sh3-core 0.5.4 → 0.5.5

package/dist/auth/SignInWall.svelte

@@ -0,0 +1,213 @@
+<script lang="ts">
+  /**
+   * SignInWall — standalone sign-in screen shown before shell boots.
+   * Mounted directly to the target element by createShell().
+   */
+
+  import { login, register } from './index';
+
+  interface Props {
+    serverUrl: string;
+    selfRegistration: boolean;
+    onSuccess: () => void;
+  }
+
+  let { serverUrl, selfRegistration, onSuccess }: Props = $props();
+
+  let mode = $state<'login' | 'register'>('login');
+  let username = $state('');
+  let password = $state('');
+  let displayName = $state('');
+  let error = $state<string | null>(null);
+  let loading = $state(false);
+
+  async function handleLogin() {
+    if (!username.trim() || !password.trim() || loading) return;
+    loading = true;
+    error = null;
+    const result = await login(username.trim(), password.trim());
+    loading = false;
+    if (result.ok) {
+      onSuccess();
+    } else {
+      error = result.error;
+    }
+  }
+
+  async function handleRegister() {
+    if (!username.trim() || !password.trim() || loading) return;
+    loading = true;
+    error = null;
+    const result = await register(
+      username.trim(),
+      password.trim(),
+      displayName.trim() || undefined,
+    );
+    loading = false;
+    if (result.ok) {
+      onSuccess();
+    } else {
+      error = result.error;
+    }
+  }
+
+  function switchMode(m: 'login' | 'register') {
+    mode = m;
+    error = null;
+  }
+</script>
+
+<div class="signin-wall">
+  <div class="signin-card">
+    <h1 class="signin-brand">SH3</h1>
+
+    {#if mode === 'login'}
+      <form class="signin-form" onsubmit={(e) => { e.preventDefault(); handleLogin(); }}>
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Username"
+          bind:value={username}
+          disabled={loading}
+          autocomplete="username"
+        />
+        <input
+          class="signin-input"
+          type="password"
+          placeholder="Password"
+          bind:value={password}
+          disabled={loading}
+          autocomplete="current-password"
+        />
+        <button type="submit" class="signin-btn" disabled={loading || !username.trim() || !password.trim()}>
+          {loading ? 'Signing in...' : 'Sign in'}
+        </button>
+      </form>
+      {#if selfRegistration}
+        <button type="button" class="signin-link" onclick={() => switchMode('register')}>
+          Create an account
+        </button>
+      {/if}
+    {:else}
+      <form class="signin-form" onsubmit={(e) => { e.preventDefault(); handleRegister(); }}>
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Username"
+          bind:value={username}
+          disabled={loading}
+          autocomplete="username"
+        />
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Display name (optional)"
+          bind:value={displayName}
+          disabled={loading}
+        />
+        <input
+          class="signin-input"
+          type="password"
+          placeholder="Password"
+          bind:value={password}
+          disabled={loading}
+          autocomplete="new-password"
+        />
+        <button type="submit" class="signin-btn" disabled={loading || !username.trim() || !password.trim()}>
+          {loading ? 'Creating...' : 'Create account'}
+        </button>
+      </form>
+      <button type="button" class="signin-link" onclick={() => switchMode('login')}>
+        Back to sign in
+      </button>
+    {/if}
+
+    {#if error}
+      <div class="signin-error">{error}</div>
+    {/if}
+  </div>
+</div>
+
+<style>
+  .signin-wall {
+    position: absolute;
+    inset: 0;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: var(--shell-grad-bg, var(--shell-bg, #1a1a2e));
+    color: var(--shell-fg, #e0e0e0);
+    font-family: system-ui, sans-serif;
+  }
+  .signin-card {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 16px;
+    padding: 48px 40px;
+    background: var(--shell-grad-bg-elevated, var(--shell-bg-elevated, #252540));
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius-lg, 12px);
+    min-width: 320px;
+  }
+  .signin-brand {
+    margin: 0 0 8px;
+    font-size: 42px;
+    color: var(--shell-accent, #7c7cf0);
+    letter-spacing: 2px;
+  }
+  .signin-form {
+    display: flex;
+    flex-direction: column;
+    gap: 12px;
+    width: 100%;
+  }
+  .signin-input {
+    padding: 10px 14px;
+    background: var(--shell-bg, #1a1a2e);
+    color: var(--shell-fg, #e0e0e0);
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius, 6px);
+    font-size: 14px;
+  }
+  .signin-input::placeholder {
+    color: var(--shell-fg-muted, #888);
+  }
+  .signin-btn {
+    padding: 10px 16px;
+    background: var(--shell-accent, #7c7cf0);
+    color: var(--shell-bg, #1a1a2e);
+    border: none;
+    border-radius: var(--shell-radius, 6px);
+    font-weight: 600;
+    font-size: 14px;
+    cursor: pointer;
+  }
+  .signin-btn:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+  }
+  .signin-btn:hover:not(:disabled) {
+    filter: brightness(1.1);
+  }
+  .signin-link {
+    background: none;
+    border: none;
+    color: var(--shell-accent, #7c7cf0);
+    cursor: pointer;
+    font-size: 13px;
+    padding: 0;
+  }
+  .signin-link:hover {
+    text-decoration: underline;
+  }
+  .signin-error {
+    padding: 8px 12px;
+    font-size: 13px;
+    color: var(--shell-error, #d32f2f);
+    background: color-mix(in srgb, var(--shell-error, #d32f2f) 10%, transparent);
+    border-radius: var(--shell-radius, 6px);
+    width: 100%;
+    text-align: center;
+  }
+</style>

package/dist/auth/SignInWall.svelte.d.ts

@@ -0,0 +1,8 @@
+interface Props {
+    serverUrl: string;
+    selfRegistration: boolean;
+    onSuccess: () => void;
+}
+declare const SignInWall: import("svelte").Component<Props, {}, "">;
+type SignInWall = ReturnType<typeof SignInWall>;
+export default SignInWall;

package/dist/auth/auth.svelte.d.ts

@@ -1,50 +1,61 @@
 /**
- * Client-side admin mode — API key elevation for SH3.
+ * Client-side auth — session-based identity for SH3.
  *
- * Stores the key in the user state zone so it persists across sessions.
- * Provides reactive `isAdmin` for gating admin apps. The key is verified
- * against the server on elevation and on boot (via initAuth).
+ * The boot flow (createShell) calls initFromBoot() with the server's
+ * boot config. After that, login/logout call the server and update
+ * the reactive state. isAdmin/isGuest/isAuthenticated are reactive
+ * getters consumed by shell components.
  *
- * Boot-time verification uses a short timeout and fails open — the shell
- * remains usable without admin access when the server is slow or offline.
- *
- * OS analogy: sudo / elevated permissions, not web login.
- *
- * .svelte.ts because it uses $state for reactive admin status.
+ * .svelte.ts because it uses $state for reactive auth status.
  */
+import type { AuthUser, AuthSession, BootConfig } from './types';
 /**
- * Initialize auth at boot. Call once from bootstrap().
- *
- * If a key is stored from a previous session, verifies it against the
- * server with a 3-second timeout. If verification fails (key revoked,
- * server down, timeout), the shell boots without admin access — the
- * stored key is cleared only on explicit rejection (401), not on
- * network failure (so a temporary outage doesn't force re-entry).
- *
- * @param url - Server base URL ('' for same-origin).
+ * Initialize auth from boot config. Called once by createShell()
+ * after fetching /api/boot.
  */
-export declare function initAuth(url?: string): Promise<void>;
+export declare function initFromBoot(url: string, config: BootConfig): void;
 /**
- * Elevate to admin mode with an API key. Verifies against the server
- * before storing. Returns true on success, false if the key is invalid.
+ * Log in with username + password. On success, updates reactive state.
+ * Returns { ok: true } or { ok: false, error: string }.
  */
-export declare function elevate(key: string): Promise<boolean>;
+export declare function login(username: string, password: string): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    error: string;
+}>;
 /**
- * De-escalate from admin mode — clear the stored key and drop elevation.
+ * Register a new account (when self-registration is enabled).
+ * On success, auto-logs in and updates reactive state.
  */
-export declare function deescalate(): void;
+export declare function register(username: string, password: string, displayName?: string): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    error: string;
+}>;
 /**
- * Reactive getter — true when the user has elevated to admin mode.
+ * Log out — clear session on server and client.
  */
-export declare function isAdmin(): boolean;
+export declare function logout(): Promise<void>;
 /**
  * Mark this session as local-owner — auto-elevate to admin without
- * key verification. Called by the host in Tauri / dev environments
- * where the user owns the machine. Idempotent.
+ * server verification. Called by the host in Tauri / dev environments.
  */
 export declare function setLocalOwner(): void;
+/** Reactive — true when the user has admin role. */
+export declare function isAdmin(): boolean;
+/** Reactive — true when the user has a valid session. */
+export declare function isAuthenticated(): boolean;
+/** Reactive — true when browsing without a session. */
+export declare function isGuest(): boolean;
+/** Get the current user (reactive). */
+export declare function getUser(): AuthUser | null;
+/** Get the current session (reactive). */
+export declare function getSession(): AuthSession | null;
 /**
- * Build an Authorization header value for authenticated fetch calls.
- * Returns null if not elevated.
+ * Build an Authorization header value for authenticated fetch calls
+ * that need explicit headers (e.g. non-cookie contexts).
+ * Returns null if not authenticated.
  */
 export declare function getAuthHeader(): string | null;

package/dist/auth/auth.svelte.js

@@ -1,127 +1,144 @@
 /**
- * Client-side admin mode — API key elevation for SH3.
+ * Client-side auth — session-based identity for SH3.
  *
- * Stores the key in the user state zone so it persists across sessions.
- * Provides reactive `isAdmin` for gating admin apps. The key is verified
- * against the server on elevation and on boot (via initAuth).
+ * The boot flow (createShell) calls initFromBoot() with the server's
+ * boot config. After that, login/logout call the server and update
+ * the reactive state. isAdmin/isGuest/isAuthenticated are reactive
+ * getters consumed by shell components.
  *
- * Boot-time verification uses a short timeout and fails open — the shell
- * remains usable without admin access when the server is slow or offline.
- *
- * OS analogy: sudo / elevated permissions, not web login.
- *
- * .svelte.ts because it uses $state for reactive admin status.
+ * .svelte.ts because it uses $state for reactive auth status.
  */
-import { createStateZones } from '../state/zones.svelte';
-const state = createStateZones('__shell__:auth', {
-    user: { apiKey: null },
-});
-/** Reactive admin status. */
-let admin = $state(false);
-/** Server base URL, set once during initAuth. */
+/** Reactive auth state. */
+let currentUser = $state(null);
+let currentSession = $state(null);
+let guest = $state(false);
+/** Server base URL, set during boot. */
 let serverUrl = '';
 /**
- * Verify a key against the server. Returns true if valid.
- * Accepts an optional AbortSignal for timeout control.
+ * Initialize auth from boot config. Called once by createShell()
+ * after fetching /api/boot.
  */
-async function verifyKey(key, signal) {
+export function initFromBoot(url, config) {
+    serverUrl = url;
+    currentUser = config.user;
+    currentSession = config.session;
+    guest = !config.session && !config.user;
+}
+/**
+ * Log in with username + password. On success, updates reactive state.
+ * Returns { ok: true } or { ok: false, error: string }.
+ */
+export async function login(username, password) {
     try {
-        const response = await fetch(`${serverUrl}/api/auth/verify`, {
+        const res = await fetch(`${serverUrl}/api/auth/login`, {
             method: 'POST',
-            headers: { Authorization: `Bearer ${key}` },
-            signal,
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password }),
         });
-        if (!response.ok)
-            return false;
-        const body = await response.json();
-        return body.valid === true;
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Login failed' };
+        }
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
     }
     catch (_a) {
-        return false;
+        return { ok: false, error: 'Network error' };
     }
 }
 /**
- * Initialize auth at boot. Call once from bootstrap().
- *
- * If a key is stored from a previous session, verifies it against the
- * server with a 3-second timeout. If verification fails (key revoked,
- * server down, timeout), the shell boots without admin access — the
- * stored key is cleared only on explicit rejection (401), not on
- * network failure (so a temporary outage doesn't force re-entry).
- *
- * @param url - Server base URL ('' for same-origin).
+ * Register a new account (when self-registration is enabled).
+ * On success, auto-logs in and updates reactive state.
  */
-export async function initAuth(url = '') {
-    serverUrl = url;
-    const stored = state.user.apiKey;
-    if (!stored)
-        return;
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), 3000);
+export async function register(username, password, displayName) {
     try {
-        const response = await fetch(`${serverUrl}/api/auth/verify`, {
+        const res = await fetch(`${serverUrl}/api/auth/register`, {
             method: 'POST',
-            headers: { Authorization: `Bearer ${stored}` },
-            signal: controller.signal,
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password, displayName }),
         });
-        clearTimeout(timeout);
-        if (response.ok) {
-            const body = await response.json();
-            if (body.valid === true) {
-                admin = true;
-                return;
-            }
-        }
-        // Server explicitly rejected the key — clear it.
-        if (response.status === 401 || response.status === 403) {
-            state.user.apiKey = null;
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Registration failed' };
         }
-        // Other errors (5xx, etc.): keep the key, boot unelevated.
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
     }
     catch (_a) {
-        clearTimeout(timeout);
-        // Network error or timeout: keep the key, boot unelevated.
-        // User can re-elevate manually once connectivity returns.
+        return { ok: false, error: 'Network error' };
     }
 }
 /**
- * Elevate to admin mode with an API key. Verifies against the server
- * before storing. Returns true on success, false if the key is invalid.
+ * Log out — clear session on server and client.
  */
-export async function elevate(key) {
-    const valid = await verifyKey(key);
-    if (valid) {
-        state.user.apiKey = key;
-        admin = true;
+export async function logout() {
+    try {
+        await fetch(`${serverUrl}/api/auth/logout`, {
+            method: 'POST',
+            credentials: 'include',
+        });
     }
-    return valid;
+    catch (_a) {
+        // Best effort
+    }
+    currentUser = null;
+    currentSession = null;
+    guest = true;
 }
 /**
- * De-escalate from admin mode — clear the stored key and drop elevation.
+ * Mark this session as local-owner — auto-elevate to admin without
+ * server verification. Called by the host in Tauri / dev environments.
  */
-export function deescalate() {
-    state.user.apiKey = null;
-    admin = false;
+export function setLocalOwner() {
+    currentUser = {
+        id: 'local',
+        username: 'local',
+        displayName: 'Local Owner',
+        role: 'admin',
+        createdAt: '',
+        updatedAt: '',
+    };
+    currentSession = {
+        token: 'local',
+        userId: 'local',
+        role: 'admin',
+        expiresAt: Infinity,
+    };
+    guest = false;
 }
-/**
- * Reactive getter — true when the user has elevated to admin mode.
- */
+/** Reactive — true when the user has admin role. */
 export function isAdmin() {
-    return admin;
+    return (currentSession === null || currentSession === void 0 ? void 0 : currentSession.role) === 'admin';
 }
-/**
- * Mark this session as local-owner — auto-elevate to admin without
- * key verification. Called by the host in Tauri / dev environments
- * where the user owns the machine. Idempotent.
- */
-export function setLocalOwner() {
-    admin = true;
+/** Reactive — true when the user has a valid session. */
+export function isAuthenticated() {
+    return currentSession !== null;
+}
+/** Reactive — true when browsing without a session. */
+export function isGuest() {
+    return guest;
+}
+/** Get the current user (reactive). */
+export function getUser() {
+    return currentUser;
+}
+/** Get the current session (reactive). */
+export function getSession() {
+    return currentSession;
 }
 /**
- * Build an Authorization header value for authenticated fetch calls.
- * Returns null if not elevated.
+ * Build an Authorization header value for authenticated fetch calls
+ * that need explicit headers (e.g. non-cookie contexts).
+ * Returns null if not authenticated.
  */
 export function getAuthHeader() {
-    const key = state.user.apiKey;
-    return key ? `Bearer ${key}` : null;
+    return currentSession ? `Bearer ${currentSession.token}` : null;
 }

package/dist/auth/index.d.ts

@@ -1 +1,2 @@
-export { initAuth, elevate, deescalate, isAdmin, getAuthHeader, setLocalOwner } from './auth.svelte';
+export { initFromBoot, login, logout, register, isAdmin, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';
+export type { AuthUser, AuthSession, BootConfig, GlobalSettings } from './types';

package/dist/auth/index.js

@@ -1 +1 @@
-export { initAuth, elevate, deescalate, isAdmin, getAuthHeader, setLocalOwner } from './auth.svelte';
+export { initFromBoot, login, logout, register, isAdmin, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';

package/dist/auth/types.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+/** Public user shape (never includes passwordHash). */
+export interface AuthUser {
+    id: string;
+    username: string;
+    displayName: string;
+    role: 'admin' | 'user';
+    createdAt: string;
+    updatedAt: string;
+}
+/** Session shape returned to the client. */
+export interface AuthSession {
+    token: string;
+    userId: string;
+    role: 'admin' | 'user';
+    expiresAt: number;
+}
+/** Response from GET /api/boot. */
+export interface BootConfig {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        selfRegistration: boolean;
+    };
+    user: AuthUser | null;
+    session: AuthSession | null;
+    tenantId: string;
+}
+/** Global settings shape. */
+export interface GlobalSettings {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        sessionTTL: number;
+        selfRegistration: boolean;
+    };
+}

package/dist/auth/types.js

@@ -0,0 +1,6 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+export {};