same-named password method and sends the
+  configured `EXPO_PUBLIC_MW_TENANT_ID` tenant context
 - `mw.core.site` is a runtime baseline capability
 - tenant public authoring is runtime/CMS-backed through `mw.core.site`
 - Vuilder-owned public sites use `vuilder-public-site` and public-dj CMS

package/assets/claude-local/skills/app-pack-authoring/SKILL.md

@@ -27,6 +27,14 @@ An `app pack` is the shipped product unit.
 - The template may render a local `/login` page that calls SDK hooks. The SDK
   also exposes hosted UI helpers for same-origin `/_mw/login`,
   `/_mw/signup`, and `/_mw/verify-email`; both choices remain SDK-only.
+- For Supabase-like naming, web product UI may call
+  `signUp` / `signInWithPassword` from `@minutework/web-auth`. In `tenant-app`
+  these aliases remain cookie-backed web customer auth and do not return
+  bearer tokens.
+- Use `useMinuteWorkSession().status` for web guards instead of hand-rolled
+  `loading && !authenticated` branches. Status precedence is `loading` ->
+  `verification_required` -> `authenticated` -> `unauthenticated`; keep
+  request errors separate from status.
 - Client-side `/app` session checks are UX gating only. Real authorization is
   enforced server-side by platform `/_mw` routes and runtime dispatch checks:
   active customer membership, email verification, app publication, and
@@ -39,6 +47,12 @@ An `app pack` is the shipped product unit.
 - The authenticated `tenant-app` principal is `tenant_customer`. Do not model
   the generated customer app as an operator/platform-session app, and do not
   persist bearer/session/runtime tokens in browser JavaScript.
+- Native/mobile password auth belongs in `@minutework/native-auth`, not
+  `tenant-app`. Its `signInWithPassword(...)` method shares the web alias name
+  but returns/stores a native bearer access/refresh token pair for the platform
+  native API. Configure `EXPO_PUBLIC_MW_TENANT_ID` with the non-secret tenant
+  UUID so native password and browser-assisted flows send explicit tenant
+  context.
 - Use `sidecar` for internal APIs, workers, integrations, or Python-heavy compute.
 - For member-facing collaboration and operator workflows, check shell fit first
   before proposing standalone `tenant-app` routes or dashboards.

package/assets/claude-local/skills/generated-workspace-architecture/SKILL.md

@@ -32,6 +32,13 @@ the monorepo or a live tenant runtime.
 - A local `/login` page may call SDK hooks, while SDK hosted UI helpers point
   to same-origin `/_mw/login`, `/_mw/signup`, and `/_mw/verify-email`; both
   are valid only when they stay on the SDK/`/_mw` contract.
+- For Supabase-like naming in `tenant-app`, prefer
+  `signUp` / `signInWithPassword` from `@minutework/web-auth`. These are web
+  aliases over the same cookie-backed customer session; they do not return
+  access or refresh tokens.
+- Use `useMinuteWorkSession().status` for web app guards. Its precedence is
+  `loading` -> `verification_required` -> `authenticated` ->
+  `unauthenticated`; keep `error` as a separate field.
 - Client-side app guards are UX only. Platform `/_mw` routes and runtime
   dispatch enforce active customer membership, email verification, app
   publication, and manifest exposure server-side.
@@ -45,6 +52,13 @@ the monorepo or a live tenant runtime.
   platform-issued native session token, rather than the `tenant-app` web SDK /
   hosted-cookie session. The mobile starter remains npm-owned standalone app
   code and should not be added to the generated root `pnpm-workspace.yaml`.
+- Mobile may call `@minutework/native-auth` `signInWithPassword(...)`, but this
+  is native/member password auth that returns and stores a bearer access/refresh
+  token pair through the starter's secure storage. Configure
+  `EXPO_PUBLIC_MW_TENANT_ID` with the non-secret tenant UUID so native password
+  and browser-assisted flows send explicit tenant context. Do not copy
+  tenant-app web auth code into mobile, and do not expect the web SDK's
+  same-named method to return tokens.
 - If the `mobile` starter is enabled (`starters.mobile.enabled`), read
   `standalone-mobile-client/SKILL.md` before proposing the mobile surface.
 - `vuilder-public-site` is a Vuilder-owned public-site authoring workspace for

package/assets/claude-local/skills/standalone-mobile-client/SKILL.md

@@ -80,10 +80,26 @@ The native token flow mirrors the existing CLI developer-token flow
    freshly returned pair. Re-run the browser-assisted authorize step only when
    the refresh token itself is invalid or revoked.
 
+The native SDK also exposes `signInWithPassword({ email, password, tenantId? })`
+for member password sign-in. That method posts credentials to the native
+password-grant endpoint, persists the returned access/refresh pair through the
+starter's secure storage adapter, and returns a `NativeTokenPair`.
+The generated Expo starter wires `tenantId` from `EXPO_PUBLIC_MW_TENANT_ID`, a
+non-secret tenant UUID. Keep that configured and pass it through password and
+browser-assisted authorize flows; tenant membership is still enforced by the
+platform before a token pair is issued.
+
 The `tenant-app` web SDK / hosted-cookie path is **web-only**. The mobile app
 does not ride the `tenant-app` cookie jar, and it does not read or forward
 CSRF -- native uses the bearer token directly against the platform.
 
+`@minutework/web-auth` and `@minutework/native-auth` intentionally share the
+`signInWithPassword` name for developer ergonomics, but the mechanisms are
+different. Web `signInWithPassword` sets/uses same-origin cookies and returns a
+tenant customer session. Native `signInWithPassword` returns/stores a bearer
+access/refresh token pair. Do not copy code between those surfaces without
+switching SDKs and session expectations.
+
 ### Token binding (what is and isn't enforced)
 
 The token is bound to one tenant + membership, and that binding **is** enforced:

package/assets/templates/mobile-app/.env.example

@@ -14,5 +14,10 @@
 # The app calls /api/v1/native/... here.
 EXPO_PUBLIC_MW_PLATFORM_BASE_URL=https://<your-platform-base-url>
 
+# Non-secret tenant UUID this native app signs into. Native password sign-in
+# requires an explicit tenant context, and the browser-assisted authorize flow
+# sends this value too.
+EXPO_PUBLIC_MW_TENANT_ID=00000000-0000-0000-0000-000000000000
+
 # Optional display name shown in the UI. Defaults to "MinuteWork".
 # EXPO_PUBLIC_MW_APP_NAME=MinuteWork

package/assets/templates/mobile-app/AGENTS.md

@@ -37,11 +37,17 @@ flow).
 ## Status
 
 `src/mw/client.ts` and `src/mw/session.ts` are **implemented**: a real
-browser-assisted PKCE device flow against the platform native session endpoints
-(`/api/v1/native/session/*`), with tokens persisted in the device keychain via
-`expo-secure-store`. Wire your UI against the documented client methods
-(`authorize` -> `exchange`, `loadSession`, `logout`). Set `app.json` `expo.scheme`
-to your own unique scheme — that is the OAuth-style redirect target.
+native password sign-in method plus a browser-assisted PKCE device flow against
+the platform native session endpoints (`/api/v1/native/session/*`), with tokens
+persisted in the device keychain via `expo-secure-store`. Wire your UI against
+the documented client methods (`signInWithPassword`, `authorize` -> `exchange`,
+`loadSession`, `logout`). `signInWithPassword` here returns/stores a native
+bearer token pair; the same method name in `@minutework/web-auth` is
+cookie-backed web auth and does not return tokens. Set
+`EXPO_PUBLIC_MW_TENANT_ID` to the non-secret tenant UUID; the starter passes it
+as tenant context for both password sign-in and browser-assisted authorize. Set
+`app.json` `expo.scheme` to your own unique scheme — that is the OAuth-style
+redirect target for the browser-assisted flow.
 
 The starter is standalone npm-owned app code, even when generated beside
 `tenant-app` in a root pnpm workspace. Run mobile commands from `mobile/` with

package/assets/templates/mobile-app/README.md

@@ -13,7 +13,7 @@ plain screens use `StyleSheet` only so there is nothing to rip out.
 
 | Path | Owner | Notes |
 | --- | --- | --- |
-| `src/mw/env.ts` | **MinuteWork substrate** | Validates `EXPO_PUBLIC_MW_PLATFORM_BASE_URL` (+ optional app name) |
+| `src/mw/env.ts` | **MinuteWork substrate** | Validates `EXPO_PUBLIC_MW_PLATFORM_BASE_URL`, `EXPO_PUBLIC_MW_TENANT_ID` (+ optional app name) |
 | `src/mw/endpoints.ts` | **MinuteWork substrate** | Builds platform `/api/v1/native/...` URLs |
 | `src/mw/contracts.ts` | **MinuteWork substrate** | Zod schemas for native session + token payloads |
 | `src/mw/client.ts` | **MinuteWork substrate** | Native token client — real browser-assisted PKCE device flow |
@@ -43,6 +43,12 @@ This app authenticates as a **direct platform native client**:
   `Authorization: Bearer <access>`, and on `401` mints a fresh pair at
   `POST /api/v1/native/session/refresh/` (rotating — persist the new pair) before
   retrying. `POST /api/v1/native/session/logout/` revokes the token family.
+- `mwClient.signInWithPassword({ email, password })` is also available for
+  native/member password sign-in. The starter injects
+  `EXPO_PUBLIC_MW_TENANT_ID` as `tenantId` because the native password-grant
+  endpoint requires explicit tenant context. It stores the returned
+  access/refresh pair through `src/mw/session.ts` and returns that native token
+  pair.
 
 This is **NOT** the Next.js `tenant-app` model. The tenant-app uses a
 server-owned **BFF session cookie** (`platform_session_bff`) because a browser
@@ -52,6 +58,11 @@ token instead of a cookie. **Do not** try to reuse the BFF cookie path here, and
 **do not** build a parallel/local auth stack (no JWT minting, no local user
 table) — the platform owns identity.
 
+The web and native SDKs intentionally share the `signInWithPassword` name, but
+the mechanism is different: `@minutework/web-auth` sets/uses a same-origin web
+cookie and returns a tenant customer session; `@minutework/native-auth` stores
+and returns a bearer-token pair for the native platform API.
+
 The token is bound to a single tenant + membership, and that binding **is**
 enforced. The optional `audience` and `device_id` fields are **informational
 only**: the platform carries them through the flow but does **not** validate or
@@ -61,9 +72,13 @@ compare them, so do not rely on them as a security boundary.
 
 `src/mw/client.ts` and `src/mw/session.ts` are **implemented**. The client:
 
-- generates a PKCE `code_verifier` + S256 `code_challenge` (`expo-crypto`),
+- signs in with member credentials through `signInWithPassword(...)` when you
+  choose the native password flow, sending the configured tenant UUID,
+- generates a PKCE `code_verifier` + S256 `code_challenge` (`expo-crypto`) when
+  you choose the browser-assisted flow,
 - opens the platform `authorize` URL in a system browser
-  (`expo-web-browser`'s `openAuthSessionAsync`) with an anti-forgery `state`,
+  (`expo-web-browser`'s `openAuthSessionAsync`) with an anti-forgery `state`
+  and the configured tenant UUID,
 - captures the returned one-time `code` from the deep-link redirect, exchanges
   it (plus the `code_verifier`) for a token pair, and stores it in the device
   keychain (`expo-secure-store`),
@@ -84,18 +99,20 @@ The full flow is documented in the doc-comment at the top of `src/mw/client.ts`.
 
 ## Environment
 
-Fresh local development works without a `.env`: `src/mw/env.ts` defaults
-`EXPO_PUBLIC_MW_PLATFORM_BASE_URL` to `http://127.0.0.1:8000` so the app can
-boot immediately after install. For a physical device, a deployed platform, or
-anything you plan to ship, copy `.env.example` to `.env` and set:
+`src/mw/env.ts` defaults `EXPO_PUBLIC_MW_PLATFORM_BASE_URL` to
+`http://127.0.0.1:8000` when omitted, but native auth still requires a tenant
+UUID. Copy `.env.example` to `.env` and set:
 
 ```
 EXPO_PUBLIC_MW_PLATFORM_BASE_URL=https://<your-platform-base-url>
+EXPO_PUBLIC_MW_TENANT_ID=<tenant-uuid>
 ```
 
 Only `EXPO_PUBLIC_*` variables are bundled into the app, and they are **not
-secret** — never put keys/tokens in them. `src/mw/env.ts` validates this value
-at startup with zod.
+secret** — never put keys/tokens in them. The tenant UUID is not a secret; it
+only selects which tenant the platform should authenticate against. Platform
+membership checks still decide whether the user can receive a native token.
+`src/mw/env.ts` validates these values at startup with zod.
 
 ## Running locally
 

package/assets/templates/mobile-app/app/(auth)/login.tsx

@@ -1,14 +1,21 @@
 // DEVELOPER-OWNED — replace freely. Only src/mw/ is MinuteWork substrate.
 //
 // This screen is intentionally plain and is meant to be REWRITTEN. It exists to
-// show the one integration seam you care about: kicking off MinuteWork's
+// show the two native auth seams you care about: password sign-in and
 // browser-assisted native sign-in through `src/mw/client.ts`.
 //
-// Pressing "Sign in" runs the real device flow: authorize in a system browser ->
-// exchange the returned code for a platform bearer token pair -> route into the
-// authed stack. Wire your own UI/UX around this call.
+// Both paths return/store a platform bearer token pair through the native auth
+// client, then route into the authed stack. Wire your own UI/UX around these
+// calls.
 import { useState } from "react";
-import { Alert, Pressable, StyleSheet, Text, View } from "react-native";
+import {
+  Alert,
+  Pressable,
+  StyleSheet,
+  Text,
+  TextInput,
+  View,
+} from "react-native";
 import { router } from "expo-router";
 
 import { mwClient } from "@/mw/client";
@@ -16,14 +23,13 @@ import { mwEnv } from "@/mw/env";
 
 export default function LoginScreen() {
   const [busy, setBusy] = useState(false);
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
 
-  async function onSignIn() {
+  async function finishSignIn(action: () => Promise<unknown>) {
     setBusy(true);
     try {
-      // Device flow: authorize (browser) -> exchange code+verifier for tokens
-      // (stored in the keychain by the client), then route into the authed stack.
-      const { code, codeVerifier, redirectUri } = await mwClient.authorize();
-      await mwClient.exchange(code, codeVerifier, redirectUri);
+      await action();
       router.replace("/(app)");
     } catch (error) {
       Alert.alert(
@@ -35,22 +41,82 @@ export default function LoginScreen() {
     }
   }
 
+  async function onPasswordSignIn() {
+    await finishSignIn(() =>
+      mwClient.signInWithPassword({
+        email,
+        password,
+        tenantId: mwEnv.tenantId,
+      }),
+    );
+  }
+
+  async function onBrowserSignIn() {
+    await finishSignIn(async () => {
+      // Device flow: authorize (browser) -> exchange code+verifier for tokens
+      // (stored in the keychain by the client), then route into the authed stack.
+      const { code, codeVerifier, redirectUri } = await mwClient.authorize({
+        tenantId: mwEnv.tenantId,
+      });
+      await mwClient.exchange(code, codeVerifier, redirectUri);
+    });
+  }
+
   return (
     <View style={styles.container}>
       <Text style={styles.title}>{mwEnv.appName}</Text>
       <Text style={styles.subtitle}>Sign in to continue</Text>
 
+      <View style={styles.form}>
+        <TextInput
+          autoCapitalize="none"
+          autoComplete="email"
+          autoCorrect={false}
+          editable={!busy}
+          inputMode="email"
+          onChangeText={setEmail}
+          placeholder="Email"
+          style={styles.input}
+          textContentType="username"
+          value={email}
+        />
+        <TextInput
+          autoCapitalize="none"
+          editable={!busy}
+          onChangeText={setPassword}
+          placeholder="Password"
+          secureTextEntry
+          style={styles.input}
+          textContentType="password"
+          value={password}
+        />
+      </View>
+
       <Pressable
         accessibilityRole="button"
-        disabled={busy}
-        onPress={onSignIn}
+        disabled={busy || !email || !password}
+        onPress={onPasswordSignIn}
         style={({ pressed }) => [
           styles.button,
-          (pressed || busy) && styles.buttonPressed,
+          (pressed || busy || !email || !password) && styles.buttonPressed,
         ]}
       >
         <Text style={styles.buttonText}>
-          {busy ? "Opening sign in…" : "Sign in with MinuteWork"}
+          {busy ? "Signing in..." : "Sign in with password"}
+        </Text>
+      </Pressable>
+
+      <Pressable
+        accessibilityRole="button"
+        disabled={busy}
+        onPress={onBrowserSignIn}
+        style={({ pressed }) => [
+          styles.secondaryButton,
+          (pressed || busy) && styles.buttonPressed,
+        ]}
+      >
+        <Text style={styles.secondaryButtonText}>
+          {busy ? "Opening..." : "Continue in browser"}
         </Text>
       </Pressable>
     </View>
@@ -74,11 +140,25 @@ const styles = StyleSheet.create({
     opacity: 0.7,
     marginBottom: 12,
   },
+  form: {
+    width: "100%",
+    gap: 10,
+  },
+  input: {
+    borderWidth: StyleSheet.hairlineWidth,
+    borderColor: "#d1d5db",
+    borderRadius: 10,
+    fontSize: 16,
+    paddingHorizontal: 14,
+    paddingVertical: 12,
+  },
   button: {
     backgroundColor: "#111827",
     paddingVertical: 14,
     paddingHorizontal: 24,
     borderRadius: 10,
+    width: "100%",
+    alignItems: "center",
   },
   buttonPressed: {
     opacity: 0.6,
@@ -88,4 +168,18 @@ const styles = StyleSheet.create({
     fontSize: 16,
     fontWeight: "600",
   },
+  secondaryButton: {
+    borderColor: "#111827",
+    borderRadius: 10,
+    borderWidth: StyleSheet.hairlineWidth,
+    paddingHorizontal: 24,
+    paddingVertical: 14,
+    width: "100%",
+    alignItems: "center",
+  },
+  secondaryButtonText: {
+    color: "#111827",
+    fontSize: 16,
+    fontWeight: "600",
+  },
 });

package/assets/templates/mobile-app/src/mw/client.ts

@@ -3,8 +3,10 @@ import * as Linking from "expo-linking";
 import * as WebBrowser from "expo-web-browser";
 import {
   createNativeAuthClient,
+  type NativeAuthorizeOptions,
   type NativeBrowser,
   type NativeCrypto,
+  type NativePasswordGrantOptions,
 } from "@minutework/native-auth";
 
 import { mwEnv } from "@/mw/env";
@@ -38,11 +40,27 @@ const nativeBrowser: NativeBrowser = {
   },
 };
 
-export const mwClient = createNativeAuthClient({
+const nativeAuthClient = createNativeAuthClient({
   platformBaseUrl: mwEnv.platformBaseUrl,
   storage: mwSession,
   crypto: nativeCrypto,
   browser: nativeBrowser,
 });
 
+export const mwClient = {
+  ...nativeAuthClient,
+  authorize(options: NativeAuthorizeOptions = {}) {
+    return nativeAuthClient.authorize({
+      ...options,
+      tenantId: mwEnv.tenantId,
+    });
+  },
+  signInWithPassword(options: NativePasswordGrantOptions) {
+    return nativeAuthClient.signInWithPassword({
+      ...options,
+      tenantId: mwEnv.tenantId,
+    });
+  },
+} satisfies typeof nativeAuthClient;
+
 export type MwClient = typeof mwClient;

package/assets/templates/mobile-app/src/mw/env.ts

@@ -9,7 +9,8 @@
 //
 // SECURITY: EXPO_PUBLIC_* values ship inside the app bundle and are readable by
 // anyone with the binary. Only put non-secret configuration here (a base URL,
-// a display name). Never put API keys, client secrets, or tokens in EXPO_PUBLIC_*.
+// tenant UUID, a display name). Never put API keys, client secrets, or tokens
+// in EXPO_PUBLIC_*.
 
 import { z } from "zod";
 
@@ -33,6 +34,7 @@ const optionalNameSchema = z.preprocess((value) => {
 
 const envSchema = z.object({
   platformBaseUrl: baseUrlSchema,
+  tenantId: z.string().uuid(),
   appName: optionalNameSchema,
 });
 
@@ -45,6 +47,7 @@ const parsed = envSchema.safeParse({
     configuredPlatformBaseUrl.trim().length > 0
       ? configuredPlatformBaseUrl
       : DEFAULT_LOCAL_PLATFORM_BASE_URL,
+  tenantId: process.env.EXPO_PUBLIC_MW_TENANT_ID,
   appName: process.env.EXPO_PUBLIC_MW_APP_NAME,
 });
 
@@ -58,7 +61,8 @@ if (!parsed.success) {
 
   throw new Error(
     `Invalid Expo public environment for mobile-app: ${issues}. ` +
-      "Set EXPO_PUBLIC_MW_PLATFORM_BASE_URL to the MinuteWork platform URL.",
+      "Set EXPO_PUBLIC_MW_PLATFORM_BASE_URL to the MinuteWork platform URL " +
+      "and EXPO_PUBLIC_MW_TENANT_ID to this native app's tenant UUID.",
   );
 }
 

package/assets/templates/mobile-app/template.json

@@ -14,5 +14,5 @@
     "reference/mwv3-dj6-docs/auth_and_credential_contract.md"
   ],
   "deployable": false,
-  "notes": "Bring-your-own-UI Expo (React Native + Expo Router) starter. Direct platform native API client (bearer token to /api/v1/native/...), NOT a tenant-app BFF cookie client. Distribution is the developer's EAS pipeline, not `minutework deploy`. Only src/mw/ is MinuteWork substrate; everything else is developer-owned. src/mw/client.ts implements the real browser-assisted PKCE device flow against the platform native session endpoints; the OAuth-style redirect target is the app.json expo.scheme. This manifest is validated by tools/template/validate-template.mjs, not the strict shared template.schema.json (mobile is not a web/sidecar deployable kind)."
+  "notes": "Bring-your-own-UI Expo (React Native + Expo Router) starter. Direct platform native API client (bearer token to /api/v1/native/...), NOT a tenant-app BFF cookie client. Distribution is the developer's EAS pipeline, not `minutework deploy`. Only src/mw/ is MinuteWork substrate; everything else is developer-owned. src/mw/client.ts implements native password sign-in plus the real browser-assisted PKCE device flow against the platform native session endpoints; set EXPO_PUBLIC_MW_TENANT_ID to the non-secret tenant UUID so both flows send tenant context. The OAuth-style redirect target is the app.json expo.scheme. This manifest is validated by tools/template/validate-template.mjs, not the strict shared template.schema.json (mobile is not a web/sidecar deployable kind)."
 }

package/assets/templates/next-tenant-app/README.md

@@ -26,6 +26,13 @@ The local `/login` route is product UI that calls SDK hooks. The SDK also
 provides hosted UI helpers for same-origin `/_mw/login`, `/_mw/signup`, and
 `/_mw/verify-email` URLs; both paths stay on the same SDK contract.
 
+For Supabase-like naming, the template uses `signUp` and
+`signInWithPassword` from `@minutework/web-auth/react`. These aliases still use
+the same cookie-backed web customer session and do not return access or refresh
+tokens. App guards should read `useMinuteWorkSession().status`, whose stable
+precedence is `loading` -> `verification_required` -> `authenticated` ->
+`unauthenticated`; keep `error` as a separate field.
+
 Client-side `/app` session checks are only UX gating. Authorization is enforced
 by the platform `/_mw` routes and runtime dispatch: active customer membership,
 email verification, app publication, and manifest `web_customer_exposed`

package/assets/templates/next-tenant-app/package.json

@@ -27,7 +27,7 @@
     "design-system:visual": "playwright test -c tools/design-system/playwright.config.mjs"
   },
   "dependencies": {
-    "@minutework/web-auth": "^0.1.0",
+    "@minutework/web-auth": "^0.1.1",
     "@radix-ui/react-slot": "^1.2.4",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",

package/assets/templates/next-tenant-app/src/features/auth/components/login-screen.tsx

@@ -17,7 +17,7 @@ type AuthMode = "login" | "signup";
 export function LoginScreen({ appName }: { appName: string }) {
   const router = useRouter();
   const searchParams = useSearchParams();
-  const { login, signup } = useMinuteWorkAuth();
+  const { signInWithPassword, signUp } = useMinuteWorkAuth();
   const [mode, setMode] = useState<AuthMode>("login");
   const [email, setEmail] = useState("");
   const [displayName, setDisplayName] = useState("");
@@ -34,7 +34,7 @@ export function LoginScreen({ appName }: { appName: string }) {
 
     try {
       if (mode === "signup") {
-        await signup({
+        await signUp({
           email,
           password,
           displayName,
@@ -45,7 +45,7 @@ export function LoginScreen({ appName }: { appName: string }) {
         return;
       }
 
-      await login({ email, password });
+      await signInWithPassword({ email, password });
       startTransition(() => {
         router.replace(appRoutes.appHome);
         router.refresh();

package/assets/templates/next-tenant-app/src/features/shell/components/authenticated-app-layout-shell.tsx

@@ -44,8 +44,7 @@ export function AuthenticatedAppLayoutShell({
 }) {
   const router = useRouter();
   const { logout } = useMinuteWorkAuth();
-  const { session, loading, authenticated, emailVerificationRequired } =
-    useMinuteWorkSession();
+  const { session, status } = useMinuteWorkSession();
 
   function redirectToLogin() {
     startTransition(() => {
@@ -59,7 +58,7 @@ export function AuthenticatedAppLayoutShell({
     redirectToLogin();
   }
 
-  if (loading) {
+  if (status === "loading") {
     return (
       <main className="min-h-screen bg-background text-foreground">
         <div className="mx-auto flex min-h-screen max-w-5xl items-center px-6 py-10">
@@ -71,11 +70,7 @@ export function AuthenticatedAppLayoutShell({
     );
   }
 
-  if (
-    emailVerificationRequired ||
-    session?.email_verification_required ||
-    session?.customer_membership?.status === "pending_verification"
-  ) {
+  if (status === "verification_required") {
     return (
       <main className="min-h-screen bg-background text-foreground">
         <div className="mx-auto flex min-h-screen max-w-5xl items-center px-6 py-10">
@@ -102,7 +97,7 @@ export function AuthenticatedAppLayoutShell({
     );
   }
 
-  if (!authenticated || !session?.customer_membership) {
+  if (status !== "authenticated" || !session?.customer_membership) {
     return (
       <main className="min-h-screen bg-background text-foreground">
         <div className="mx-auto flex min-h-screen max-w-5xl items-center px-6 py-10">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "minutework",
-  "version": "0.1.37",
+  "version": "0.1.38",
   "description": "MinuteWork CLI for workspace scaffolding, local preview workflows, and hosted preview deploys.",
   "type": "module",
   "bin": {