wcz-layout 7.6.0 → 7.6.2

package/dist/query.js

@@ -1,3 +1,3 @@
-import { n as e, t } from "./queries-DzKY6YXz.js";
-import { t as n } from "./queryClient-uWNhcABg.js";
+import { n as e, t } from "./queries-D-DV5lCw.js";
+import { t as n } from "./queryClient-B__OEZ70.js";
 export { t as query, n as queryClient, e as useUploadFile };

package/dist/{queryClient-uWNhcABg.js → queryClient-B__OEZ70.js}

@@ -4,4 +4,4 @@ var t = new e();
 //#endregion
 export { t };
 
-//# sourceMappingURL=queryClient-uWNhcABg.js.map
+//# sourceMappingURL=queryClient-B__OEZ70.js.map

package/dist/{queryClient-uWNhcABg.js.map → queryClient-B__OEZ70.js.map}

@@ -1 +1 @@
-{"version":3,"file":"queryClient-uWNhcABg.js","names":["QueryClient","queryClient"],"sources":["../src/lib/queryClient.ts"],"sourcesContent":["import { QueryClient } from \"@tanstack/react-query\";\n\nexport const queryClient = new QueryClient();\n"],"mappings":";;AAEA,IAAaC,IAAc,IAAID,GAAa"}
+{"version":3,"file":"queryClient-B__OEZ70.js","names":["QueryClient","queryClient"],"sources":["../src/lib/queryClient.ts"],"sourcesContent":["import { QueryClient } from \"@tanstack/react-query\";\n\nexport const queryClient = new QueryClient();\n"],"mappings":";;AAEA,IAAaC,IAAc,IAAID,GAAa"}

package/dist/{msalClient-BLrbVP5z.js → utils-C4oJ0tr5.js}

@@ -1,10 +1,10 @@
 import { permissions as e, scopes as t } from "virtual:wcz-layout";
 import { z as n } from "zod";
-import { EventType as r, InteractionRequiredAuthError as i, PublicClientApplication as a } from "@azure/msal-browser";
-import { createEnv as o } from "@t3-oss/env-core";
-import { createClientOnlyFn as s, createIsomorphicFn as c } from "@tanstack/react-start";
+import { EventType as r, InteractionRequiredAuthError as i, NavigationClient as a, PublicClientApplication as o } from "@azure/msal-browser";
+import { createEnv as s } from "@t3-oss/env-core";
+import { createClientOnlyFn as c, createIsomorphicFn as l } from "@tanstack/react-start";
 //#region src/env.ts
-var l = o({
+var u = s({
 	clientPrefix: "VITE_",
 	client: {
 		VITE_ENTRA_CLIENT_ID: n.string(),
@@ -14,7 +14,7 @@ var l = o({
 	},
 	runtimeEnv: import.meta.env,
 	emptyStringAsUndefined: !0
-}), u = o({
+}), d = s({
 	server: {
 		ENTRA_CLIENT_ID: n.string(),
 		ENTRA_TENANT_ID: n.string(),
@@ -22,7 +22,49 @@ var l = o({
 	},
 	runtimeEnv: process.env,
 	emptyStringAsUndefined: !0
-}), d = "#00506E", f = "#64DC00", p = class {
+}), f = new o({ auth: {
+	clientId: u.VITE_ENTRA_CLIENT_ID,
+	authority: `https://login.microsoftonline.com/${u.VITE_ENTRA_TENANT_ID}`,
+	redirectUri: "/"
+} });
+f.initialize().then(() => (f.addEventCallback((e) => {
+	if (e.eventType === r.LOGIN_SUCCESS && e.payload) {
+		let t = e.payload.account;
+		f.setActiveAccount(t);
+	}
+}), f.handleRedirectPromise())).then((e) => {
+	e?.account && f.setActiveAccount(e.account);
+});
+var p = class extends a {
+	constructor(e) {
+		super(), this.navigate = e;
+	}
+	async navigateInternal(e, t) {
+		let n = e.replace(location.origin, "");
+		return this.navigate({
+			to: n,
+			replace: t.noHistory
+		}), !1;
+	}
+}, m = /* @__PURE__ */ new Set(), h = (e) => (m.add(e), () => {
+	m.delete(e);
+}), g = l().server(() => null).client(async () => {
+	let e = f.getActiveAccount();
+	return e?.idToken ? E(T(e.idToken)) : null;
+}), _ = c(async (e) => {
+	let n = f.getActiveAccount();
+	if (!n) throw Error("No active account. User not signed in.");
+	let r = [...t[e]];
+	try {
+		let { accessToken: e } = await f.acquireTokenSilent({
+			scopes: r,
+			account: n
+		});
+		return e;
+	} catch (e) {
+		throw e instanceof i && m.forEach((e) => e(r)), e;
+	}
+}), v = "#00506E", y = "#64DC00", b = class {
 	static get isAndroid() {
 		return /android/i.test(this.userAgent);
 	}
@@ -38,21 +80,21 @@ var l = o({
 	static get userAgent() {
 		return typeof navigator > "u" ? "" : navigator.userAgent;
 	}
-}, m = (e) => ({
+}, x = (e) => ({
 	meta: [
 		{ charSet: "utf-8" },
 		{
 			name: "viewport",
 			content: "width=device-width, initial-scale=1"
 		},
-		{ title: l.VITE_APP_TITLE },
+		{ title: u.VITE_APP_TITLE },
 		{
 			name: "og:type",
 			content: "website"
 		},
 		{
 			name: "og:title",
-			content: l.VITE_APP_TITLE
+			content: u.VITE_APP_TITLE
 		},
 		{
 			name: "og:image",
@@ -86,21 +128,21 @@ var l = o({
 			href: "/favicon.ico"
 		}
 	]
-}), h = (e) => async () => {
-	let t = await C();
+}), S = (e) => async () => {
+	let t = await g();
 	if (!t?.hasPermission(e)) throw Error("You do not have permission to access this page.");
 	return { user: t };
-}, g = (e) => {
+}, C = (e) => {
 	let { meta: t } = e.state;
 	return {
 		isTouched: t.isTouched,
 		hasError: !!t.errors.length,
 		helperText: t.errors[0]?.message
 	};
-}, _ = (e) => e.replaceAll(/([a-z])([A-Z])/g, "$1-$2").replaceAll(/[\s_]+/g, "-").replaceAll(/[^a-zA-Z0-9-]/g, "").toLowerCase().replaceAll(/-+/g, "-").replaceAll(/(^-|-$)/g, ""), v = (e) => {
+}, w = (e) => e.replaceAll(/([a-z])([A-Z])/g, "$1-$2").replaceAll(/[\s_]+/g, "-").replaceAll(/[^a-zA-Z0-9-]/g, "").toLowerCase().replaceAll(/-+/g, "-").replaceAll(/(^-|-$)/g, ""), T = (e) => {
 	let t = e.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"), n = decodeURIComponent(atob(t).split("").map((e) => "%" + ("00" + e.charCodeAt(0).toString(16)).slice(-2)).join(""));
 	return JSON.parse(n);
-}, y = (t) => ({
+}, E = (t) => ({
 	id: t.sub,
 	name: t.name?.split("/")[0],
 	email: t.preferred_username?.toLowerCase(),
@@ -108,39 +150,8 @@ var l = o({
 	employeeId: t.employeeId?.toUpperCase() || "",
 	companyName: t.companyName || "",
 	hasPermission: (n) => e[n].some((e) => (t.groups ?? []).includes(e))
-}), b = new a({ auth: {
-	clientId: l.VITE_ENTRA_CLIENT_ID,
-	authority: `https://login.microsoftonline.com/${l.VITE_ENTRA_TENANT_ID}`,
-	redirectUri: "/"
-} });
-await b.initialize().then(() => (b.addEventCallback((e) => {
-	if (e.eventType === r.LOGIN_SUCCESS && e.payload) {
-		let t = e.payload.account;
-		b.setActiveAccount(t);
-	}
-}), b.handleRedirectPromise())).then((e) => {
-	e?.account && b.setActiveAccount(e.account);
-});
-var x = /* @__PURE__ */ new Set(), S = (e) => (x.add(e), () => {
-	x.delete(e);
-}), C = c().server(() => null).client(async () => {
-	let e = b.getActiveAccount();
-	return e?.idToken ? y(v(e.idToken)) : null;
-}), w = s(async (e) => {
-	let n = b.getActiveAccount();
-	if (!n) throw Error("No active account. User not signed in.");
-	let r = [...t[e]];
-	try {
-		let { accessToken: e } = await b.acquireTokenSilent({
-			scopes: r,
-			account: n
-		});
-		return e;
-	} catch (e) {
-		throw e instanceof i && x.forEach((e) => e(r)), e;
-	}
 });
 //#endregion
-export { p as a, y as c, m as d, _ as f, S as i, g as l, u as m, C as n, d as o, l as p, b as r, f as s, w as t, h as u };
+export { C as a, w as c, g as d, f, d as h, E as i, p as l, u as m, v as n, S as o, h as p, y as r, x as s, b as t, _ as u };
 
-//# sourceMappingURL=msalClient-BLrbVP5z.js.map
+//# sourceMappingURL=utils-C4oJ0tr5.js.map

package/dist/utils-C4oJ0tr5.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils-C4oJ0tr5.js","names":["AuthenticationResult","EventMessage","EventType","InteractionRequiredAuthError","NavigationClient","NavigationOptions","PublicClientApplication","useNavigate","createClientOnlyFn","createIsomorphicFn","scopes","definedScopes","clientEnv","buildUser","decodeJwt","User","pca","auth","clientId","VITE_ENTRA_CLIENT_ID","authority","VITE_ENTRA_TENANT_ID","redirectUri","initialize","then","addEventCallback","event","eventType","LOGIN_SUCCESS","payload","account","setActiveAccount","handleRedirectPromise","response","TanStackNavigationClient","constructor","navigate","ReturnType","navigateInternal","url","options","relative","replace","location","origin","to","noHistory","TokenInteractionListener","Array","tokenInteractionListeners","Set","subscribeToTokenInteractionRequired","listener","add","delete","getUser","server","client","Promise","getActiveAccount","idToken","getAccessToken","scopeKey","Error","accessToken","acquireTokenSilent","error","forEach","AnyFieldApi","permissions","clientEnv","TokenPayload","User","getUser","WISTRON_PRIMARY_COLOR","WISTRON_SECONDARY_COLOR","Platform","isAndroid","test","userAgent","isIOS","isWindows","isMacOS","navigator","RootRouteHeadOptions","manifest","rootRouteHead","options","meta","charSet","name","content","title","VITE_APP_TITLE","links","rel","sizes","href","type","requirePermission","permissionKey","user","hasPermission","Error","FormOmittedProps","getFieldStatus","field","state","isTouched","hasError","errors","length","helperText","message","toKebabCase","str","replaceAll","toLowerCase","decodeJwt","token","base64Payload","split","base64","replace","payload","decodeURIComponent","atob","map","c","charCodeAt","toString","slice","join","JSON","parse","buildUser","id","sub","email","preferred_username","department","toUpperCase","employeeId","companyName","key","allowedGroups","some","k","groups","includes"],"sources":["../src/env.ts","../src/lib/auth/msalClient.ts","../src/lib/utils.ts"],"sourcesContent":["import { createEnv } from \"@t3-oss/env-core\";\nimport { z } from \"zod\";\n\nexport const clientEnv = createEnv({\n  clientPrefix: \"VITE_\",\n  client: {\n    VITE_ENTRA_CLIENT_ID: z.string(),\n    VITE_ENTRA_TENANT_ID: z.string(),\n    VITE_APP_TITLE: z.string(),\n    VITE_MUI_LICENSE_KEY: z.string(),\n  },\n  runtimeEnv: import.meta.env,\n  emptyStringAsUndefined: true,\n});\n\nexport const serverEnv = createEnv({\n  server: {\n    ENTRA_CLIENT_ID: z.string(),\n    ENTRA_TENANT_ID: z.string(),\n    ENTRA_CLIENT_SECRET: z.string(),\n  },\n  runtimeEnv: process.env,\n  emptyStringAsUndefined: true,\n});\n","import {\r\n  AuthenticationResult,\r\n  EventMessage,\r\n  EventType,\r\n  InteractionRequiredAuthError,\r\n  NavigationClient,\r\n  NavigationOptions,\r\n  PublicClientApplication,\r\n} from \"@azure/msal-browser\";\r\nimport { useNavigate } from \"@tanstack/react-router\";\r\nimport { createClientOnlyFn, createIsomorphicFn } from \"@tanstack/react-start\";\r\nimport { scopes as definedScopes } from \"virtual:wcz-layout\";\r\nimport { clientEnv } from \"~/env\";\r\nimport { buildUser, decodeJwt } from \"~/lib/utils\";\r\nimport type { User } from \"~/models/User\";\r\n\r\nexport const pca = new PublicClientApplication({\r\n  auth: {\r\n    clientId: clientEnv.VITE_ENTRA_CLIENT_ID,\r\n    authority: `https://login.microsoftonline.com/${clientEnv.VITE_ENTRA_TENANT_ID}`,\r\n    redirectUri: \"/\",\r\n  },\r\n});\r\n\r\npca\r\n  .initialize()\r\n  .then(() => {\r\n    pca.addEventCallback((event: EventMessage) => {\r\n      if (event.eventType === EventType.LOGIN_SUCCESS && event.payload) {\r\n        const payload = event.payload as AuthenticationResult;\r\n        const account = payload.account;\r\n        pca.setActiveAccount(account);\r\n      }\r\n    });\r\n\r\n    return pca.handleRedirectPromise();\r\n  })\r\n  .then((response) => {\r\n    if (response?.account) pca.setActiveAccount(response.account);\r\n  });\r\n\r\nexport class TanStackNavigationClient extends NavigationClient {\r\n  constructor(private navigate: ReturnType<typeof useNavigate>) {\r\n    super();\r\n  }\r\n  async navigateInternal(url: string, options: NavigationOptions) {\r\n    const relative = url.replace(location.origin, \"\");\r\n    this.navigate({ to: relative, replace: options.noHistory });\r\n    return false;\r\n  }\r\n}\r\n\r\ntype TokenInteractionListener = (scopes: Array<string>) => void;\r\n\r\nconst tokenInteractionListeners = new Set<TokenInteractionListener>();\r\n\r\nexport const subscribeToTokenInteractionRequired = (listener: TokenInteractionListener) => {\r\n  tokenInteractionListeners.add(listener);\r\n\r\n  return () => {\r\n    tokenInteractionListeners.delete(listener);\r\n  };\r\n};\r\n\r\nexport const getUser = createIsomorphicFn()\r\n  .server(() => null)\r\n  .client(async (): Promise<User | null> => {\r\n    const account = pca.getActiveAccount();\r\n    if (!account?.idToken) return null;\r\n\r\n    return buildUser(decodeJwt(account.idToken));\r\n  });\r\n\r\n/**\r\n * Token Acquisition: Get authenticated access token.\r\n * Use when: Making API calls from the browser to secured endpoints\r\n */\r\nexport const getAccessToken = createClientOnlyFn(async (scopeKey: keyof typeof definedScopes) => {\r\n  const account = pca.getActiveAccount();\r\n  if (!account) throw new Error(\"No active account. User not signed in.\");\r\n\r\n  const scopes = [...definedScopes[scopeKey]];\r\n\r\n  try {\r\n    const { accessToken } = await pca.acquireTokenSilent({ scopes, account });\r\n    return accessToken;\r\n  } catch (error) {\r\n    if (error instanceof InteractionRequiredAuthError) {\r\n      tokenInteractionListeners.forEach((listener) => listener(scopes));\r\n    }\r\n\r\n    throw error;\r\n  }\r\n});\r\n","import type { AnyFieldApi } from \"@tanstack/react-form\";\r\nimport { permissions } from \"virtual:wcz-layout\";\r\nimport { clientEnv } from \"~/env\";\r\nimport type { TokenPayload } from \"~/models/TokenPayload\";\r\nimport type { User } from \"~/models/User\";\r\nimport { getUser } from \"./auth/msalClient\";\r\n\r\nexport const WISTRON_PRIMARY_COLOR = \"#00506E\";\r\nexport const WISTRON_SECONDARY_COLOR = \"#64DC00\";\r\n\r\nexport class Platform {\r\n  static get isAndroid() {\r\n    return /android/i.test(this.userAgent);\r\n  }\r\n  static get isIOS() {\r\n    return /iPad|iPhone|iPod/.test(this.userAgent);\r\n  }\r\n  static get isWindows() {\r\n    return /windows/i.test(this.userAgent);\r\n  }\r\n  static get isMacOS() {\r\n    return /Macintosh|MacIntel|MacPPC|Mac68K/.test(this.userAgent);\r\n  }\r\n\r\n  private static get userAgent() {\r\n    return typeof navigator === \"undefined\" ? \"\" : navigator.userAgent;\r\n  }\r\n}\r\n\r\ninterface RootRouteHeadOptions {\r\n  manifest?: string;\r\n}\r\n\r\nexport const rootRouteHead = (options?: RootRouteHeadOptions) => ({\r\n  meta: [\r\n    { charSet: \"utf-8\" },\r\n    { name: \"viewport\", content: \"width=device-width, initial-scale=1\" },\r\n    { title: clientEnv.VITE_APP_TITLE },\r\n    { name: \"og:type\", content: \"website\" },\r\n    { name: \"og:title\", content: clientEnv.VITE_APP_TITLE },\r\n    { name: \"og:image\", content: \"/favicon-32x32.png\" },\r\n  ],\r\n  links: [\r\n    { rel: \"apple-touch-icon\", sizes: \"180x180\", href: \"/apple-touch-icon.png\" },\r\n    { rel: \"icon\", type: \"image/png\", sizes: \"32x32\", href: \"/favicon-32x32.png\" },\r\n    { rel: \"icon\", type: \"image/png\", sizes: \"16x16\", href: \"/favicon-16x16.png\" },\r\n    { rel: \"manifest\", href: options?.manifest || \"/manifest.json\" },\r\n    { rel: \"icon\", href: \"/favicon.ico\" },\r\n  ],\r\n});\r\n\r\nexport const requirePermission = (permissionKey: keyof typeof permissions) => {\r\n  return async () => {\r\n    const user = await getUser();\r\n\r\n    if (!user?.hasPermission(permissionKey))\r\n      throw new Error(\"You do not have permission to access this page.\");\r\n\r\n    return { user };\r\n  };\r\n};\r\n\r\n/* Internal Utils */\r\nexport type FormOmittedProps =\r\n  | \"name\"\r\n  | \"value\"\r\n  | \"onChange\"\r\n  | \"onBlur\"\r\n  | \"error\"\r\n  | \"helperText\"\r\n  | \"renderInput\"\r\n  | \"type\"\r\n  | \"aria-label\";\r\n\r\nexport const getFieldStatus = (field: AnyFieldApi) => {\r\n  const { meta } = field.state;\r\n\r\n  const isTouched = meta.isTouched;\r\n  const hasError = !!meta.errors.length;\r\n  const helperText = meta.errors[0]?.message;\r\n\r\n  return { isTouched, hasError, helperText };\r\n};\r\n\r\nexport const toKebabCase = (str: string): string => {\r\n  return str\r\n    .replaceAll(/([a-z])([A-Z])/g, \"$1-$2\")\r\n    .replaceAll(/[\\s_]+/g, \"-\")\r\n    .replaceAll(/[^a-zA-Z0-9-]/g, \"\")\r\n    .toLowerCase()\r\n    .replaceAll(/-+/g, \"-\")\r\n    .replaceAll(/(^-|-$)/g, \"\");\r\n};\r\n\r\nexport const decodeJwt = (token: string) => {\r\n  const base64Payload = token.split(\".\")[1];\r\n  const base64 = base64Payload.replace(/-/g, \"+\").replace(/_/g, \"/\");\r\n  const payload = decodeURIComponent(\r\n    atob(base64)\r\n      .split(\"\")\r\n      .map((c) => \"%\" + (\"00\" + c.charCodeAt(0).toString(16)).slice(-2))\r\n      .join(\"\"),\r\n  );\r\n  return JSON.parse(payload) as TokenPayload;\r\n};\r\n\r\nexport const buildUser = (payload: TokenPayload): User => ({\r\n  id: payload.sub,\r\n  name: payload.name?.split(\"/\")[0],\r\n  email: payload.preferred_username?.toLowerCase(),\r\n  department: payload.department?.toUpperCase() || \"\",\r\n  employeeId: payload.employeeId?.toUpperCase() || \"\",\r\n  companyName: payload.companyName || \"\",\r\n  hasPermission: (key: keyof typeof permissions) => {\r\n    const allowedGroups = permissions[key];\r\n    return allowedGroups.some((k) => (payload.groups ?? []).includes(k));\r\n  },\r\n});\r\n"],"mappings":";;;;;;AAGA,IAAa,IAAY,EAAU;CACjC,cAAc;CACd,QAAQ;EACN,sBAAsB,EAAE,QAAQ;EAChC,sBAAsB,EAAE,QAAQ;EAChC,gBAAgB,EAAE,QAAQ;EAC1B,sBAAsB,EAAE,QAAO;EAChC;CACD,YAAY,OAAA,KAAA;CACZ,wBAAwB;CACzB,CAAC,EAEW,IAAY,EAAU;CACjC,QAAQ;EACN,iBAAiB,EAAE,QAAQ;EAC3B,iBAAiB,EAAE,QAAQ;EAC3B,qBAAqB,EAAE,QAAO;EAC/B;CACD,YAAY,QAAQ;CACpB,wBAAwB;CACzB,CAAC,ECPWgB,IAAM,IAAIV,EAAwB,EAC7CW,MAAM;CACJC,UAAUN,EAAUO;CACpBC,WAAW,qCAAqCR,EAAUS;CAC1DC,aAAa;CACf,EACD,CAAC;AAEFN,EACGO,YAAY,CACZC,YACCR,EAAIS,kBAAkBC,MAAwB;AAC5C,KAAIA,EAAMC,cAAczB,EAAU0B,iBAAiBF,EAAMG,SAAS;EAEhE,IAAMC,IADUJ,EAAMG,QACEC;AACxBd,IAAIe,iBAAiBD,EAAQ;;EAE/B,EAEKd,EAAIgB,uBAAuB,EAClC,CACDR,MAAMS,MAAa;AAClB,CAAIA,GAAUH,WAASd,EAAIe,iBAAiBE,EAASH,QAAQ;EAC7D;AAEJ,IAAaI,IAAb,cAA8C9B,EAAiB;CAC7D+B,YAAY,GAAkD;AAA1CC,EAClB,OAAO,EADWA,KAAAA,WAAAA;;CAGpB,MAAME,iBAAiBC,GAAaC,GAA4B;EAC9D,IAAMC,IAAWF,EAAIG,QAAQC,SAASC,QAAQ,GAAG;AAEjD,SADA,KAAKR,SAAS;GAAES,IAAIJ;GAAUC,SAASF,EAAQM;GAAW,CAAC,EACpD;;GAMLG,oBAA4B,IAAIC,KAA+B,EAExDC,KAAuCC,OAClDH,EAA0BI,IAAID,EAAS,QAE1B;AACXH,GAA0BK,OAAOF,EAAS;IAIjCG,IAAU9C,GAAoB,CACxC+C,aAAa,KAAK,CAClBC,OAAO,YAAkC;CACxC,IAAM3B,IAAUd,EAAI2C,kBAAkB;AAGtC,QAFK7B,GAAS8B,UAEP/C,EAAUC,EAAUgB,EAAQ8B,QAAQ,CAAC,GAFd;EAG9B,EAMSC,IAAiBrD,EAAmB,OAAOsD,MAAyC;CAC/F,IAAMhC,IAAUd,EAAI2C,kBAAkB;AACtC,KAAI,CAAC7B,EAAS,OAAUiC,MAAM,yCAAyC;CAEvE,IAAMrD,IAAS,CAAC,GAAGC,EAAcmD,GAAU;AAE3C,KAAI;EACF,IAAM,EAAEE,mBAAgB,MAAMhD,EAAIiD,mBAAmB;GAAEvD,QAAAA;GAAQoB;GAAS,CAAC;AACzE,SAAOkC;UACAE,GAAO;AAKd,QAJIA,aAAiB/D,KACnB8C,EAA0BkB,SAASf,MAAaA,EAAS1C,EAAO,CAAC,EAG7DwD;;EAER,ECtFWQ,IAAwB,WACxBC,IAA0B,WAE1BC,IAAb,MAAsB;CACpB,WAAWC,YAAY;AACrB,SAAO,WAAWC,KAAK,KAAKC,UAAU;;CAExC,WAAWC,QAAQ;AACjB,SAAO,mBAAmBF,KAAK,KAAKC,UAAU;;CAEhD,WAAWE,YAAY;AACrB,SAAO,WAAWH,KAAK,KAAKC,UAAU;;CAExC,WAAWG,UAAU;AACnB,SAAO,mCAAmCJ,KAAK,KAAKC,UAAU;;CAGhE,WAAmBA,YAAY;AAC7B,SAAO,OAAOI,YAAc,MAAc,KAAKA,UAAUJ;;GAQhDO,KAAiBC,OAAoC;CAChEC,MAAM;EACJ,EAAEC,SAAS,SAAS;EACpB;GAAEC,MAAM;GAAYC,SAAS;GAAuC;EACpE,EAAEC,OAAOtB,EAAUuB,gBAAgB;EACnC;GAAEH,MAAM;GAAWC,SAAS;GAAW;EACvC;GAAED,MAAM;GAAYC,SAASrB,EAAUuB;GAAgB;EACvD;GAAEH,MAAM;GAAYC,SAAS;GAAsB;EACpD;CACDG,OAAO;EACL;GAAEC,KAAK;GAAoBC,OAAO;GAAWC,MAAM;GAAyB;EAC5E;GAAEF,KAAK;GAAQG,MAAM;GAAaF,OAAO;GAASC,MAAM;GAAsB;EAC9E;GAAEF,KAAK;GAAQG,MAAM;GAAaF,OAAO;GAASC,MAAM;GAAsB;EAC9E;GAAEF,KAAK;GAAYE,MAAMV,GAASF,YAAY;GAAkB;EAChE;GAAEU,KAAK;GAAQE,MAAM;GAAgB;EAAA;CAExC,GAEYE,KAAqBC,MACzB,YAAY;CACjB,IAAMC,IAAO,MAAM5B,GAAS;AAE5B,KAAI,CAAC4B,GAAMC,cAAcF,EAAc,CACrC,OAAUG,MAAM,kDAAkD;AAEpE,QAAO,EAAEF,SAAM;GAgBNI,KAAkBC,MAAuB;CACpD,IAAM,EAAElB,YAASkB,EAAMC;AAMvB,QAAO;EAAEC,WAJSpB,EAAKoB;EAIHC,UAHH,CAAC,CAACrB,EAAKsB,OAAOC;EAGDC,YAFXxB,EAAKsB,OAAO,IAAIG;EAEO;GAG/BC,KAAeC,MACnBA,EACJC,WAAW,mBAAmB,QAAQ,CACtCA,WAAW,WAAW,IAAI,CAC1BA,WAAW,kBAAkB,GAAG,CAChCC,aAAa,CACbD,WAAW,OAAO,IAAI,CACtBA,WAAW,YAAY,GAAG,EAGlBE,KAAaC,MAAkB;CAE1C,IAAMG,IADgBH,EAAME,MAAM,IAAI,CAAC,GACVE,QAAQ,MAAM,IAAI,CAACA,QAAQ,MAAM,IAAI,EAC5DC,IAAUC,mBACdC,KAAKJ,EAAO,CACTD,MAAM,GAAG,CACTM,KAAKC,MAAM,OAAO,OAAOA,EAAEC,WAAW,EAAE,CAACC,SAAS,GAAG,EAAEC,MAAM,GAAG,CAAC,CACjEC,KAAK,GACV,CAAC;AACD,QAAOC,KAAKC,MAAMV,EAAQ;GAGfW,KAAaX,OAAiC;CACzDY,IAAIZ,EAAQa;CACZ/C,MAAMkC,EAAQlC,MAAM+B,MAAM,IAAI,CAAC;CAC/BiB,OAAOd,EAAQe,oBAAoBtB,aAAa;CAChDuB,YAAYhB,EAAQgB,YAAYC,aAAa,IAAI;CACjDC,YAAYlB,EAAQkB,YAAYD,aAAa,IAAI;CACjDE,aAAanB,EAAQmB,eAAe;CACpCzC,gBAAgB0C,MACQ3E,EAAY2E,GACbE,MAAMC,OAAOvB,EAAQwB,UAAU,EAAE,EAAEC,SAASF,EAAE,CAAC;CAEvE"}

package/dist/utils.js

@@ -1,4 +1,4 @@
-import { a as e, m as t, t as n, u as r } from "./msalClient-BLrbVP5z.js";
+import { h as e, o as t, t as n, u as r } from "./utils-C4oJ0tr5.js";
 import { t as i } from "./dist-Bxzg1_9c.js";
 import { t as a } from "i18next";
 import { scopes as o } from "virtual:wcz-layout";
@@ -9,9 +9,9 @@ import { ConfidentialClientApplication as l } from "@azure/msal-node";
 var u = null;
 function d() {
 	return u ??= new l({ auth: {
-		clientId: t.ENTRA_CLIENT_ID,
-		clientSecret: t.ENTRA_CLIENT_SECRET,
-		authority: `https://login.microsoftonline.com/${t.ENTRA_TENANT_ID}`
+		clientId: e.ENTRA_CLIENT_ID,
+		clientSecret: e.ENTRA_CLIENT_SECRET,
+		authority: `https://login.microsoftonline.com/${e.ENTRA_TENANT_ID}`
 	} }), u;
 }
 var f = c(async (e, t) => {
@@ -30,6 +30,6 @@ var f = c(async (e, t) => {
 	return i.accessToken;
 });
 //#endregion
-export { e as Platform, s as createEnv, n as getAccessToken, p as getAppToken, f as getTokenOnBehalfOf, r as requirePermission, a as t, i as uuidv7 };
+export { n as Platform, s as createEnv, r as getAccessToken, p as getAppToken, f as getTokenOnBehalfOf, t as requirePermission, a as t, i as uuidv7 };
 
 //# sourceMappingURL=utils.js.map

package/package.json

@@ -1,12 +1,43 @@
 {
   "name": "wcz-layout",
-  "version": "7.6.0",
+  "version": "7.6.2",
   "private": false,
+  "keywords": [
+    "tanstack-intent"
+  ],
   "files": [
-    "dist"
+    "dist",
+    "skills",
+    "!skills/_artifacts"
   ],
   "type": "module",
   "sideEffects": false,
+  "types": "./dist/exports/index.d.ts",
+  "typesVersions": {
+    "*": {
+      "components": [
+        "./dist/exports/components.d.ts"
+      ],
+      "hooks": [
+        "./dist/exports/hooks.d.ts"
+      ],
+      "middleware": [
+        "./dist/exports/middleware.d.ts"
+      ],
+      "models": [
+        "./dist/exports/models.d.ts"
+      ],
+      "query": [
+        "./dist/exports/query.d.ts"
+      ],
+      "utils": [
+        "./dist/exports/utils.d.ts"
+      ],
+      "vite": [
+        "./dist/exports/vite.d.ts"
+      ]
+    }
+  },
   "exports": {
     ".": {
       "types": "./dist/exports/index.d.ts",
@@ -55,12 +86,13 @@
     "@azure/msal-node": "^5.1.1",
     "@azure/msal-react": "^5.1.0",
     "@t3-oss/env-core": "^0.13.11",
-    "i18next": "^25.10.5",
+    "i18next": "^25.10.9",
     "i18next-browser-languagedetector": "^8.2.1",
-    "react-i18next": "^16.6.3"
+    "react-i18next": "^16.6.6"
   },
   "devDependencies": {
     "@rolldown/plugin-babel": "^0.2.2",
+    "@tanstack/intent": "^0.0.23",
     "@types/file-saver": "^2.0.7",
     "@types/node": "^25.3.5",
     "@types/react": "^19.2.14",
@@ -71,8 +103,8 @@
     "husky": "^9.1.7",
     "jose": "^6.2.2",
     "nitro": "^3.0.1-alpha.2",
-    "oxfmt": "^0.41.0",
-    "oxlint": "^1.56.0",
+    "oxfmt": "^0.42.0",
+    "oxlint": "^1.57.0",
     "react-dropzone": "^15.0.0",
     "react-intersection-observer": "^10.0.3",
     "react-number-format": "^5.4.5",

package/skills/api-routes/SKILL.md

@@ -0,0 +1,251 @@
+---
+name: api-routes
+description: >
+  Create TanStack Start file-based API routes with createFileRoute or
+  createServerFn. Wire authorizationMiddleware(permissionKey) and
+  validationMiddleware(schema) in server.middleware. Use createHandlers
+  for CRUD with Drizzle queries. Response.json patterns. Covers the
+  { middleware, handler } object shape for handlers needing validation.
+  Activate when creating or modifying API endpoints or server functions.
+type: core
+library: wcz-layout
+library_version: "7.6.1"
+requires:
+  - database-schema
+sources:
+  - "wcz-layout:src/middleware/authMiddleware.ts"
+  - "wcz-layout:src/middleware/validationMiddleware.ts"
+  - "wcz-layout:src/routes/api/"
+---
+
+# API Routes & Server Functions
+
+## Setup
+
+API routes live under `src/routes/api/` and follow TanStack Router file-based conventions:
+
+```
+src/routes/api/
+├── health.ts           # GET /api/health
+└── todos/
+    ├── index.ts        # GET /api/todos, POST /api/todos
+    └── $id.ts          # GET /api/todos/:id, PUT /api/todos/:id, DELETE /api/todos/:id
+```
+
+## Core Patterns
+
+### Basic CRUD API route
+
+```typescript
+// src/routes/api/todos/index.ts
+import { createFileRoute } from "@tanstack/react-router";
+import { createHandlers } from "@tanstack/start/api";
+import { authorizationMiddleware, validationMiddleware } from "wcz-layout/middleware";
+import { todoTable } from "~/lib/db/schemas/todo";
+import { TodoInsertSchema } from "~/schemas/todo";
+
+export const Route = createFileRoute("/api/todos")({
+  server: {
+    middleware: [authorizationMiddleware("all")],
+    handlers: createHandlers({
+      GET: async ({ context }) => {
+        const items = await context.db.select().from(todoTable);
+        return Response.json(items);
+      },
+      POST: {
+        middleware: [validationMiddleware(TodoInsertSchema)],
+        handler: async ({ context }) => {
+          const [item] = await context.db.insert(todoTable).values(context.data).returning();
+          return Response.json(item, { status: 201 });
+        },
+      },
+    }),
+  },
+});
+```
+
+### Route with path parameters
+
+```typescript
+// src/routes/api/todos/$id.ts
+import { createFileRoute } from "@tanstack/react-router";
+import { createHandlers } from "@tanstack/start/api";
+import { eq } from "drizzle-orm";
+import { authorizationMiddleware, validationMiddleware } from "wcz-layout/middleware";
+import { todoTable } from "~/lib/db/schemas/todo";
+import { TodoSchema } from "~/schemas/todo";
+
+export const Route = createFileRoute("/api/todos/$id")({
+  server: {
+    middleware: [authorizationMiddleware("all")],
+    handlers: createHandlers({
+      GET: async ({ context, params }) => {
+        const [item] = await context.db.select().from(todoTable).where(eq(todoTable.id, params.id));
+        if (!item) return new Response(null, { status: 404 });
+        return Response.json(item);
+      },
+      PUT: {
+        middleware: [validationMiddleware(TodoSchema)],
+        handler: async ({ context, params }) => {
+          const [item] = await context.db
+            .update(todoTable)
+            .set(context.data)
+            .where(eq(todoTable.id, params.id))
+            .returning();
+          return Response.json(item);
+        },
+      },
+      DELETE: async ({ context, params }) => {
+        await context.db.delete(todoTable).where(eq(todoTable.id, params.id));
+        return new Response(null, { status: 204 });
+      },
+    }),
+  },
+});
+```
+
+### Server functions (RPC-style)
+
+```typescript
+import { createServerFn } from "@tanstack/start";
+
+const getTodos = createServerFn({ method: "GET" })
+  .middleware([authorizationMiddleware("all")])
+  .handler(async ({ context }) => {
+    return context.db.select().from(todoTable);
+  });
+```
+
+Server functions are typed end-to-end. Use them for operations that don't need REST semantics.
+
+### Middleware composition
+
+`authorizationMiddleware(permissionKey)` already includes `authenticationMiddleware` internally. It verifies the JWT token and injects `context.user` with a `User` object that has `hasPermission()`. If the user lacks the permission, it returns 403.
+
+`validationMiddleware(schema)` parses `request.json()` against the Zod schema and injects `context.data` with the typed result. On failure, returns 400 with the first field error.
+
+## Common Mistakes
+
+### HIGH Chaining authenticationMiddleware then authorizationMiddleware
+
+Wrong:
+
+```typescript
+middleware: [authenticationMiddleware(), authorizationMiddleware("admin")],
+```
+
+Correct:
+
+```typescript
+middleware: [authorizationMiddleware("admin")],
+```
+
+`authorizationMiddleware` already composes `authenticationMiddleware` internally. Chaining both duplicates JWT verification.
+
+Source: maintainer interview
+
+Cross-skill: See also skills/auth/SKILL.md § Common Mistakes
+
+### HIGH Forgetting validationMiddleware for mutations
+
+Wrong:
+
+```typescript
+POST: async ({ request, context }) => {
+  const data = await request.json();
+  await context.db.insert(todoTable).values(data).returning();
+},
+```
+
+Correct:
+
+```typescript
+POST: {
+  middleware: [validationMiddleware(TodoInsertSchema)],
+  handler: async ({ context }) => {
+    const [item] = await context.db
+      .insert(todoTable)
+      .values(context.data)
+      .returning();
+    return Response.json(item, { status: 201 });
+  },
+},
+```
+
+POST/PUT handlers without `validationMiddleware` accept unvalidated JSON. The middleware parses `request.json()` with Zod and injects typed `context.data`.
+
+Source: wcz-layout:src/middleware/validationMiddleware.ts
+
+### HIGH Returning data without Response.json wrapper
+
+Wrong:
+
+```typescript
+GET: async ({ context }) => {
+  return await context.db.select().from(todoTable);
+},
+```
+
+Correct:
+
+```typescript
+GET: async ({ context }) => {
+  const items = await context.db.select().from(todoTable);
+  return Response.json(items);
+},
+```
+
+TanStack Start API route handlers must return `Response` objects. Returning raw objects doesn't set content-type headers correctly.
+
+Source: consumer project example
+
+### MEDIUM Using plain function for POST instead of middleware object
+
+Wrong:
+
+```typescript
+POST: async ({ request, context }) => {
+  // no way to attach validationMiddleware
+},
+```
+
+Correct:
+
+```typescript
+POST: {
+  middleware: [validationMiddleware(TodoInsertSchema)],
+  handler: async ({ context }) => {
+    // context.data is typed from schema
+  },
+},
+```
+
+When a handler needs per-method middleware (like validation), it must use the `{ middleware, handler }` object shape, not a plain async function.
+
+Source: consumer project example
+
+### MEDIUM Using invalid permission key string
+
+`authorizationMiddleware(permissionKey)` is typed to `keyof typeof permissions` from your app's `permissions.ts`. Using a string not defined there causes a compile error.
+
+Source: wcz-layout:src/middleware/authMiddleware.ts
+
+### HIGH Tension: Simplicity vs. full-stack rigor
+
+Quick prototypes may skip middleware to move fast. Always include `authorizationMiddleware` and `validationMiddleware` from the start — retrofitting security later is error-prone.
+
+See also: skills/project-initialization/SKILL.md § Common Mistakes
+
+### HIGH Tension: Client-side first vs. server-side data
+
+`defaultSsr: false` means pages render on the client. Do not use SSR data fetching patterns (loader + dehydrate). API routes serve data to TanStack DB collections which manage client-side state.
+
+See also: skills/tanstack-db-collections/SKILL.md § Core Patterns
+
+---
+
+See also:
+
+- skills/tanstack-db-collections/SKILL.md — Collections consume these API routes via axios.
+- skills/auth/SKILL.md — Every API route uses authorizationMiddleware.
+- skills/database-schema/SKILL.md — Schemas feed into validationMiddleware.