t3code-cli 0.2.0 → 0.4.0

package/dist/src/runtime.d.ts

@@ -0,0 +1,3 @@
+import * as Layer from "effect/Layer";
+export declare const AuthAppLayer: Layer.Layer<import("./config/service.ts").T3Config | import("./auth/service.ts").T3Auth, never, import("./environment/service.ts").Environment | import("effect/Path").Path | import("effect/FileSystem").FileSystem | import("effect/Crypto").Crypto>;
+export declare const AppLayer: Layer.Layer<import("./index.ts").T3Application | import("./config/service.ts").T3Config | import("./auth/service.ts").T3Auth | import("./orchestration/service.ts").T3Orchestration | import("./rpc/service.ts").T3Rpc, never, import("./environment/service.ts").Environment | import("effect/Path").Path | import("effect/FileSystem").FileSystem | import("effect/Crypto").Crypto>;

package/dist/src/sql/node-sqlite-client.d.ts

@@ -0,0 +1,10 @@
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import * as Scope from "effect/Scope";
+import * as Reactivity from "effect/unstable/reactivity/Reactivity";
+import * as SqlClient from "effect/unstable/sql/SqlClient";
+import { SqlError } from "effect/unstable/sql/SqlError";
+import { SqlClientFactory, type SqliteClientConfig } from "./service.ts";
+export declare const makeNodeSqliteClient: (config: SqliteClientConfig) => Effect.Effect<SqlClient.SqlClient, SqlError, Scope.Scope | Reactivity.Reactivity>;
+export declare const NodeSqliteClientLive: (config: SqliteClientConfig) => Layer.Layer<SqlClient.SqlClient, SqlError, never>;
+export declare const NodeSqlClientFactoryLive: Layer.Layer<SqlClientFactory, never, never>;

package/dist/src/sql/service.d.ts

@@ -0,0 +1,17 @@
+import type * as Effect from "effect/Effect";
+import * as Context from "effect/Context";
+import type * as Scope from "effect/Scope";
+import type * as SqlClient from "effect/unstable/sql/SqlClient";
+import type { SqlError } from "effect/unstable/sql/SqlError";
+export type SqliteClientConfig = {
+    readonly filename: string;
+    readonly transformResultNames?: ((str: string) => string) | undefined;
+    readonly transformQueryNames?: ((str: string) => string) | undefined;
+};
+export type SqlClientFactoryShape = {
+    readonly sqliteClient: (config: SqliteClientConfig) => Effect.Effect<SqlClient.SqlClient, SqlError, Scope.Scope>;
+};
+declare const SqlClientFactory_base: Context.ServiceClass<SqlClientFactory, "t3cli/SqlClientFactory", SqlClientFactoryShape>;
+export declare class SqlClientFactory extends SqlClientFactory_base {
+}
+export {};

package/dist/upstream-t3code/packages/contracts/src/auth.d.ts

@@ -0,0 +1,441 @@
+import * as Schema from "effect/Schema";
+/**
+ * Declares the server's overall authentication posture.
+ *
+ * This is a high-level policy label that tells clients how the environment is
+ * expected to be accessed, not a transport detail and not an exhaustive list
+ * of every accepted credential.
+ *
+ * Typical usage:
+ * - rendered in auth/pairing UI so the user understands what kind of
+ *   environment they are connecting to
+ * - used by clients to decide whether silent desktop bootstrap is expected or
+ *   whether an explicit pairing flow should be shown
+ *
+ * Meanings:
+ * - `desktop-managed-local`: local desktop-managed environment with narrow
+ *   trusted bootstrap, intended to avoid login prompts on the same machine
+ * - `loopback-browser`: standalone local server intended for browser pairing on
+ *   the same machine
+ * - `remote-reachable`: environment intended to be reached from other devices
+ *   or networks, where explicit pairing/auth is expected
+ * - `unsafe-no-auth`: intentionally unauthenticated mode; this is an explicit
+ *   unsafe escape hatch, not a normal deployment mode
+ */
+export declare const ServerAuthPolicy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
+export type ServerAuthPolicy = typeof ServerAuthPolicy.Type;
+/**
+ * A credential type that can be exchanged for a real authenticated session.
+ *
+ * Bootstrap methods are for establishing trust at the start of a connection or
+ * pairing flow. They are not the long-lived credential used for ordinary
+ * authenticated HTTP / WebSocket traffic after pairing succeeds.
+ *
+ * Current methods:
+ * - `desktop-bootstrap`: a trusted local desktop handoff, used so the desktop
+ *   shell can pair the renderer without a login screen
+ * - `one-time-token`: a short-lived pairing token, suitable for manual pairing
+ *   flows such as `/pair?token=...`
+ */
+export declare const ServerAuthBootstrapMethod: Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>;
+export type ServerAuthBootstrapMethod = typeof ServerAuthBootstrapMethod.Type;
+/**
+ * A credential type accepted for steady-state authenticated requests after a
+ * client has already paired.
+ *
+ * These methods are used by the server-wide auth layer for privileged HTTP and
+ * WebSocket access. They are distinct from bootstrap methods so clients can
+ * reason clearly about "pair first, then use session auth".
+ *
+ * Current methods:
+ * - `browser-session-cookie`: cookie-backed browser session, used by the web
+ *   app after bootstrap/pairing
+ * - `bearer-access-token`: scoped token suitable for non-cookie or
+ *   non-browser clients
+ * - `dpop-access-token`: scoped proof-of-possession token used by managed
+ *   relay connections
+ */
+export declare const ServerAuthSessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+export type ServerAuthSessionMethod = typeof ServerAuthSessionMethod.Type;
+export declare const AuthOrchestrationReadScope: "orchestration:read";
+export declare const AuthOrchestrationOperateScope: "orchestration:operate";
+export declare const AuthTerminalOperateScope: "terminal:operate";
+export declare const AuthReviewWriteScope: "review:write";
+export declare const AuthAccessReadScope: "access:read";
+export declare const AuthAccessWriteScope: "access:write";
+export declare const AuthRelayReadScope: "relay:read";
+export declare const AuthRelayWriteScope: "relay:write";
+export declare const AuthEnvironmentScope: Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>;
+export type AuthEnvironmentScope = typeof AuthEnvironmentScope.Type;
+export declare const AuthEnvironmentScopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+export type AuthEnvironmentScopes = typeof AuthEnvironmentScopes.Type;
+export declare const AuthStandardClientScopes: readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "relay:read"];
+export declare const AuthAdministrativeScopes: readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "relay:read", "access:read", "access:write", "relay:write"];
+export declare const AuthTokenExchangeGrantType: "urn:ietf:params:oauth:grant-type:token-exchange";
+export declare const AuthAccessTokenType: "urn:ietf:params:oauth:token-type:access_token";
+export declare const AuthEnvironmentBootstrapTokenType: "urn:t3:params:oauth:token-type:environment-bootstrap";
+/**
+ * Server-advertised auth capabilities for a specific execution environment.
+ *
+ * Clients should treat this as the authoritative description of how that
+ * environment expects to be paired and how authenticated requests should be
+ * made afterward.
+ *
+ * Field meanings:
+ * - `policy`: high-level auth posture for the environment
+ * - `bootstrapMethods`: pairing/bootstrap methods the server is currently
+ *   willing to accept
+ * - `sessionMethods`: authenticated request/session methods the server supports
+ *   once pairing is complete
+ * - `sessionCookieName`: cookie name clients should expect when
+ *   `browser-session-cookie` is in use
+ *
+ * This descriptor is intentionally capability-oriented. It lets clients choose
+ * the right UX without embedding server-specific auth logic or assuming a
+ * single access method.
+ */
+export declare const ServerAuthDescriptor: Schema.Struct<{
+    readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
+    readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
+    readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
+    readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+}>;
+export type ServerAuthDescriptor = typeof ServerAuthDescriptor.Type;
+export declare const AuthBrowserSessionRequest: Schema.Struct<{
+    readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+}>;
+export type AuthBrowserSessionRequest = typeof AuthBrowserSessionRequest.Type;
+export declare const AuthBrowserSessionResult: Schema.Struct<{
+    readonly authenticated: Schema.Literal<true>;
+    readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+    readonly sessionMethod: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+    readonly expiresAt: Schema.DateTimeUtc;
+}>;
+export type AuthBrowserSessionResult = typeof AuthBrowserSessionResult.Type;
+export declare const AuthClientMetadataDeviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+export type AuthClientMetadataDeviceType = typeof AuthClientMetadataDeviceType.Type;
+export declare const AuthClientPresentationMetadata: Schema.Struct<{
+    readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly deviceType: Schema.optionalKey<Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>>;
+    readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+}>;
+export type AuthClientPresentationMetadata = typeof AuthClientPresentationMetadata.Type;
+export declare const AuthTokenExchangeRequest: Schema.Struct<{
+    readonly grant_type: Schema.Literal<"urn:ietf:params:oauth:grant-type:token-exchange">;
+    readonly subject_token: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly subject_token_type: Schema.Literal<"urn:t3:params:oauth:token-type:environment-bootstrap">;
+    readonly requested_token_type: Schema.Literal<"urn:ietf:params:oauth:token-type:access_token">;
+    readonly scope: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly client_label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly client_device_type: Schema.optionalKey<Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>>;
+    readonly client_os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+}>;
+export type AuthTokenExchangeRequest = typeof AuthTokenExchangeRequest.Type;
+export declare const AuthAccessTokenResult: Schema.Struct<{
+    readonly access_token: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly issued_token_type: Schema.Literal<"urn:ietf:params:oauth:token-type:access_token">;
+    readonly token_type: Schema.Literals<readonly ["Bearer", "DPoP"]>;
+    readonly expires_in: Schema.Number;
+    readonly scope: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+}>;
+export type AuthAccessTokenResult = typeof AuthAccessTokenResult.Type;
+export declare const AuthWebSocketTicketResult: Schema.Struct<{
+    readonly ticket: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly expiresAt: Schema.DateTimeUtc;
+}>;
+export type AuthWebSocketTicketResult = typeof AuthWebSocketTicketResult.Type;
+export declare const AuthPairingCredentialResult: Schema.Struct<{
+    readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly expiresAt: Schema.DateTimeUtc;
+}>;
+export type AuthPairingCredentialResult = typeof AuthPairingCredentialResult.Type;
+export declare const AuthPairingLink: Schema.Struct<{
+    readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+    readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly createdAt: Schema.DateTimeUtc;
+    readonly expiresAt: Schema.DateTimeUtc;
+}>;
+export type AuthPairingLink = typeof AuthPairingLink.Type;
+export declare const AuthClientMetadata: Schema.Struct<{
+    readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+    readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+}>;
+export type AuthClientMetadata = typeof AuthClientMetadata.Type;
+export declare const AuthClientSession: Schema.Struct<{
+    readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+    readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+    readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+    readonly client: Schema.Struct<{
+        readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+        readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    }>;
+    readonly issuedAt: Schema.DateTimeUtc;
+    readonly expiresAt: Schema.DateTimeUtc;
+    readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+    readonly connected: Schema.Boolean;
+    readonly current: Schema.Boolean;
+}>;
+export type AuthClientSession = typeof AuthClientSession.Type;
+export declare const AuthAccessSnapshot: Schema.Struct<{
+    readonly pairingLinks: Schema.$Array<Schema.Struct<{
+        readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly createdAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+    }>>;
+    readonly clientSessions: Schema.$Array<Schema.Struct<{
+        readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+        readonly client: Schema.Struct<{
+            readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+            readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        }>;
+        readonly issuedAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+        readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+        readonly connected: Schema.Boolean;
+        readonly current: Schema.Boolean;
+    }>>;
+}>;
+export type AuthAccessSnapshot = typeof AuthAccessSnapshot.Type;
+export declare const AuthAccessStreamSnapshotEvent: Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"snapshot">;
+    readonly payload: Schema.Struct<{
+        readonly pairingLinks: Schema.$Array<Schema.Struct<{
+            readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+            readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly createdAt: Schema.DateTimeUtc;
+            readonly expiresAt: Schema.DateTimeUtc;
+        }>>;
+        readonly clientSessions: Schema.$Array<Schema.Struct<{
+            readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+            readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+            readonly client: Schema.Struct<{
+                readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+                readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            }>;
+            readonly issuedAt: Schema.DateTimeUtc;
+            readonly expiresAt: Schema.DateTimeUtc;
+            readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+            readonly connected: Schema.Boolean;
+            readonly current: Schema.Boolean;
+        }>>;
+    }>;
+}>;
+export type AuthAccessStreamSnapshotEvent = typeof AuthAccessStreamSnapshotEvent.Type;
+export declare const AuthAccessStreamPairingLinkUpsertedEvent: Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"pairingLinkUpserted">;
+    readonly payload: Schema.Struct<{
+        readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly createdAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+    }>;
+}>;
+export type AuthAccessStreamPairingLinkUpsertedEvent = typeof AuthAccessStreamPairingLinkUpsertedEvent.Type;
+export declare const AuthAccessStreamPairingLinkRemovedEvent: Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"pairingLinkRemoved">;
+    readonly payload: Schema.Struct<{
+        readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    }>;
+}>;
+export type AuthAccessStreamPairingLinkRemovedEvent = typeof AuthAccessStreamPairingLinkRemovedEvent.Type;
+declare const AuthAccessStreamError_base: Schema.Class<AuthAccessStreamError, Schema.TaggedStruct<"AuthAccessStreamError", {
+    readonly message: Schema.String;
+}>, import("effect/Cause").YieldableError>;
+export declare class AuthAccessStreamError extends AuthAccessStreamError_base {
+}
+declare const EnvironmentAuthorizationError_base: Schema.Class<EnvironmentAuthorizationError, Schema.TaggedStruct<"EnvironmentAuthorizationError", {
+    readonly message: Schema.String;
+    readonly requiredScope: Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>;
+}>, import("effect/Cause").YieldableError>;
+export declare class EnvironmentAuthorizationError extends EnvironmentAuthorizationError_base {
+}
+export declare const AuthAccessStreamClientUpsertedEvent: Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"clientUpserted">;
+    readonly payload: Schema.Struct<{
+        readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+        readonly client: Schema.Struct<{
+            readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+            readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        }>;
+        readonly issuedAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+        readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+        readonly connected: Schema.Boolean;
+        readonly current: Schema.Boolean;
+    }>;
+}>;
+export type AuthAccessStreamClientUpsertedEvent = typeof AuthAccessStreamClientUpsertedEvent.Type;
+export declare const AuthAccessStreamClientRemovedEvent: Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"clientRemoved">;
+    readonly payload: Schema.Struct<{
+        readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+    }>;
+}>;
+export type AuthAccessStreamClientRemovedEvent = typeof AuthAccessStreamClientRemovedEvent.Type;
+export declare const AuthAccessStreamEvent: Schema.Union<readonly [Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"snapshot">;
+    readonly payload: Schema.Struct<{
+        readonly pairingLinks: Schema.$Array<Schema.Struct<{
+            readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+            readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly createdAt: Schema.DateTimeUtc;
+            readonly expiresAt: Schema.DateTimeUtc;
+        }>>;
+        readonly clientSessions: Schema.$Array<Schema.Struct<{
+            readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+            readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+            readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+            readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+            readonly client: Schema.Struct<{
+                readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+                readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+                readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            }>;
+            readonly issuedAt: Schema.DateTimeUtc;
+            readonly expiresAt: Schema.DateTimeUtc;
+            readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+            readonly connected: Schema.Boolean;
+            readonly current: Schema.Boolean;
+        }>>;
+    }>;
+}>, Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"pairingLinkUpserted">;
+    readonly payload: Schema.Struct<{
+        readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly credential: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        readonly createdAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+    }>;
+}>, Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"pairingLinkRemoved">;
+    readonly payload: Schema.Struct<{
+        readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    }>;
+}>, Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"clientUpserted">;
+    readonly payload: Schema.Struct<{
+        readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+        readonly subject: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+        readonly scopes: Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>;
+        readonly method: Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>;
+        readonly client: Schema.Struct<{
+            readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly ipAddress: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly userAgent: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly deviceType: Schema.Literals<readonly ["desktop", "mobile", "tablet", "bot", "unknown"]>;
+            readonly os: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+            readonly browser: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+        }>;
+        readonly issuedAt: Schema.DateTimeUtc;
+        readonly expiresAt: Schema.DateTimeUtc;
+        readonly lastConnectedAt: Schema.NullOr<Schema.DateTimeUtc>;
+        readonly connected: Schema.Boolean;
+        readonly current: Schema.Boolean;
+    }>;
+}>, Schema.Struct<{
+    readonly version: Schema.Literal<1>;
+    readonly revision: Schema.Number;
+    readonly type: Schema.Literal<"clientRemoved">;
+    readonly payload: Schema.Struct<{
+        readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+    }>;
+}>]>;
+export type AuthAccessStreamEvent = typeof AuthAccessStreamEvent.Type;
+export declare const AuthRevokePairingLinkInput: Schema.Struct<{
+    readonly id: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+}>;
+export type AuthRevokePairingLinkInput = typeof AuthRevokePairingLinkInput.Type;
+export declare const AuthRevokeClientSessionInput: Schema.Struct<{
+    readonly sessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+}>;
+export type AuthRevokeClientSessionInput = typeof AuthRevokeClientSessionInput.Type;
+export declare const AuthCreatePairingCredentialInput: Schema.Struct<{
+    readonly label: Schema.optionalKey<Schema.decodeTo<Schema.String, Schema.String, never, never>>;
+    readonly scopes: Schema.optionalKey<Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>>;
+}>;
+export type AuthCreatePairingCredentialInput = typeof AuthCreatePairingCredentialInput.Type;
+export declare const AuthSessionState: Schema.Struct<{
+    readonly authenticated: Schema.Boolean;
+    readonly auth: Schema.Struct<{
+        readonly policy: Schema.Literals<readonly ["desktop-managed-local", "loopback-browser", "remote-reachable", "unsafe-no-auth"]>;
+        readonly bootstrapMethods: Schema.$Array<Schema.Literals<readonly ["desktop-bootstrap", "one-time-token"]>>;
+        readonly sessionMethods: Schema.$Array<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
+        readonly sessionCookieName: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+    }>;
+    readonly scopes: Schema.optionalKey<Schema.$Array<Schema.Literals<readonly ["orchestration:read", "orchestration:operate", "terminal:operate", "review:write", "access:read", "access:write", "relay:read", "relay:write"]>>>;
+    readonly sessionMethod: Schema.optionalKey<Schema.Literals<readonly ["browser-session-cookie", "bearer-access-token", "dpop-access-token"]>>;
+    readonly expiresAt: Schema.optionalKey<Schema.DateTimeUtc>;
+}>;
+export type AuthSessionState = typeof AuthSessionState.Type;
+export {};

package/dist/upstream-t3code/packages/contracts/src/baseSchemas.d.ts

@@ -0,0 +1,38 @@
+import * as Schema from "effect/Schema";
+export declare const TrimmedString: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+export declare const TrimmedNonEmptyString: Schema.decodeTo<Schema.String, Schema.String, never, never>;
+export declare const NonNegativeInt: Schema.Int;
+export declare const PositiveInt: Schema.Int;
+export declare const PortSchema: Schema.Int;
+export declare const IsoDateTime: Schema.String;
+export type IsoDateTime = typeof IsoDateTime.Type;
+export declare const ThreadId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ThreadId">;
+export type ThreadId = typeof ThreadId.Type;
+export declare const ProjectId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProjectId">;
+export type ProjectId = typeof ProjectId.Type;
+export declare const EnvironmentId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EnvironmentId">;
+export type EnvironmentId = typeof EnvironmentId.Type;
+export declare const CommandId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "CommandId">;
+export type CommandId = typeof CommandId.Type;
+export declare const EventId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "EventId">;
+export type EventId = typeof EventId.Type;
+export declare const MessageId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "MessageId">;
+export type MessageId = typeof MessageId.Type;
+export declare const TurnId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "TurnId">;
+export type TurnId = typeof TurnId.Type;
+export declare const AuthSessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "AuthSessionId">;
+export type AuthSessionId = typeof AuthSessionId.Type;
+export declare const ProviderItemId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ProviderItemId">;
+export type ProviderItemId = typeof ProviderItemId.Type;
+export declare const RuntimeSessionId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeSessionId">;
+export type RuntimeSessionId = typeof RuntimeSessionId.Type;
+export declare const RuntimeItemId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeItemId">;
+export type RuntimeItemId = typeof RuntimeItemId.Type;
+export declare const RuntimeRequestId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeRequestId">;
+export type RuntimeRequestId = typeof RuntimeRequestId.Type;
+export declare const RuntimeTaskId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "RuntimeTaskId">;
+export type RuntimeTaskId = typeof RuntimeTaskId.Type;
+export declare const ApprovalRequestId: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "ApprovalRequestId">;
+export type ApprovalRequestId = typeof ApprovalRequestId.Type;
+export declare const CheckpointRef: Schema.brand<Schema.decodeTo<Schema.String, Schema.String, never, never>, "CheckpointRef">;
+export type CheckpointRef = typeof CheckpointRef.Type;

package/dist/upstream-t3code/packages/contracts/src/desktopBootstrap.d.ts

@@ -0,0 +1,14 @@
+import * as Schema from "effect/Schema";
+export declare const DesktopBackendBootstrap: Schema.Struct<{
+    readonly mode: Schema.Literal<"desktop">;
+    readonly noBrowser: Schema.Boolean;
+    readonly port: Schema.Int;
+    readonly t3Home: Schema.String;
+    readonly host: Schema.String;
+    readonly desktopBootstrapToken: Schema.String;
+    readonly tailscaleServeEnabled: Schema.Boolean;
+    readonly tailscaleServePort: Schema.Int;
+    readonly otlpTracesUrl: Schema.optional<Schema.String>;
+    readonly otlpMetricsUrl: Schema.optional<Schema.String>;
+}>;
+export type DesktopBackendBootstrap = typeof DesktopBackendBootstrap.Type;