sh3-core 0.17.2 → 0.19.1

package/dist/chrome/CompactChrome.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
   /*
    * Top app bar for compact mode. Three-column grid:
-   *   leading  — one button per non-null drawer anchor (read from
+   *   leading  — one Button per non-null drawer anchor (read from
    *              the active CompactRendering)
    *   title    — active app name
    *   trailing — palette button + overflow (menu sheet) button
@@ -10,21 +10,49 @@
    * state and renders MenuSheet conditionally.
    */
   import { sh3 } from '../sh3Runtime.svelte';
-  import { layoutStore } from '../layout/store.svelte';
+  import { layoutStore, getActiveRoot } from '../layout/store.svelte';
   import { derive } from '../layout/compact/derive';
   import { getLiveDispatcherState } from '../actions/state.svelte';
   import { getRegisteredApp } from '../apps/registry.svelte';
+  import { returnToHome } from '../apps/lifecycle';
+  import Button from '../primitives/Button.svelte';
   import MenuSheet from './MenuSheet.svelte';
   import type { DrawerAnchor } from '../layout/compact/types';
 
   const rendering = $derived(derive(layoutStore.root));
   const dispatcher = $derived(getLiveDispatcherState());
-  const title = $derived.by(() => {
+  const onHome = $derived(getActiveRoot() === 'home');
+  const appLabel = $derived.by(() => {
     const id = dispatcher.activeAppId;
     if (!id) return 'SH3';
     return getRegisteredApp(id)?.manifest.label ?? id;
   });
 
+  /**
+   * Pick the topmost carousel — the one with the lexicographically smallest
+   * path key. `''` (root) sorts before `'0'` etc.; among siblings, smaller
+   * indices sort first. This deterministically selects the spatially-topmost
+   * full-width tab group when multiple carousels are stacked vertically.
+   */
+  const topmostCarouselLabel = $derived.by(() => {
+    if (rendering.carousels.size === 0) return null;
+    let bestKey: string | null = null;
+    let bestLabel = '';
+    for (const [key, info] of rendering.carousels) {
+      if (bestKey === null || key < bestKey) {
+        bestKey = key;
+        bestLabel = info.activeLabel;
+      }
+    }
+    return bestLabel;
+  });
+
+  const title = $derived.by(() => {
+    const carouselLabel = topmostCarouselLabel;
+    if (carouselLabel) return `${appLabel} › ${carouselLabel}`;
+    return appLabel;
+  });
+
   let menuOpen = $state(false);
 
   function toggleDrawer(anchor: DrawerAnchor) {
@@ -37,20 +65,34 @@
 
 <header class="sh3-compact-chrome" data-sh3-region="compact-chrome">
   <div class="leading">
+    <Button
+      variant="icon"
+      icon="house"
+      ariaLabel="Home"
+      title="Home"
+      disabled={onHome}
+      onclick={() => returnToHome()}
+    />
     {#if rendering.drawers.left}
-      <button onclick={() => toggleDrawer('left')} aria-label="Toggle left drawer" data-sh3-anchor="left">≡</button>
+      <span data-sh3-anchor="left">
+        <Button variant="icon" icon="menu" ariaLabel="Toggle left drawer" title="Toggle left drawer" onclick={() => toggleDrawer('left')} />
+      </span>
     {/if}
     {#if rendering.drawers.right}
-      <button onclick={() => toggleDrawer('right')} aria-label="Toggle right drawer" data-sh3-anchor="right">▣</button>
+      <span data-sh3-anchor="right">
+        <Button variant="icon" icon="panel-right" ariaLabel="Toggle right drawer" title="Toggle right drawer" onclick={() => toggleDrawer('right')} />
+      </span>
     {/if}
     {#if rendering.drawers.top}
-      <button onclick={() => toggleDrawer('top')} aria-label="Toggle top drawer" data-sh3-anchor="top">⫶</button>
+      <span data-sh3-anchor="top">
+        <Button variant="icon" icon="panel-top" ariaLabel="Toggle top drawer" title="Toggle top drawer" onclick={() => toggleDrawer('top')} />
+      </span>
     {/if}
   </div>
   <div class="title">{title}</div>
   <div class="trailing">
-    <button onclick={openPalette} aria-label="Open command palette">⌘</button>
-    <button onclick={() => (menuOpen = true)} aria-label="Open menu">⋯</button>
+    <Button variant="icon" icon="command" ariaLabel="Open command palette" title="Open command palette" onclick={openPalette} />
+    <Button variant="icon" icon="ellipsis-vertical" ariaLabel="Open menu" title="Open menu" onclick={() => { menuOpen = true; }} />
   </div>
 </header>
 
@@ -71,20 +113,12 @@
   .leading,
   .trailing {
     display: inline-flex;
+    align-items: center;
     gap: var(--sh3-pad-xs);
   }
-  button {
-    width: 40px;
-    height: 40px;
-    font-size: var(--sh3-font-lg);
-    border: none;
-    background: none;
-    cursor: pointer;
-    border-radius: var(--sh3-radius-sm);
-    color: var(--sh3-fg);
-  }
-  button:active {
-    background: var(--sh3-bg-sunken);
+  .leading > span {
+    display: inline-flex;
+    align-items: center;
   }
   .title {
     font-weight: 600;

package/dist/chrome/CompactChrome.svelte.test.js

@@ -6,8 +6,10 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { mount, unmount, flushSync } from 'svelte';
 import CompactChrome from './CompactChrome.svelte';
-import { __resetLayoutStoreForTest, attachApp, detachApp, switchToApp, } from '../layout/store.svelte';
+import { __resetLayoutStoreForTest, attachApp, detachApp, switchToApp, switchToHome, } from '../layout/store.svelte';
 import { drawerStore } from '../layout/compact/drawerStore.svelte';
+import { setActiveApp, __resetDispatcherStateForTest } from '../actions/state.svelte';
+import { registerApp, __resetAppRegistryForTest } from '../apps/registry.svelte';
 const CompactChromeAny = CompactChrome;
 function fakeApp() {
     return {
@@ -34,11 +36,22 @@ afterEach(() => {
         host = null;
     }
     detachApp();
+    __resetAppRegistryForTest();
+    __resetDispatcherStateForTest();
 });
 beforeEach(() => {
     __resetLayoutStoreForTest();
     drawerStore.__reset();
+    __resetAppRegistryForTest();
+    __resetDispatcherStateForTest();
 });
+function attachAndActivate(app) {
+    var _a;
+    registerApp(app);
+    attachApp(app);
+    switchToApp();
+    setActiveApp(app.manifest.id, new Set((_a = app.manifest.requiredShards) !== null && _a !== void 0 ? _a : []));
+}
 describe('CompactChrome (dom)', () => {
     it('renders a leading toggle for each present drawer anchor', () => {
         attachApp(fakeApp());
@@ -48,10 +61,9 @@ describe('CompactChrome (dom)', () => {
         document.body.appendChild(host);
         mounted = mount(CompactChromeAny, { target: host });
         flushSync();
-        const leading = host.querySelectorAll('.leading button');
-        expect(leading.length).toBe(2);
-        expect(host.querySelector('.leading button[data-sh3-anchor="left"]')).not.toBeNull();
-        expect(host.querySelector('.leading button[data-sh3-anchor="right"]')).not.toBeNull();
+        expect(host.querySelector('.leading [data-sh3-anchor="left"] button')).not.toBeNull();
+        expect(host.querySelector('.leading [data-sh3-anchor="right"] button')).not.toBeNull();
+        expect(host.querySelector('.leading [data-sh3-anchor="top"] button')).toBeNull();
     });
     it('renders palette + overflow buttons in the trailing section', () => {
         attachApp(fakeApp());
@@ -65,3 +77,98 @@ describe('CompactChrome (dom)', () => {
         expect(trailing.length).toBe(2);
     });
 });
+describe('CompactChrome — home button', () => {
+    it('renders a home button as the first leading item', () => {
+        attachApp(fakeApp());
+        switchToApp();
+        flushSync();
+        host = document.createElement('div');
+        document.body.appendChild(host);
+        mounted = mount(CompactChromeAny, { target: host });
+        flushSync();
+        const homeBtn = host.querySelector('.leading button[aria-label="Home"]');
+        expect(homeBtn).not.toBeNull();
+        expect(homeBtn === null || homeBtn === void 0 ? void 0 : homeBtn.hasAttribute('disabled')).toBe(false);
+    });
+    it('disables the home button when on home', () => {
+        switchToHome();
+        flushSync();
+        host = document.createElement('div');
+        document.body.appendChild(host);
+        mounted = mount(CompactChromeAny, { target: host });
+        flushSync();
+        const homeBtn = host.querySelector('.leading button[aria-label="Home"]');
+        expect(homeBtn).not.toBeNull();
+        expect(homeBtn === null || homeBtn === void 0 ? void 0 : homeBtn.hasAttribute('disabled')).toBe(true);
+    });
+});
+describe('CompactChrome — breadcrumb', () => {
+    it('renders only AppName when no carousel is active', () => {
+        var _a;
+        const app = {
+            manifest: { id: 'plain-app', label: 'Plain App', layoutVersion: 6 },
+            initialLayout: { type: 'slot', slotId: 'b', viewId: null, role: 'body' },
+        };
+        attachAndActivate(app);
+        flushSync();
+        host = document.createElement('div');
+        document.body.appendChild(host);
+        mounted = mount(CompactChromeAny, { target: host });
+        flushSync();
+        const title = host.querySelector('.title');
+        expect((_a = title === null || title === void 0 ? void 0 : title.textContent) === null || _a === void 0 ? void 0 : _a.trim()).toBe('Plain App');
+    });
+    it('renders AppName › ActiveLabel when a carousel is active', () => {
+        var _a;
+        const app = {
+            manifest: { id: 'carousel-app', label: 'Carousel App', layoutVersion: 6 },
+            initialLayout: {
+                type: 'tabs',
+                activeTab: 1,
+                tabs: [
+                    { slotId: 's0', viewId: null, label: 'First', role: 'body' },
+                    { slotId: 's1', viewId: null, label: 'Second', role: 'body' },
+                ],
+            },
+        };
+        attachAndActivate(app);
+        flushSync();
+        host = document.createElement('div');
+        document.body.appendChild(host);
+        mounted = mount(CompactChromeAny, { target: host });
+        flushSync();
+        const title = host.querySelector('.title');
+        expect((_a = title === null || title === void 0 ? void 0 : title.textContent) === null || _a === void 0 ? void 0 : _a.trim()).toBe('Carousel App › Second');
+    });
+    it('with multiple stacked carousels, breadcrumb uses the topmost (lowest path-key sort order)', () => {
+        var _a;
+        const app = {
+            manifest: { id: 'stacked-app', label: 'Stacked', layoutVersion: 6 },
+            initialLayout: {
+                type: 'split',
+                direction: 'vertical',
+                sizes: [0.5, 0.5],
+                children: [
+                    {
+                        type: 'tabs',
+                        activeTab: 0,
+                        tabs: [{ slotId: 'top0', viewId: null, label: 'TopActive', role: 'body' }],
+                    },
+                    {
+                        type: 'tabs',
+                        activeTab: 0,
+                        tabs: [{ slotId: 'bot0', viewId: null, label: 'BottomActive', role: 'body' }],
+                    },
+                ],
+            },
+        };
+        attachAndActivate(app);
+        flushSync();
+        host = document.createElement('div');
+        document.body.appendChild(host);
+        mounted = mount(CompactChromeAny, { target: host });
+        flushSync();
+        const title = host.querySelector('.title');
+        expect((_a = title === null || title === void 0 ? void 0 : title.textContent) === null || _a === void 0 ? void 0 : _a.trim()).toBe('Stacked › TopActive');
+    });
+});

package/dist/createShell.d.ts

@@ -22,5 +22,14 @@ export interface Sh3Config {
     target?: string | HTMLElement;
     /** Server base URL ('' for same-origin) */
     serverUrl?: string;
+    /**
+     * When true, override the local-owner short-circuit and run the
+     * full server-driven auth flow (boot config fetch, SignInWall when
+     * required) against `serverUrl`. Used by Tauri clients connecting
+     * to a remote sh3-server (e.g. Android), where Tauri presence makes
+     * `platform.localOwner` true even though authentication is server-
+     * gated.
+     */
+    remoteAuth?: boolean;
 }
 export declare function createShell(config?: Sh3Config): Promise<void>;

package/dist/createShell.js

@@ -10,8 +10,9 @@ import { mount, unmount } from 'svelte';
 import { Sh3 } from './index';
 import { registerShard, registerApp, bootstrap, bootstrapSatellite, __setBackend, setLocalOwner, } from './host';
 import { resolvePlatform } from './platform/index';
+import { apiFetch } from './transport/apiFetch';
 import { hydrateTokenOverrides } from './theme';
-import { __setEnvServerUrl } from './env/index';
+import { __setEnvServerUrl, getEnvServerUrl } from './env/index';
 import { __setActiveScope } from './documents/config';
 import { initFromBoot } from './auth/index';
 import SignInWall from './auth/SignInWall.svelte';
@@ -83,11 +84,13 @@ export async function createShell(config) {
         mount(SatelliteShell, { target, props: { payload: satellite.payload } });
         return;
     }
-    // 3. Fetch boot config (skip for local-owner platforms like Tauri/dev)
+    // 3. Fetch boot config (skip for purely-local owners; remoteAuth
+    //    forces it for cross-origin Tauri clients).
     let bootConfig = null;
-    if (!platform.localOwner) {
+    const useServerAuth = !platform.localOwner || (config === null || config === void 0 ? void 0 : config.remoteAuth) === true;
+    if (useServerAuth) {
         try {
-            const res = await fetch(`${sUrl}/api/boot`, { credentials: 'include' });
+            const res = await apiFetch(`${sUrl}/api/boot`);
             if (res.ok) {
                 bootConfig = await res.json();
             }
@@ -97,7 +100,7 @@ export async function createShell(config) {
         }
     }
     // 4. Auth decision point
-    if (platform.localOwner) {
+    if (platform.localOwner && !(config === null || config === void 0 ? void 0 : config.remoteAuth)) {
         // Local-owner (Tauri/dev): no auth, no sign-in, scope is 'local'.
         // setLocalOwner() already called above — admin is assumed.
         __setActiveScope('local');
@@ -110,7 +113,7 @@ export async function createShell(config) {
         if (!session && auth.required && !auth.guestAllowed) {
             await showSignInWall(target, bootConfig);
             // After successful sign-in, re-fetch boot config
-            const res = await fetch(`${sUrl}/api/boot`, { credentials: 'include' });
+            const res = await apiFetch(`${sUrl}/api/boot`);
             if (res.ok) {
                 bootConfig = await res.json();
                 initFromBoot(sUrl, bootConfig);
@@ -150,7 +153,17 @@ async function loadDiscoveredPackages(packages) {
         return;
     for (const pkg of packages) {
         try {
-            const res = await fetch(pkg.bundleUrl);
+            // Server returns server-relative paths like `/packages/<id>/client.js`.
+            // In a cross-origin Tauri client these resolve against the webview
+            // origin (`tauri://localhost`) instead of the configured server, so
+            // we get the SPA's index.html back and the loader chokes on `<`.
+            // Resolve against the active serverUrl and route through apiFetch
+            // for the cross-origin-safe transport + bearer header.
+            const isAbsolute = pkg.bundleUrl.startsWith('http://') || pkg.bundleUrl.startsWith('https://');
+            const base = getEnvServerUrl();
+            const sep = pkg.bundleUrl.startsWith('/') ? '' : '/';
+            const url = isAbsolute ? pkg.bundleUrl : `${base}${sep}${pkg.bundleUrl}`;
+            const res = await apiFetch(url);
             if (!res.ok) {
                 console.warn(`[sh3] Failed to fetch discovered package "${pkg.id}": HTTP ${res.status}`);
                 continue;

package/dist/createShell.remoteAuth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/createShell.remoteAuth.test.js

@@ -0,0 +1,71 @@
+import { describe, expect, it, vi, beforeEach, afterEach } from 'vitest';
+describe('createShell remoteAuth flag', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+        vi.resetModules();
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        vi.doUnmock('./platform/index');
+        vi.doUnmock('./host');
+    });
+    function shortCircuitAfterBoot() {
+        // Mock bootstrap so createShell throws right after the boot-config
+        // fetch we want to observe — and never reaches mount(Sh3, ...).
+        vi.doMock('./host', async () => {
+            const actual = await vi.importActual('./host');
+            return Object.assign(Object.assign({}, actual), { bootstrap: async () => {
+                    throw new Error('test-skip-bootstrap');
+                } });
+        });
+    }
+    it('fetches /api/boot when remoteAuth is true even if localOwner is detected', async () => {
+        const calls = [];
+        globalThis.fetch = vi.fn(async (input) => {
+            calls.push(String(input));
+            return new Response(JSON.stringify({
+                version: '0.18.0',
+                tenantId: 't1',
+                auth: { required: false, guestAllowed: true, selfRegistration: false },
+                session: { token: 'tok', userId: 'u1', role: 'user', expiresAt: Number.MAX_SAFE_INTEGER },
+                user: { id: 'u1', username: 'u', displayName: 'U', role: 'user', createdAt: '', updatedAt: '' },
+            }), { status: 200, headers: { 'Content-Type': 'application/json' } });
+        });
+        vi.doMock('./platform/index', () => ({
+            resolvePlatform: async () => ({ backends: null, localOwner: true }),
+        }));
+        shortCircuitAfterBoot();
+        document.body.innerHTML = '<div id="app"></div>';
+        const { createShell } = await import('./createShell');
+        // The full boot pipeline (mount, bootstrap, etc.) may throw in this
+        // test env — we only care that the boot-config fetch was attempted.
+        try {
+            await createShell({ serverUrl: 'https://remote.example.com', remoteAuth: true });
+        }
+        catch (_a) {
+            // ignore — assertion below is the contract.
+        }
+        expect(calls.some(u => u === 'https://remote.example.com/api/boot')).toBe(true);
+    });
+    it('keeps the legacy localOwner short-circuit when remoteAuth is absent', async () => {
+        const calls = [];
+        globalThis.fetch = vi.fn(async (input) => {
+            calls.push(String(input));
+            return new Response('ok');
+        });
+        vi.doMock('./platform/index', () => ({
+            resolvePlatform: async () => ({ backends: null, localOwner: true }),
+        }));
+        shortCircuitAfterBoot();
+        document.body.innerHTML = '<div id="app"></div>';
+        const { createShell } = await import('./createShell');
+        try {
+            await createShell({ serverUrl: '' });
+        }
+        catch (_a) {
+            // ignore — assertion below is the contract.
+        }
+        expect(calls.some(u => u.endsWith('/api/boot'))).toBe(false);
+    });
+});

package/dist/documents/http-backend.js

@@ -20,6 +20,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
 var _HttpDocumentBackend_instances, _HttpDocumentBackend_baseUrl, _HttpDocumentBackend_apiKey, _HttpDocumentBackend_authHeaders;
+import { apiFetch } from '../transport/apiFetch';
 export class HttpDocumentBackend {
     /**
      * @param baseUrl - The server origin (e.g. 'http://localhost:3000' or window.location.origin).
@@ -36,7 +37,7 @@ export class HttpDocumentBackend {
     async read(tenantId, shardId, path) {
         var _a;
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (res.status === 404)
             return null;
         if (!res.ok)
@@ -50,45 +51,45 @@ export class HttpDocumentBackend {
     async write(tenantId, shardId, path, content) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}`;
         const headers = Object.assign(Object.assign({}, __classPrivateFieldGet(this, _HttpDocumentBackend_instances, "m", _HttpDocumentBackend_authHeaders).call(this)), { 'Content-Type': typeof content === 'string' ? 'text/plain' : 'application/octet-stream' });
-        const res = await fetch(url, { method: 'PUT', headers, body: content, credentials: 'include' });
+        const res = await apiFetch(url, { method: 'PUT', headers, body: content, credentials: 'include' });
         if (!res.ok)
             throw new Error(`Document write failed: ${res.status}`);
     }
     async delete(tenantId, shardId, path) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}`;
-        const res = await fetch(url, { method: 'DELETE', headers: __classPrivateFieldGet(this, _HttpDocumentBackend_instances, "m", _HttpDocumentBackend_authHeaders).call(this), credentials: 'include' });
+        const res = await apiFetch(url, { method: 'DELETE', headers: __classPrivateFieldGet(this, _HttpDocumentBackend_instances, "m", _HttpDocumentBackend_authHeaders).call(this), credentials: 'include' });
         if (!res.ok)
             throw new Error(`Document delete failed: ${res.status}`);
     }
     async list(tenantId, shardId) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (!res.ok)
             throw new Error(`Document list failed: ${res.status}`);
         return res.json();
     }
     async exists(tenantId, shardId, path) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}`;
-        const res = await fetch(url, { method: 'HEAD', credentials: 'include' });
+        const res = await apiFetch(url, { method: 'HEAD', credentials: 'include' });
         return res.ok;
     }
     async listAllShards(tenantId) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/_shards`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (!res.ok)
             throw new Error(`listAllShards failed: ${res.status}`);
         return res.json();
     }
     async listAllDocuments(tenantId) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/_all`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (!res.ok)
             throw new Error(`listAllDocuments failed: ${res.status}`);
         return res.json();
     }
     async readMeta(tenantId, shardId, path) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}?meta=1`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (!res.ok)
             throw new Error(`readMeta failed: ${res.status}`);
         const body = await res.json();
@@ -101,7 +102,7 @@ export class HttpDocumentBackend {
         const body = typeof choice === 'string'
             ? { choice }
             : { choice: choice.origin };
-        const res = await fetch(url, {
+        const res = await apiFetch(url, {
             method: 'POST',
             credentials: 'include',
             headers: Object.assign(Object.assign({}, __classPrivateFieldGet(this, _HttpDocumentBackend_instances, "m", _HttpDocumentBackend_authHeaders).call(this)), { 'Content-Type': 'application/json' }),
@@ -112,7 +113,7 @@ export class HttpDocumentBackend {
     }
     async readBranch(tenantId, shardId, path, origin) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${path}/branch?origin=${encodeURIComponent(origin)}`;
-        const res = await fetch(url, { credentials: 'include' });
+        const res = await apiFetch(url, { credentials: 'include' });
         if (res.status === 404)
             return null;
         if (!res.ok)
@@ -122,7 +123,7 @@ export class HttpDocumentBackend {
     async rename(tenantId, shardId, oldPath, newPath) {
         const url = `${__classPrivateFieldGet(this, _HttpDocumentBackend_baseUrl, "f")}/api/docs/${tenantId}/${shardId}/${oldPath}/rename`;
         const headers = Object.assign(Object.assign({}, __classPrivateFieldGet(this, _HttpDocumentBackend_instances, "m", _HttpDocumentBackend_authHeaders).call(this)), { 'Content-Type': 'application/json' });
-        const res = await fetch(url, {
+        const res = await apiFetch(url, {
             method: 'POST',
             headers,
             body: JSON.stringify({ to: newPath }),

package/dist/env/client.js

@@ -3,6 +3,7 @@
  * from the server.
  */
 import { getAuthHeader, isAdmin } from '../auth/index';
+import { apiFetch } from '../transport/apiFetch';
 /** Server base URL, set once during configuration. */
 let serverUrl = '';
 /** Configure the server URL for env state operations. */
@@ -18,7 +19,9 @@ export function getEnvServerUrl() {
  * Returns an empty object if the server has no stored state.
  */
 export async function fetchEnvState(shardId) {
-    const res = await fetch(`${serverUrl}/api/env-state/${encodeURIComponent(shardId)}`);
+    const res = await apiFetch(`${serverUrl}/api/env-state/${encodeURIComponent(shardId)}`, {
+        credentials: 'omit',
+    });
     if (!res.ok) {
         console.warn(`[sh3] Failed to fetch env state for "${shardId}": HTTP ${res.status}`);
         return {};
@@ -38,10 +41,11 @@ export async function putEnvState(shardId, state) {
     const headers = { 'Content-Type': 'application/json' };
     if (auth)
         headers['Authorization'] = auth;
-    const res = await fetch(`${serverUrl}/api/env-state/${encodeURIComponent(shardId)}`, {
+    const res = await apiFetch(`${serverUrl}/api/env-state/${encodeURIComponent(shardId)}`, {
         method: 'PUT',
         headers,
         body: JSON.stringify(state),
+        credentials: 'omit',
     });
     if (!res.ok) {
         const body = await res.json().catch(() => ({}));
@@ -73,10 +77,11 @@ export async function serverInstallPackage(manifest, clientBundle, serverBundle)
     const headers = {};
     if (auth)
         headers['Authorization'] = auth;
-    const res = await fetch(`${serverUrl}/api/packages/install`, {
+    const res = await apiFetch(`${serverUrl}/api/packages/install`, {
         method: 'POST',
         headers,
         body: form,
+        credentials: 'omit',
     });
     if (!res.ok) {
         let body = {};
@@ -104,10 +109,11 @@ export async function serverUninstallPackage(id) {
     const headers = { 'Content-Type': 'application/json' };
     if (auth)
         headers['Authorization'] = auth;
-    const res = await fetch(`${serverUrl}/api/packages/uninstall`, {
+    const res = await apiFetch(`${serverUrl}/api/packages/uninstall`, {
         method: 'POST',
         headers,
         body: JSON.stringify({ id }),
+        credentials: 'omit',
     });
     if (!res.ok) {
         const body = await res.json().catch(() => ({}));
@@ -118,7 +124,7 @@ export async function serverUninstallPackage(id) {
  * Fetch the list of packages installed on the server.
  */
 export async function fetchServerPackages() {
-    const res = await fetch(`${serverUrl}/api/packages`);
+    const res = await apiFetch(`${serverUrl}/api/packages`, { credentials: 'omit' });
     if (!res.ok)
         return [];
     return await res.json();