woodsportal-client-sdk 1.1.5-dev.0 → 4.0.0-dev.0

package/CHANGELOG.md

@@ -5,10 +5,119 @@ All notable changes to **woodsportal-client-sdk** are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.0] - 2026-06-06
+
+### Removed (breaking)
+
+- **`state/legacy/`** — legacy table UI store (`use-table-ui`, `create-store`, `table-stores`, `resolve-table-list-params`).
+- **Flat root `api.*` shims** — only `api.auth`, `api.crm`, `api.navigation` remain.
+- **Top-level navigation exports** — `url`, `routeParam`, `breadcrumbsDetails` (use `api.navigation.*`).
+- **`config` export** — use `hubContext` / `setHubContext`.
+- **`store.useTable` / `store.legacyTableUi`** — use `store.tableUi` or `useTableUi()` from framework adapters.
+
+### Changed (breaking)
+
+- **Table UI state:** canonical `state/crm/table-ui.ts` + `table-ui-actions.ts`; reactive hook **`useTableUi()`** (replaces `useLegacyTableUi`).
+- **List mutations:** `api.crm.objects.list()` and `api.crm.pipelines.list()` **require** `payload.tableParams` (no global store fallback).
+- **`setObjectsData`** accepts `{ stageId }` from resolved list params (board append no longer reads global legacy store).
+
+### Added
+
+- `store.tableUi: { store, actions }` on root `store` export.
+- `features/crm/helpers/normalize-table-list-params.ts` — validates required `tableParams`.
+- Tests updated for nested-only API surface.
+
+### Migration (3.x → 4.0)
+
+| 3.x | 4.0 |
+|-----|-----|
+| `useLegacyTableUi()` | `useTableUi()` |
+| `store.legacyTableUi()` | `store.tableUi.actions` / `useTableUi()` |
+| `api.login()` | `api.auth.login()` |
+| `url.makeLink()` | `api.navigation.url.makeLink()` |
+| `list({ hubspotObjectTypeId })` | `list({ hubspotObjectTypeId, tableParams: getTableParam() })` |
+
+See [docs/PUBLIC-API-NAMING.md](docs/PUBLIC-API-NAMING.md).
+
+## [3.0.0] - 2026-06-06
+
+### Changed (breaking)
+
+- **Nested public API:** `api.auth`, `api.crm`, `api.navigation` replace the flat `api.*` spread as the canonical surface. See [docs/PUBLIC-API-NAMING.md](docs/PUBLIC-API-NAMING.md).
+- **Mutation aliases:** primary alias matches nested leaf (`api.crm.objects.list()` → `{ list, mutate, isLoading }`).
+- **Session helpers:** `api.auth.session.isAuthenticated()`, `refreshAccessToken()`, `isAccessTokenExpired()` (flat names deprecated).
+- **Profile update:** nested key `api.auth.updateProfile()` (was `profileUpdate`).
+- **Store:** `store.legacyTableUi` (was `store.useTable` — shim retained until 4.0).
+- **Hub context:** prefer `hubContext` export; `config` deprecated.
+
+### Added
+
+- [docs/PUBLIC-API-NAMING.md](docs/PUBLIC-API-NAMING.md) — full 2.x→3.x migration matrix.
+- `src/test/apis/nested-api.test.ts`, `flat-api-governance.test.ts` — nested paths + shim registry guards.
+- Concurrent `me()` dedup (in-flight share).
+
+### Deprecated (remove in 4.0)
+
+- Flat root `api.*` keys (`api.objects`, `api.login`, …) — delegate to nested paths.
+- Top-level `url`, `routeParam`, `breadcrumbsDetails` — use `api.navigation.*`.
+- `store.useTable`, `config` export.
+
+### Migration
+
+See [docs/PUBLIC-API-NAMING.md](docs/PUBLIC-API-NAMING.md) for the full table. Examples:
+
+| 2.x | 3.0 |
+|-----|-----|
+| `api.login()` | `api.auth.login()` |
+| `api.objects()` / `{ getObjects }` | `api.crm.objects.list()` / `{ list }` |
+| `api.getAccessToken()` | `api.auth.session.getAccessToken()` |
+| `url.makeLink()` | `api.navigation.url.makeLink()` |
+
+## [2.0.0] - 2026-06-05
+
+### Changed (breaking)
+
+- **Folder structure:** layered layout — `core/`, `features/auth|crm|navigation`, `state/crm/`. See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md).
+- **Subpath entries:** `woodsportal-client-sdk/auth` and `/crm` no longer re-import the monolithic `index.ts` graph.
+- **Navigation URL helpers:** `url.useMakeLink` → `url.makeLink`, `url.useUpdateLink` → `url.updateLink` (factory functions; not React hooks).
+
+### Removed (breaking)
+
+- `clint` namespace export
+- `http-clint.ts`, `localStoraget.ts` typo shims
+- `routing/route-param.ts` (use `routeParam` from main or `/crm` entry)
+
+### Migration
+
+| Before (1.x)                                          | After (2.0)                  |
+| ----------------------------------------------------- | ---------------------------- |
+| `url.useMakeLink()`                                   | `url.makeLink()`             |
+| `url.useUpdateLink()`                                 | `url.updateLink()`           |
+| `import … from 'woodsportal-client-sdk'` (deep paths) | Use documented subpaths only |
+| `clint`                                               | `Client` from main export    |
+
+### Added
+
+- [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md), [CONTRIBUTING.md](CONTRIBUTING.md), [SECURITY.md](SECURITY.md)
+- CRM entry bundle budget in `npm run size:check`
+- `examples/smoke-consumer/smoke-auth-only.mjs` — auth subpath isolation smoke
+
 ## [Unreleased]
 
 ### Added
 
+- **Client-lane MFA APIs:** `verifyOtp`, `sendMfaOtp`, pending passkey MFA step, enrollment (TOTP, phone verify, WebAuthn/passkeys), passwordless passkey login, and `getMfaStatus` / `setMfaPreferences`.
+- **Client-lane security settings APIs:** `getSecurityOverview`, `getSecurityLoginActivity`, `getSecuritySessions`, `revokeSecuritySession`, `revokeOtherSecuritySessions`.
+- **MFA-aware login:** `api.login()` stores only the temp access JWT when `twoFactorRequired` is true (no refresh token until MFA completes).
+- Exported TypeScript types for MFA and security DTOs (`MfaMethod`, `SecurityOverview`, `ActiveSession`, etc.).
+- **Docs:** [`docs/MFA-SECURITY-SDK.md`](docs/MFA-SECURITY-SDK.md) — full SDK method → API reference with examples; JSDoc on all MFA/security facades for IDE hover.
+
+### Changed
+
+- **Source layout:** production code under `src/main/`, unit tests under `src/test/` (Spring Boot / Maven mirror). Update local imports or docs that referenced `src/` directly.
+
+### Added
+
 - **`formatHubSpotActivityDateTime`**, **`formatHubSpotActivityDateTimeParts`**, **`formatGmtOffset`**, **`normalizeToTimestamp`**, and **`DEFAULT_HUBSPOT_TIMEZONE`** (`Asia/Kolkata`) for HubSpot-style activity timestamps (e.g. `May 27, 2026 at 11:31 PM GMT+5:30`).
 
 ### Added

package/README.md

@@ -2,13 +2,30 @@
 
 TypeScript/JavaScript **ESM** client for the **WoodsPortal** HTTP API: authentication, SSO, users, pipelines, HubSpot-aligned objects, notes, emails, uploads, and files.
 
-| | |
-|---|---|
-| **npm** | [`woodsportal-client-sdk`](https://www.npmjs.com/package/woodsportal-client-sdk) |
-| **Source** | [`Digital-Woods/digitalwoods.io-woodsportal-client-sdk`](https://github.com/Digital-Woods/digitalwoods.io-woodsportal-client-sdk) |
-| **Issues** | [GitHub Issues](https://github.com/Digital-Woods/digitalwoods.io-woodsportal-client-sdk/issues) |
-| **Runtime** | Node **≥ 18**; **ESM only** (`"type": "module"` in consuming apps is recommended) |
-| **License** | **ISC** — see [`LICENSE`](./LICENSE) |
+|             |                                                                                                                                   |
+| ----------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| **npm**     | [`woodsportal-client-sdk`](https://www.npmjs.com/package/woodsportal-client-sdk)                                                  |
+| **Source**  | [`Digital-Woods/digitalwoods.io-woodsportal-client-sdk`](https://github.com/Digital-Woods/digitalwoods.io-woodsportal-client-sdk) |
+| **Issues**  | [GitHub Issues](https://github.com/Digital-Woods/digitalwoods.io-woodsportal-client-sdk/issues)                                   |
+| **Runtime** | Node **≥ 18**; **ESM only** (`"type": "module"` in consuming apps is recommended)                                                 |
+| **License** | **ISC** — see [`LICENSE`](./LICENSE)                                                                                              |
+
+---
+
+## Project layout (Spring Boot–style)
+
+Production and test sources are split like WoodsPortal Java services:
+
+| Path        | Role                                                                                                              |
+| ----------- | ----------------------------------------------------------------------------------------------------------------- |
+| `src/main/` | Library source — `core/`, `features/`, `state/`, `adapters/` (see [docs/ARCHITECTURE.md](./docs/ARCHITECTURE.md)) |
+| `src/test/` | Unit tests mirroring `src/main/` package paths                                                                    |
+
+Example: `src/main/client/auth-headers.ts` ↔ `src/test/client/login-session.test.ts`.
+
+See [`src/test/README.md`](src/test/README.md). Run tests with `npm test`.
+
+**Contributors:** [docs/DEVELOPER-GUIDE.md](./docs/DEVELOPER-GUIDE.md) · [CONTRIBUTING.md](./CONTRIBUTING.md)
 
 ---
 
@@ -19,7 +36,7 @@ TypeScript/JavaScript **ESM** client for the **WoodsPortal** HTTP API: authentic
 3. **Use HTTPS** for `baseURL` in every deployed environment.
 4. **Do not log** passwords, refresh tokens, access tokens, or full API error bodies in production telemetry.
 5. **Handle errors** with `try/await catch` around `mutate()`, and map user-visible text with **`getFormErrors`** / **`getFieldErrors`** when the API returns validation payloads.
-6. **Align hub context** with how your shell stores HubSpot data (`utils/config.ts` reads hub / dev-portal identifiers from app storage).
+6. **Align hub context** with how your shell stores HubSpot data (`core/utils/hub-context.ts` reads hub / dev-portal identifiers from app storage).
 
 ---
 
@@ -42,70 +59,71 @@ The SDK uses one shared Axios instance. If **`initializeHttpClient` has never be
 Call **`initializeHttpClient` once** during application bootstrap (before any `api.*` calls):
 
 ```typescript
-import { initializeHttpClient } from "woodsportal-client-sdk";
+import { initializeHttpClient } from 'woodsportal-client-sdk'
 
 initializeHttpClient({
-  baseURL: process.env.VITE_API_BASE_URL!, // example: Vite — use your env mechanism
-  timeout: 50_000,
-  hubId: process.env.VITE_HUB_ID,
-  devPortalId: process.env.VITE_DEV_PORTAL_ID,
-  skipCurrentPublicPath: () => false,
-  routes: {
-    unauthorized: "/unauthorized",
-    login: "/login",
-  },
-  onLogout: async () => {
-    // Clear cookies / storage and route to login — implementation is app-specific
-  },
-});
+    baseURL: process.env.VITE_API_BASE_URL!, // example: Vite — use your env mechanism
+    timeout: 50_000,
+    hubId: process.env.VITE_HUB_ID,
+    devPortalId: process.env.VITE_DEV_PORTAL_ID,
+    skipCurrentPublicPath: () => false,
+    routes: {
+        unauthorized: '/unauthorized',
+        login: '/login'
+    },
+    onLogout: async () => {
+        // Clear cookies / storage and route to login — implementation is app-specific
+    }
+})
 ```
 
-Hub and dev-portal identifiers are **also** read from browser storage in `src/utils/config.ts`. Keep that storage in sync with your HubSpot / portal shell so authenticated routes resolve the correct tenant context.
+Hub and dev-portal identifiers are **also** read from browser storage in `core/utils/hub-context.ts`. Keep that storage in sync with your HubSpot / portal shell so authenticated routes resolve the correct tenant context.
 
 ---
 
-## Public API
+## Public API (3.0)
 
-| Export | Purpose |
-|--------|---------|
-| **`api`** | Auth, SSO, users, pipelines, objects, notes, emails, uploads, files, token helpers. |
-| **`store`** | `storage` helpers and **`useTable`** (table state; name is historical — not a React hook). |
-| **`url`** | **`useMakeLink`**, **`useUpdateLink`** — breadcrumb / URL helpers (not React hooks). |
-| **`routeParam`** | **`getRouteDetails`**, **`getParamDetails`**. |
-| **`breadcrumbsDetails`** | **`getBreadcrumbs`**, **`getTableTitle`**, **`getFormTitle`**. |
-| **`initializeHttpClient`** | Axios base URL, timeouts, hub headers, auth callbacks. |
-| **`getFormErrors`**, **`getFieldErrors`** | Map Axios errors to form-level / field-level messages. |
-| **Types** | `LoginPayload`, `MutationOptions`, `ChangePasswordPayload`, … |
+| Export                                    | Purpose                                                                    |
+| ----------------------------------------- | -------------------------------------------------------------------------- |
+| **`api.auth`**                            | Login, MFA, security, SSO, users, session helpers (`api.auth.session.*`).  |
+| **`api.crm`**                             | Pipelines, objects, notes, emails, files, uploads, cache purge.            |
+| **`api.navigation`**                      | URL factories (`makeLink`, `updateLink`), route params, breadcrumbs.       |
+| **`store`**                               | `storage`, CRM nanostores (`table`, `user`, …), `tableUi` (pagination UI). |
+| **`hubContext`**                          | Hub / portal identifiers from browser storage.                             |
+| **`initializeHttpClient`**                | Axios base URL, timeouts, hub headers, auth callbacks.                     |
+| **`getFormErrors`**, **`getFieldErrors`** | Map Axios errors to form-level / field-level messages.                     |
 
-There is **no** `api.all()` or generic “invoke any route” helper — call the specific member on **`api`**.
+**4.0:** nested `api.*` only; `useTableUi()` + required `tableParams` on list mutations. See [CHANGELOG.md](./CHANGELOG.md).
+
+Naming rules and migration: [docs/PUBLIC-API-NAMING.md](./docs/PUBLIC-API-NAMING.md).
 
 ---
 
-## Mutation-style methods (`api.login`, …)
+## Mutation-style methods (`api.auth.login`, …)
 
-Most `api.*` factories wrap **`createMutation`**: invoke the factory **once** with optional **`MutationOptions`**, then call the returned **`mutate`** (often aliased, e.g. **`login`**) with a payload.
+Most nested factories wrap **`createMutation`**: invoke once with optional **`MutationOptions`**, then call the returned **`mutate`** or the **leaf alias** (e.g. **`login`**, **`list`**).
 
 **Loading:** **`isLoading()`** returns whether **any** in-flight call exists for that factory (overlapping calls are supported).
 
 **Errors:** **`onError`** runs when the request fails; the returned promise **still rejects** — use `try/catch` or `.catch()` in addition to `onError` when you need local control flow.
 
 ```typescript
-import type { LoginPayload } from "woodsportal-client-sdk";
-import { api } from "woodsportal-client-sdk";
-
-const { login, mutate, isLoading } = api.login({
-  onSuccess: async (data, payload) => {
-    // Persist session in app state if needed; tokens are handled inside the SDK login path
-  },
-  onError: (error, payload) => {
-    // Log a redacted message; map to UI state — avoid logging credentials
-  },
-  onLoadingChange: (loading) => {
-    // Drive a global or local spinner
-  },
-});
-
-await login({ username: "user@example.com", password: "…" });
+import type { LoginPayload } from 'woodsportal-client-sdk'
+import { api } from 'woodsportal-client-sdk'
+
+const { login, mutate, isLoading } = api.auth.login({
+    onSuccess: async (data, payload) => {
+        // Persist session in app state if needed; tokens are handled inside the SDK login path
+    },
+    onError: (error, payload) => {
+        // Log a redacted message; map to UI state — avoid logging credentials
+    },
+    onLoadingChange: (loading) => {
+        // Drive a global or local spinner
+    }
+})
+
+await login({ username: 'user@example.com', password: '…' })
 // `mutate` is identical to `login` here
 ```
 
@@ -114,23 +132,23 @@ await login({ username: "user@example.com", password: "…" });
 ## React example (login form)
 
 ```tsx
-import type { LoginPayload } from "woodsportal-client-sdk";
-import { api } from "woodsportal-client-sdk";
+import type { LoginPayload } from 'woodsportal-client-sdk'
+import { api } from 'woodsportal-client-sdk'
 
 const { login } = api.login({
-  onSuccess: () => undefined,
-  onError: () => undefined,
-  onLoadingChange: () => undefined,
-});
+    onSuccess: () => undefined,
+    onError: () => undefined,
+    onLoadingChange: () => undefined
+})
 
 export async function submitLogin(e: React.FormEvent<HTMLFormElement>) {
-  e.preventDefault();
-  const formData = new FormData(e.currentTarget);
-  const payload: LoginPayload = {
-    username: String(formData.get("username") ?? ""),
-    password: String(formData.get("password") ?? ""),
-  };
-  await login(payload);
+    e.preventDefault()
+    const formData = new FormData(e.currentTarget)
+    const payload: LoginPayload = {
+        username: String(formData.get('username') ?? ''),
+        password: String(formData.get('password') ?? '')
+    }
+    await login(payload)
 }
 ```
 
@@ -178,8 +196,8 @@ npm link woodsportal-client-sdk
 Consume with the same import paths as npm:
 
 ```ts
-import { api } from "woodsportal-client-sdk";
-import { useTable, useSync } from "woodsportal-client-sdk/react";
+import { api } from 'woodsportal-client-sdk'
+import { useTable, useSync } from 'woodsportal-client-sdk/react'
 // import { useTable, useSync } from "woodsportal-client-sdk/vue";
 // import { useTable, useSync } from "woodsportal-client-sdk/angular";
 ```
@@ -189,11 +207,11 @@ After `npm run build`, the main entry and framework adapters (`/react`, `/vue`,
 ### React
 
 ```tsx
-import { useTable } from "woodsportal-client-sdk/react";
+import { useTable } from 'woodsportal-client-sdk/react'
 
 function ObjectsTable() {
-  const table = useTable();
-  // table.tableData, table.setTableData(...)
+    const table = useTable()
+    // table.tableData, table.setTableData(...)
 }
 ```
 
@@ -203,9 +221,9 @@ Call composables inside `setup()` (or `<script setup>`):
 
 ```vue
 <script setup lang="ts">
-import { useTable } from "woodsportal-client-sdk/vue";
+import { useTable } from 'woodsportal-client-sdk/vue'
 
-const table = useTable();
+const table = useTable()
 </script>
 ```
 
@@ -214,17 +232,93 @@ const table = useTable();
 Call composables in an injection context (constructor, field initializer, or `runInInjectionContext`):
 
 ```typescript
-import { Component } from "@angular/core";
-import { useTable } from "woodsportal-client-sdk/angular";
+import { Component } from '@angular/core'
+import { useTable } from 'woodsportal-client-sdk/angular'
 
-@Component({ /* ... */ })
+@Component({
+    /* ... */
+})
 export class ObjectsTableComponent {
-  readonly table = useTable();
+    readonly table = useTable()
 }
 ```
 
 ---
 
+## Cache purge (CRM Sync)
+
+Prefer **`POST /api/{hubId}/{portalId}/cache-purge-jobs`** over habitual `cache=false` on list reads. Requires `FEATURE_CACHE_PURGE_API_ENABLED` on the API.
+
+| Export                                                  | Use                                                 |
+| ------------------------------------------------------- | --------------------------------------------------- |
+| `createCachePurgeJob`                                   | POST + optional warm job poll                       |
+| `buildCrmListPurgeTarget` / `buildCrmSinglePurgeTarget` | List or detail scope                                |
+| `buildEngagementPurgeTarget`                            | `notes` / `emails` / `files` (requires `recordIds`) |
+| `purgeCrmListCache` / `purgeEngagementCaches`           | Convenience wrappers returning `PurgeResult`        |
+| `purgeCrmObjectDataCache`                               | Legacy list-only boolean shorthand                  |
+
+API guide: `woodsportal-api/docs/CACHE-PURGE-API.md` in the monorepo. Types: `src/types/cache-purge.ts`; helpers: `src/utils/cache/`.
+
+---
+
+## MFA & login (client lane)
+
+When `POST /api/auth/login` returns `twoFactorRequired: true`, the SDK stores **only** the temporary access JWT — **not** the refresh token. Complete MFA with `api.verifyOtp()` (or pending passkey verify); on success the SDK persists the full session.
+
+**Full guide:** [`docs/MFA-SECURITY-SDK.md`](docs/MFA-SECURITY-SDK.md) (every method, payload, and example).
+
+Backend reference: `woodsportal-api/docs/MFA-FRONTEND-DEVELOPER-GUIDE.md`.
+
+### Login & MFA step (unauthenticated)
+
+| SDK method                                                            | HTTP                                                            | Purpose                                                    |
+| --------------------------------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------- |
+| `login({ username, password })`                                       | `POST /api/auth/login?hubId=`                                   | Password login; may return `twoFactorRequired`             |
+| `verifyOtp({ token, otp, method })`                                   | `POST /api/auth/verify-otp?hubId=`                              | Complete OTP/TOTP/backup MFA step; full session on success |
+| `sendMfaOtp({ token, method })`                                       | `POST /api/auth/mfa/pending/otp/send`                           | Resend OTP or switch to email/SMS on MFA gate              |
+| `pendingPasskeyOptions({ token, portalId? })`                         | `POST /api/auth/mfa/pending/passkey/authenticate/options`       | Start passkey MFA-step ceremony                            |
+| `pendingPasskeyVerify({ token, challengeId, credential, portalId? })` | `POST /api/auth/mfa/pending/passkey/authenticate/verify?hubId=` | Finish passkey MFA step; full session on success           |
+| `passkeyLoginOptions({ email, hubId?, portalId? })`                   | `POST /api/auth/passkey/login/options?hubId=`                   | Passwordless passkey login start                           |
+| `passkeyLoginVerify({ challengeId, credential, portalId? })`          | `POST /api/auth/passkey/login/verify?hubId=`                    | Passwordless login finish; may still require MFA           |
+
+### MFA enrollment (authenticated)
+
+| SDK method                                                                  | HTTP                                                         | Purpose                                  |
+| --------------------------------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------------- |
+| `getMfaStatus({ portalId? })`                                               | `GET /api/auth/mfa/status?portalId=`                         | Enrollment + policy snapshot             |
+| `setMfaPreferences({ defaultMethod, portalId? })`                           | `PUT /api/auth/mfa/preferences?portalId=`                    | Set scoped default MFA method            |
+| `startPhoneVerify({ phone })`                                               | `POST /api/auth/mfa/phone/verify/start`                      | Send phone verification OTP (E.164)      |
+| `confirmPhoneVerify({ phone, code })`                                       | `POST /api/auth/mfa/phone/verify/confirm`                    | Confirm phone; enables SMS at login      |
+| `totpEnrollStart({ portalId? })`                                            | `POST /api/auth/mfa/totp/enroll/start?portalId=`             | Start TOTP; returns QR/`otpauthUri`      |
+| `totpEnrollVerify({ code, portalId? })`                                     | `POST /api/auth/mfa/totp/enroll/verify?portalId=`            | Confirm TOTP; backup codes returned once |
+| `totpDisable({ password })`                                                 | `POST /api/auth/mfa/totp/disable`                            | Disable TOTP for current scope           |
+| `webauthnRegisterOptions({ portalId? })`                                    | `POST /api/auth/mfa/webauthn/register/options?portalId=`     | Passkey registration ceremony            |
+| `webauthnRegisterVerify({ challengeId, credential, nickname?, portalId? })` | `POST /api/auth/mfa/webauthn/register/verify?portalId=`      | Complete passkey registration            |
+| `webauthnAuthOptions({ portalId? })`                                        | `POST /api/auth/mfa/webauthn/authenticate/options?portalId=` | Logged-in passkey re-verify              |
+| `webauthnAuthVerify({ challengeId, credential, portalId? })`                | `POST /api/auth/mfa/webauthn/authenticate/verify?portalId=`  | Complete logged-in passkey verify        |
+| `listWebauthnCredentials({ portalId? })`                                    | `GET /api/auth/mfa/webauthn/credentials?portalId=`           | List passkeys                            |
+| `deleteWebauthnCredential({ credentialRecordId, portalId? })`               | `DELETE /api/auth/mfa/webauthn/credentials/{id}?portalId=`   | Remove a passkey                         |
+
+WebAuthn ceremonies use `@simplewebauthn/browser` in the host app; the SDK transports credential JSON only.
+
+---
+
+## Security settings (client lane)
+
+Use dedicated security endpoints for the account Security page — **not** `GET /me` + `GET /mfa/status`. Full contract: `woodsportal-api/docs/SECURITY-FRONTEND-DEVELOPER-GUIDE.md`. **Examples:** [`docs/MFA-SECURITY-SDK.md`](docs/MFA-SECURITY-SDK.md).
+
+| SDK method                                                 | HTTP                                                 | Purpose                                       |
+| ---------------------------------------------------------- | ---------------------------------------------------- | --------------------------------------------- |
+| `getSecurityOverview({ portalId? })`                       | `GET /api/auth/security/overview?portalId=`          | Password age, MFA methods, policy flags       |
+| `getSecurityLoginActivity({ page?, limit?, sort? })`       | `GET /api/auth/security/login-activity`              | Paginated login history                       |
+| `getSecuritySessions({ currentFamilyId?, refreshToken? })` | `GET /api/auth/security/sessions`                    | Active sessions; pass refresh to mark current |
+| `revokeSecuritySession({ familyId, refreshToken? })`       | `POST /api/auth/security/sessions/{familyId}/revoke` | Sign out one device                           |
+| `revokeOtherSecuritySessions({ refreshToken? })`           | `POST /api/auth/security/sessions/revoke-others`     | Sign out all other devices                    |
+
+Pass `refreshToken` (or use `getRefreshToken()` from SDK cookies) so the API can mark the current session when listing or revoking others.
+
+---
+
 ## Security & privacy
 
 - Send credentials and tokens **only over HTTPS** in production.

package/dist/adapters/angular/index.d.ts

@@ -1,21 +1,70 @@
-import { E as EmailState, N as NoteState, S as SyncState, T as TableState } from '../../use-sync-LbURBOs_.js';
+import { M as MultiObjectTableState, U as UploaderState } from '../../use-uploader-2F1zc7Cl.js';
+import { E as EmailState, N as NoteState, S as SyncState, a as TableState, T as TableUiState, U as UserState } from '../../use-sync-DpazhM4d.js';
 
 declare const useTable: () => TableState & {
-    setObjectsData(response: any): Promise<void>;
+    setObjectsQueryParams(params: any): void;
+    setMultiObjectsQueryParams(hubspotObjectTypeId: string, params: any): void;
+    setObjectsData(response: any, context?: {
+        stageId?: string | number;
+    }): Promise<void>;
     setTableData(response: any, payload: any): void;
     modifiedObjectsData(results: any): void;
     clearTablePrependData(): void;
     setTablePrependData(response: any, props?: any): Promise<void>;
 };
+declare const useTableUi: () => TableUiState & {
+    setTableUniqueId(v: string | null): void;
+    setSort(v: string): void;
+    setLimit(v: number): void;
+    setAfter(v: string): void;
+    setPage(v: number | string): void;
+    setNextPage(v: number | string): void;
+    setStageId(v: number | string): void;
+    setTotalItems(v: number): void;
+    setNumOfPages(v: number): void;
+    setCurrentPage(v: number): void;
+    setSearch(v: string): void;
+    setFilterPropertyName(v: string): void;
+    setFilterOperator(v: string): void;
+    setFilterValue(v: string): void;
+    setIsPrimaryCompany(v: boolean | null): void;
+    setTableFilterData(v: Record<string, unknown>): void;
+    setTableDefPermissions(v: Record<string, unknown>): void;
+    setView(mView: string | null): void;
+    changePipeline(mView: string | null): void;
+    setSelectedPipeline(pipelines: any[], pipeLineId?: string): void;
+    resetTableParam(): void;
+    getTableParam(companyAsMediator?: boolean, currentPageOverride?: number): {
+        after: string | number;
+    } | {
+        after?: string | undefined;
+        limit: number;
+        page: string | number;
+    };
+    setGridData(type: string, deals: any[]): Promise<any[]>;
+    setDefaultPipeline(data: any, hubspotObjectTypeId: string): any;
+};
+declare const useMultiObjectActions: () => MultiObjectTableState & {
+    setMultiObjectData(response: any, payload: any): void;
+    clearMultiObjectPrependData(hubspotObjectTypeId?: string): void;
+    setMultiObjectPrependData(response: any, props?: any): Promise<void>;
+};
 declare const useNote: () => NoteState & {
+    setListQueryParams(params: any): void;
     setNotes(response: any, payload: any): void;
     setPrependNote(response: any): Promise<void>;
-    updatePrependNote(response: any): Promise<void>;
+    clearPrependNotes(): void;
+    updatePrependNote(response: any): Promise<any>;
 };
 declare const useEmail: () => EmailState & {
+    setListQueryParams(params: any): void;
     setEmails(response: any, payload: any): void;
     setPrependEmail(response: any): Promise<void>;
-    updatePrependEmail(response: any): Promise<void>;
+    clearPrependEmails(): void;
+    updatePrependEmail(response: any): Promise<any>;
+};
+declare const useUser: () => UserState & {
+    setProfile(response: any): void;
 };
 declare const useSync: () => SyncState & {
     setIsSyncLoading(status: boolean): void;
@@ -23,5 +72,9 @@ declare const useSync: () => SyncState & {
     setApiSync(status: boolean): void;
     setSyncDisable(status: boolean): void;
 };
+declare const useUploader: () => UploaderState & {
+    setAttachment(response: any): void;
+    clearAttachments(): void;
+};
 
-export { useEmail, useNote, useSync, useTable };
+export { useEmail, useMultiObjectActions, useNote, useSync, useTable, useTableUi, useUploader, useUser };

package/dist/adapters/angular/index.js

@@ -1,7 +1,8 @@
-import { bindStoreWithActions } from '../../chunk-Y5MRAAGK.js';
-import { createAdapterHooks } from '../../chunk-J7MDPY5P.js';
-import '../../chunk-RDCT25UV.js';
-import '../../chunk-NB7AINV4.js';
+import { bindStoreWithActions } from '../../chunk-AYTO6ND7.js';
+import { createAdapterHooks } from '../../chunk-H57IQHVF.js';
+import '../../chunk-SSS4DNXP.js';
+import '../../chunk-KBXI2JBA.js';
+import '../../chunk-3FUHGFAQ.js';
 import { inject, DestroyRef, signal } from '@angular/core';
 
 function createAngularStoreComposable(store, actions) {
@@ -26,9 +27,9 @@ function createAngularStoreComposable(store, actions) {
   };
 }
 
-// src/adapters/angular/index.ts
-var { useTable, useNote, useEmail, useSync } = createAdapterHooks(createAngularStoreComposable);
+// src/main/adapters/angular/index.ts
+var { useTable, useTableUi, useMultiObjectActions, useNote, useEmail, useUser, useSync, useUploader } = createAdapterHooks(createAngularStoreComposable);
 
-export { useEmail, useNote, useSync, useTable };
+export { useEmail, useMultiObjectActions, useNote, useSync, useTable, useTableUi, useUploader, useUser };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map

package/dist/adapters/angular/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/adapters/shared/createAngularComposable.ts","../../../src/adapters/angular/index.ts"],"names":[],"mappings":";;;;;;AAGO,SAAS,4BAAA,CAGd,OAAkC,OAAA,EAAmB;AACnD,EAAA,OAAO,SAAS,QAAA,GAA8B;AAC1C,IAAA,MAAM,UAAA,GAAa,OAAO,UAAU,CAAA;AACpC,IAAA,MAAM,OAAA,GAAU,oBAAA,CAAqB,KAAA,EAAO,OAAO,CAAA;AACnD,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,OAAA,CAAQ,WAAA,EAAa,CAAA;AAE7C,IAAA,UAAA,CAAW,SAAA;AAAA,MACP,OAAA,CAAQ,UAAU,MAAM;AACpB,QAAA,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,WAAA,EAAa,CAAA;AAAA,MACtC,CAAC;AAAA,KACL;AAEA,IAAA,OAAO,IAAI,KAAA,CAAM,EAAC,EAAwB;AAAA,MACtC,GAAA,CAAI,SAAS,IAAA,EAAM;AACf,QAAA,MAAM,GAAA,GAAM,OAAO,IAAI,CAAA;AACvB,QAAA,IAAI,OAAO,OAAA,EAAS;AAChB,UAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,QACnD;AACA,QAAA,OAAO,QAAA,GAAW,GAAmB,CAAA;AAAA,MACzC;AAAA,KACH,CAAA;AAAA,EACL,CAAA;AACJ;;;ACzBO,IAAM,EAAE,QAAA,EAAU,OAAA,EAAS,UAAU,OAAA,EAAQ,GAAI,mBAAmB,4BAA4B","file":"index.js","sourcesContent":["import { DestroyRef, inject, signal } from \"@angular/core\";\nimport { bindStoreWithActions, type SubscribableStore } from \"./bindStoreWithActions\";\n\nexport function createAngularStoreComposable<\n    TState extends object,\n    TActions extends object,\n>(store: SubscribableStore<TState>, actions: TActions) {\n    return function useStore(): TState & TActions {\n        const destroyRef = inject(DestroyRef);\n        const binding = bindStoreWithActions(store, actions);\n        const snapshot = signal(binding.getSnapshot());\n\n        destroyRef.onDestroy(\n            binding.subscribe(() => {\n                snapshot.set(binding.getSnapshot());\n            }),\n        );\n\n        return new Proxy({} as TState & TActions, {\n            get(_target, prop) {\n                const key = String(prop);\n                if (key in actions) {\n                    return (actions as Record<string, unknown>)[key];\n                }\n                return snapshot()[key as keyof TState];\n            },\n        });\n    };\n}\n","import { createAdapterHooks } from \"../shared/createAdapterHooks\";\nimport { createAngularStoreComposable } from \"../shared/createAngularComposable\";\n\nexport const { useTable, useNote, useEmail, useSync } = createAdapterHooks(createAngularStoreComposable);\n"]}
+{"version":3,"sources":["../../../src/main/adapters/shared/createAngularComposable.ts","../../../src/main/adapters/angular/index.ts"],"names":[],"mappings":";;;;;;;AAGO,SAAS,4BAAA,CAA6E,OAAkC,OAAA,EAAmB;AAC9I,EAAA,OAAO,SAAS,QAAA,GAA8B;AAC1C,IAAA,MAAM,UAAA,GAAa,OAAO,UAAU,CAAA;AACpC,IAAA,MAAM,OAAA,GAAU,oBAAA,CAAqB,KAAA,EAAO,OAAO,CAAA;AACnD,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,OAAA,CAAQ,WAAA,EAAa,CAAA;AAE7C,IAAA,UAAA,CAAW,SAAA;AAAA,MACP,OAAA,CAAQ,UAAU,MAAM;AACpB,QAAA,QAAA,CAAS,GAAA,CAAI,OAAA,CAAQ,WAAA,EAAa,CAAA;AAAA,MACtC,CAAC;AAAA,KACL;AAEA,IAAA,OAAO,IAAI,KAAA,CAAM,EAAC,EAAwB;AAAA,MACtC,GAAA,CAAI,SAAS,IAAA,EAAM;AACf,QAAA,MAAM,GAAA,GAAM,OAAO,IAAI,CAAA;AACvB,QAAA,IAAI,OAAO,OAAA,EAAS;AAChB,UAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,QACnD;AACA,QAAA,OAAO,QAAA,GAAW,GAAmB,CAAA;AAAA,MACzC;AAAA,KACH,CAAA;AAAA,EACL,CAAA;AACJ;;;ACtBO,IAAM,EAAE,QAAA,EAAU,UAAA,EAAY,qBAAA,EAAuB,OAAA,EAAS,QAAA,EAAU,OAAA,EAAS,OAAA,EAAS,WAAA,EAAY,GACzG,kBAAA,CAAmB,4BAA4B","file":"index.js","sourcesContent":["import { DestroyRef, inject, signal } from '@angular/core'\nimport { bindStoreWithActions, type SubscribableStore } from './bindStoreWithActions'\n\nexport function createAngularStoreComposable<TState extends object, TActions extends object>(store: SubscribableStore<TState>, actions: TActions) {\n    return function useStore(): TState & TActions {\n        const destroyRef = inject(DestroyRef)\n        const binding = bindStoreWithActions(store, actions)\n        const snapshot = signal(binding.getSnapshot())\n\n        destroyRef.onDestroy(\n            binding.subscribe(() => {\n                snapshot.set(binding.getSnapshot())\n            })\n        )\n\n        return new Proxy({} as TState & TActions, {\n            get(_target, prop) {\n                const key = String(prop)\n                if (key in actions) {\n                    return (actions as Record<string, unknown>)[key]\n                }\n                return snapshot()[key as keyof TState]\n            }\n        })\n    }\n}\n","import { createAdapterHooks } from '../shared/createAdapterHooks'\nimport { createAngularStoreComposable } from '../shared/createAngularComposable'\n\nexport const { useTable, useTableUi, useMultiObjectActions, useNote, useEmail, useUser, useSync, useUploader } =\n    createAdapterHooks(createAngularStoreComposable)\n"]}