sh3-core 0.6.0

package/dist/assets.d.ts

@@ -0,0 +1,13 @@
+// Ambient module declarations for static asset imports.
+// Vite resolves these to URL strings at bundle time; svelte-check/tsc
+// need a type declaration so that `import url from './foo.svg'` typechecks.
+
+declare module '*.svg' {
+  const url: string;
+  export default url;
+}
+
+declare module '*.png' {
+  const url: string;
+  export default url;
+}

package/dist/auth/GuestBanner.svelte

@@ -0,0 +1,134 @@
+<script lang="ts">
+  /**
+   * GuestBanner — persistent bar shown when browsing as guest.
+   * Clicking "Sign in" opens a modal-like overlay with the sign-in form.
+   */
+
+  import { isGuest, login } from './index';
+
+  let showSignIn = $state(false);
+  let username = $state('');
+  let password = $state('');
+  let error = $state<string | null>(null);
+  let loading = $state(false);
+
+  async function handleLogin() {
+    if (!username.trim() || !password.trim() || loading) return;
+    loading = true;
+    error = null;
+    const result = await login(username.trim(), password.trim());
+    loading = false;
+    if (result.ok) {
+      showSignIn = false;
+    } else {
+      error = result.error;
+    }
+  }
+</script>
+
+<div class="guest-banner-slot">
+{#if isGuest()}
+  <div class="guest-banner">
+    <span class="guest-banner-text">Browsing as guest. Sign in to save your work.</span>
+    <button type="button" class="guest-banner-action" onclick={() => { showSignIn = true; }}>
+      Sign in
+    </button>
+  </div>
+
+  {#if showSignIn}
+    <div class="guest-signin-overlay" role="dialog">
+      <div class="guest-signin-card">
+        <form class="guest-signin-form" onsubmit={(e) => { e.preventDefault(); handleLogin(); }}>
+          <input class="guest-signin-input" type="text" placeholder="Username" bind:value={username} disabled={loading} autocomplete="username" />
+          <input class="guest-signin-input" type="password" placeholder="Password" bind:value={password} disabled={loading} autocomplete="current-password" />
+          <div class="guest-signin-actions">
+            <button type="submit" class="guest-signin-btn" disabled={loading || !username.trim() || !password.trim()}>
+              {loading ? 'Signing in...' : 'Sign in'}
+            </button>
+            <button type="button" class="guest-signin-cancel" onclick={() => { showSignIn = false; error = null; }}>
+              Cancel
+            </button>
+          </div>
+        </form>
+        {#if error}
+          <div class="guest-signin-error">{error}</div>
+        {/if}
+      </div>
+    </div>
+  {/if}
+{/if}
+</div>
+
+<style>
+  .guest-banner {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    gap: 12px;
+    padding: 6px var(--shell-pad-md, 12px);
+    background: color-mix(in srgb, var(--shell-accent, #7c7cf0) 15%, transparent);
+    border-bottom: 1px solid var(--shell-border, #3a3a5c);
+    font-size: 12px;
+    color: var(--shell-fg, #e0e0e0);
+  }
+  .guest-banner-action {
+    padding: 3px 10px;
+    color: var(--shell-bg, #1a1a2e);
+    font-size: 11px;
+    font-weight: 600;
+  }
+  .guest-signin-overlay {
+    position: fixed;
+    inset: 0;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: rgba(0, 0, 0, 0.5);
+    z-index: 9999;
+  }
+  .guest-signin-card {
+    display: flex;
+    flex-direction: column;
+    gap: 12px;
+    padding: 32px;
+    background: var(--shell-bg-elevated, #252540);
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius-lg, 12px);
+    min-width: 300px;
+  }
+  .guest-signin-form {
+    display: flex;
+    flex-direction: column;
+    gap: 10px;
+  }
+  .guest-signin-input {
+    padding: 8px 12px;
+    background: var(--shell-bg, #1a1a2e);
+    color: var(--shell-fg, #e0e0e0);
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius, 6px);
+    font-size: 13px;
+  }
+  .guest-signin-input::placeholder { color: var(--shell-fg-muted, #888); }
+  .guest-signin-actions { display: flex; gap: 8px; }
+  .guest-signin-btn {
+    flex: 1;
+    padding: 8px;
+    color: var(--shell-bg, #1a1a2e);
+    font-weight: 600;
+  }
+  .guest-signin-btn:disabled { opacity: 0.6; cursor: not-allowed; }
+  .guest-signin-cancel {
+    padding: 8px 12px;
+    background: transparent;
+    color: var(--shell-fg-subtle, #aaa);
+    border: 1px solid var(--shell-border, #3a3a5c);
+  }
+  .guest-signin-error {
+    padding: 6px 10px;
+    font-size: 12px;
+    color: var(--shell-error, #d32f2f);
+    background: color-mix(in srgb, var(--shell-error, #d32f2f) 10%, transparent);
+    border-radius: var(--shell-radius, 6px);
+  }
+</style>

package/dist/auth/GuestBanner.svelte.d.ts

@@ -0,0 +1,3 @@
+declare const GuestBanner: import("svelte").Component<Record<string, never>, {}, "">;
+type GuestBanner = ReturnType<typeof GuestBanner>;
+export default GuestBanner;

package/dist/auth/SignInWall.svelte

@@ -0,0 +1,203 @@
+<script lang="ts">
+  /**
+   * SignInWall — standalone sign-in screen shown before shell boots.
+   * Mounted directly to the target element by createShell().
+   */
+
+  import { login, register } from './index';
+
+  interface Props {
+    selfRegistration: boolean;
+    onSuccess: () => void;
+  }
+
+  let { selfRegistration, onSuccess }: Props = $props();
+
+  let mode = $state<'login' | 'register'>('login');
+  let username = $state('');
+  let password = $state('');
+  let displayName = $state('');
+  let error = $state<string | null>(null);
+  let loading = $state(false);
+
+  async function handleLogin() {
+    if (!username.trim() || !password.trim() || loading) return;
+    loading = true;
+    error = null;
+    const result = await login(username.trim(), password.trim());
+    loading = false;
+    if (result.ok) {
+      onSuccess();
+    } else {
+      error = result.error;
+    }
+  }
+
+  async function handleRegister() {
+    if (!username.trim() || !password.trim() || loading) return;
+    loading = true;
+    error = null;
+    const result = await register(
+      username.trim(),
+      password.trim(),
+      displayName.trim() || undefined,
+    );
+    loading = false;
+    if (result.ok) {
+      onSuccess();
+    } else {
+      error = result.error;
+    }
+  }
+
+  function switchMode(m: 'login' | 'register') {
+    mode = m;
+    error = null;
+  }
+</script>
+
+<div class="signin-wall">
+  <div class="signin-card">
+    <h1 class="signin-brand">SH3</h1>
+
+    {#if mode === 'login'}
+      <form class="signin-form" onsubmit={(e) => { e.preventDefault(); handleLogin(); }}>
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Username"
+          bind:value={username}
+          disabled={loading}
+          autocomplete="username"
+        />
+        <input
+          class="signin-input"
+          type="password"
+          placeholder="Password"
+          bind:value={password}
+          disabled={loading}
+          autocomplete="current-password"
+        />
+        <button type="submit" class="signin-btn" disabled={loading || !username.trim() || !password.trim()}>
+          {loading ? 'Signing in...' : 'Sign in'}
+        </button>
+      </form>
+      {#if selfRegistration}
+        <button type="button" class="signin-link" onclick={() => switchMode('register')}>
+          Create an account
+        </button>
+      {/if}
+    {:else}
+      <form class="signin-form" onsubmit={(e) => { e.preventDefault(); handleRegister(); }}>
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Username"
+          bind:value={username}
+          disabled={loading}
+          autocomplete="username"
+        />
+        <input
+          class="signin-input"
+          type="text"
+          placeholder="Display name (optional)"
+          bind:value={displayName}
+          disabled={loading}
+        />
+        <input
+          class="signin-input"
+          type="password"
+          placeholder="Password"
+          bind:value={password}
+          disabled={loading}
+          autocomplete="new-password"
+        />
+        <button type="submit" class="signin-btn" disabled={loading || !username.trim() || !password.trim()}>
+          {loading ? 'Creating...' : 'Create account'}
+        </button>
+      </form>
+      <button type="button" class="signin-link" onclick={() => switchMode('login')}>
+        Back to sign in
+      </button>
+    {/if}
+
+    {#if error}
+      <div class="signin-error">{error}</div>
+    {/if}
+  </div>
+</div>
+
+<style>
+  .signin-wall {
+    position: absolute;
+    inset: 0;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: var(--shell-grad-bg, var(--shell-bg, #1a1a2e));
+    color: var(--shell-fg, #e0e0e0);
+    font-family: system-ui, sans-serif;
+  }
+  .signin-card {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 16px;
+    padding: 48px 40px;
+    background: var(--shell-grad-bg-elevated, var(--shell-bg-elevated, #252540));
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius-lg, 12px);
+    min-width: 320px;
+  }
+  .signin-brand {
+    margin: 0 0 8px;
+    font-size: 42px;
+    color: var(--shell-accent, #7c7cf0);
+    letter-spacing: 2px;
+  }
+  .signin-form {
+    display: flex;
+    flex-direction: column;
+    gap: 12px;
+    width: 100%;
+  }
+  .signin-input {
+    padding: 10px 14px;
+    background: var(--shell-bg, #1a1a2e);
+    color: var(--shell-fg, #e0e0e0);
+    border: 1px solid var(--shell-border, #3a3a5c);
+    border-radius: var(--shell-radius, 6px);
+    font-size: 14px;
+  }
+  .signin-input::placeholder {
+    color: var(--shell-fg-muted, #888);
+  }
+  .signin-btn {
+    padding: 10px 16px;
+    color: var(--shell-bg, #1a1a2e);
+    font-weight: 600;
+    font-size: 14px;
+  }
+  .signin-btn:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+  }
+  .signin-link {
+    background: none;
+    color: var(--shell-accent, #7c7cf0);
+    font-size: 13px;
+    padding: 0;
+  }
+  .signin-link:hover {
+    text-decoration: underline;
+  }
+  .signin-error {
+    padding: 8px 12px;
+    font-size: 13px;
+    color: var(--shell-error, #d32f2f);
+    background: color-mix(in srgb, var(--shell-error, #d32f2f) 10%, transparent);
+    border-radius: var(--shell-radius, 6px);
+    width: 100%;
+    text-align: center;
+  }
+</style>

package/dist/auth/SignInWall.svelte.d.ts

@@ -0,0 +1,7 @@
+interface Props {
+    selfRegistration: boolean;
+    onSuccess: () => void;
+}
+declare const SignInWall: import("svelte").Component<Props, {}, "">;
+type SignInWall = ReturnType<typeof SignInWall>;
+export default SignInWall;

package/dist/auth/auth.svelte.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Client-side auth — session-based identity for SH3.
+ *
+ * The boot flow (createShell) calls initFromBoot() with the server's
+ * boot config. After that, login/logout call the server and update
+ * the reactive state. isAdmin/isGuest/isAuthenticated are reactive
+ * getters consumed by shell components.
+ *
+ * .svelte.ts because it uses $state for reactive auth status.
+ */
+import type { AuthUser, AuthSession, BootConfig } from './types';
+/**
+ * Initialize auth from boot config. Called once by createShell()
+ * after fetching /api/boot.
+ */
+export declare function initFromBoot(url: string, config: BootConfig): void;
+/**
+ * Log in with username + password. On success, updates reactive state.
+ * Returns { ok: true } or { ok: false, error: string }.
+ */
+export declare function login(username: string, password: string): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    error: string;
+}>;
+/**
+ * Register a new account (when self-registration is enabled).
+ * On success, auto-logs in and updates reactive state.
+ */
+export declare function register(username: string, password: string, displayName?: string): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    error: string;
+}>;
+/**
+ * Log out — clear session on server and client.
+ *
+ * If the boot policy forbids guest browsing (auth.required &&
+ * !auth.guestAllowed), trigger a full page reload so the boot-time
+ * hard gate in createShell.ts re-runs and shows the sign-in wall.
+ * This keeps the policy authoritative in a single place rather than
+ * duplicating it here.
+ */
+export declare function logout(): Promise<void>;
+/**
+ * Mark this session as local-owner — auto-elevate to admin without
+ * server verification. Called by the host in Tauri / dev environments.
+ */
+export declare function setLocalOwner(): void;
+/** Reactive — true when running as local owner (Tauri / dev). */
+export declare function isLocalOwner(): boolean;
+/** Reactive — true when the user has admin role. */
+export declare function isAdmin(): boolean;
+/** Reactive — true when the user has a valid session. */
+export declare function isAuthenticated(): boolean;
+/** Reactive — true when browsing without a session. */
+export declare function isGuest(): boolean;
+/** Get the current user (reactive). */
+export declare function getUser(): AuthUser | null;
+/** Get the current session (reactive). */
+export declare function getSession(): AuthSession | null;
+/**
+ * Build an Authorization header value for authenticated fetch calls
+ * that need explicit headers (e.g. non-cookie contexts).
+ * Returns null if not authenticated.
+ */
+export declare function getAuthHeader(): string | null;

package/dist/auth/auth.svelte.js

@@ -0,0 +1,165 @@
+/**
+ * Client-side auth — session-based identity for SH3.
+ *
+ * The boot flow (createShell) calls initFromBoot() with the server's
+ * boot config. After that, login/logout call the server and update
+ * the reactive state. isAdmin/isGuest/isAuthenticated are reactive
+ * getters consumed by shell components.
+ *
+ * .svelte.ts because it uses $state for reactive auth status.
+ */
+/** Reactive auth state. */
+let currentUser = $state(null);
+let currentSession = $state(null);
+let guest = $state(false);
+/** Server base URL, set during boot. */
+let serverUrl = '';
+/** Boot auth policy, captured at initFromBoot. Used by logout() to
+ *  decide whether a post-logout reload is required to re-run the
+ *  boot-time hard gate. Non-reactive — no consumer observes this. */
+let authConfig = null;
+/**
+ * Initialize auth from boot config. Called once by createShell()
+ * after fetching /api/boot.
+ */
+export function initFromBoot(url, config) {
+    serverUrl = url;
+    authConfig = config.auth;
+    currentUser = config.user;
+    currentSession = config.session;
+    guest = !config.session && !config.user;
+}
+/**
+ * Log in with username + password. On success, updates reactive state.
+ * Returns { ok: true } or { ok: false, error: string }.
+ */
+export async function login(username, password) {
+    try {
+        const res = await fetch(`${serverUrl}/api/auth/login`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password }),
+        });
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Login failed' };
+        }
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
+    }
+    catch (_a) {
+        return { ok: false, error: 'Network error' };
+    }
+}
+/**
+ * Register a new account (when self-registration is enabled).
+ * On success, auto-logs in and updates reactive state.
+ */
+export async function register(username, password, displayName) {
+    try {
+        const res = await fetch(`${serverUrl}/api/auth/register`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            credentials: 'include',
+            body: JSON.stringify({ username, password, displayName }),
+        });
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            return { ok: false, error: body.error || 'Registration failed' };
+        }
+        const body = await res.json();
+        currentUser = body.user;
+        currentSession = body.session;
+        guest = false;
+        return { ok: true };
+    }
+    catch (_a) {
+        return { ok: false, error: 'Network error' };
+    }
+}
+/**
+ * Log out — clear session on server and client.
+ *
+ * If the boot policy forbids guest browsing (auth.required &&
+ * !auth.guestAllowed), trigger a full page reload so the boot-time
+ * hard gate in createShell.ts re-runs and shows the sign-in wall.
+ * This keeps the policy authoritative in a single place rather than
+ * duplicating it here.
+ */
+export async function logout() {
+    try {
+        await fetch(`${serverUrl}/api/auth/logout`, {
+            method: 'POST',
+            credentials: 'include',
+        });
+    }
+    catch (_a) {
+        // Best effort
+    }
+    if ((authConfig === null || authConfig === void 0 ? void 0 : authConfig.required) && !authConfig.guestAllowed) {
+        // Policy forbids guest browsing — re-run the boot-time hard gate.
+        // Do not touch reactive state: the page is leaving.
+        window.location.reload();
+        return;
+    }
+    currentUser = null;
+    currentSession = null;
+    guest = true;
+}
+/**
+ * Mark this session as local-owner — auto-elevate to admin without
+ * server verification. Called by the host in Tauri / dev environments.
+ */
+export function setLocalOwner() {
+    currentUser = {
+        id: 'local',
+        username: 'local',
+        displayName: 'Local Owner',
+        role: 'admin',
+        createdAt: '',
+        updatedAt: '',
+    };
+    currentSession = {
+        token: 'local',
+        userId: 'local',
+        role: 'admin',
+        expiresAt: Infinity,
+    };
+    guest = false;
+}
+/** Reactive — true when running as local owner (Tauri / dev). */
+export function isLocalOwner() {
+    return (currentSession === null || currentSession === void 0 ? void 0 : currentSession.token) === 'local';
+}
+/** Reactive — true when the user has admin role. */
+export function isAdmin() {
+    return (currentSession === null || currentSession === void 0 ? void 0 : currentSession.role) === 'admin';
+}
+/** Reactive — true when the user has a valid session. */
+export function isAuthenticated() {
+    return currentSession !== null;
+}
+/** Reactive — true when browsing without a session. */
+export function isGuest() {
+    return guest;
+}
+/** Get the current user (reactive). */
+export function getUser() {
+    return currentUser;
+}
+/** Get the current session (reactive). */
+export function getSession() {
+    return currentSession;
+}
+/**
+ * Build an Authorization header value for authenticated fetch calls
+ * that need explicit headers (e.g. non-cookie contexts).
+ * Returns null if not authenticated.
+ */
+export function getAuthHeader() {
+    return currentSession ? `Bearer ${currentSession.token}` : null;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,2 @@
+export { initFromBoot, login, logout, register, isAdmin, isLocalOwner, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';
+export type { AuthUser, AuthSession, BootConfig, GlobalSettings } from './types';

package/dist/auth/index.js

@@ -0,0 +1 @@
+export { initFromBoot, login, logout, register, isAdmin, isLocalOwner, isAuthenticated, isGuest, getUser, getSession, getAuthHeader, setLocalOwner, } from './auth.svelte';

package/dist/auth/types.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+/** Public user shape (never includes passwordHash). */
+export interface AuthUser {
+    id: string;
+    username: string;
+    displayName: string;
+    role: 'admin' | 'user';
+    createdAt: string;
+    updatedAt: string;
+}
+/** Session shape returned to the client. */
+export interface AuthSession {
+    token: string;
+    userId: string;
+    role: 'admin' | 'user';
+    expiresAt: number;
+}
+/** Response from GET /api/boot. */
+export interface BootConfig {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        selfRegistration: boolean;
+    };
+    user: AuthUser | null;
+    session: AuthSession | null;
+    tenantId: string;
+}
+/** Global settings shape. */
+export interface GlobalSettings {
+    auth: {
+        required: boolean;
+        guestAllowed: boolean;
+        sessionTTL: number;
+        selfRegistration: boolean;
+    };
+}

package/dist/auth/types.js

@@ -0,0 +1,6 @@
+/**
+ * Shared auth types — used by both client and server.
+ * Kept in sh3-core so the server can import them at build time
+ * and the client uses them directly.
+ */
+export {};