sh3-core 0.5.2 → 0.5.5

package/dist/auth/auth.svelte.js

@@ -1,127 +1,144 @@
 /**
- * Client-side admin mode — API key elevation for SH3.
+ * Client-side auth — session-based identity for SH3.
  *
- * Stores the key in the user state zone so it persists across sessions.
- * Provides reactive `isAdmin` for gating admin apps. The key is verified
- * against the server on elevation and on boot (via initAuth).
+ * The boot flow (createShell) calls initFromBoot() with the server's
+ * boot config. After that, login/logout call the server and update
+ * the reactive state. isAdmin/isGuest/isAuthenticated are reactive
+ * getters consumed by shell components.
  *
- * Boot-time verification uses a short timeout and fails open — the shell
- * remains usable without admin access when the server is slow or offline.
- *
- * OS analogy: sudo / elevated permissions, not web login.
- *
- * .svelte.ts because it uses $state for reactive admin status.
+ * .svelte.ts because it uses $state for reactive auth status.
  */
-import { createStateZones } from '../state/zones.svelte';
-const state = createStateZones('__shell__:auth', {
-    user: { apiKey: null },
-});
-/** Reactive admin status. */
-let admin = $state(false);
-/** Server base URL, set once during initAuth. */
+/** Reactive auth state. */
+let currentUser = $state(null);
+let currentSession = $state(null);
+let guest = $state(false);
+/** Server base URL, set during boot. */
 let serverUrl = '';
 /**
- * Verify a key against the server. Returns true if valid.
- * Accepts an optional AbortSignal for timeout control.
+ * Initialize auth from boot config. Called once by createShell()
+ * after fetching /api/boot.
  */
-async function verifyKey(key, signal) {
+export function initFromBoot(url, config) {
+    serverUrl = url;
+    currentUser = config.user;
+    currentSession = config.session;
+    guest = !config.session && !config.user;
+}
+/**
+ * Log in with username + password. On success, updates reactive state.
+ * Returns { ok: true } or { ok: false, error: string }.
+ */
+export async function login(username, password) {
     try {
-        const response = await fetch(`${serverUrl}/api/auth/verify`, {
+        const res = await fetch(`${serverUrl}/api/auth/login`, {
             method: 'POST',
-            headers: { Authorization: `Bearer ${key}` },
-            signal,
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password }),
         });
-        if (!response.ok)
-            return false;
-        const body = await response.json();
-        return body.valid === true;
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Login failed' };
+        }
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
     }
     catch (_a) {
-        return false;
+        return { ok: false, error: 'Network error' };
     }
 }
 /**
- * Initialize auth at boot. Call once from bootstrap().
- *
- * If a key is stored from a previous session, verifies it against the
- * server with a 3-second timeout. If verification fails (key revoked,
- * server down, timeout), the shell boots without admin access — the
- * stored key is cleared only on explicit rejection (401), not on
- * network failure (so a temporary outage doesn't force re-entry).
- *
- * @param url - Server base URL ('' for same-origin).
+ * Register a new account (when self-registration is enabled).
+ * On success, auto-logs in and updates reactive state.
  */
-export async function initAuth(url = '') {
-    serverUrl = url;
-    const stored = state.user.apiKey;
-    if (!stored)
-        return;
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 3000);
+export async function register(username, password, displayName) {
     try {
-        const response = await fetch(`${serverUrl}/api/auth/verify`, {
+        const res = await fetch(`${serverUrl}/api/auth/register`, {
             method: 'POST',
-            headers: { Authorization: `Bearer ${stored}` },
-            signal: controller.signal,
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password, displayName }),
         });
-        clearTimeout(timeout);
-        if (response.ok) {
-            const body = await response.json();
-            if (body.valid === true) {
-                admin = true;
-                return;
-            }
-        }
-        // Server explicitly rejected the key — clear it.
-        if (response.status === 401 || response.status === 403) {
-            state.user.apiKey = null;
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Registration failed' };
         }
-        // Other errors (5xx, etc.): keep the key, boot unelevated.
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
     }
     catch (_a) {
-        clearTimeout(timeout);
-        // Network error or timeout: keep the key, boot unelevated.
-        // User can re-elevate manually once connectivity returns.
+        return { ok: false, error: 'Network error' };
     }
 }
 /**
- * Elevate to admin mode with an API key. Verifies against the server
- * before storing. Returns true on success, false if the key is invalid.
+ * Log out — clear session on server and client.
  */
-export async function elevate(key) {
-    const valid = await verifyKey(key);
-    if (valid) {
-        state.user.apiKey = key;
-        admin = true;
+export async function logout() {
+    try {
+        await fetch(`${serverUrl}/api/auth/logout`, {
+            method: 'POST',
+            credentials: 'include',
+        });
     }
-    return valid;
+    catch (_a) {
+        // Best effort
+    }
+    currentUser = null;
+    currentSession = null;
+    guest = true;
 }
 /**
- * De-escalate from admin mode — clear the stored key and drop elevation.
+ * Mark this session as local-owner — auto-elevate to admin without
+ * server verification. Called by the host in Tauri / dev environments.
  */
-export function deescalate() {
-    state.user.apiKey = null;
-    admin = false;
+export function setLocalOwner() {
+    currentUser = {
+        id: 'local',
+        username: 'local',
+        displayName: 'Local Owner',
+        role: 'admin',
+        createdAt: '',
+        updatedAt: '',
+    };
+    currentSession = {
+        token: 'local',
+        userId: 'local',
+        role: 'admin',
+        expiresAt: Infinity,
+    };
+    guest = false;
 }
-/**
- * Reactive getter — true when the user has elevated to admin mode.
- */
+/** Reactive — true when the user has admin role. */
 export function isAdmin() {
-    return admin;
+    return (currentSession === null || currentSession === void 0 ? void 0 : currentSession.role) === 'admin';
 }
-/**
- * Mark this session as local-owner — auto-elevate to admin without
- * key verification. Called by the host in Tauri / dev environments
- * where the user owns the machine. Idempotent.
- */
-export function setLocalOwner() {
-    admin = true;
+/** Reactive — true when the user has a valid session. */
+export function isAuthenticated() {
+    return currentSession !== null;
+}
+/** Reactive — true when browsing without a session. */
+export function isGuest() {
+    return guest;
+}
+/** Get the current user (reactive). */
+export function getUser() {
+    return currentUser;
+}
+/** Get the current session (reactive). */
+export function getSession() {
+    return currentSession;
 }
 /**
- * Build an Authorization header value for authenticated fetch calls.
- * Returns null if not elevated.
+ * Build an Authorization header value for authenticated fetch calls
+ * that need explicit headers (e.g. non-cookie contexts).
+ * Returns null if not authenticated.
  */
 export function getAuthHeader() {
-    const key = state.user.apiKey;
-    return key ? `Bearer ${key}` : null;
+    return currentSession ? `Bearer ${currentSession.token}` : null;
 }

package/dist/auth/index.d.ts

@@ -1 +1,2 @@
-export { initAuth, elevate, deescalate, isAdmin, getAuthHeader, setLocalOwner } from './auth.svelte';
+export { initFromBoot, login, logout, register, isAdmin, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';
+export type { AuthUser, AuthSession, BootConfig, GlobalSettings } from './types';

package/dist/auth/index.js

@@ -1 +1 @@
-export { initAuth, elevate, deescalate, isAdmin, getAuthHeader, setLocalOwner } from './auth.svelte';
+export { initFromBoot, login, logout, register, isAdmin, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';

package/dist/auth/types.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+/** Public user shape (never includes passwordHash). */
+export interface AuthUser {
+    id: string;
+    username: string;
+    displayName: string;
+    role: 'admin' | 'user';
+    createdAt: string;
+    updatedAt: string;
+}
+/** Session shape returned to the client. */
+export interface AuthSession {
+    token: string;
+    userId: string;
+    role: 'admin' | 'user';
+    expiresAt: number;
+}
+/** Response from GET /api/boot. */
+export interface BootConfig {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        selfRegistration: boolean;
+    };
+    user: AuthUser | null;
+    session: AuthSession | null;
+    tenantId: string;
+}
+/** Global settings shape. */
+export interface GlobalSettings {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        sessionTTL: number;
+        selfRegistration: boolean;
+    };
+}

package/dist/auth/types.js

@@ -0,0 +1,6 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+export {};

package/dist/build.js

@@ -112,7 +112,7 @@ export function sh3Artifact(options = {}) {
             }
         },
         async closeBundle() {
-            var _a, _b, _c, _d;
+            var _a, _b, _c, _d, _e;
             if (!entryFileName)
                 return;
             const clientSrc = join(outDir, entryFileName);
@@ -122,7 +122,7 @@ export function sh3Artifact(options = {}) {
             try {
                 source = readFileSync(clientSrc, 'utf-8');
             }
-            catch (_e) {
+            catch (_f) {
                 console.warn('[sh3-artifact] Could not read entry chunk:', clientSrc);
                 return;
             }
@@ -131,17 +131,71 @@ export function sh3Artifact(options = {}) {
                 writeFileSync(clientDest, source);
                 unlinkSync(clientSrc);
             }
-            // --- Extract manifest fields via regex ---
-            const extract = (pattern) => {
-                const m = source.match(pattern);
-                return m ? m[1] : '';
-            };
-            const id = extract(/\bid\s*:\s*["']([^"']+)["']/);
-            const label = extract(/\blabel\s*:\s*["']([^"']+)["']/);
-            const version = extract(/\bversion\s*:\s*["']([^"']+)["']/);
-            const hasShard = /\bviews\s*:\s*\[/.test(source);
+            // --- Extract manifest fields from App or Shard block ---
+            //
+            // The bundle may contain both an App manifest (has `requiredShards`)
+            // and a Shard manifest (has `views: [`). We extract id/label/version
+            // from the App block first, then fall back to the Shard block.
+            // If neither block exists, the build fails with a clear error.
             const hasApp = /\brequiredShards\s*:\s*\[/.test(source);
+            const hasShard = /\bviews\s*:\s*\[/.test(source);
+            if (!hasApp && !hasShard) {
+                throw new Error('[sh3-artifact] Could not find an App manifest (requiredShards) or Shard manifest (views) in the entry chunk. '
+                    + 'Ensure the entry exports an App or Shard object.');
+            }
             const type = hasShard && hasApp ? 'combo' : hasApp ? 'app' : 'shard';
+            /**
+             * Extract id, label, and version from the manifest object block that
+             * contains `anchor`. Walks backwards from the anchor to find the
+             * opening `{`, then forward to find the matching `}`, and extracts
+             * fields from within that slice.
+             */
+            function extractFromBlock(anchor) {
+                const anchorMatch = anchor.exec(source);
+                if (!anchorMatch)
+                    return null;
+                // Walk backwards from the anchor to find the enclosing `{`.
+                let depth = 0;
+                let blockStart = anchorMatch.index;
+                for (let i = anchorMatch.index - 1; i >= 0; i--) {
+                    if (source[i] === '}')
+                        depth++;
+                    if (source[i] === '{') {
+                        if (depth === 0) {
+                            blockStart = i;
+                            break;
+                        }
+                        depth--;
+                    }
+                }
+                // Walk forwards from the anchor to find the matching `}`.
+                depth = 0;
+                let blockEnd = source.length;
+                for (let i = blockStart; i < source.length; i++) {
+                    if (source[i] === '{')
+                        depth++;
+                    if (source[i] === '}') {
+                        depth--;
+                        if (depth === 0) {
+                            blockEnd = i + 1;
+                            break;
+                        }
+                    }
+                }
+                const block = source.slice(blockStart, blockEnd);
+                const get = (pattern) => {
+                    const m = block.match(pattern);
+                    return m ? m[1] : '';
+                };
+                return {
+                    id: get(/\bid\s*:\s*["']([^"']+)["']/),
+                    label: get(/\blabel\s*:\s*["']([^"']+)["']/),
+                    version: get(/\bversion\s*:\s*["']([^"']+)["']/),
+                };
+            }
+            // App first, then Shard.
+            const extracted = (_a = extractFromBlock(/\brequiredShards\s*:\s*\[/)) !== null && _a !== void 0 ? _a : extractFromBlock(/\bviews\s*:\s*\[/);
+            const { id, label, version } = extracted;
             // --- Optional server bundle ---
             let hasServer = false;
             if (options.serverEntry && existsSync(options.serverEntry)) {
@@ -156,13 +210,13 @@ export function sh3Artifact(options = {}) {
                 pkgDescription = typeof pkg.description === 'string' ? pkg.description : undefined;
                 pkgAuthor = typeof pkg.author === 'string'
                     ? pkg.author
-                    : typeof ((_a = pkg.author) === null || _a === void 0 ? void 0 : _a.name) === 'string' ? pkg.author.name : undefined;
+                    : typeof ((_b = pkg.author) === null || _b === void 0 ? void 0 : _b.name) === 'string' ? pkg.author.name : undefined;
             }
-            catch ( /* no package.json or unreadable */_f) { /* no package.json or unreadable */ }
+            catch ( /* no package.json or unreadable */_g) { /* no package.json or unreadable */ }
             // --- Write manifest.json ---
-            const overrides = (_b = options.manifest) !== null && _b !== void 0 ? _b : {};
-            const finalDescription = (_c = overrides.description) !== null && _c !== void 0 ? _c : pkgDescription;
-            const finalAuthor = (_d = overrides.author) !== null && _d !== void 0 ? _d : pkgAuthor;
+            const overrides = (_c = options.manifest) !== null && _c !== void 0 ? _c : {};
+            const finalDescription = (_d = overrides.description) !== null && _d !== void 0 ? _d : pkgDescription;
+            const finalAuthor = (_e = overrides.author) !== null && _e !== void 0 ? _e : pkgAuthor;
             if (!finalDescription) {
                 throw new Error('[sh3-artifact] Missing "description". Add it to package.json or pass it via sh3Artifact({ manifest: { description } }).');
             }

package/dist/createShell.d.ts

@@ -2,8 +2,6 @@ import type { Shard, App } from './index';
 export interface ShellConfig {
     /** Framework shard IDs to exclude (all included by default) */
     excludeShards?: string[];
-    /** Framework app IDs to exclude (all included by default) */
-    excludeApps?: string[];
     /** Additional shards to register */
     shards?: Shard[];
     /** Additional apps to register */
@@ -20,5 +18,7 @@ export interface ShellConfig {
     }>;
     /** Mount target — CSS selector or element (defaults to '#app') */
     target?: string | HTMLElement;
+    /** Server base URL ('' for same-origin) */
+    serverUrl?: string;
 }
 export declare function createShell(config?: ShellConfig): Promise<void>;

package/dist/createShell.js

@@ -3,20 +3,22 @@
  *
  * Consumers call this from their own main.ts instead of manually
  * importing registerShard / registerApp / bootstrap / Shell. The
- * factory handles platform detection, registration, bootstrap, and
- * mounting in the correct order.
+ * factory handles platform detection, boot config, auth gating,
+ * registration, bootstrap, and mounting in the correct order.
  */
-import { mount } from 'svelte';
+import { mount, unmount } from 'svelte';
 import { Shell } from './index';
 import { registerShard, registerApp, bootstrap, __setBackend, setLocalOwner, } from './host';
 import { resolvePlatform } from './platform/index';
 import { hydrateTokenOverrides } from './theme';
 import { __setEnvServerUrl } from './env/index';
+import { __setTenantId } from './documents/config';
+import { initFromBoot } from './auth/index';
+import SignInWall from './auth/SignInWall.svelte';
 export async function createShell(config) {
-    var _a, _b;
-    // 1. Platform detection — must run before bootstrap so state zones
-    //    hydrate from the right backend, and local-owner environments
-    //    auto-elevate to admin.
+    var _a, _b, _c;
+    const sUrl = (_a = config === null || config === void 0 ? void 0 : config.serverUrl) !== null && _a !== void 0 ? _a : '';
+    // 1. Platform detection
     const platform = await resolvePlatform();
     if (platform.backends) {
         __setBackend('workspace', platform.backends.workspace);
@@ -25,15 +27,52 @@ export async function createShell(config) {
     if (platform.localOwner) {
         setLocalOwner();
     }
-    // 1d. Default env state to same-origin. The server frontend overrides
-    //     this if it knows a specific URL, but this ensures env() works for
-    //     same-origin deployments without explicit configuration.
-    __setEnvServerUrl('');
-    // 1c. Apply persisted theme token overrides before any component mounts,
-    //     so the first frame renders with the user's chosen theme.
+    __setEnvServerUrl(sUrl);
     hydrateTokenOverrides();
-    // 1b. Load server-discovered packages (fetched by frontend from /api/packages).
-    if ((_a = config === null || config === void 0 ? void 0 : config.discoveredPackages) === null || _a === void 0 ? void 0 : _a.length) {
+    // 2. Resolve mount target early (needed for both sign-in wall and shell)
+    const target = typeof (config === null || config === void 0 ? void 0 : config.target) === 'string'
+        ? document.querySelector(config.target)
+        : (_b = config === null || config === void 0 ? void 0 : config.target) !== null && _b !== void 0 ? _b : document.getElementById('app');
+    if (!target) {
+        throw new Error('SH3: mount target not found');
+    }
+    // 3. Fetch boot config (skip for local-owner platforms like Tauri/dev)
+    let bootConfig = null;
+    if (!platform.localOwner) {
+        try {
+            const res = await fetch(`${sUrl}/api/boot`, { credentials: 'include' });
+            if (res.ok) {
+                bootConfig = await res.json();
+            }
+        }
+        catch (_d) {
+            // Server unreachable — boot without auth (offline mode)
+        }
+    }
+    // 4. Auth decision point
+    if (platform.localOwner) {
+        // Local-owner (Tauri/dev): no auth, no sign-in, tenant is 'local'.
+        // setLocalOwner() already called above — admin is assumed.
+        __setTenantId('local');
+    }
+    else if (bootConfig) {
+        initFromBoot(sUrl, bootConfig);
+        __setTenantId(bootConfig.tenantId);
+        const { auth, session } = bootConfig;
+        // Hard gate: no session, auth required, no guest allowed → sign-in wall
+        if (!session && auth.required && !auth.guestAllowed) {
+            await showSignInWall(target, sUrl, bootConfig);
+            // After successful sign-in, re-fetch boot config
+            const res = await fetch(`${sUrl}/api/boot`, { credentials: 'include' });
+            if (res.ok) {
+                bootConfig = await res.json();
+                initFromBoot(sUrl, bootConfig);
+                __setTenantId(bootConfig.tenantId);
+            }
+        }
+    }
+    // 5. Load server-discovered packages
+    if ((_c = config === null || config === void 0 ? void 0 : config.discoveredPackages) === null || _c === void 0 ? void 0 : _c.length) {
         const { loadBundleModule } = await import('./registry/loader');
         for (const pkg of config.discoveredPackages) {
             try {
@@ -55,33 +94,39 @@ export async function createShell(config) {
             }
         }
     }
-    // 2. Register consumer-provided shards and apps. These go in before
-    //    bootstrap() so they appear in registeredShards, but framework
-    //    shards activate first (insertion-order guarantee in bootstrap).
+    // 6. Register consumer-provided shards and apps
     if (config === null || config === void 0 ? void 0 : config.shards) {
-        for (const shard of config.shards) {
+        for (const shard of config.shards)
             registerShard(shard);
-        }
     }
     if (config === null || config === void 0 ? void 0 : config.apps) {
-        for (const app of config.apps) {
+        for (const app of config.apps)
             registerApp(app);
-        }
     }
-    // 3. Bootstrap — framework shards/apps registered internally,
-    //    filtered by the exclude lists.
+    // 7. Bootstrap
     const bootstrapConfig = {};
     if (config === null || config === void 0 ? void 0 : config.excludeShards)
         bootstrapConfig.excludeShards = config.excludeShards;
-    if (config === null || config === void 0 ? void 0 : config.excludeApps)
-        bootstrapConfig.excludeApps = config.excludeApps;
     await bootstrap(bootstrapConfig);
-    // 4. Mount the shell.
-    const target = typeof (config === null || config === void 0 ? void 0 : config.target) === 'string'
-        ? document.querySelector(config.target)
-        : (_b = config === null || config === void 0 ? void 0 : config.target) !== null && _b !== void 0 ? _b : document.getElementById('app');
-    if (!target) {
-        throw new Error('SH3: mount target not found');
-    }
+    // 8. Mount the shell
     mount(Shell, { target });
 }
+/**
+ * Show the sign-in wall and wait until the user authenticates.
+ * Returns a promise that resolves after successful login.
+ */
+function showSignInWall(target, serverUrl, bootConfig) {
+    return new Promise((resolve) => {
+        const instance = mount(SignInWall, {
+            target,
+            props: {
+                serverUrl,
+                selfRegistration: bootConfig.auth.selfRegistration,
+                onSuccess: () => {
+                    unmount(instance);
+                    resolve();
+                },
+            },
+        });
+    });
+}

package/dist/diagnostic/DiagnosticPromptModal.svelte

@@ -73,7 +73,7 @@
     background: var(--shell-accent-muted);
     color: var(--shell-fg);
     border: 1px solid var(--shell-border-strong);
-    border-radius: 3px;
+    border-radius: var(--shell-radius-sm);
     cursor: pointer;
   }
   button:hover { background: var(--shell-accent); }

package/dist/host-entry.d.ts

@@ -7,6 +7,7 @@ export { HttpDocumentBackend } from './documents/http-backend';
 export { __setEnvServerUrl } from './env/index';
 export { installPackage, uninstallPackage, listInstalledPackages, loadInstalledPackages, } from './registry/index';
 export type { InstalledPackage, InstallResult, PackageMeta } from './registry/types';
-export { initAuth, elevate, deescalate } from './auth/index';
+export { initFromBoot, login, logout, register, setLocalOwner as setLocalOwnerAuth } from './auth/index';
+export type { AuthUser, AuthSession, BootConfig, GlobalSettings } from './auth/types';
 export { createShell } from './createShell';
 export type { ShellConfig } from './createShell';

package/dist/host-entry.js

@@ -11,7 +11,7 @@ export { HttpDocumentBackend } from './documents/http-backend';
 export { __setEnvServerUrl } from './env/index';
 // Install API (host-only).
 export { installPackage, uninstallPackage, listInstalledPackages, loadInstalledPackages, } from './registry/index';
-// Admin mode (host-only — elevate/deescalate drive the shell UI, initAuth runs at boot).
-export { initAuth, elevate, deescalate } from './auth/index';
+// Auth (host-only — session lifecycle, boot initialization).
+export { initFromBoot, login, logout, register, setLocalOwner as setLocalOwnerAuth } from './auth/index';
 // Shell boot factory.
 export { createShell } from './createShell';

package/dist/host.d.ts

@@ -10,8 +10,6 @@ export { registerApp };
 export interface BootstrapConfig {
     /** Framework shard IDs to skip registration for */
     excludeShards?: string[];
-    /** Framework app IDs to skip registration for */
-    excludeApps?: string[];
 }
 export declare function bootstrap(config?: BootstrapConfig): Promise<void>;
 export { installPackage, listInstalledPackages } from './registry/installer';