v1.18.0

- Marked the status of "Invite and Manage Team Members" story as Complete in README.
- Updated the status of ORG-002 to Complete in the corresponding markdown file.
- Modified OrganizationManager to assign roles as 'owner' during organization creation.
- Implemented bulk invitation feature in UserInvitationManager, allowing multiple users to be invited via CSV upload.
- Added IReq_BulkCreateInvitations interface for bulk invitation requests.
- Enhanced CreateOrgForm to update state with new roles upon organization creation.
- Introduced BulkInviteModal for bulk inviting users, including email validation and role assignment.
- Updated UsersView to support ownership transfer and bulk invitation functionality.
- Improved account state management to handle new roles and organizations.

changelog.md

@@ -1,5 +1,233 @@
 # Changelog
 
+## 2026-04-20 - 1.18.0 - feat(reception)
+persist email action tokens and registration sessions for authentication and signup flows
+
+- add persisted email action tokens for email login and password reset with one-time consumption and expiry cleanup
+- store registration sessions in the database so signup state, email validation, and SMS verification survive restarts
+- enforce password changes through either a valid reset token or the current password
+- add housekeeping jobs and tests for token/session expiry and state persistence
+
+## 2026-04-20 - 1.17.1 - fix(docs)
+refresh module readmes and add repository license file
+
+- rewrite the root, backend, web, client, CLI, and interfaces README content to focus on current module responsibilities and usage
+- standardize README license references to the lowercase license file path
+- add the repository MIT license file
+
+## 2026-04-20 - 1.17.0 - feat(auth)
+harden authentication with argon2 passwords and rotating hashed refresh tokens
+
+- replace SHA-256 password hashing with argon2 while preserving verification and upgrade support for legacy hashes
+- rotate refresh tokens on JWT refresh, detect token reuse, and invalidate compromised sessions
+- store refresh and transfer tokens as hashes with one-time transfer token validation and expiry
+- persist refresh tokens separately on the client so sessions can recover and refresh without embedding tokens in JWTs
+- add authentication tests covering password verification, legacy hash migration, refresh token rotation, reuse detection, and one-time transfer tokens
+
+## 2026-01-29 - 1.16.0 - feat(dev)
+add local development docs, update tswatch preset and add Playwright screenshots
+
+- readme.md: added a Local Development section with prerequisites, quick-start commands, environment variables, development routes, and default development credentials + security note
+- npmextra.json: changed @git.zone/tswatch preset from "website" to "service" and disabled the built-in server (removed port/serveDir/liveReload and set server.enabled false); removed triggerReload from website watcher
+- .playwright-mcp: added Playwright screenshots (login-page.png, register-page.png, account-dashboard.png) for visual tests / CI
+
+## 2026-01-29 - 1.15.0 - feat(build)
+add tsbundle/tswatch configs, update build/watch scripts, bump dependencies, and add CLI documentation
+
+- Add tsbundle and tswatch configuration to npmextra.json to support bundling and a local dev server (dist_serve, liveReload, watch patterns).
+- Update package.json build/watch scripts to use generic tsbundle/tswatch invocations (removed explicit 'website' target).
+- Bump dependencies and devDependencies: @git.zone/tsbuild ^4.0.2 -> ^4.1.2, @git.zone/tsbundle ^2.6.3 -> ^2.8.3, @git.zone/tswatch ^2.3.13 -> ^3.0.1, @api.global/typedserver ^8.1.0 -> ^8.3.0, several @design.estate packages, @push.rocks/taskbuffer ^3.5.0 -> ^4.1.1, @types/node 25.0.3 -> 25.1.0, and other minor/patch bumps.
+- Add a new CLI README (ts_idpcli/readme.md) with usage, commands, programmatic API examples and configuration.
+- Update README license/Legal sections in ts_idpclient, ts_interfaces and ts_web to include license, trademark, and company information.
+
+## 2025-12-22 - 1.14.1 - fix(oidc)
+migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies
+
+- Updated route handlers in ts/index.ts to pass ctx (IRequestContext) instead of req
+- Refactored OIDC manager handlers to accept plugins.typedserver.IRequestContext and use ctx.url, ctx.headers, ctx.formData (handleAuthorize, handleToken, handleUserInfo, handleRevoke)
+- Bumped dependencies to support the new typedserver API: @api.global/typedserver -> ^8.1.0
+- Other dependency updates: @design.estate/dees-catalog ^3.4.0, @git.zone/tspublish ^1.11.0, @types/node ^25.0.3
+- Changing public handler method signatures is a breaking API change; recommend a major version bump
+
+## 2025-12-16 - 1.14.0 - feat(docs)
+add package READMEs and publish metadata; update web package publish order
+
+- Add comprehensive README for ts_web (web components/UI)
+- Add README for ts_idpclient (TypeScript client)
+- Add README for ts_interfaces (type definitions/interfaces)
+- Add tspublish.json for ts_idpcli (@idp.global/cli) and ts_idpclient (@idp.global/client)
+- Update ts_web/tspublish.json order from 4 to 5
+
+## 2025-12-15 - 1.13.0 - feat(oidc)
+feat(oidc): add OIDC provider (OidcManager, endpoints, and interfaces)
+
+- Add OidcManager class implementing OpenID Connect / OAuth2 server functionality (authorization codes, access/refresh tokens, user consents, PKCE support, JWKS, ID token generation, token revocation, cleanup task).
+- Expose OIDC endpoints on the website server: /.well-known/openid-configuration, /.well-known/jwks.json, /oauth/authorize, /oauth/token, /oauth/userinfo (GET/POST), and /oauth/revoke.
+- Integrate OidcManager into Reception: add oidcManager property and instantiate it from ts/index.ts so routes can reference it.
+- Add TypeScript interfaces for OIDC data structures (ts_interfaces/data/loint-reception.oidc.ts) and export them from the data index.
+
+## 2025-12-15 - 1.12.1 - fix(dependencies)
+fix(deps): bump @uptime.link/webwidget to ^1.2.6
+
+- Updated dependency @uptime.link/webwidget from ^1.2.5 to ^1.2.6 in package.json
+- No other files changed; this is a dependency patch update
+
+## 2025-12-15 - 1.12.0 - feat(interfaces)
+Add JWT public-key and blocklist request interfaces, publish ordering files, and update dependencies
+
+- Introduce IReq_GetPublicKeyForValidation and IReq_PushPublicKeyForValidation with documentation in ts_interfaces/request/loint-reception.jwt.ts to support fetching and pushing JWT public keys for validation.
+- Clarify IReq_PushOrGetJwtIdBlocklist to describe both GET (client requests blocklist) and PUSH (server pushes revoked JWT IDs) directions and required client handlers.
+- Add tspublish.json ordering files for packaging: ts_interfaces (order: 1), ts (order: 2), ts_idpclient (order: 3), ts_web (order: 4).
+- Update package.json dependencies to include @git.zone/tspublish and additional @push.rocks packages (@push.rocks/smartcli, @push.rocks/smartfile, @push.rocks/smartinteract).
+
+## 2025-12-14 - 1.11.0 - feat(idpcli)
+Add idp CLI (IdpCli) with commands, file-based credential storage, typed request APIs; bump deps and update config
+
+- Introduce a new CLI implementation under ts_idpcli: IdpCli class, runCli entrypoint and multiple commands (login, login-token, logout, whoami, orgs, orgs-create, members, invite, sessions, revoke, admin-check, admin-apps, admin-suspend, etc.).
+- Add plugins module that exports node built-ins and common libraries (smartcli, smartinteract, smartpromise, smartrx, typedrequest, typedsocket) for the CLI.
+- Expose many typed request accessors in classes.idprequests (authentication, registration, user/org/member management, billing, JWT/key management, admin operations).
+- Implement file-based credential storage (~/.idp-global/credentials.json) with load/store/delete helpers to persist refresh tokens and JWTs for the CLI.
+- Update ts/index.ts to start the website server on port 2999 (was previously started without explicit port).
+- Bump and add dependencies/devDependencies: @api.global/typedserver -> ^7.11.1, @design.estate/dees-catalog -> ^3.3.1, @push.rocks/smartjson -> ^6.0.0; add @push.rocks/smartcli, smartfile, smartinteract; upgrade @git.zone/tsbuild to ^4.0.2 and update tsrun/tswatch versions.
+- Rework npmextra.json: reorganized npmci and tsdoc sections, added release configuration (registries and accessLevel) and other npmci/docker mapping entries.
+
+## 2025-12-07 - 1.10.0 - feat(billingplan)
+Add Paddle v2 checkout support and backend config endpoint; add CSP headers and bump typedserver
+
+- Add getPaddleConfig typedrequest handler in BillingPlanManager to expose PADDLE_TOKEN and PADDLE_PRICE_ID from environment.
+- Introduce IReq_GetPaddleConfig typedrequest interface.
+- Update frontend paddlesetup to use Paddle v2: load v2 script, call Paddle.Initialize with token, open Checkout using items.priceId and customer.email, and handle checkout.completed events (store transaction_id).
+- Attempt to obtain user email from account state or via idpClient.whoIs before starting checkout; show error if email unavailable.
+- Add Content Security Policy securityHeaders to website server configuration to allow Paddle, ProfitWell, Sentry and related assets/connections.
+- Bump dependency @api.global/typedserver from ^7.8.17 to ^7.10.2.
+
+## 2025-12-01 - 1.9.0 - feat(account)
+Refactor account UI: migrate modals to promise-based show() API and improve navigation URL tracking
+
+- Replace inline modal elements with programmatic / static show() calls for OrgSelectModal and CreateOrgModal; navigation now reacts to the results returned from show() and pushes appropriate URLs.
+- Remove embedded <idp-org-select-modal> and <idp-create-org-modal> elements from the account template to use on-demand modal invocation.
+- Navigation component now exposes currentPath state, listens to popstate, and watches for external URL changes (requestAnimationFrame loop) to keep UI in sync with location changes.
+- Updated readme.hints.md with guidance for dees-catalog components and clarified dees-input-* event pattern (use RxJS Subjects, subscribe to changeSubject and access element.value).
+
+## 2025-12-01 - 1.8.0 - feat(reception)
+Add activity logging, session metadata and org-selection UI (backend and frontend)
+
+- Introduce ActivityLog and ActivityLogManager to track user actions (TActivityAction, IActivityLog) for audit/display.
+- Export new activity interface (IActivityLog) from ts_interfaces and add type TActivityAction.
+- Wire ActivityLogManager into Reception so activity logging is available via the typed router.
+- Enhance LoginSession data model with deviceInfo, createdAt and lastActive fields for richer session metadata.
+- Add getUserSessions typed handler to return detailed session list (device, browser, os, ip, createdAt, lastActive, isCurrent).
+- Revoke session endpoint now logs a 'session_revoked' activity when a session is revoked (and blocks revoking the current session).
+- Add request interfaces IReq_GetUserSessions and IReq_GetUserActivity to typed request definitions.
+- Frontend: account element now includes org-select and create-org modals, OrgView route, and handlers to open modals and navigate to new org/billing pages.
+- Frontend: organization dropdown adds a '+ Create new...' option and wiring to open the creation modal.
+- Minor refactors and routing exports: account index exports new modal components and views updated (OrgView).
+
+## 2025-12-01 - 1.7.0 - feat(admin)
+Add global admin functionality: backend admin APIs, model fields and UI integration
+
+- Backend: Add AppManager admin endpoints (getGlobalAppStats, create/update/delete/global apps, regenerate credentials) and checkGlobalAdmin handler; enforce admin checks via verifyGlobalAdmin
+- Data models: Add createdAt and createdByUserId to global app data; add optional isGlobalAdmin flag to user data (IUser)
+- Typed requests: Add new request definitions in loint-reception.admin.ts and export it from request index
+- UI: Expose Global Admin entry in account navigation (isGlobalAdmin reactive state), add /admin subroute and AdminView export
+- Account state: Fetch whoIs() on load to populate user information for admin checks
+- App seeding: Seed global apps with createdAt and createdByUserId metadata
+- Docs: Story index updated to include ADM-008 Manage Global Apps and adjust priority summary
+
+## 2025-12-01 - 1.6.0 - feat(apps)
+Add Apps subsystem: App and AppConnection models, managers, typed request handlers, web UI routes and documentation
+
+- Introduce App and AppConnection SmartData models (ts/reception/classes.app.ts, ts/reception/classes.appconnection.ts)
+- Add AppManager and AppConnectionManager with typed handlers for getGlobalApps, getAppConnections and toggleAppConnection (ts/reception/classes.appmanager.ts, ts/reception/classes.appconnectionmanager.ts)
+- Add request and data interfaces for apps and app connections (ts_interfaces/data/loint-reception.app.ts, ts_interfaces/data/loint-reception.appconnection.ts, ts_interfaces/request/loint-reception.app.ts)
+- Seed default global apps and support OAuth credential shape (IOAuthCredentials) in app data
+- Wire App managers into Reception (ts/reception/classes.reception.ts) and Reception startup
+- Update idp client types to use legacy app shape where required (IAppLegacy) and adapt typed requests (ts_idpclient/*)
+- Expose web UI routes and navigation for organization Apps view and export the AppsView (ts_web/elements/account/*, ts_web/elements/account/views/index.ts)
+- Add registration of new stories for Apps feature (stories/*: ORG-009, ORG-010, ORG-011, DEV-008) and update story index
+- Adjust typed request shapes for login/transfer flows to accept IAppLegacy where transfer/app data is exchanged
+
+## 2025-12-01 - 1.5.0 - feat(account)
+Refactor account UI styles into reusable design tokens, apply updated styles across views and fix login submit behavior
+
+- Introduce accountDesignTokens and split shared styles into tokens (accountDesignTokens), cardStyles and typographyStyles while keeping a legacy default export for compatibility
+- Apply new design tokens to account components (content, baseview, subscriptions) and switch background to use CSS variable (--background)
+- Small UI tweaks: smoother transition easing on view container, updated icon for organization entries and adjusted spacing
+- Add placeholder sections for Upcoming Billable Items and Past Invoices in subscriptions view
+- Fix login prompt submit handling by disabling the submit button via its #loginSubmitButton selector and improving button text logic
+
+## 2025-04-03 - 1.4.3 - fix(website)
+Update packageManager configuration in package.json and refine view container background styling
+
+- Add 'packageManager' field in package.json to pin pnpm version
+- Adjust background style in ts_web/views/viewcontainer.ts for improved UI consistency
+
+## 2024-12-11 - 1.5.0 - feat(UI)
+Added 'Learn more about idp.global' button
+
+- Added a new button for learning more about idp.global in the welcome component
+
+## 2024-12-11 - 1.5.0 - feat(UI)
+Added 'Learn more about idp.global' button
+
+- Added a new button for learning more about idp.global in the welcome component
+
+## 2024-10-12 - 1.4.2 - fix(UI)
+Improve text rendering in account navigation.
+
+- Fix for text alignment in the commit info section of the account navigation.
+- Adjusted font settings for better readability.
+
+## 2024-10-07 - 1.4.1 - fix(core)
+Bug fixes and UI enhancements
+
+- Updated packages to resolve compatibility issues.
+- Optimized the transition animations for the center container.
+- Improved the initialization logic for navigating between views.
+- Enhanced UI with better organization selection handling.
+
+## 2024-10-07 - 1.4.0 - feat(core)
+Refactored plugin and request handling to use 'idpInterfaces'
+
+- Switched from using 'lointReception' to 'idpInterfaces' in various TypeScript sources.
+- Updated references to request and data interfaces across multiple modules.
+- Improved account handling with new navigation options.
+
+## 2024-10-07 - 1.3.1 - fix(account)
+Fix: updated cleanupViews method to correctly iterate over children.
+
+- Fixed the iteration over view container children by converting it to an array before removing children. This resolves potential errors due to incorrect for-loop execution on HTMLCollection.
+
+## 2024-10-06 - 1.3.0 - feat(account)
+Implement account and organization management features
+
+- Added account management UI with organization selection
+- Introduced organization creation and selection functionalities
+- Implemented subscription view with Paddle setup integration
+
+## 2024-10-04 - 1.2.2 - fix(core)
+Update dependencies and refactor registration process
+
+- Updated @design.estate/dees-catalog, @design.estate/dees-domtools, and @design.estate/dees-element dependencies to their latest versions.
+- Refactored registration process to improve validation flow.
+- Improved user interface for login and registration prompts.
+- Fixed issues with email and token validation during registration.
+
+## 2024-10-04 - 1.2.1 - fix(core)
+Added logging for user email login process and fixed client URL parsing
+
+- Added info logging when loginWithEmail is requested and when a user is found.
+- Ensured reception client parses the URL correctly in IdpClient and IdpRequests classes.
+- Updated login process flow in idp-logincontainer and idp-loginprompt elements.
+- Improved element loading mechanism with updated state management in viewcontainer.
+
+## 2024-10-01 - 1.2.0 - feat(web)
+Improve UI styling and add registration prompt
+
+- Updated max-width of login container to improve layout consistency
+- Added new component for user registration
+- Improved styling for various elements including buttons and text boxes
+
 ## 2024-10-01 - 1.1.1 - fix(core)
 Corrected typos and added missing keywords.
 

license

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Task Venture Capital GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

npmextra.json

@@ -1,5 +1,18 @@
 {
-  "gitzone": {
+  "npmci": {
+    "npmGlobalTools": [],
+    "dockerRegistryRepoMap": {
+      "registry.gitlab.com": "code.foss.global/idp.global/idp.global"
+    },
+    "dockerBuildargEnvMap": {
+      "NPMCI_TOKEN_NPM2": "NPMCI_TOKEN_NPM2"
+    },
+    "npmRegistryUrl": "registry.npmjs.org"
+  },
+  "tsdoc": {
+    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+  },
+  "@git.zone/cli": {
     "projectType": "website",
     "module": {
       "githost": "code.foss.global",
@@ -31,19 +44,46 @@
         "user data",
         "user sessions"
       ]
+    },
+    "services": ["mongodb", "minio"],
+    "release": {
+      "registries": ["https://verdaccio.lossless.digital"],
+      "accessLevel": "public"
     }
   },
-  "npmci": {
+  "@git.zone/tsbundle": {
-    "npmGlobalTools": [],
+    "bundles": [
-    "dockerRegistryRepoMap": {
+      {
-      "registry.gitlab.com": "code.foss.global/idp.global/idp.global"
+        "from": "./ts_web/index.ts",
-    },
+        "to": "./dist_serve/bundle.js",
-    "dockerBuildargEnvMap": {
+        "outputMode": "bundle",
-      "NPMCI_TOKEN_NPM2": "NPMCI_TOKEN_NPM2"
+        "bundler": "esbuild",
-    },
+        "production": true
-    "npmRegistryUrl": "registry.npmjs.org"
+      }
+    ]
   },
-  "tsdoc": {
+  "@git.zone/tswatch": {
-    "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
+    "preset": "service",
+    "server": {
+      "enabled": false
+    },
+    "watchers": [
+      {
+        "name": "backend",
+        "watch": "./ts/**/*",
+        "command": "npm run startTs",
+        "restart": true,
+        "debounce": 300,
+        "runOnStart": true
+      }
+    ],
+    "bundles": [
+      {
+        "name": "website",
+        "from": "./ts_web/index.ts",
+        "to": "./dist_serve/bundle.js",
+        "watchPatterns": ["./ts_web/**/*"]
+      }
+    ]
   }
-}
+}

package.json

@@ -1,14 +1,14 @@
 {
   "name": "@idp.global/idp.global",
-  "version": "1.1.1",
+  "version": "1.18.0",
   "description": "An identity provider software managing user authentications, registrations, and sessions.",
   "main": "dist_ts/index.js",
   "typings": "dist_ts/index.d.ts",
   "type": "module",
   "scripts": {
-    "test": "npm run build",
+    "test": "pnpm run build && tstest test/",
-    "build": "tsbuild tsfolders --web --allowimplicitany && tsbundle website --production",
+    "build": "tsbuild tsfolders --web --allowimplicitany && tsbundle",
-    "watch": "tswatch website",
+    "watch": "tswatch",
     "start": "(node cli.js)",
     "startTs": "(node cli.ts.js)",
     "buildDocs": "tsdoc"
@@ -16,45 +16,51 @@
   "author": "Task Venture Capital GmbH",
   "license": "MIT",
   "dependencies": {
-    "@api.global/typedrequest": "^3.0.32",
+    "@api.global/typedrequest": "^3.3.0",
     "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^3.0.51",
+    "@api.global/typedserver": "^8.4.6",
-    "@api.global/typedsocket": "^3.0.1",
+    "@api.global/typedsocket": "^4.1.2",
-    "@consentsoftware_private/catalog": "^1.0.73",
+    "@consent.software/catalog": "^2.0.1",
-    "@design.estate/dees-catalog": "^1.1.8",
+    "@design.estate/dees-catalog": "^3.81.0",
-    "@design.estate/dees-domtools": "^2.0.23",
+    "@design.estate/dees-domtools": "^2.5.4",
-    "@design.estate/dees-element": "^2.0.15",
+    "@design.estate/dees-element": "^2.2.4",
-    "@push.rocks/lik": "^6.0.15",
+    "@git.zone/tspublish": "^1.11.5",
-    "@push.rocks/qenv": "^6.0.5",
+    "@push.rocks/lik": "^6.4.0",
-    "@push.rocks/smartdata": "^5.2.10",
+    "@push.rocks/qenv": "^6.1.3",
+    "@push.rocks/smartcli": "^4.0.20",
+    "@push.rocks/smartdata": "^7.1.7",
     "@push.rocks/smartdelay": "^3.0.5",
-    "@push.rocks/smarthash": "^3.0.4",
+    "@push.rocks/smartfile": "^13.1.0",
-    "@push.rocks/smartjson": "^5.0.20",
+    "@push.rocks/smarthash": "^3.2.6",
+    "@push.rocks/smartinteract": "^2.0.6",
+    "@push.rocks/smartjson": "^6.0.0",
     "@push.rocks/smartjwt": "^2.2.1",
-    "@push.rocks/smartlog": "^3.0.7",
+    "@push.rocks/smartlog": "^3.2.2",
-    "@push.rocks/smartmail": "^1.0.24",
+    "@push.rocks/smartmail": "^2.2.0",
-    "@push.rocks/smartpath": "^5.0.5",
+    "@push.rocks/smartpath": "^6.0.0",
-    "@push.rocks/smartpromise": "^4.0.4",
+    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrx": "^3.0.7",
+    "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartstate": "^2.0.0",
+    "@push.rocks/smartstate": "^2.3.0",
-    "@push.rocks/smarttime": "^4.0.8",
+    "@push.rocks/smarttime": "^4.2.3",
     "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smarturl": "^3.0.7",
+    "@push.rocks/smarturl": "^3.1.0",
-    "@push.rocks/taskbuffer": "^3.1.7",
+    "@push.rocks/taskbuffer": "^8.0.2",
     "@push.rocks/webjwt": "^1.0.9",
     "@push.rocks/websetup": "^3.0.15",
-    "@push.rocks/webstore": "^2.0.20",
+    "@push.rocks/webstore": "^2.0.21",
-    "@serve.zone/platformclient": "^1.0.6",
+    "@serve.zone/platformclient": "^1.1.2",
-    "@tsclass/tsclass": "^4.1.2",
+    "@tsclass/tsclass": "^9.5.0",
-    "@uptime.link/webwidget": "^1.1.2"
+    "@uptime.link/webwidget": "^1.2.6",
+    "argon2": "^0.44.0"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.1.17",
+    "@git.zone/tsbuild": "^4.4.0",
-    "@git.zone/tsbundle": "^2.0.3",
+    "@git.zone/tsbundle": "^2.10.0",
-    "@git.zone/tsrun": "^1.2.8",
+    "@git.zone/tsrun": "^2.0.2",
-    "@git.zone/tswatch": "^2.0.1",
+    "@git.zone/tstest": "^3.6.3",
-    "@push.rocks/projectinfo": "^5.0.1",
+    "@git.zone/tswatch": "^3.3.2",
-    "@types/node": "^22.7.2"
+    "@push.rocks/projectinfo": "^5.1.0",
+    "@types/node": "^25.6.0"
   },
   "private": true,
   "repository": {
@@ -101,5 +107,6 @@
     "API",
     "user data",
     "user sessions"
-  ]
+  ],
+  "packageManager": "pnpm@10.7.0+sha512.6b865ad4b62a1d9842b61d674a393903b871d9244954f652b8842c2b553c72176b278f64c463e52d40fff8aba385c235c8c9ecf5cc7de4fd78b8bb6d49633ab6"
 }

readme.hints.md

@@ -1,3 +1,23 @@
 # Project Readme Hints
 
-This is the initial readme hints file.
+## UI Components
+Always check dees-catalog for available elements before implementing custom solutions:
+- Documentation: https://code.foss.global/design.estate/dees-catalog
+- Key components: `dees-modal`, `dees-button`, `dees-input-*`, `dees-form`, etc.
+
+### dees-input-* Event Pattern
+All dees-input components use **RxJS Subjects** for value changes, NOT DOM events:
+```typescript
+// Subscribe to value changes in firstUpdated():
+const inputElement = this.shadowRoot.querySelector('dees-input-text');
+inputElement.changeSubject.subscribe((element) => {
+  const value = element.value;
+  // handle value change
+});
+```
+- Do NOT use `@changeValue` or similar DOM events - they don't exist
+- The Subject emits the element itself, access value via `element.value`
+
+## Project Structure
+- `ts_web/elements/account/` - Account dashboard components
+- `ts_web/states/` - State management (accountstate, idp.state)

readme.md

@@ -1,312 +1,208 @@
 # @idp.global/idp.global
 
-An identity provider software managing user authentications, registrations, and sessions.
+Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, and OpenID Connect in one TypeScript codebase.
 
-## Install
+This repository ships the `idp.global` server, the browser/client SDK, the CLI, shared request/data interfaces, and the web UI used by the hosted service.
 
-To install `@idp.global/idp.global`, you can run the following command in your terminal:
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## What It Does
+
+- Runs an identity provider with MongoDB-backed users, sessions, roles, organizations, invitations, API tokens, and billing plans.
+- Serves a web app for login, registration, account management, org management, billing flows, and global admin views.
+- Exposes typed realtime APIs over `typedrequest` and `typedsocket`.
+- Implements OIDC/OAuth endpoints including discovery, JWKS, authorization, token, userinfo, and revoke.
+- Includes a reusable browser client and a terminal CLI for common account and org workflows.
+
+## Monorepo Modules
+
+| Folder | Purpose |
+| --- | --- |
+| `ts/` | Backend service entrypoint and the core `Reception` managers |
+| `ts_interfaces/` | Shared request and data contracts used by server, client, CLI, and UI |
+| `ts_idpclient/` | Browser-focused SDK published as `@idp.global/client` |
+| `ts_idpcli/` | CLI published as `@idp.global/cli` |
+| `ts_web/` | Frontend bundle with login, registration, account, org, billing, and admin views |
+
+## Core Backend Pieces
+
+`Reception` wires the service together and starts these managers:
+
+- `JwtManager` for signing, refreshing, and validating JWTs.
+- `LoginSessionManager` for login state and session lifecycle.
+- `RegistrationSessionManager` for multi-step sign-up flows.
+- `UserManager` for user lookups and account data.
+- `OrganizationManager` for org creation and membership lookup.
+- `RoleManager` for org roles and permissions.
+- `UserInvitationManager` for invites, membership updates, and ownership transfer.
+- `ApiTokenManager` for long-lived token auth.
+- `BillingPlanManager` for Paddle-backed billing data.
+- `AppManager` and `AppConnectionManager` for app connections and admin app stats.
+- `ActivityLogManager` for audit-style activity entries.
+- `OidcManager` for the OIDC/OAuth provider surface.
+
+## Quick Start
+
+### Prerequisites
+
+- Node.js 20+
+- `pnpm`
+- MongoDB
+
+### Install
 
 ```bash
-npm install @idp.global/idp.global
+pnpm install
 ```
 
-This will download and install the necessary dependencies along with the module to your project.
+### Required Environment
 
-## Usage
+```bash
+export MONGODB_URL=mongodb://localhost:27017/idp-dev
+export IDP_BASEURL=http://localhost:2999
+export INSTANCE_NAME=idp-dev
+```
 
-To use `@idp.global/idp.global`, one needs to understand its key components and functionalities. Below, we'll guide you through setting up, logging in, registering, and managing users and organizations within an IDP (Identity Provider) environment using this package.
+Optional:
 
-### Setting Up the Environment
+- `SERVEZONE_PLATFROM_AUTHORIZATION`
+- `PADDLE_TOKEN`
+- `PADDLE_PRICE_ID`
 
-First, let's set up the environment:
+### Build
 
-```typescript
+```bash
-// Import the necessary modules
+pnpm build
-import * as serviceworker from '@api.global/typedserver/web_serviceworker_client';
+```
-import * as domtools from '@design.estate/dees-domtools';
-import { html, render } from '@design.estate/dees-element';
-import { IdpWelcome } from './elements/idp-welcome.js';
 
-// Define an asynchronous run function
+### Run Locally
-const run = async () => {
-  // Set up DOM tools
-  const domtoolsInstance = await domtools.DomTools.setupDomTools();
-  domtools.elementBasic.setup();
 
-  // Configure website information
+```bash
-  domtoolsInstance.setWebsiteInfo({
+pnpm watch
-    metaObject: {
+```
-      title: 'idp.global',
+
-      description: 'the code that runs idp.global',
+This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`. The service listens on port `2999`.
-      canonicalDomain: 'https://idp.global',
+
-      ldCompany: {
+## Runtime Surface
-        name: 'Task Venture Capital GmbH',
+
-        status: 'active',
+### Web Routes
-        contact: {
+
-          address: {
+| Route | Purpose |
-            name: 'Task Venture Capital GmbH',
+| --- | --- |
-            city: 'Grasberg',
+| `/` | Welcome page |
-            country: 'Germany',
+| `/login` | Login flow |
-            houseNumber: '24',
+| `/register` | Registration flow |
-            postalCode: '28879',
+| `/finishregistration` | Multi-step registration completion |
-            streetName: 'Eickedorfer Vorweide',
+| `/account` | Signed-in account area |
-          },
+
-        }
+### OIDC and OAuth Endpoints
-      },
+
-    },
+| Route | Purpose |
+| --- | --- |
+| `/.well-known/openid-configuration` | Discovery document |
+| `/.well-known/jwks.json` | Public signing keys |
+| `/oauth/authorize` | Authorization endpoint |
+| `/oauth/token` | Token exchange |
+| `/oauth/userinfo` | UserInfo endpoint |
+| `/oauth/revoke` | Token revocation |
+
+Supported scopes in the OIDC manager include `openid`, `profile`, `email`, `organizations`, and `roles`.
+
+## SDK Example
+
+The browser SDK lives in `ts_idpclient/` and is published as `@idp.global/client`.
+
+```ts
+import { IdpClient } from '@idp.global/client';
+
+const idpClient = new IdpClient('https://idp.global');
+await idpClient.enableTypedSocket();
+
+const isLoggedIn = await idpClient.determineLoginStatus();
+
+if (!isLoggedIn) {
+  const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
+    username: 'user@example.com',
+    password: 'secret',
   });
 
-  // Set up the service worker
+  if (loginResult.refreshToken) {
-  const serviceWorker = await serviceworker.getServiceworkerClient();
+    await idpClient.refreshJwt(loginResult.refreshToken);
-
-  // Render the main template
-  const mainTemplate = html`
-    <style>
-      body {
-        margin: 0px;
-        --background-accent: #303f9f;
-      }
-    </style>
-    <idp-welcome></idp-welcome>
-  `;
-
-  render(mainTemplate, document.body);
-};
-
-// Run the function
-run();
-```
-
-### Using the IDP Client
-
-The IDP Client is essential to communicate with the IDP server. Below is a sample of how to set up and use the IDP client:
-
-```typescript
-import { IdpState } from './idp.state.js';
-import * as plugins from './plugins.js';
-
-// Instantiate IdpState which provides a singleton instance
-export class IdpDemo {
-  private idpState = IdpState.getSingletonInstance();
-
-  // Function to initialize and use IdpClient
-  public async demo() {
-    // Fetch the client instance
-    const { idpClient } = this.idpState;
-    // Handler for login
-    const handleLogin = async () => {
-      const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
-        username: 'user@example.com',
-        password: 'password123',
-      });
-      if (response.refreshToken) {
-        await idpClient.storeJwt(response.jwt);
-        console.log("Logged in successfully, JWT stored.");
-      } else {
-        console.log("Login failed.");
-      }
-    };
-    // Execute login handler
-    await handleLogin();
   }
 }
 
-// Instantiate and run demo
+const whoIs = await idpClient.whoIs();
-const demo = new IdpDemo();
+console.log(whoIs.user.data.email);
-demo.demo();
 ```
 
-### Managing User Authentication
+## CLI Example
 
-Several functionalities are available for managing user authentication. These include registering, logging in, and refreshing JWTs.
+The terminal client lives in `ts_idpcli/` and is published as `@idp.global/cli`.
 
-#### Registration Process
+```bash
-
+idp login
-The registration process is typically more involved and requires steps such as email validation, setting user-specific data, and verifying OTPs for additional security.
+idp whoami
-
+idp orgs
-```typescript
+idp members --org <org-id>
-import * as plugins from './plugins.js';
+idp invite --org <org-id> --email user@example.com
-import { IdpState } from './idp.state.js';
-
-// Registration stepper element
-export class IdpRegistrationStepper extends plugins.DeesElement {
-  private idpState = IdpState.getSingletonInstance();
-
-  public async firstUpdated() {
-    await this.domtoolsPromise;
-    this.domtools.router.on(`/finishregistration`, async (routeArg) => {
-      const validationToken = routeArg.queryParams.validationtoken;
-      if (!validationToken) {
-        this.renderErrorMessage("Validation token not found.");
-        return;
-      }
-      const emailResponse = await this.validateEmail(validationToken);
-      if (!emailResponse.email) {
-        this.renderErrorMessage("Invalid validation token.");
-        return;
-      }
-      await this.renderRegistrationForm(emailResponse.email);
-    });
-  }
-
-  private async validateEmail(token: string) {
-    return await this.idpState.idpClient.requests.afterRegistrationEmailClicked.fire({
-      token
-    });
-  }
-
-  private async renderRegistrationForm(email: string) {
-    const template = plugins.html`
-    <dees-form @formData="${async (event) => await this.handleFormSubmission(event, email)}">
-      <dees-input-text key="First Name" label="First Name" required></dees-input-text>
-      <dees-input-text key="Last Name" label="Last Name" required></dees-input-text>
-      <dees-form-submit>Next</dees-form-submit>
-    </dees-form>
-    `;
-    this.render(template, this.shadowRoot);
-  }
-
-  private async handleFormSubmission(event: FormDataEvent, email: string) {
-    const formData = (event.target as any).getFormData();
-    await this.idpState.idpClient.requests.setData.fire({
-      token: this.storedData.validationTokenUrlParam,
-      userData: {
-        email,
-        first_name: formData.FirstName,
-        last_name: formData.LastName,
-      },
-    });
-    // Proceed to the next steps as per the registration flow
-  }
-
-  private renderErrorMessage(message: string) {
-    const template = plugins.html`<div>Error: ${message}</div>`;
-    this.render(template, this.shadowRoot);
-  }
-}
 ```
 
-### User Management
+The CLI stores credentials in `~/.idp-global/credentials.json` and reads `IDP_URL` to override the target server.
 
-Managing user data including roles, organizations, and billing plans is essential in any identity provider software.
+## Shared Interfaces
 
-#### Getting User Data
+`ts_interfaces/` exports the type contracts shared across the stack:
 
-```typescript
+- `data/*` for users, orgs, roles, JWTs, sessions, devices, billing plans, apps, and OIDC payloads.
-import * as plugins from './plugins.js';
+- `request/*` for auth, registration, user, org, invitation, app, admin, billing, and JWT request contracts.
+- `tags/*` for shared tag exports.
 
-const fetchUserData = async (jwt: string) => {
+## Frontend
-  const user = await plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_GetUserData>(
-    `/getUserData`, 'POST').fire({jwt});
-  console.log(user);
-};
 
-fetchUserData('<JWT_TOKEN_HERE>');
+`ts_web/` is the web application bundle. It contains:
-```
 
-#### Creating an Organization
+- Login and registration prompts.
+- A registration stepper.
+- Account navigation and account views.
+- Organization creation and bulk invite modals.
+- Billing and Paddle setup views.
+- A global admin view.
 
-```typescript
+## Package Scripts
-import { IdpState } from './idp.state.js';
 
-export class OrganizationManager {
+| Command | Purpose |
-  private idpState = IdpState.getSingletonInstance();
+| --- | --- |
+| `pnpm build` | Build TypeScript output and frontend bundle |
+| `pnpm watch` | Run backend watch mode and frontend bundle watch |
+| `pnpm test` | Build and run the test suite |
 
-  public async createOrganization(name: string, slug: string, jwt: string) {
+## Repository Notes
-    const response = await this.idpState.idpClient.requests.createOrganization.fire({
-      jwt: jwt,
-      organizationName: name,
-      organizationSlug: slug,
-      action: 'manifest',
-    });
-    if (response.resultingOrganization) {
-      console.log(`Organization ${name} created successfully.`);
-    } else {
-      console.log(`Organization creation failed.`);
-    }
-  }
-}
 
-// Usage
+- Package manager: `pnpm`
-const organizationManager = new OrganizationManager();
+- Main backend entrypoint: `ts/index.ts`
-organizationManager.createOrganization('Dev Org', 'dev-org', '<JWT_TOKEN_HERE>');
+- Frontend entrypoint: `ts_web/index.ts`
-```
+- Browser SDK entrypoint: `ts_idpclient/index.ts`
-
+- CLI entrypoint: `ts_idpcli/index.ts`
-### Managing JWTs
-
-The `@idp.global/idp.global` package involves managing JSON Web Tokens (JWTs) for session handling and security.
-
-#### Refreshing JWTs
-
-```typescript
-import { IdpClient } from './idp.client.js';
-
-export const refreshJwt = async (client: IdpClient) => {
-  const currentJwt = await client.getJwt();
-  if (!currentJwt) return null;
-  const response = await client.requests.refreshJwt.fire({
-    refreshToken: currentJwt.data.refreshToken
-  });
-  if (response.jwt) {
-    await client.storeJwt(response.jwt);
-    console.log("JWT refreshed and stored.");
-    return response.jwt;
-  } else {
-    console.log("JWT refresh failed.");
-    return null;
-  }
-};
-
-// Usage
-const idpClient = new IdpClient('https://reception.lossless.one/typedrequest');
-refreshJwt(idpClient);
-```
-
-### Handling Authentication Tokens
-
-Handling tokens (JWTs, refresh tokens, transfer tokens) securely is crucial for maintaining session integrity.
-
-#### Exchanging Refresh Token for Transfer Token
-
-```typescript
-import { IdpClient } from './idp.client.js';
-
-const getTransferToken = async (client: IdpClient) => {
-  const refreshToken = await client.getJwt().data.refreshToken;
-  const response = await client.requests.obtainOneTimeToken.fire({
-    refreshToken
-  });
-  if(response.transferToken) {
-    console.log("Obtained Transfer Token: ", response.transferToken);
-    return response.transferToken;
-  } else {
-    console.log("Failed to obtain Transfer Token.");
-    return null;
-  }
-};
-
-// Usage
-const idpClient = new IdpClient('https://reception.lossless.one/typedrequest');
-getTransferToken(idpClient);
-```
-
-This comprehensive guide should help you understand the detailed setup and usage of the `@idp.global/idp.global` module effectively.
 
 ## License and Legal Information
 
-This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 
 ### Trademarks
 
-This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
 
 ### Company Information
 
 Task Venture Capital GmbH  
-Registered at District court Bremen HRB 35230 HB, Germany
+Registered at District Court Bremen HRB 35230 HB, Germany
 
-For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
 
 By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

stories/README.md

@@ -0,0 +1,92 @@
+# idp.global User Stories
+
+This directory contains user stories for the idp.global Identity Provider platform, organized by persona.
+
+## Directory Structure
+
+```
+stories/
+├── end-user/           # Stories for regular users (8)
+├── organization-owner/ # Stories for organization admins (11)
+├── developer/          # Stories for API/SDK consumers (8)
+└── admin/              # Stories for platform administrators (8)
+```
+
+## Story Index
+
+### End User (EU)
+| ID | Title | Priority | Source |
+|----|-------|----------|--------|
+| EU-001 | [Multi-Device Login Sessions](end-user/EU-001-multi-device-login.md) | High | TODO |
+| EU-002 | [Complete Password Reset Flow](end-user/EU-002-password-reset.md) | Critical | Incomplete |
+| EU-003 | [View and Manage Logged-in Devices](end-user/EU-003-device-management.md) | Medium | TODO |
+| EU-004 | [Enable Two-Factor Authentication](end-user/EU-004-two-factor-auth.md) | High | New |
+| EU-005 | [Login with Social Providers](end-user/EU-005-social-login.md) | Medium | New |
+| EU-006 | [Delete My Account](end-user/EU-006-account-deletion.md) | Medium | New |
+| EU-007 | [View Login History](end-user/EU-007-session-history.md) | Low | New |
+| EU-008 | [Upload Profile Avatar](end-user/EU-008-profile-avatar.md) | Low | New |
+
+### Organization Owner (ORG)
+| ID | Title | Priority | Source |
+|----|-------|----------|--------|
+| ORG-001 | [Sync Billing Plans with Users](organization-owner/ORG-001-billing-sync.md) | High | TODO |
+| ORG-002 | [Invite and Manage Team Members](organization-owner/ORG-002-member-management.md) | Critical | Complete |
+| ORG-003 | [Assign Roles to Members](organization-owner/ORG-003-role-assignment.md) | High | Partial |
+| ORG-004 | [Customize Organization Branding](organization-owner/ORG-004-org-branding.md) | Medium | New |
+| ORG-005 | [View Organization Usage Analytics](organization-owner/ORG-005-usage-analytics.md) | Medium | New |
+| ORG-006 | [Configure SSO for Organization](organization-owner/ORG-006-sso-config.md) | High | New |
+| ORG-007 | [View Organization Audit Logs](organization-owner/ORG-007-audit-logs.md) | Medium | New |
+| ORG-008 | [Manage Subscription and Billing](organization-owner/ORG-008-subscription-management.md) | Medium | Enhance |
+| ORG-009 | [Connect Global Apps](organization-owner/ORG-009-global-apps.md) | High | New |
+| ORG-010 | [Browse and Install Partner Apps](organization-owner/ORG-010-app-store.md) | Medium | New |
+| ORG-011 | [Create Custom OIDC Apps](organization-owner/ORG-011-custom-oidc-apps.md) | Medium | New |
+
+### Developer (DEV)
+| ID | Title | Priority | Source |
+|----|-------|----------|--------|
+| DEV-001 | [Create and Manage API Tokens](developer/DEV-001-api-token-management.md) | High | Partial |
+| DEV-002 | [Comprehensive SDK Documentation](developer/DEV-002-sdk-documentation.md) | High | New |
+| DEV-003 | [Configure Webhook Notifications](developer/DEV-003-webhook-events.md) | Medium | New |
+| DEV-004 | [Proper App ID Initialization](developer/DEV-004-app-id-setup.md) | High | TODO |
+| DEV-005 | [Register OAuth Client App](developer/DEV-005-oauth-client.md) | Medium | New |
+| DEV-006 | [Understand API Rate Limits](developer/DEV-006-rate-limiting.md) | Low | New |
+| DEV-007 | [Validate JWTs in My Application](developer/DEV-007-jwt-validation.md) | Medium | Enhance |
+| DEV-008 | [Submit App to AppStore](developer/DEV-008-submit-partner-app.md) | Low | New |
+
+### Platform Admin (ADM)
+| ID | Title | Priority | Source |
+|----|-------|----------|--------|
+| ADM-001 | [Secure JWT Endpoints with Backend Token](admin/ADM-001-backend-token-security.md) | Critical | TODO |
+| ADM-002 | [Suspend and Delete Users](admin/ADM-002-user-suspension.md) | High | Partial |
+| ADM-003 | [Platform-wide Audit Logging](admin/ADM-003-global-audit-log.md) | High | New |
+| ADM-004 | [Customize Email Templates](admin/ADM-004-email-templates.md) | Medium | New |
+| ADM-005 | [Security Monitoring Dashboard](admin/ADM-005-security-dashboard.md) | Medium | New |
+| ADM-006 | [Impersonate Users for Support](admin/ADM-006-user-impersonation.md) | Low | New |
+| ADM-007 | [Manage JWT Blocklist](admin/ADM-007-blocklist-management.md) | Medium | Enhance |
+| ADM-008 | [Manage Global Apps](admin/ADM-008-global-app-management.md) | High | In Development |
+
+## Priority Summary
+
+| Priority | Count | Stories |
+|----------|-------|---------|
+| Critical | 2 | EU-002, ADM-001 |
+| High | 12 | EU-001, EU-004, ORG-001, ORG-003, ORG-006, ORG-009, DEV-001, DEV-002, DEV-004, ADM-002, ADM-003, ADM-008 |
+| Medium | 14 | EU-003, EU-005, EU-006, ORG-004, ORG-005, ORG-007, ORG-008, ORG-010, ORG-011, DEV-003, DEV-005, DEV-007, ADM-004, ADM-005, ADM-007 |
+| Low | 6 | EU-007, EU-008, DEV-006, DEV-008, ADM-006 |
+
+## Source Legend
+
+- **TODO**: Derived from TODO comments in codebase
+- **Incomplete**: Feature exists but implementation is incomplete
+- **Partial**: Infrastructure exists, needs completion
+- **Enhance**: Feature works, could be improved
+- **New**: New feature not currently in codebase
+
+## Related Code References
+
+Stories derived from code TODOs reference these files:
+- `ts/reception/classes.jwt.ts:39`
+- `ts/reception/classes.jwtmanager.ts:40,52`
+- `ts/reception/classes.loginsessionmanager.ts:229-238,256`
+- `ts/reception/classes.billingplan.ts:16`
+- `ts_idpclient/classes.idpclient.ts:30`

stories/admin/ADM-001-backend-token-security.md

@@ -0,0 +1,28 @@
+# Secure JWT Endpoints with Backend Token
+
+**ID:** ADM-001
+**Priority:** Critical
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want JWT-related endpoints to be secured with backend token validation so that only authorized services can access sensitive security operations.
+
+## Acceptance Criteria
+- [ ] Public key endpoint requires valid backend token
+- [ ] JWT blocklist endpoint requires valid backend token
+- [ ] Backend tokens are securely generated and distributed
+- [ ] Token validation is performed on every request
+- [ ] Invalid/missing token returns 401 Unauthorized
+- [ ] Tokens can be rotated without service interruption
+- [ ] Audit log for all backend token usage
+
+## Technical Notes
+- Two TODOs exist for backend token validation in JwtManager
+- `getPublicKeyForValidation` and `pushOrGetJwtIdBlocklist` need protection
+- Backend token should be separate from user JWT
+- Consider service-to-service authentication pattern
+- Environment variable for backend token configuration
+
+## Related TODOs
+- `ts/reception/classes.jwtmanager.ts:40` - `// TODO control backend token`
+- `ts/reception/classes.jwtmanager.ts:52` - `// TODO control backend token`

stories/admin/ADM-002-user-suspension.md

@@ -0,0 +1,28 @@
+# Suspend and Delete Users
+
+**ID:** ADM-002
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want to suspend and delete user accounts so that I can handle policy violations, security incidents, and account removal requests.
+
+## Acceptance Criteria
+- [ ] Admin can search for users by email, name, or ID
+- [ ] Admin can suspend a user account with reason
+- [ ] Suspended users cannot log in
+- [ ] Suspended users' active sessions are invalidated
+- [ ] Admin can unsuspend accounts
+- [ ] Admin can permanently delete suspended accounts
+- [ ] Deletion removes all user data (GDPR compliance)
+- [ ] Audit log for all suspension/deletion actions
+
+## Technical Notes
+- `suspendUser` and `deleteSuspendedUser` endpoints exist
+- Need admin UI for user management
+- Consider soft delete with retention period
+- Handle organization ownership before deletion
+- Email notification to user on suspension
+
+## Related TODOs
+- Partial implementation in UserManager

stories/admin/ADM-003-global-audit-log.md

@@ -0,0 +1,28 @@
+# Platform-wide Audit Logging
+
+**ID:** ADM-003
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want to view platform-wide audit logs so that I can monitor security events, investigate incidents, and demonstrate compliance.
+
+## Acceptance Criteria
+- [ ] Log all authentication events (login, logout, failed attempts)
+- [ ] Log all administrative actions (user changes, config changes)
+- [ ] Log all security events (password changes, 2FA changes, token revocations)
+- [ ] Searchable log interface with filters
+- [ ] Real-time log streaming for monitoring
+- [ ] Export logs in standard formats (JSON, CSV, CEF)
+- [ ] Log retention configuration
+- [ ] Integration with external SIEM systems
+
+## Technical Notes
+- Separate from organization audit logs (ORG-007)
+- Platform-wide view across all organizations
+- Consider ELK stack or similar for log aggregation
+- Structured logging format for parsing
+- Compliance: SOC 2, ISO 27001, GDPR audit requirements
+
+## Related TODOs
+- New feature - platform security requirement

stories/admin/ADM-004-email-templates.md

@@ -0,0 +1,28 @@
+# Customize Email Templates
+
+**ID:** ADM-004
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want to customize email templates so that all system emails match our branding and communication style.
+
+## Acceptance Criteria
+- [ ] Edit templates for: registration, password reset, login verification, welcome
+- [ ] Rich text editor for template content
+- [ ] Variable placeholders ({{userName}}, {{resetLink}}, etc.)
+- [ ] Preview emails before saving
+- [ ] Send test emails to verify
+- [ ] Localization support for multiple languages
+- [ ] Reset to default template option
+- [ ] Version history for templates
+
+## Technical Notes
+- ReceptionMailer handles email sending
+- Currently uses hardcoded or simple templates
+- Consider template engine (Handlebars, Mjml for responsive)
+- Store templates in database for dynamic updates
+- Support HTML and plain text versions
+
+## Related TODOs
+- New feature - enhance ReceptionMailer

stories/admin/ADM-005-security-dashboard.md

@@ -0,0 +1,28 @@
+# Security Monitoring Dashboard
+
+**ID:** ADM-005
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want a security monitoring dashboard so that I can quickly identify and respond to potential security threats.
+
+## Acceptance Criteria
+- [ ] Real-time metrics: active sessions, login rate, failure rate
+- [ ] Anomaly detection alerts (unusual login patterns)
+- [ ] Geographic map of login locations
+- [ ] Failed login attempt heatmap
+- [ ] Blocked JWT/token statistics
+- [ ] Suspicious activity indicators
+- [ ] Configurable alert thresholds
+- [ ] Integration with alerting systems (PagerDuty, Slack)
+
+## Technical Notes
+- Aggregate metrics from login events
+- Real-time updates via WebSocket
+- Consider time-series database for metrics
+- Machine learning for anomaly detection (future)
+- Alert rules engine for custom notifications
+
+## Related TODOs
+- New feature - security operations

stories/admin/ADM-006-user-impersonation.md

@@ -0,0 +1,28 @@
+# Impersonate Users for Support
+
+**ID:** ADM-006
+**Priority:** Low
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want to temporarily impersonate a user so that I can troubleshoot issues they're experiencing without asking for their credentials.
+
+## Acceptance Criteria
+- [ ] Admin can initiate impersonation session for any user
+- [ ] Impersonation requires confirmation and reason
+- [ ] Clear visual indicator when in impersonation mode
+- [ ] Admin can end impersonation and return to their session
+- [ ] All actions during impersonation are logged
+- [ ] User is optionally notified of impersonation
+- [ ] Impersonation sessions have time limit
+- [ ] Cannot impersonate other admins without super-admin
+
+## Technical Notes
+- Special JWT claim to indicate impersonation
+- Original admin identity preserved in token
+- Audit log must capture both admin and impersonated user
+- Consider "read-only" impersonation mode
+- Security review required before implementation
+
+## Related TODOs
+- New feature - support tooling

stories/admin/ADM-007-blocklist-management.md

@@ -0,0 +1,28 @@
+# Manage JWT Blocklist
+
+**ID:** ADM-007
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a platform administrator, I want to view and manage the JWT blocklist so that I can revoke tokens during security incidents and verify that revocations are working.
+
+## Acceptance Criteria
+- [ ] View all blocked JWT IDs with metadata
+- [ ] Search blocklist by JWT ID or user
+- [ ] Manually add JWTs to blocklist
+- [ ] View reason for each blocklist entry
+- [ ] Blocklist entries show expiration (when they can be removed)
+- [ ] Bulk revoke all tokens for a user
+- [ ] Bulk revoke all tokens for an organization
+- [ ] Automatic cleanup of expired blocklist entries
+
+## Technical Notes
+- JwtManager has `blockedJwtIdList` infrastructure
+- `pushOrGetJwtIdBlocklist` endpoint exists
+- Need admin UI for blocklist management
+- ReceptionHousekeeping could handle cleanup
+- Consider Redis for high-performance blocklist checks
+
+## Related TODOs
+- Enhancement to existing blocklist infrastructure

stories/admin/ADM-008-global-app-management.md

@@ -0,0 +1,130 @@
+# Manage Global Apps
+
+**ID:** ADM-008
+**Priority:** High
+**Status:** In Development
+**Phase:** 1
+
+## User Story
+As a global administrator, I want to create, configure, and manage first-party global apps (foss.global, task.vc, etc.) so that organization owners can connect to these integrated services.
+
+## Acceptance Criteria
+- [ ] Only users with `isGlobalAdmin: true` can access the admin page
+- [ ] View list of all global apps with their status
+- [ ] Create new global apps with OAuth credentials
+- [ ] Edit existing global app details (name, description, logo, URLs)
+- [ ] Activate/deactivate global apps (inactive apps hidden from org owners)
+- [ ] View connection statistics per app (how many orgs connected)
+- [ ] Regenerate OAuth client credentials for an app
+- [ ] Delete global apps (with confirmation and impact warning)
+- [ ] Admin page accessible at `/admin` route
+
+## Technical Notes
+- Global admin flag stored on user: `isGlobalAdmin: boolean`
+- Separate from organization roles (platform-level permission)
+- OAuth credentials generated server-side, secrets never exposed in full
+- App deletion should warn about existing connections
+- Audit logging for all admin actions
+
+## Data Model
+
+```typescript
+interface IUser {
+  id: string;
+  data: {
+    // ... existing fields ...
+    isGlobalAdmin?: boolean; // Platform-level admin flag
+  };
+}
+
+interface IGlobalApp {
+  id: string;
+  type: 'global';
+  data: {
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    oauthCredentials: IOAuthCredentials;
+    isActive: boolean;
+    category: string;
+    createdAt: number;
+    createdByUserId: string;
+  };
+}
+```
+
+## Request Interfaces
+
+```typescript
+interface IReq_CreateGlobalApp {
+  method: 'createGlobalApp';
+  request: {
+    jwt: string;
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    category: string;
+    redirectUris: string[];
+    allowedScopes: string[];
+  };
+  response: {
+    app: IGlobalApp;
+    clientSecret: string; // Only shown once on creation
+  };
+}
+
+interface IReq_UpdateGlobalApp {
+  method: 'updateGlobalApp';
+  request: {
+    jwt: string;
+    appId: string;
+    updates: Partial<IGlobalApp['data']>;
+  };
+  response: {
+    app: IGlobalApp;
+  };
+}
+
+interface IReq_DeleteGlobalApp {
+  method: 'deleteGlobalApp';
+  request: {
+    jwt: string;
+    appId: string;
+  };
+  response: {
+    success: boolean;
+    disconnectedOrganizations: number;
+  };
+}
+
+interface IReq_GetGlobalAppStats {
+  method: 'getGlobalAppStats';
+  request: {
+    jwt: string;
+  };
+  response: {
+    apps: Array<{
+      app: IGlobalApp;
+      connectionCount: number;
+    }>;
+  };
+}
+```
+
+## UI Components
+- **GlobalAdminView** (`/admin`) - Main admin dashboard
+- **Global Apps Tab** - List of global apps with CRUD operations
+- **Create/Edit App Dialog** - Form for app configuration
+- Navigation shows "Admin" link only for global admins
+
+## Security Considerations
+- Server-side validation of `isGlobalAdmin` flag on all admin endpoints
+- JWT must be validated and user's admin status checked
+- Rate limiting on credential regeneration
+- Audit trail for all changes
+
+## Related Stories
+- ORG-009: Connect Global Apps (organization perspective)
+- ADM-003: Platform-wide Audit Logging

stories/developer/DEV-001-api-token-management.md

@@ -0,0 +1,28 @@
+# Create and Manage API Tokens
+
+**ID:** DEV-001
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As a developer, I want to create and manage API tokens so that I can integrate my applications with the identity provider programmatically.
+
+## Acceptance Criteria
+- [ ] Developer can create new API tokens with custom names
+- [ ] Token is shown once at creation (cannot be retrieved later)
+- [ ] Developer can set token expiration (or no expiration)
+- [ ] Developer can set token scopes/permissions
+- [ ] List all tokens with creation date and last used
+- [ ] Revoke individual tokens
+- [ ] Revoke all tokens at once
+- [ ] Rate limiting information shown per token
+
+## Technical Notes
+- ApiTokenManager exists with basic infrastructure
+- `loginWithApiToken` endpoint available
+- Need UI for token management (currently backend only)
+- Tokens should be hashed before storage (show once)
+- Consider token prefixes for easy identification (idp_...)
+
+## Related TODOs
+- Partial implementation in ApiTokenManager

stories/developer/DEV-002-sdk-documentation.md

@@ -0,0 +1,28 @@
+# Comprehensive SDK Documentation
+
+**ID:** DEV-002
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As a developer, I want comprehensive documentation for the IDP client SDK so that I can integrate authentication into my applications quickly and correctly.
+
+## Acceptance Criteria
+- [ ] Getting started guide with installation and setup
+- [ ] Authentication flow explanations with diagrams
+- [ ] API reference for all client methods
+- [ ] Code examples for common use cases
+- [ ] TypeScript type definitions documented
+- [ ] Error handling guide with error codes
+- [ ] Migration guides for version upgrades
+- [ ] Interactive API playground/sandbox
+
+## Technical Notes
+- `ts_idpclient/` contains the client SDK
+- README.md has basic usage but needs expansion
+- Generate API docs from TypeScript using TypeDoc
+- Host documentation on dedicated site or GitHub pages
+- Consider OpenAPI/Swagger spec for REST endpoints
+
+## Related TODOs
+- New feature - documentation enhancement

stories/developer/DEV-003-webhook-events.md

@@ -0,0 +1,28 @@
+# Configure Webhook Notifications
+
+**ID:** DEV-003
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a developer, I want to configure webhooks so that my application is notified in real-time when authentication events occur.
+
+## Acceptance Criteria
+- [ ] Register webhook endpoints with URL and secret
+- [ ] Select which events to subscribe to
+- [ ] Events include: user.created, user.login, user.logout, org.member.added, etc.
+- [ ] Webhook payloads include event type, timestamp, and relevant data
+- [ ] Signature verification using shared secret (HMAC)
+- [ ] Retry logic for failed deliveries (exponential backoff)
+- [ ] Webhook delivery logs with success/failure status
+- [ ] Test webhook button to send sample event
+
+## Technical Notes
+- Create Webhook model with URL, secret, events, and status
+- Queue webhook deliveries for reliability (consider bull/bullmq)
+- Sign payloads with HMAC-SHA256
+- Timeout for webhook delivery (10 seconds)
+- Dashboard for delivery monitoring and debugging
+
+## Related TODOs
+- New feature - event-driven integration

stories/developer/DEV-004-app-id-setup.md

@@ -0,0 +1,44 @@
+# Proper App ID Initialization
+
+**ID:** DEV-004
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As a developer, I want to properly register my application with a unique App ID so that the identity provider can identify and configure my app correctly.
+
+## Acceptance Criteria
+- [ ] Developer can register new applications
+- [ ] Each app gets unique App ID and App Secret
+- [ ] Configure allowed redirect URIs per app
+- [ ] Configure allowed origins (CORS) per app
+- [ ] App-specific settings (token expiry, etc.)
+- [ ] View app analytics (logins per app)
+- [ ] Regenerate app secret if compromised
+- [ ] Delete/deactivate applications
+
+## Technical Notes
+- Current client has `id: ''` placeholder (TODO in code)
+- App ID is now part of the unified Apps model (`IApp` discriminated union)
+- Three app types exist: Global Apps, Partner Apps, Custom OIDC Apps
+- For custom applications, use the Custom OIDC Apps flow (ORG-011)
+- App credentials stored as `IOAuthCredentials` with hashed client secret
+- Validate redirect URIs to prevent open redirector attacks
+- App ID/Client ID is included in JWT claims
+
+## Apps Architecture
+
+The Apps system supports three types:
+1. **Global Apps** (ORG-009) - First-party platform apps (foss.global, task.vc)
+2. **Partner Apps** (ORG-010, DEV-008) - AppStore model for third-party apps
+3. **Custom OIDC Apps** (ORG-011) - Organization-created OAuth/OIDC clients
+
+## Related Stories
+- ORG-009: Connect Global Apps
+- ORG-010: Browse and Install Partner Apps
+- ORG-011: Create Custom OIDC Apps
+- DEV-005: Register OAuth Client App
+- DEV-008: Submit App to AppStore
+
+## Related TODOs
+- `ts_idpclient/classes.idpclient.ts:30` - `id: '', // TODO`

stories/developer/DEV-005-oauth-client.md

@@ -0,0 +1,51 @@
+# Register OAuth Client App
+
+**ID:** DEV-005
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a developer, I want to register my application as an OAuth client so that users can authorize my app to access their data using standard OAuth 2.0 flows.
+
+## Acceptance Criteria
+- [ ] Register OAuth 2.0 client application
+- [ ] Support Authorization Code flow
+- [ ] Support PKCE for public clients (mobile/SPA)
+- [ ] Configure allowed scopes per client
+- [ ] Consent screen customization
+- [ ] Token endpoint for code exchange
+- [ ] Refresh token support
+- [ ] Client credentials flow for server-to-server
+
+## Technical Notes
+- OAuth/OIDC client registration is now part of the Apps system
+- **For organization owners**: Use Custom OIDC Apps (ORG-011) to create OAuth clients
+- **For third-party developers**: Submit to AppStore (DEV-008) for public apps
+- Standard OAuth 2.0 / OpenID Connect flows supported
+- Scopes: openid, profile, email, organizations
+- PKCE is required for mobile and SPA security
+
+## Implementation Path
+
+This story's functionality is now implemented through:
+1. **Custom OIDC Apps** (ORG-011) - Create org-specific OAuth clients via the Apps UI
+2. **Partner Apps** (DEV-008) - Submit public apps to the AppStore
+
+Both use the same underlying `IOAuthCredentials` model:
+```typescript
+interface IOAuthCredentials {
+  clientId: string;
+  clientSecretHash: string;
+  redirectUris: string[];
+  allowedScopes: string[];
+  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
+}
+```
+
+## Related Stories
+- ORG-011: Create Custom OIDC Apps (primary implementation)
+- DEV-004: Proper App ID Initialization
+- DEV-008: Submit App to AppStore
+
+## Related TODOs
+- New feature - OAuth server implementation

stories/developer/DEV-006-rate-limiting.md

@@ -0,0 +1,27 @@
+# Understand API Rate Limits
+
+**ID:** DEV-006
+**Priority:** Low
+**Status:** Planned
+
+## User Story
+As a developer, I want to understand and monitor API rate limits so that I can build applications that respect limits and handle throttling gracefully.
+
+## Acceptance Criteria
+- [ ] Clear documentation of rate limits per endpoint
+- [ ] Rate limit headers in API responses (X-RateLimit-*)
+- [ ] Different limits for different API token tiers
+- [ ] Dashboard showing current usage vs limits
+- [ ] Alerts when approaching rate limits
+- [ ] Retry-After header when rate limited
+- [ ] Ability to request limit increase
+
+## Technical Notes
+- Implement rate limiting middleware (consider express-rate-limit)
+- Store rate limit counters in Redis for distributed systems
+- Different limits: login attempts, API calls, token operations
+- Consider sliding window algorithm for smooth limits
+- 429 Too Many Requests response with helpful error message
+
+## Related TODOs
+- New feature - API management

stories/developer/DEV-007-jwt-validation.md

@@ -0,0 +1,27 @@
+# Validate JWTs in My Application
+
+**ID:** DEV-007
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As a developer, I want clear guidance and tools to validate JWTs issued by the identity provider so that I can securely authenticate users in my backend services.
+
+## Acceptance Criteria
+- [ ] Public key endpoint for JWT validation (JWKS format)
+- [ ] Documentation explaining JWT structure and claims
+- [ ] Example code for validation in multiple languages
+- [ ] Key rotation with multiple valid keys during transition
+- [ ] Token introspection endpoint for server-side validation
+- [ ] Clear error messages for invalid tokens
+- [ ] Guidance on caching public keys
+
+## Technical Notes
+- `getPublicKeyForValidation` endpoint exists
+- Consider standard JWKS endpoint (/.well-known/jwks.json)
+- OpenID Connect discovery endpoint would help
+- JWTs contain: sub, email, roles, orgId, exp, iat
+- Document all custom claims in JWT
+
+## Related TODOs
+- Enhancement to existing JWT infrastructure

stories/developer/DEV-008-submit-partner-app.md

@@ -0,0 +1,70 @@
+# Submit App to AppStore
+
+**ID:** DEV-008
+**Priority:** Low
+**Status:** Planned
+**Phase:** 4
+
+## User Story
+As a developer, I want to submit my application to the AppStore so that other organizations can discover and install my app.
+
+## Acceptance Criteria
+- [ ] Submit a new app to the AppStore
+- [ ] Provide app name, description, and logo
+- [ ] Add screenshots for the store listing
+- [ ] Select app category and tags
+- [ ] Set pricing model (free, paid, freemium)
+- [ ] Configure OAuth credentials (redirect URIs, scopes)
+- [ ] Submit for review
+- [ ] View submission status (draft, pending_review, approved, rejected, suspended)
+- [ ] Receive notification on approval/rejection
+- [ ] Edit app listing after approval
+- [ ] View app analytics (install count, usage)
+
+## Technical Notes
+- Submitter organization becomes `ownerOrganizationId`
+- Apps start in `draft` status, move to `pending_review` on submit
+- Platform admins review and approve/reject apps
+- Approved apps become visible in the AppStore
+- App updates may require re-approval
+
+## Approval Workflow
+
+```
+draft → pending_review → approved → published
+                      ↘ rejected
+
+approved ↔ suspended (admin action)
+```
+
+## Data Model
+
+```typescript
+interface IPartnerApp {
+  id: string;
+  type: 'partner';
+  data: {
+    ownerOrganizationId: string;
+    appStoreMetadata: {
+      shortDescription: string;
+      longDescription: string;
+      screenshots: string[];
+      category: string;
+      tags: string[];
+      pricing: { model: 'free' | 'paid' | 'freemium' };
+    };
+    approvalStatus: 'draft' | 'pending_review' | 'approved' | 'rejected' | 'suspended';
+    isPublished: boolean;
+    installCount: number;
+    // ... other fields
+  };
+}
+```
+
+## UI Components
+- **AppSubmissionView** (`/account/org/:orgName/apps/submit`) - Submit new partner app form
+
+## Related Stories
+- ORG-010: Browse and Install Partner Apps
+- ORG-011: Create Custom OIDC Apps
+- ADM-008: Review Partner App Submissions (new admin story)

stories/end-user/EU-001-multi-device-login.md

@@ -0,0 +1,24 @@
+# Multi-Device Login Sessions
+
+**ID:** EU-001
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As an end user, I want to stay logged in on multiple devices simultaneously so that I can access my account from my phone, tablet, and computer without being logged out elsewhere.
+
+## Acceptance Criteria
+- [ ] User can have active sessions on multiple devices at the same time
+- [ ] Each device gets its own refresh token
+- [ ] Logging out on one device does not affect sessions on other devices
+- [ ] User can see all active sessions in account settings
+- [ ] User can revoke individual sessions remotely
+
+## Technical Notes
+- Currently only one refresh token per login session is supported
+- Need to refactor `LoginSession` to support multiple refresh tokens
+- Consider storing device metadata (browser, OS, last active time) with each token
+- JWT blocklist needs to handle individual token revocation
+
+## Related TODOs
+- `ts/reception/classes.jwt.ts:39` - `// TODO: handle multiple refresh tokens`

stories/end-user/EU-002-password-reset.md

@@ -0,0 +1,26 @@
+# Complete Password Reset Flow
+
+**ID:** EU-002
+**Priority:** Critical
+**Status:** Planned
+
+## User Story
+As an end user, I want to reset my password when I forget it so that I can regain access to my account securely.
+
+## Acceptance Criteria
+- [ ] User can request a password reset via email
+- [ ] Reset email contains a secure, time-limited token link
+- [ ] Clicking the link opens a form to set a new password
+- [ ] Password must meet security requirements (length, complexity)
+- [ ] Old password is invalidated after successful reset
+- [ ] User receives confirmation email after password change
+- [ ] All existing sessions are invalidated after password reset
+
+## Technical Notes
+- `resetPassword` handler exists but `setNewPassword` is a stub (returns `{ status: 'ok' }` without implementation)
+- Need to implement actual password update logic
+- Should use `ReceptionMailer` for email sending
+- Consider rate limiting reset requests to prevent abuse
+
+## Related TODOs
+- `ts/reception/classes.loginsessionmanager.ts:229-238` - `setNewPassword` handler is incomplete

stories/end-user/EU-003-device-management.md

@@ -0,0 +1,25 @@
+# View and Manage Logged-in Devices
+
+**ID:** EU-003
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an end user, I want to view all devices where I'm logged in and remotely log out of specific devices so that I can maintain control over my account security.
+
+## Acceptance Criteria
+- [ ] User can view a list of all active sessions/devices
+- [ ] Each device entry shows: device type, browser, location (approximate), last activity
+- [ ] User can name/label devices for easy identification
+- [ ] User can log out of any individual device remotely
+- [ ] User can log out of all devices except the current one
+- [ ] User receives notification when a new device logs in
+
+## Technical Notes
+- Device ID tracking infrastructure exists but is blocked by JWT handling issues
+- Need to complete `attachDeviceId` handler (currently returns `ok: false`)
+- Store device fingerprint, user agent, IP-based geolocation
+- Integrate with multi-refresh-token system (EU-001)
+
+## Related TODOs
+- `ts/reception/classes.loginsessionmanager.ts:256` - `// TODO: Blocked by proper JWT handling`

stories/end-user/EU-004-two-factor-auth.md

@@ -0,0 +1,27 @@
+# Enable Two-Factor Authentication
+
+**ID:** EU-004
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.
+
+## Acceptance Criteria
+- [ ] User can enable 2FA from account settings
+- [ ] Support for TOTP apps (Google Authenticator, Authy, etc.)
+- [ ] Backup codes are generated and shown once during setup
+- [ ] User must verify 2FA code during setup to confirm it works
+- [ ] Login flow prompts for 2FA code when enabled
+- [ ] User can disable 2FA (requires current 2FA code)
+- [ ] Account recovery option if 2FA device is lost
+
+## Technical Notes
+- Mobile verification infrastructure exists (SMS OTP in registration)
+- Can leverage existing `smarttwilio` integration for SMS-based 2FA
+- TOTP implementation needs `otplib` or similar library
+- Store encrypted TOTP secret in User model
+- Consider supporting multiple 2FA methods (TOTP, SMS, security keys)
+
+## Related TODOs
+- New feature - no existing TODO

stories/end-user/EU-005-social-login.md

@@ -0,0 +1,28 @@
+# Login with Social Providers
+
+**ID:** EU-005
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an end user, I want to log in using my existing Google, GitHub, or Microsoft account so that I don't have to remember another password.
+
+## Acceptance Criteria
+- [ ] User can sign in with Google
+- [ ] User can sign in with GitHub
+- [ ] User can sign in with Microsoft
+- [ ] First-time social login creates a new account automatically
+- [ ] Social login can be linked to existing account
+- [ ] User can unlink social providers from settings
+- [ ] Profile data (name, email, avatar) is imported from provider
+- [ ] User can still set a password for email/password login
+
+## Technical Notes
+- Package.json keywords mention OAuth - infrastructure may be partially planned
+- Implement OAuth 2.0 / OpenID Connect flows
+- Store provider tokens securely for API access if needed
+- Handle email conflicts (social email matches existing account)
+- Consider using passport.js or similar for provider abstraction
+
+## Related TODOs
+- New feature - OAuth mentioned in package.json keywords but not implemented

stories/end-user/EU-006-account-deletion.md

@@ -0,0 +1,28 @@
+# Delete My Account
+
+**ID:** EU-006
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an end user, I want to permanently delete my account and all associated data so that I can exercise my right to be forgotten (GDPR compliance).
+
+## Acceptance Criteria
+- [ ] User can request account deletion from settings
+- [ ] Deletion requires password confirmation or 2FA
+- [ ] User sees summary of what will be deleted
+- [ ] Grace period (e.g., 30 days) before permanent deletion
+- [ ] User receives email confirmation of deletion request
+- [ ] User can cancel deletion during grace period
+- [ ] All personal data is removed after grace period
+- [ ] User is removed from all organizations they belong to
+
+## Technical Notes
+- `suspendUser` and `deleteSuspendedUser` endpoints exist in admin context
+- Need user-facing self-service deletion flow
+- Consider soft delete with scheduled hard delete
+- Must handle organization ownership transfer if user owns orgs
+- Audit log should retain anonymized record for compliance
+
+## Related TODOs
+- New feature - builds on existing suspension infrastructure

stories/end-user/EU-007-session-history.md

@@ -0,0 +1,26 @@
+# View Login History
+
+**ID:** EU-007
+**Priority:** Low
+**Status:** Planned
+
+## User Story
+As an end user, I want to view my login history so that I can detect any unauthorized access to my account.
+
+## Acceptance Criteria
+- [ ] User can view list of recent logins (last 30 days)
+- [ ] Each entry shows: date/time, IP address, location, device/browser
+- [ ] Failed login attempts are also shown
+- [ ] Suspicious logins are highlighted (new location, unusual time)
+- [ ] User can export login history
+- [ ] User receives alert for logins from new locations/devices
+
+## Technical Notes
+- Login events need to be logged with metadata
+- Create new LoginHistory collection in MongoDB
+- IP geolocation service needed (consider MaxMind or ipinfo.io)
+- Privacy considerations: IP retention policy, GDPR compliance
+- Could integrate with EU-003 (device management) for unified view
+
+## Related TODOs
+- New feature - no existing infrastructure

stories/end-user/EU-008-profile-avatar.md

@@ -0,0 +1,28 @@
+# Upload Profile Avatar
+
+**ID:** EU-008
+**Priority:** Low
+**Status:** Planned
+
+## User Story
+As an end user, I want to upload a profile picture so that my identity is visually recognizable across applications that use this identity provider.
+
+## Acceptance Criteria
+- [ ] User can upload an image from their device
+- [ ] Supported formats: JPEG, PNG, GIF
+- [ ] Maximum file size: 5MB
+- [ ] Image is automatically resized/cropped to standard dimensions
+- [ ] User can crop/adjust image before saving
+- [ ] Avatar is served via CDN for fast loading
+- [ ] Default avatar (initials or Gravatar) when no upload
+- [ ] Avatar is available to connected applications via API
+
+## Technical Notes
+- User model needs avatar URL field
+- Consider using cloud storage (S3, Cloudflare R2) for images
+- Implement image processing for resize/crop (sharp library)
+- Gravatar integration as fallback using email hash
+- Expose avatar in JWT claims or user info endpoint
+
+## Related TODOs
+- New feature - no existing infrastructure

stories/organization-owner/ORG-001-billing-sync.md

@@ -0,0 +1,27 @@
+# Sync Billing Plans with Users
+
+**ID:** ORG-001
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As an organization owner, I want billing plans to automatically sync with user seats so that I'm only charged for active users and can easily manage costs.
+
+## Acceptance Criteria
+- [ ] Adding a user to org automatically updates billing (for per-seat plans)
+- [ ] Removing a user adjusts billing accordingly
+- [ ] Prorated charges/credits for mid-cycle changes
+- [ ] Organization dashboard shows current seat count vs plan limit
+- [ ] Warning notification when approaching seat limit
+- [ ] Automatic upgrade prompt when exceeding limit
+- [ ] Billing history shows seat changes over time
+
+## Technical Notes
+- `BillingPlan.syncForUser()` method exists but is not implemented
+- Paddle integration exists for payment processing
+- Need to track user-to-organization seat assignments
+- Consider grace period for temporary overages
+- Webhook from Paddle for payment confirmations
+
+## Related TODOs
+- `ts/reception/classes.billingplan.ts:16` - `// TODO sync this for user`

stories/organization-owner/ORG-002-member-management.md

@@ -0,0 +1,128 @@
+# Invite and Manage Team Members
+
+**ID:** ORG-002
+**Priority:** Critical
+**Status:** Complete
+
+## User Story
+As an organization owner, I want to invite team members to my organization and manage their access so that my team can collaborate securely.
+
+## Acceptance Criteria
+- [x] Owner can invite users via email address
+- [x] Invited user receives email with invitation link
+- [x] Invitation can be accepted by existing users or during registration
+- [x] Owner can view pending invitations and resend/cancel them
+- [x] Owner can see all current members with their roles
+- [x] Owner can remove members from organization
+- [x] Owner can transfer ownership to another member
+- [x] Bulk invite via CSV upload
+
+## Technical Implementation
+
+### UserInvitation System
+
+The invitation system uses a shared `UserInvitation` model that supports multiple organizations inviting the same email address.
+
+#### Invitation Lifecycle
+
+1. **Create**: Org admin invites email → `UserInvitation` created (or existing one is updated)
+2. **Share**: Multiple orgs can link to the same invitation (by email)
+3. **Convert**: When user registers with that email → invitation converts to real User
+4. **Fold**: If existing user adds that email as secondary → invitation folds into existing user
+5. **Expire**: Auto-delete after 90 days with cleanup of all org refs
+
+#### Data Model
+
+```typescript
+// IUserInvitation
+{
+  id: string;
+  data: {
+    email: string;                    // Unique key for sharing
+    token: string;                    // Secure invitation link token
+    status: 'pending' | 'accepted' | 'expired' | 'cancelled';
+    createdAt: number;
+    expiresAt: number;                // 90 days from creation
+    organizationRefs: Array<{         // Multiple orgs can share
+      organizationId: string;
+      invitedByUserId: string;
+      invitedAt: number;
+      roles: string[];                // Roles to assign on acceptance
+    }>;
+    acceptedAt?: number;
+    convertedToUserId?: string;
+  };
+}
+```
+
+### Role System Enhancement
+
+Users can have multiple roles within an organization:
+
+```typescript
+// IRole
+{
+  id: string;
+  data: {
+    userId: string;
+    organizationId: string;
+    roles: string[];  // e.g., ['owner', 'billing-admin', 'developer']
+  };
+}
+```
+
+Standard roles: `owner`, `admin`, `editor`, `viewer`, `guest`
+Custom roles are also supported.
+
+### API Endpoints
+
+| Method | Purpose |
+|--------|---------|
+| `createInvitation` | Invite email to org with roles |
+| `getOrgInvitations` | List pending invitations |
+| `getOrgMembers` | List members with roles |
+| `cancelInvitation` | Cancel pending invitation |
+| `resendInvitation` | Resend invitation email |
+| `removeMember` | Remove user from org |
+| `updateMemberRoles` | Change member's roles |
+| `transferOwnership` | Transfer org ownership |
+| `acceptInvitation` | Accept invitation |
+| `getInvitationByToken` | Get invitation details for landing page |
+
+### Frontend Implementation
+
+The Users page (`/account/org/:orgName/users`) provides:
+
+- **Members tab**: List all members with roles, remove/edit actions
+- **Pending tab**: List pending invitations with resend/cancel
+- **Invite tab**: Form to invite by email with role selection
+
+### Files
+
+**Backend:**
+- `ts_interfaces/data/loint-reception.userinvitation.ts` - Data interface
+- `ts_interfaces/request/loint-reception.userinvitation.ts` - API contracts
+- `ts/reception/classes.userinvitation.ts` - Model
+- `ts/reception/classes.userinvitationmanager.ts` - Manager with handlers
+- `ts/reception/classes.receptionmailer.ts` - Invitation email
+
+**Frontend:**
+- `ts_web/elements/account/views/usersview.ts` - Users page component
+- `ts_web/elements/account/content.ts` - Route registration
+- `ts_web/elements/account/navigation.ts` - Nav link
+
+## Technical Notes
+- Organization and User models exist with association
+- UserInvitation model stores invitation data with 90-day expiry
+- `ReceptionMailer.sendInvitationEmail()` handles email delivery
+- RoleManager updated to support `roles: string[]` array
+- Backward compatible with existing single-role data
+
+## Related Stories
+- ORG-003: Assign Roles to Members (enhanced with multi-role support)
+
+## Related TODOs
+- [ ] Integrate invitation acceptance into registration flow
+- [ ] Add email verification flow for secondary emails (folding)
+- [ ] Implement scheduled cleanup job for expired invitations
+- [ ] Add CSV bulk invite feature

stories/organization-owner/ORG-003-role-assignment.md

@@ -0,0 +1,28 @@
+# Assign Roles to Members
+
+**ID:** ORG-003
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to assign different roles to team members so that I can control what each person can access and do within the organization.
+
+## Acceptance Criteria
+- [ ] Owner can create custom roles for the organization
+- [ ] Default roles: Owner, Admin, Member, Viewer
+- [ ] Each role has configurable permissions
+- [ ] Owner can assign/change roles for any member
+- [ ] Role changes take effect immediately
+- [ ] Members can view their own role and permissions
+- [ ] Audit log for role changes
+- [ ] At least one Owner must exist at all times
+
+## Technical Notes
+- RoleManager exists with basic role infrastructure
+- `getRolesAndOrganizationsForUserId` endpoint available
+- Need to expand Role model with permissions array
+- Consider permission inheritance (Admin inherits Member permissions)
+- JWT claims should include role for authorization
+
+## Related TODOs
+- Partial implementation exists in RoleManager

stories/organization-owner/ORG-004-org-branding.md

@@ -0,0 +1,27 @@
+# Customize Organization Branding
+
+**ID:** ORG-004
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to customize the branding of my organization's login and account pages so that my team sees our company identity when authenticating.
+
+## Acceptance Criteria
+- [ ] Upload organization logo
+- [ ] Set primary and secondary brand colors
+- [ ] Custom login page welcome message
+- [ ] Organization name displayed on login/register
+- [ ] Preview branding changes before saving
+- [ ] Reset to default branding option
+- [ ] Branding applies to email templates (org-specific emails)
+
+## Technical Notes
+- Organization model needs branding fields (logo URL, colors, message)
+- Frontend components need to accept branding props
+- Email templates should support organization branding
+- Consider white-label subdomain support (org.idp.global)
+- Image storage similar to user avatars (EU-008)
+
+## Related TODOs
+- New feature - no existing infrastructure

stories/organization-owner/ORG-005-usage-analytics.md

@@ -0,0 +1,27 @@
+# View Organization Usage Analytics
+
+**ID:** ORG-005
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to view analytics about how my organization uses the identity platform so that I can understand adoption and identify potential issues.
+
+## Acceptance Criteria
+- [ ] Dashboard showing key metrics (active users, logins, registrations)
+- [ ] Time-series charts for login activity
+- [ ] Most active users ranking
+- [ ] Failed login attempts summary
+- [ ] Authentication method breakdown (password, email link, 2FA)
+- [ ] Date range selector for historical data
+- [ ] Export analytics data (CSV, PDF)
+
+## Technical Notes
+- Need to aggregate login events per organization
+- Consider time-series database or aggregation pipeline in MongoDB
+- Privacy: show aggregates, not individual user activity details
+- Cache analytics for performance
+- Real-time updates via WebSocket for dashboard
+
+## Related TODOs
+- New feature - requires event logging infrastructure

stories/organization-owner/ORG-006-sso-config.md

@@ -0,0 +1,28 @@
+# Configure SSO for Organization
+
+**ID:** ORG-006
+**Priority:** High
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to configure Single Sign-On with my company's identity provider so that employees can use their corporate credentials.
+
+## Acceptance Criteria
+- [ ] Support SAML 2.0 SSO configuration
+- [ ] Support OIDC/OAuth SSO configuration
+- [ ] Test connection before enabling
+- [ ] Auto-provision users on first SSO login (JIT provisioning)
+- [ ] Map SSO attributes to user profile fields
+- [ ] Option to require SSO for all org members
+- [ ] Bypass SSO for emergency admin access
+- [ ] Support multiple SSO providers per organization
+
+## Technical Notes
+- Implement SAML assertion consumer service
+- Store SSO configuration securely (encrypted secrets)
+- Certificate management for SAML
+- Consider using passport-saml and passport-openidconnect
+- Metadata endpoint for easy IdP configuration
+
+## Related TODOs
+- New feature - enterprise SSO capability

stories/organization-owner/ORG-007-audit-logs.md

@@ -0,0 +1,28 @@
+# View Organization Audit Logs
+
+**ID:** ORG-007
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to view audit logs for my organization so that I can track security-relevant events and meet compliance requirements.
+
+## Acceptance Criteria
+- [ ] Log all security-relevant events (logins, role changes, member changes)
+- [ ] Searchable audit log interface
+- [ ] Filter by event type, user, date range
+- [ ] Each entry shows: timestamp, actor, action, target, IP address
+- [ ] Immutable logs (cannot be deleted or modified)
+- [ ] Export logs for compliance (CSV, JSON)
+- [ ] Retention policy configuration (90 days default)
+- [ ] Real-time event streaming option
+
+## Technical Notes
+- Create AuditLog collection with write-only access pattern
+- Index for efficient querying
+- Consider separate database/collection for audit data
+- Comply with SOC 2 / ISO 27001 logging requirements
+- Webhook option for SIEM integration
+
+## Related TODOs
+- New feature - compliance and security requirement

stories/organization-owner/ORG-008-subscription-management.md

@@ -0,0 +1,28 @@
+# Manage Subscription and Billing
+
+**ID:** ORG-008
+**Priority:** Medium
+**Status:** Planned
+
+## User Story
+As an organization owner, I want to manage my subscription plan and billing details so that I can upgrade, downgrade, or update payment methods as needed.
+
+## Acceptance Criteria
+- [ ] View current subscription plan and features
+- [ ] Compare available plans with feature matrix
+- [ ] Upgrade to higher plan with immediate effect
+- [ ] Downgrade with effect at end of billing period
+- [ ] Update payment method (credit card via Paddle)
+- [ ] View billing history and download invoices
+- [ ] Cancel subscription with confirmation
+- [ ] Apply coupon/discount codes
+
+## Technical Notes
+- Paddle integration exists (`paddlesetup` view, `BillingPlanManager`)
+- Enhance existing subscription view with more functionality
+- Paddle handles PCI compliance for payment data
+- Webhook handlers for subscription status changes
+- VAT handling for EU customers (Paddle manages this)
+
+## Related TODOs
+- Enhancement to existing Paddle integration

stories/organization-owner/ORG-009-global-apps.md

@@ -0,0 +1,65 @@
+# Connect Global Apps
+
+**ID:** ORG-009
+**Priority:** High
+**Status:** In Development
+**Phase:** 1
+
+## User Story
+As an organization owner, I want to connect and disconnect first-party apps (foss.global, task.vc, etc.) for my organization so that my team members can use these integrated services.
+
+## Acceptance Criteria
+- [ ] View list of available global apps (foss.global, task.vc)
+- [ ] See connection status for each global app
+- [ ] Connect a global app to the organization
+- [ ] Disconnect a global app from the organization
+- [ ] View which user connected the app and when
+- [ ] See what scopes/permissions each app requires
+- [ ] Toggle does not require page reload
+
+## Technical Notes
+- Global apps are pre-registered by the platform administrators
+- Uses `IAppConnection` to track org-to-app relationships
+- Connection creates OAuth authorization for the app
+- Apps access org data via granted scopes
+- No credentials shown to org owners (managed by platform)
+
+## Data Model
+
+```typescript
+interface IGlobalApp {
+  id: string;
+  type: 'global';
+  data: {
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    oauthCredentials: IOAuthCredentials;
+    isActive: boolean;
+    category: string;
+  };
+}
+
+interface IAppConnection {
+  id: string;
+  data: {
+    organizationId: string;
+    appId: string;
+    appType: 'global' | 'partner' | 'custom_oidc';
+    status: 'active' | 'disconnected';
+    connectedAt: number;
+    connectedByUserId: string;
+    grantedScopes: string[];
+  };
+}
+```
+
+## UI Components
+- **AppsView** (`/account/org/:orgName/apps`) - Main tabbed interface
+- **Global Apps Tab** - List of global apps with toggle switches
+
+## Related Stories
+- ORG-010: Browse and Install Partner Apps (AppStore)
+- ORG-011: Create Custom OIDC Apps
+- DEV-004: Proper App ID Initialization

stories/organization-owner/ORG-010-app-store.md

@@ -0,0 +1,63 @@
+# Browse and Install Partner Apps
+
+**ID:** ORG-010
+**Priority:** Medium
+**Status:** Planned
+**Phase:** 3
+
+## User Story
+As an organization owner, I want to browse and install partner apps from the AppStore so that my organization can benefit from third-party integrations.
+
+## Acceptance Criteria
+- [ ] Browse available partner apps in the AppStore
+- [ ] Search apps by name or description
+- [ ] Filter apps by category
+- [ ] View curated sections (Featured, Popular, New)
+- [ ] View app details (description, screenshots, pricing)
+- [ ] See app install count and ratings
+- [ ] Install/connect a partner app to the organization
+- [ ] Uninstall/disconnect a partner app
+- [ ] View installed apps list
+
+## Technical Notes
+- Partner apps are submitted by other organizations (DEV-008)
+- Apps must be approved by platform admins before appearing in store
+- Uses `IPartnerApp` with `appStoreMetadata`
+- Connection uses same `IAppConnection` as global apps
+
+## Data Model
+
+```typescript
+interface IPartnerApp {
+  id: string;
+  type: 'partner';
+  data: {
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    ownerOrganizationId: string;
+    oauthCredentials: IOAuthCredentials;
+    appStoreMetadata: {
+      shortDescription: string;
+      longDescription: string;
+      screenshots: string[];
+      category: string;
+      tags: string[];
+      pricing: { model: 'free' | 'paid' | 'freemium' };
+    };
+    approvalStatus: TAppApprovalStatus;
+    isPublished: boolean;
+    installCount: number;
+  };
+}
+```
+
+## UI Components
+- **AppsView** - App Store tab with search and categories
+- **AppStoreDetailView** (`/account/org/:orgName/apps/store/:appId`) - Full app details page
+
+## Related Stories
+- ORG-009: Connect Global Apps
+- ORG-011: Create Custom OIDC Apps
+- DEV-008: Submit App to AppStore

stories/organization-owner/ORG-011-custom-oidc-apps.md

@@ -0,0 +1,70 @@
+# Create Custom OIDC Apps
+
+**ID:** ORG-011
+**Priority:** Medium
+**Status:** Planned
+**Phase:** 2
+
+## User Story
+As an organization owner, I want to create custom OAuth/OIDC client applications so that I can integrate my own internal tools and services with the identity provider.
+
+## Acceptance Criteria
+- [ ] Create a new custom OIDC application
+- [ ] Configure application name and description
+- [ ] Upload application logo
+- [ ] Set application URL
+- [ ] Configure redirect URIs
+- [ ] Select allowed OAuth scopes
+- [ ] Choose grant types (authorization_code, client_credentials, refresh_token)
+- [ ] View client ID and client secret
+- [ ] Regenerate client secret if compromised
+- [ ] Edit existing applications
+- [ ] Delete applications
+- [ ] Configure token lifetimes
+
+## Technical Notes
+- Custom OIDC apps are organization-scoped
+- Client secret is hashed in database, shown only once at creation
+- Redirect URIs validated to prevent open redirect attacks
+- Standard OAuth 2.0 / OpenID Connect flows supported
+- PKCE support for public clients
+
+## Data Model
+
+```typescript
+interface ICustomOidcApp {
+  id: string;
+  type: 'custom_oidc';
+  data: {
+    name: string;
+    description: string;
+    logoUrl: string;
+    appUrl: string;
+    ownerOrganizationId: string;
+    oauthCredentials: IOAuthCredentials;
+    oidcSettings: {
+      accessTokenLifetime: number;  // seconds
+      refreshTokenLifetime: number; // seconds
+    };
+  };
+}
+
+interface IOAuthCredentials {
+  clientId: string;
+  clientSecretHash: string;
+  redirectUris: string[];
+  allowedScopes: string[];
+  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
+}
+```
+
+## UI Components
+- **AppsView** - Custom OIDC tab with app list
+- **OidcAppFormView** (`/account/org/:orgName/apps/custom/new`) - Create new app form
+- **OidcAppFormView** (`/account/org/:orgName/apps/custom/:appId`) - Edit existing app
+
+## Related Stories
+- ORG-009: Connect Global Apps
+- ORG-010: Browse and Install Partner Apps
+- DEV-004: Proper App ID Initialization
+- DEV-005: Register OAuth Client App

test/test.auth.node.ts

@@ -0,0 +1,140 @@
+import { tap, expect } from '@git.zone/tstest/tapbundle';
+
+import { EmailActionToken } from '../ts/reception/classes.emailactiontoken.js';
+import { LoginSession } from '../ts/reception/classes.loginsession.js';
+import { RegistrationSession } from '../ts/reception/classes.registrationsession.js';
+import { User } from '../ts/reception/classes.user.js';
+import * as plugins from '../ts/plugins.js';
+
+const createTestLoginSession = () => {
+  const loginSession = new LoginSession();
+  loginSession.id = 'test-session';
+  loginSession.data.userId = 'test-user';
+  (loginSession as LoginSession & { save: () => Promise<void> }).save = async () => undefined;
+  return loginSession;
+};
+
+const createTestEmailActionToken = () => {
+  const emailActionToken = new EmailActionToken();
+  emailActionToken.id = 'email-action-token';
+  emailActionToken.data.email = 'user@example.com';
+  emailActionToken.data.action = 'emailLogin';
+  emailActionToken.data.validUntil = Date.now() + 60_000;
+
+  let deleted = false;
+  (emailActionToken as EmailActionToken & { delete: () => Promise<void> }).delete = async () => {
+    deleted = true;
+  };
+
+  return {
+    emailActionToken,
+    wasDeleted: () => deleted,
+  };
+};
+
+const createTestRegistrationSession = () => {
+  const registrationSession = new RegistrationSession();
+  registrationSession.id = 'registration-session';
+  registrationSession.data.emailAddress = 'user@example.com';
+  registrationSession.data.validUntil = Date.now() + 60_000;
+
+  let deleted = false;
+  (registrationSession as RegistrationSession & { save: () => Promise<void> }).save = async () => undefined;
+  (registrationSession as RegistrationSession & { delete: () => Promise<void> }).delete = async () => {
+    deleted = true;
+  };
+
+  return {
+    registrationSession,
+    wasDeleted: () => deleted,
+  };
+};
+
+tap.test('hashes passwords with argon2 and verifies them', async () => {
+  const passwordHash = await User.hashPassword('correct horse battery staple');
+
+  expect(passwordHash.startsWith('$argon2')).toBeTrue();
+  expect(await User.verifyPassword('correct horse battery staple', passwordHash)).toBeTrue();
+  expect(await User.verifyPassword('wrong password', passwordHash)).toBeFalse();
+  expect(User.shouldUpgradePasswordHash(passwordHash)).toBeFalse();
+});
+
+tap.test('accepts legacy sha256 hashes and marks them for upgrade', async () => {
+  const legacyHash = await plugins.smarthash.sha256FromString('legacy-password');
+
+  expect(User.isLegacyPasswordHash(legacyHash)).toBeTrue();
+  expect(await User.verifyPassword('legacy-password', legacyHash)).toBeTrue();
+  expect(await User.verifyPassword('different-password', legacyHash)).toBeFalse();
+  expect(User.shouldUpgradePasswordHash(legacyHash)).toBeTrue();
+});
+
+tap.test('rotates refresh tokens and detects reuse', async () => {
+  const loginSession = createTestLoginSession();
+
+  const firstRefreshToken = await loginSession.getRefreshToken();
+  const secondRefreshToken = await loginSession.getRefreshToken();
+
+  expect(firstRefreshToken.startsWith('refresh_')).toBeTrue();
+  expect(secondRefreshToken.startsWith('refresh_')).toBeTrue();
+  expect(firstRefreshToken).not.toEqual(secondRefreshToken);
+  expect(loginSession.data.refreshToken).toBeNullOrUndefined();
+  expect(loginSession.data.refreshTokenHash).toBeTruthy();
+  expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('current');
+  expect(await loginSession.validateRefreshToken(firstRefreshToken)).toEqual('reused');
+
+  await loginSession.invalidate();
+  expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('invalidated');
+});
+
+tap.test('persists transfer tokens as one-time hashes', async () => {
+  const loginSession = createTestLoginSession();
+  const transferToken = await loginSession.getTransferToken();
+
+  expect(transferToken.startsWith('transfer_')).toBeTrue();
+  expect(loginSession.data.transferTokenHash).toBeTruthy();
+  expect(await loginSession.validateTransferToken(transferToken)).toBeTrue();
+  expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
+});
+
+tap.test('consumes email action tokens exactly once', async () => {
+  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
+  const plainToken = EmailActionToken.createOpaqueToken('emailLogin');
+  emailActionToken.data.tokenHash = EmailActionToken.hashToken(plainToken);
+
+  expect(await emailActionToken.consume(plainToken)).toBeTrue();
+  expect(wasDeleted()).toBeTrue();
+});
+
+tap.test('invalidates expired email action tokens', async () => {
+  const { emailActionToken, wasDeleted } = createTestEmailActionToken();
+  emailActionToken.data.tokenHash = EmailActionToken.hashToken('expired-token');
+  emailActionToken.data.validUntil = Date.now() - 1;
+
+  expect(await emailActionToken.consume('expired-token')).toBeFalse();
+  expect(wasDeleted()).toBeTrue();
+});
+
+tap.test('persists registration token validation and sms verification state', async () => {
+  const { registrationSession } = createTestRegistrationSession();
+  const emailToken = 'registration-token';
+  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken(emailToken);
+
+  expect(await registrationSession.validateEmailToken(emailToken)).toBeTrue();
+  expect(registrationSession.data.status).toEqual('emailValidated');
+  expect(registrationSession.data.collectedData.userData.email).toEqual('user@example.com');
+
+  registrationSession.data.smsCodeHash = RegistrationSession.hashToken('123456');
+  expect(await registrationSession.validateSmsCode('123456')).toBeTrue();
+  expect(registrationSession.data.status).toEqual('mobileVerified');
+});
+
+tap.test('removes expired registration sessions on token validation', async () => {
+  const { registrationSession, wasDeleted } = createTestRegistrationSession();
+  registrationSession.data.hashedEmailToken = RegistrationSession.hashToken('expired-registration');
+  registrationSession.data.validUntil = Date.now() - 1;
+
+  expect(await registrationSession.validateEmailToken('expired-registration')).toBeFalse();
+  expect(wasDeleted()).toBeTrue();
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@idp.global/idp.global',
-  version: '1.1.1',
+  version: '1.18.0',
   description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }

ts/index.ts

@@ -4,24 +4,78 @@ import { Reception } from './reception/classes.reception.js';
 
 export const runCli = async () => {
   const serviceQenv = new plugins.qenv.Qenv('./', './.nogit', false);
+
+  // Create reception first so we can reference it in routes
+  let reception: Reception;
+
   const websiteServer = new plugins.typedserver.utilityservers.UtilityWebsiteServer({
     feedMetadata: null,
     domain: 'idp.global',
     serveDir: paths.distWebDir,
+    securityHeaders: {
+      csp: {
+        defaultSrc: "'self'",
+        scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://cdn.paddle.com", "https://public.profitwell.com"],
+        styleSrc: ["'self'", "'unsafe-inline'", "https://cdn.paddle.com", "https://assetbroker.lossless.one"],
+        imgSrc: ["'self'", "data:", "https:"],
+        fontSrc: ["'self'", "data:"],
+        connectSrc: ["'self'", "https://*.paddle.com", "https://buy.paddle.com", "https://checkout.paddle.com", "https://checkout-service.paddle.com", "https://cdn.paddle.com", "https://*.sentry.io", "https://public.profitwell.com", "wss:"],
+        frameSrc: ["https://buy.paddle.com", "https://checkout.paddle.com", "https://*.paddle.com"],
+      },
+    },
+    addCustomRoutes: async (typedserver) => {
+      // Enable SPA fallback - serves index.html for non-file routes (e.g., /login, /dashboard)
+      typedserver.options.spaFallback = true;
+
+      // OIDC Discovery endpoint
+      typedserver.addRoute('/.well-known/openid-configuration', 'GET', async (ctx) => {
+        return new Response(JSON.stringify(reception.oidcManager.getDiscoveryDocument()), {
+          headers: { 'Content-Type': 'application/json' },
+        });
+      });
+
+      // JWKS endpoint
+      typedserver.addRoute('/.well-known/jwks.json', 'GET', async (ctx) => {
+        return new Response(JSON.stringify(reception.oidcManager.getJwks()), {
+          headers: { 'Content-Type': 'application/json' },
+        });
+      });
+
+      // OAuth Authorization endpoint
+      typedserver.addRoute('/oauth/authorize', 'GET', async (ctx) => {
+        return reception.oidcManager.handleAuthorize(ctx);
+      });
+
+      // OAuth Token endpoint
+      typedserver.addRoute('/oauth/token', 'POST', async (ctx) => {
+        return reception.oidcManager.handleToken(ctx);
+      });
+
+      // OAuth UserInfo endpoint (GET and POST)
+      typedserver.addRoute('/oauth/userinfo', 'GET', async (ctx) => {
+        return reception.oidcManager.handleUserInfo(ctx);
+      });
+      typedserver.addRoute('/oauth/userinfo', 'POST', async (ctx) => {
+        return reception.oidcManager.handleUserInfo(ctx);
+      });
+
+      // OAuth Revocation endpoint
+      typedserver.addRoute('/oauth/revoke', 'POST', async (ctx) => {
+        return reception.oidcManager.handleRevoke(ctx);
+      });
+    },
   });
 
   // lets add the reception routes
-  const reception = new Reception({
+  reception = new Reception({
     name: (await serviceQenv.getEnvVarOnDemand('INSTANCE_NAME')) || 'idp.global',
     mongoDescriptor: {
-      mongoDbUser: await serviceQenv.getEnvVarOnDemand('MONGO_DB_USER'),
+      mongoDbUrl: await serviceQenv.getEnvVarOnDemand('MONGODB_URL'),
-      mongoDbName: await serviceQenv.getEnvVarOnDemand('MONGO_DB_NAME'),
-      mongoDbPass: await serviceQenv.getEnvVarOnDemand('MONGO_DB_PASS'),
-      mongoDbUrl: await serviceQenv.getEnvVarOnDemand('MONGO_DB_URL'),
     },
     websiteServer: websiteServer,
+    baseUrl: await serviceQenv.getEnvVarOnDemand('IDP_BASEURL'),
   });
   await reception.start();
 
-  await websiteServer.start();
+  await websiteServer.start(2999);
 };

ts/plugins.ts

@@ -1,10 +1,11 @@
 // Native scope
+import * as crypto from 'node:crypto';
 import * as path from 'path';
-export { path };
+export { crypto, path };
 
 // Project scope
-import * as lointReception from '../dist_ts_interfaces/index.js';
+import * as idpInterfaces from '../dist_ts_interfaces/index.js';
-export { lointReception };
+export { idpInterfaces };
 
 // @api.global scope
 import * as typedserver from '@api.global/typedserver';
@@ -32,8 +33,10 @@ import * as smartpromise from '@push.rocks/smartpromise';
 import * as smarttime from '@push.rocks/smarttime';
 import * as smartunique from '@push.rocks/smartunique';
 import * as taskbuffer from '@push.rocks/taskbuffer';
+import * as argon2 from 'argon2';
 
 export {
+  argon2,
   lik,
   projectinfo,
   qenv,
@@ -52,4 +55,4 @@ export {
 
 // @tsclass scope
 import * as tsclass from '@tsclass/tsclass';
-export { tsclass };
+export { tsclass };

ts/readme.md

@@ -0,0 +1,87 @@
+# `ts/` Backend Module
+
+The `ts/` folder contains the server runtime for `idp.global`: startup, website server wiring, typed routes, OIDC endpoints, and the core `Reception` managers.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## What Lives Here
+
+- `index.ts` boots the service, loads env vars, starts the website server, and mounts OIDC endpoints.
+- `reception/classes.reception.ts` creates the service container and initializes all managers.
+- `reception/` contains the domain logic for users, sessions, orgs, roles, invites, apps, billing, and OIDC.
+- `plugins.ts` centralizes external imports used by the backend.
+
+## Startup Behavior
+
+The backend startup in `ts/index.ts` does four main things:
+
+1. Loads runtime configuration from `.nogit` and the working directory.
+2. Creates a `UtilityWebsiteServer` that serves the built frontend.
+3. Registers OIDC endpoints such as discovery, JWKS, authorize, token, userinfo, and revoke.
+4. Creates and starts `Reception`, then starts HTTP serving on port `2999`.
+
+## Required Environment
+
+```bash
+export MONGODB_URL=mongodb://localhost:27017/idp-dev
+export IDP_BASEURL=http://localhost:2999
+export INSTANCE_NAME=idp-dev
+```
+
+Optional:
+
+- `SERVEZONE_PLATFROM_AUTHORIZATION`
+- `PADDLE_TOKEN`
+- `PADDLE_PRICE_ID`
+
+## Key Managers
+
+| Class | Responsibility |
+| --- | --- |
+| `JwtManager` | JWT issuance, validation, and key rotation support |
+| `LoginSessionManager` | Session creation, refresh, logout, and session metadata |
+| `RegistrationSessionManager` | Registration flow state |
+| `UserManager` | User-centric queries and mutations |
+| `OrganizationManager` | Organization creation and access checks |
+| `RoleManager` | Role and permission management |
+| `UserInvitationManager` | Invitations, member updates, and ownership transfer |
+| `BillingPlanManager` | Billing plan state and Paddle config endpoint |
+| `AppManager` | Global app administration |
+| `AppConnectionManager` | App connection tracking |
+| `ActivityLogManager` | User activity logging |
+| `OidcManager` | OIDC discovery, auth code flow, token exchange, userinfo, revoke |
+
+## Local Development
+
+From the repository root:
+
+```bash
+pnpm install
+pnpm build
+pnpm watch
+```
+
+The watch setup runs the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`.
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH  
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

ts/reception/classes.activitylog.ts

@@ -0,0 +1,62 @@
+import * as plugins from '../plugins.js';
+import { ActivityLogManager } from './classes.activitylogmanager.js';
+
+/**
+ * ActivityLog tracks user actions for audit and display purposes
+ */
+@plugins.smartdata.Manager()
+export class ActivityLog extends plugins.smartdata.SmartDataDbDoc<
+  ActivityLog,
+  plugins.idpInterfaces.data.IActivityLog,
+  ActivityLogManager
+> {
+  // ======
+  // static
+  // ======
+  public static async createActivityLog(
+    managerArg: ActivityLogManager,
+    userId: string,
+    action: plugins.idpInterfaces.data.TActivityAction,
+    description: string,
+    metadata?: {
+      ip?: string;
+      userAgent?: string;
+      targetId?: string;
+      targetType?: string;
+    }
+  ) {
+    const activityLog = new managerArg.CActivityLog();
+    activityLog.id = plugins.smartunique.shortId();
+    activityLog.data = {
+      userId,
+      action,
+      timestamp: Date.now(),
+      metadata: {
+        description,
+        ...metadata,
+      },
+    };
+    await activityLog.save();
+    return activityLog;
+  }
+
+  // ========
+  // INSTANCE
+  // ========
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IActivityLog['data'] = {
+    userId: null,
+    action: null,
+    timestamp: null,
+    metadata: {
+      description: null,
+    },
+  };
+
+  constructor() {
+    super();
+  }
+}

ts/reception/classes.activitylogmanager.ts

@@ -0,0 +1,77 @@
+import * as plugins from '../plugins.js';
+import { ActivityLog } from './classes.activitylog.js';
+import { Reception } from './classes.reception.js';
+
+export class ActivityLogManager {
+  // refs
+  public receptionRef: Reception;
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+
+  public CActivityLog = plugins.smartdata.setDefaultManagerForDoc(this, ActivityLog);
+
+  public typedRouter = new plugins.typedrequest.TypedRouter();
+
+  constructor(receptionRefArg: Reception) {
+    this.receptionRef = receptionRefArg;
+    this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
+
+    // Get user activity handler
+    this.typedRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetUserActivity>(
+        'getUserActivity',
+        async (requestArg) => {
+          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          if (!jwt) {
+            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
+          }
+
+          const limit = requestArg.limit || 20;
+          const offset = requestArg.offset || 0;
+
+          // Get activities for this user
+          const activities = await this.CActivityLog.getInstances({
+            'data.userId': jwt.data.userId,
+          });
+
+          // Sort by timestamp descending
+          const sortedActivities = activities
+            .sort((a, b) => b.data.timestamp - a.data.timestamp)
+            .slice(offset, offset + limit);
+
+          return {
+            activities: sortedActivities.map((a) => ({
+              id: a.id,
+              data: a.data,
+            })),
+            total: activities.length,
+          };
+        }
+      )
+    );
+  }
+
+  /**
+   * Log a user activity
+   */
+  public async logActivity(
+    userId: string,
+    action: plugins.idpInterfaces.data.TActivityAction,
+    description: string,
+    metadata?: {
+      ip?: string;
+      userAgent?: string;
+      targetId?: string;
+      targetType?: string;
+    }
+  ) {
+    return await ActivityLog.createActivityLog(
+      this,
+      userId,
+      action,
+      description,
+      metadata
+    );
+  }
+}

ts/reception/classes.app.ts

@@ -0,0 +1,40 @@
+import * as plugins from '../plugins.js';
+import type { AppManager } from './classes.appmanager.js';
+
+@plugins.smartdata.Manager()
+export class App extends plugins.smartdata.SmartDataDbDoc<
+  App,
+  plugins.idpInterfaces.data.IAppDocument,
+  AppManager
+> {
+  // INSTANCE
+  @plugins.smartdata.unI()
+  id: plugins.idpInterfaces.data.IAppDocument['id'];
+
+  @plugins.smartdata.svDb()
+  type: plugins.idpInterfaces.data.IAppDocument['type'];
+
+  @plugins.smartdata.svDb()
+  data: plugins.idpInterfaces.data.IAppDocument['data'];
+
+  /**
+   * Check if the app is a global app
+   */
+  public isGlobalApp(): this is App & { type: 'global' } {
+    return this.type === 'global';
+  }
+
+  /**
+   * Check if the app is a partner app
+   */
+  public isPartnerApp(): this is App & { type: 'partner' } {
+    return this.type === 'partner';
+  }
+
+  /**
+   * Check if the app is a custom OIDC app
+   */
+  public isCustomOidcApp(): this is App & { type: 'custom_oidc' } {
+    return this.type === 'custom_oidc';
+  }
+}

ts/reception/classes.appconnection.ts

@@ -0,0 +1,41 @@
+import * as plugins from '../plugins.js';
+import type { AppConnectionManager } from './classes.appconnectionmanager.js';
+
+@plugins.smartdata.Manager()
+export class AppConnection extends plugins.smartdata.SmartDataDbDoc<
+  AppConnection,
+  plugins.idpInterfaces.data.IAppConnection,
+  AppConnectionManager
+> {
+  // INSTANCE
+  @plugins.smartdata.unI()
+  id: plugins.idpInterfaces.data.IAppConnection['id'];
+
+  @plugins.smartdata.svDb()
+  data: plugins.idpInterfaces.data.IAppConnection['data'];
+
+  /**
+   * Check if the connection is active
+   */
+  public isActive(): boolean {
+    return this.data.status === 'active';
+  }
+
+  /**
+   * Disconnect the app
+   */
+  public async disconnect(): Promise<void> {
+    this.data.status = 'disconnected';
+    await this.save();
+  }
+
+  /**
+   * Reconnect the app
+   */
+  public async reconnect(userId: string): Promise<void> {
+    this.data.status = 'active';
+    this.data.connectedAt = Date.now();
+    this.data.connectedByUserId = userId;
+    await this.save();
+  }
+}

ts/reception/classes.appconnectionmanager.ts

@@ -0,0 +1,187 @@
+import * as plugins from '../plugins.js';
+import type { Reception } from './classes.reception.js';
+import { AppConnection } from './classes.appconnection.js';
+
+export class AppConnectionManager {
+  public receptionRef: Reception;
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  public CAppConnection = plugins.smartdata.setDefaultManagerForDoc(this, AppConnection);
+
+  constructor(receptionRefArg: Reception) {
+    this.receptionRef = receptionRefArg;
+    this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
+
+    // Handler: Get app connections for an organization
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetAppConnections>(
+        'getAppConnections',
+        async (requestArg) => {
+          // Verify JWT and get user
+          const jwtData = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            id: jwtData.data.userId,
+          });
+
+          // Check user has access to the organization
+          const organization = await this.receptionRef.organizationmanager.COrganization.getInstance({
+            id: requestArg.organizationId,
+          });
+
+          if (!organization) {
+            throw new plugins.typedrequest.TypedResponseError('Organization not found');
+          }
+
+          const role = await this.receptionRef.roleManager.CRole.getInstance({
+            data: {
+              organizationId: organization.id,
+              userId: user.id,
+            },
+          });
+
+          if (!role) {
+            throw new plugins.typedrequest.TypedResponseError(
+              'User not authorized for this organization'
+            );
+          }
+
+          // Get all connections for this organization
+          const connections = await this.CAppConnection.getInstances({
+            'data.organizationId': requestArg.organizationId,
+          });
+
+          const connectionObjects = await Promise.all(
+            connections.map(async (conn) => await conn.createSavableObject())
+          );
+
+          return {
+            connections: connectionObjects,
+          };
+        }
+      )
+    );
+
+    // Handler: Toggle app connection (connect/disconnect)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ToggleAppConnection>(
+        'toggleAppConnection',
+        async (requestArg) => {
+          // Verify JWT and get user
+          const jwtData = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            id: jwtData.data.userId,
+          });
+
+          // Check user has admin access to the organization
+          const organization = await this.receptionRef.organizationmanager.COrganization.getInstance({
+            id: requestArg.organizationId,
+          });
+
+          if (!organization) {
+            throw new plugins.typedrequest.TypedResponseError('Organization not found');
+          }
+
+          const isAdmin = await organization.checkIfUserIsAdmin(user);
+          if (!isAdmin) {
+            throw new plugins.typedrequest.TypedResponseError(
+              'Only organization admins can manage app connections'
+            );
+          }
+
+          // Get the app
+          const app = await this.receptionRef.appManager.getAppById(requestArg.appId);
+          if (!app) {
+            throw new plugins.typedrequest.TypedResponseError('App not found');
+          }
+
+          // Find existing connection
+          let connection = await this.CAppConnection.getInstance({
+            'data.organizationId': requestArg.organizationId,
+            'data.appId': requestArg.appId,
+          });
+
+          if (requestArg.action === 'connect') {
+            if (connection && connection.isActive()) {
+              // Already connected
+              return {
+                success: true,
+                connection: await connection.createSavableObject(),
+              };
+            }
+
+            if (connection) {
+              // Reconnect existing connection
+              await connection.reconnect(user.id);
+            } else {
+              // Create new connection
+              connection = new AppConnection();
+              connection.id = plugins.smartunique.shortId();
+              connection.data = {
+                organizationId: requestArg.organizationId,
+                appId: requestArg.appId,
+                appType: app.type,
+                status: 'active',
+                connectedAt: Date.now(),
+                connectedByUserId: user.id,
+                grantedScopes: app.data.oauthCredentials?.allowedScopes || [],
+              };
+              await connection.save();
+            }
+
+            return {
+              success: true,
+              connection: await connection.createSavableObject(),
+            };
+          } else {
+            // Disconnect
+            if (!connection) {
+              return {
+                success: true,
+              };
+            }
+
+            await connection.disconnect();
+
+            return {
+              success: true,
+              connection: await connection.createSavableObject(),
+            };
+          }
+        }
+      )
+    );
+  }
+
+  /**
+   * Get all connections for an organization
+   */
+  public async getConnectionsForOrganization(organizationId: string): Promise<AppConnection[]> {
+    return await this.CAppConnection.getInstances({
+      'data.organizationId': organizationId,
+    });
+  }
+
+  /**
+   * Get connection for a specific app and organization
+   */
+  public async getConnection(
+    organizationId: string,
+    appId: string
+  ): Promise<AppConnection | null> {
+    return await this.CAppConnection.getInstance({
+      'data.organizationId': organizationId,
+      'data.appId': appId,
+    });
+  }
+
+  /**
+   * Check if an app is connected to an organization
+   */
+  public async isAppConnected(organizationId: string, appId: string): Promise<boolean> {
+    const connection = await this.getConnection(organizationId, appId);
+    return connection?.isActive() || false;
+  }
+}

ts/reception/classes.appmanager.ts

@@ -0,0 +1,316 @@
+import * as plugins from '../plugins.js';
+import type { Reception } from './classes.reception.js';
+import { App } from './classes.app.js';
+// Note: App class is imported for use with setDefaultManagerForDoc
+
+export class AppManager {
+  public receptionRef: Reception;
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  public CApp = plugins.smartdata.setDefaultManagerForDoc(this, App);
+
+  constructor(receptionRefArg: Reception) {
+    this.receptionRef = receptionRefArg;
+    this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
+
+    // Handler: Get all global apps (for org owners)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetGlobalApps>(
+        'getGlobalApps',
+        async (requestArg) => {
+          // Verify JWT
+          await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+
+          // Get all active global apps
+          const globalApps = await this.CApp.getInstances({
+            type: 'global',
+            'data.isActive': true,
+          });
+
+          const appObjects = await Promise.all(
+            globalApps.map(async (app) => await app.createSavableObject() as plugins.idpInterfaces.data.IGlobalApp)
+          );
+
+          return {
+            apps: appObjects,
+          };
+        }
+      )
+    );
+
+    // Handler: Check if user is global admin
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CheckGlobalAdmin>(
+        'checkGlobalAdmin',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwt(requestArg.jwt);
+          return {
+            isGlobalAdmin: user?.data?.isGlobalAdmin ?? false,
+          };
+        }
+      )
+    );
+
+    // Handler: Get global apps with stats (admin only)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetGlobalAppStats>(
+        'getGlobalAppStats',
+        async (requestArg) => {
+          await this.verifyGlobalAdmin(requestArg.jwt);
+
+          // Get all global apps (including inactive)
+          const globalApps = await this.CApp.getInstances({
+            type: 'global',
+          });
+
+          const appsWithStats = await Promise.all(
+            globalApps.map(async (app) => {
+              const connections = await this.receptionRef.appConnectionManager.CAppConnection.getInstances({
+                'data.appId': app.id,
+                'data.status': 'active',
+              });
+              return {
+                app: await app.createSavableObject() as plugins.idpInterfaces.data.IGlobalApp,
+                connectionCount: connections.length,
+              };
+            })
+          );
+
+          return { apps: appsWithStats };
+        }
+      )
+    );
+
+    // Handler: Create global app (admin only)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CreateGlobalApp>(
+        'createGlobalApp',
+        async (requestArg) => {
+          const jwtData = await this.verifyGlobalAdmin(requestArg.jwt);
+
+          // Generate OAuth credentials
+          const clientId = `app-${plugins.smartunique.shortId(12)}`;
+          const clientSecret = plugins.smartunique.shortId(32);
+          const clientSecretHash = await plugins.smarthash.sha256FromString(clientSecret);
+
+          const app = new this.CApp();
+          app.id = `app-${plugins.smartunique.shortId(8)}`;
+          app.type = 'global';
+          app.data = {
+            name: requestArg.name,
+            description: requestArg.description,
+            logoUrl: requestArg.logoUrl,
+            appUrl: requestArg.appUrl,
+            category: requestArg.category,
+            isActive: true,
+            createdAt: Date.now(),
+            createdByUserId: jwtData.data.userId,
+            oauthCredentials: {
+              clientId,
+              clientSecretHash,
+              redirectUris: requestArg.redirectUris,
+              allowedScopes: requestArg.allowedScopes,
+              grantTypes: ['authorization_code', 'refresh_token'],
+            },
+          };
+          await app.save();
+
+          return {
+            app: await app.createSavableObject() as plugins.idpInterfaces.data.IGlobalApp,
+            clientSecret, // Only shown once
+          };
+        }
+      )
+    );
+
+    // Handler: Update global app (admin only)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_UpdateGlobalApp>(
+        'updateGlobalApp',
+        async (requestArg) => {
+          await this.verifyGlobalAdmin(requestArg.jwt);
+
+          const app = await this.CApp.getInstance({ id: requestArg.appId });
+          if (!app) {
+            throw new Error('App not found');
+          }
+
+          if (!app.isGlobalApp()) {
+            throw new Error('Can only update global apps');
+          }
+
+          // Update allowed fields - cast data to global app type after type guard
+          const appData = app.data as plugins.idpInterfaces.data.IGlobalApp['data'];
+          if (requestArg.updates.name !== undefined) appData.name = requestArg.updates.name;
+          if (requestArg.updates.description !== undefined) appData.description = requestArg.updates.description;
+          if (requestArg.updates.logoUrl !== undefined) appData.logoUrl = requestArg.updates.logoUrl;
+          if (requestArg.updates.appUrl !== undefined) appData.appUrl = requestArg.updates.appUrl;
+          if (requestArg.updates.category !== undefined) appData.category = requestArg.updates.category;
+          if (requestArg.updates.isActive !== undefined) appData.isActive = requestArg.updates.isActive;
+          if (requestArg.updates.redirectUris !== undefined) appData.oauthCredentials.redirectUris = requestArg.updates.redirectUris;
+          if (requestArg.updates.allowedScopes !== undefined) appData.oauthCredentials.allowedScopes = requestArg.updates.allowedScopes;
+
+          await app.save();
+
+          return {
+            app: await app.createSavableObject() as plugins.idpInterfaces.data.IGlobalApp,
+          };
+        }
+      )
+    );
+
+    // Handler: Delete global app (admin only)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_DeleteGlobalApp>(
+        'deleteGlobalApp',
+        async (requestArg) => {
+          await this.verifyGlobalAdmin(requestArg.jwt);
+
+          const app = await this.CApp.getInstance({ id: requestArg.appId });
+          if (!app) {
+            throw new Error('App not found');
+          }
+
+          // Get and disconnect all connections
+          const connections = await this.receptionRef.appConnectionManager.CAppConnection.getInstances({
+            'data.appId': requestArg.appId,
+          });
+
+          for (const connection of connections) {
+            await connection.delete();
+          }
+
+          await app.delete();
+
+          return {
+            success: true,
+            disconnectedOrganizations: connections.length,
+          };
+        }
+      )
+    );
+
+    // Handler: Regenerate OAuth credentials (admin only)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RegenerateAppCredentials>(
+        'regenerateAppCredentials',
+        async (requestArg) => {
+          await this.verifyGlobalAdmin(requestArg.jwt);
+
+          const app = await this.CApp.getInstance({ id: requestArg.appId });
+          if (!app) {
+            throw new Error('App not found');
+          }
+
+          // Generate new credentials
+          const clientId = `app-${plugins.smartunique.shortId(12)}`;
+          const clientSecret = plugins.smartunique.shortId(32);
+          const clientSecretHash = await plugins.smarthash.sha256FromString(clientSecret);
+
+          app.data.oauthCredentials.clientId = clientId;
+          app.data.oauthCredentials.clientSecretHash = clientSecretHash;
+          await app.save();
+
+          return {
+            clientId,
+            clientSecret, // Only shown once
+          };
+        }
+      )
+    );
+  }
+
+  /**
+   * Verify that the user is a global admin
+   */
+  private async verifyGlobalAdmin(jwt: string) {
+    const jwtData = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwt);
+    const user = await this.receptionRef.userManager.getUserByJwt(jwt);
+    if (!user?.data?.isGlobalAdmin) {
+      throw new Error('Access denied: Global admin privileges required');
+    }
+    return jwtData;
+  }
+
+  /**
+   * Get all global apps
+   */
+  public async getGlobalApps(): Promise<App[]> {
+    return await this.CApp.getInstances({
+      type: 'global',
+    });
+  }
+
+  /**
+   * Get app by ID
+   */
+  public async getAppById(appId: string): Promise<App | null> {
+    return await this.CApp.getInstance({
+      id: appId,
+    });
+  }
+
+  /**
+   * Seed initial global apps (for development/testing)
+   */
+  public async seedGlobalApps() {
+    const defaultGlobalApps: Partial<plugins.idpInterfaces.data.IGlobalApp>[] = [
+      {
+        id: 'app-foss-global',
+        type: 'global',
+        data: {
+          name: 'foss.global',
+          description: 'Open Source Package Registry and Collaboration Platform',
+          logoUrl: 'https://foss.global/assets/logo.png',
+          appUrl: 'https://foss.global',
+          oauthCredentials: {
+            clientId: 'foss-global-client',
+            clientSecretHash: '', // Will be set when OAuth is configured
+            redirectUris: ['https://foss.global/auth/callback'],
+            allowedScopes: ['openid', 'profile', 'email', 'organizations'],
+            grantTypes: ['authorization_code', 'refresh_token'],
+          },
+          isActive: true,
+          category: 'Development',
+          createdAt: Date.now(),
+          createdByUserId: 'system',
+        },
+      },
+      {
+        id: 'app-task-vc',
+        type: 'global',
+        data: {
+          name: 'task.vc',
+          description: 'Task Management and Project Collaboration',
+          logoUrl: 'https://task.vc/assets/logo.png',
+          appUrl: 'https://task.vc',
+          oauthCredentials: {
+            clientId: 'task-vc-client',
+            clientSecretHash: '',
+            redirectUris: ['https://task.vc/auth/callback'],
+            allowedScopes: ['openid', 'profile', 'email', 'organizations'],
+            grantTypes: ['authorization_code', 'refresh_token'],
+          },
+          isActive: true,
+          category: 'Productivity',
+          createdAt: Date.now(),
+          createdByUserId: 'system',
+        },
+      },
+    ];
+
+    for (const appData of defaultGlobalApps) {
+      const existing = await this.CApp.getInstance({ id: appData.id });
+      if (!existing) {
+        const app = new this.CApp();
+        app.id = appData.id!;
+        app.type = appData.type!;
+        app.data = appData.data as any;
+        await app.save();
+      }
+    }
+  }
+}

ts/reception/classes.billingplan.ts

@@ -8,7 +8,7 @@ import { User } from './classes.user.js';
 @plugins.smartdata.Manager()
 export class BillingPlan extends plugins.smartdata.SmartDataDbDoc<
   BillingPlan,
-  plugins.lointReception.data.IBillingPlan,
+  plugins.idpInterfaces.data.IBillingPlan,
   BillingPlanManager
 > {
   // STATIC
@@ -20,7 +20,7 @@ export class BillingPlan extends plugins.smartdata.SmartDataDbDoc<
   public id: string;
 
   @plugins.smartdata.svDb()
-  public data: plugins.lointReception.data.IBillingPlan['data'] = {
+  public data: plugins.idpInterfaces.data.IBillingPlan['data'] = {
     type: null,
     organizationId: null,
     lastProcessed: null,

ts/reception/classes.billingplanmanager.ts

@@ -14,7 +14,7 @@ export class BillingPlanManager {
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.typedrouter.addTypedHandler(new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_UpdatePaymentMethod>('updatePaymentMethod', async reqDataArg => {
+    this.typedrouter.addTypedHandler(new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_UpdatePaymentMethod>('updatePaymentMethod', async reqDataArg => {
       const user = await this.receptionRef.userManager.getUserByJwt(reqDataArg.jwtString);
       const organization = await this.receptionRef.organizationmanager.COrganization.getInstance({
         id: reqDataArg.orgId,
@@ -59,6 +59,17 @@ export class BillingPlanManager {
           }
         }
       }
-    }))
+    }));
+
+    // Paddle configuration endpoint
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetPaddleConfig>(
+        'getPaddleConfig',
+        async () => ({
+          paddleToken: await this.receptionRef.serviceQenv.getEnvVarOnDemand('PADDLE_TOKEN'),
+          paddlePriceId: await this.receptionRef.serviceQenv.getEnvVarOnDemand('PADDLE_PRICE_ID'),
+        })
+      )
+    );
   }
 }

ts/reception/classes.emailactiontoken.ts

@@ -0,0 +1,49 @@
+import * as plugins from '../plugins.js';
+import { LoginSessionManager } from './classes.loginsessionmanager.js';
+
+@plugins.smartdata.Manager()
+export class EmailActionToken extends plugins.smartdata.SmartDataDbDoc<
+  EmailActionToken,
+  plugins.idpInterfaces.data.IEmailActionToken,
+  LoginSessionManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
+  public static createOpaqueToken(actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction) {
+    return `${actionArg}_${plugins.crypto.randomBytes(32).toString('base64url')}`;
+  }
+
+  @plugins.smartdata.unI()
+  public id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IEmailActionToken['data'] = {
+    email: '',
+    action: 'emailLogin',
+    tokenHash: '',
+    validUntil: 0,
+    createdAt: 0,
+  };
+
+  public isExpired() {
+    return this.data.validUntil < Date.now();
+  }
+
+  public matchesToken(tokenArg: string) {
+    return this.data.tokenHash === EmailActionToken.hashToken(tokenArg);
+  }
+
+  public async consume(tokenArg: string) {
+    if (this.isExpired() || !this.matchesToken(tokenArg)) {
+      if (this.isExpired()) {
+        await this.delete();
+      }
+      return false;
+    }
+
+    await this.delete();
+    return true;
+  }
+}

ts/reception/classes.housekeeping.ts

@@ -34,6 +34,46 @@ export class ReceptionHousekeeping {
       '2 * * * * *'
     );
 
+    this.taskmanager.addAndScheduleTask(
+      new plugins.taskbuffer.Task({
+        name: 'expiredEmailActionTokens',
+        taskFunction: async () => {
+          const expiredEmailActionTokens =
+            await this.receptionRef.loginSessionManager.CEmailActionToken.getInstances({
+              data: {
+                validUntil: {
+                  $lt: Date.now(),
+                } as any,
+              },
+            });
+          for (const emailActionToken of expiredEmailActionTokens) {
+            await emailActionToken.delete();
+          }
+        },
+      }),
+      '2 * * * * *'
+    );
+
+    this.taskmanager.addAndScheduleTask(
+      new plugins.taskbuffer.Task({
+        name: 'expiredRegistrationSessions',
+        taskFunction: async () => {
+          const expiredRegistrationSessions =
+            await this.receptionRef.registrationSessionManager.CRegistrationSession.getInstances({
+              data: {
+                validUntil: {
+                  $lt: Date.now(),
+                } as any,
+              },
+            });
+          for (const registrationSession of expiredRegistrationSessions) {
+            await registrationSession.delete();
+          }
+        },
+      }),
+      '2 * * * * *'
+    );
+
     this.taskmanager.start();
     logger.log('info', 'housekeeping started');
   }

ts/reception/classes.jwt.ts

@@ -1,31 +1,38 @@
 import * as plugins from '../plugins.js';
 import { JwtManager } from './classes.jwtmanager.js';
+import type { LoginSession } from './classes.loginsession.js';
 
 /**
  * a User is identified by its username or email.
  * Both need to be unique and both can be changed.
  */
 @plugins.smartdata.Manager()
-export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.lointReception.data.IJwt, JwtManager> {
+export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterfaces.data.IJwt, JwtManager> {
   // STATIC
   public static async createJwtForRefreshToken(
     jwtManagerInstance: JwtManager,
     refreshTokenArg: string
-  ) {
+  ): Promise<string | null> {
-    const loginSession =
+    const sessionLookup =
-      await jwtManagerInstance.receptionRef.loginSessionManager.CLoginSession.getLoginSessionByRefreshToken(
+      await jwtManagerInstance.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
         refreshTokenArg
       );
-    if (!loginSession) {
+    if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
-      return null;
-    }
-    const refreshTokenValid = await loginSession.validateRefreshToken(refreshTokenArg);
-    if (!refreshTokenValid) {
       return null;
     }
+    return this.createJwtForLoginSession(jwtManagerInstance, sessionLookup.loginSession);
+  }
+
+  public static async createJwtForLoginSession(
+    jwtManagerInstance: JwtManager,
+    loginSession: LoginSession
+  ): Promise<string | null> {
     const user = await jwtManagerInstance.receptionRef.userManager.CUser.getInstance({
       id: loginSession.data.userId,
     });
+    if (!user) {
+      return null;
+    }
     const validUntil = plugins.smarttime.ExtendedDate.fromMillis(
       Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 1 })
     );
@@ -33,10 +40,10 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.lointRece
     jwt.id = plugins.smartunique.shortId();
     jwt.data = {
       userId: user.id,
+      sessionId: loginSession.id,
       validUntil: validUntil.getTime(),
       refreshEvery: 1000000,
       refreshFrom: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 0.5 }),
-      refreshToken: await loginSession.getRefreshToken(), // TODO: handle multiple refresh tokens
       justForLooks: {
         validUntilIsoString: validUntil.toISOString(),
       }
@@ -46,9 +53,9 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.lointRece
 
     const jwtString = await jwtManagerInstance.smartjwtInstance.createJWT({
       id: jwt.id,
-      blocked: null,
+      blocked: false,
       data: jwt.data,
-    } as plugins.lointReception.data.IJwt);
+    } as plugins.idpInterfaces.data.IJwt);
     return jwtString;
   }
 
@@ -60,7 +67,7 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.lointRece
   public blocked: boolean = false;
 
   @plugins.smartdata.svDb()
-  public data: plugins.lointReception.data.IJwt['data'];
+  public data: plugins.idpInterfaces.data.IJwt['data'];
 
   public async block() {
     this.blocked = true;
@@ -68,11 +75,26 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.lointRece
   }
 
   public async getLoginSession() {
-    const loginSession = await this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({
+    if (this.data.sessionId) {
-      data: {
+      return this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({
-        refreshToken: this.data.refreshToken,
+        id: this.data.sessionId,
-      }
+      });
-    });
+    }
-    return loginSession;
+
+    if (!this.data.refreshToken) {
+      return null;
+    }
+
+    const sessionLookup =
+      await this.manager.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
+        this.data.refreshToken
+      );
+
+    if (!sessionLookup) {
+      return null;
+    }
+
+    return sessionLookup.loginSession;
+
   }
 }

ts/reception/classes.jwtmanager.ts

@@ -21,20 +21,51 @@ export class JwtManager {
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.typedrouter.addTypedHandler<plugins.lointReception.request.IReq_RefreshJwt>(
+    this.typedrouter.addTypedHandler<plugins.idpInterfaces.request.IReq_RefreshJwt>(
       new plugins.typedrequest.TypedHandler(
         'refreshJwt',
         async (requestArg) => {
-          const resultJwt = await Jwt.createJwtForRefreshToken(this, requestArg.refreshToken);
+          const sessionLookup =
+            await this.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
+              requestArg.refreshToken
+            );
+
+          if (!sessionLookup || sessionLookup.validationStatus === 'invalid') {
+            return {
+              status: 'not found',
+            };
+          }
+
+          if (sessionLookup.validationStatus === 'invalidated') {
+            return {
+              status: 'invalidated',
+            };
+          }
+
+          if (sessionLookup.validationStatus === 'reused') {
+            await sessionLookup.loginSession.invalidate();
+            return {
+              status: 'invalidated',
+            };
+          }
+
+          const rotatedRefreshToken = await sessionLookup.loginSession.getRefreshToken();
+          const resultJwt = await Jwt.createJwtForLoginSession(this, sessionLookup.loginSession);
+          if (!rotatedRefreshToken || !resultJwt) {
+            return {
+              status: 'invalidated',
+            };
+          }
           return {
             status: 'loggedIn',
             jwt: resultJwt,
+            refreshToken: rotatedRefreshToken,
           };
         }
       )
     );
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_GetPublicKeyForValidation>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetPublicKeyForValidation>(
         'getPublicKeyForValidation',
         async (requestArg) => {
           // TODO control backend token
@@ -46,7 +77,7 @@ export class JwtManager {
     );
 
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_PushOrGetJwtIdBlocklist>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_PushOrGetJwtIdBlocklist>(
         'pushOrGetJwtIdBlocklist',
         async (requestArg) => {
           // TODO control backend token
@@ -60,7 +91,7 @@ export class JwtManager {
 
   public async pushPublicKeyToClients() {
     const targetConnections =
-      await this.receptionRef.options.websiteServer.typedserver.typedsocket.findAllTargetConnectionsByTag<plugins.lointReception.tags.ITag_LolePubapi>(
+      await this.receptionRef.options.websiteServer.typedserver.typedsocket.findAllTargetConnectionsByTag<plugins.idpInterfaces.tags.ITag_LolePubapi>(
         'lole-reception',
         {
           backendToken: '',
@@ -68,7 +99,7 @@ export class JwtManager {
       );
     for (const targetConnection of targetConnections) {
       const pushPublicKeyTr =
-        this.receptionRef.options.websiteServer.typedserver.typedsocket.createTypedRequest<plugins.lointReception.request.IReq_PushPublicKeyForValidation>(
+        this.receptionRef.options.websiteServer.typedserver.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PushPublicKeyForValidation>(
           'pushPublicKeyForValidation',
           targetConnection
         );
@@ -80,7 +111,7 @@ export class JwtManager {
 
   public async pushBlockedJwtIdListToClients() {
     const targetConnections =
-      await this.receptionRef.options.websiteServer.typedserver.typedsocket.findAllTargetConnectionsByTag<plugins.lointReception.tags.ITag_LolePubapi>(
+      await this.receptionRef.options.websiteServer.typedserver.typedsocket.findAllTargetConnectionsByTag<plugins.idpInterfaces.tags.ITag_LolePubapi>(
         'lole-reception',
         {
           backendToken: '',
@@ -88,7 +119,7 @@ export class JwtManager {
       );
       for (const targetConnection of targetConnections) {
         const pushPublicKeyTr =
-          this.receptionRef.options.websiteServer.typedserver.typedsocket.createTypedRequest<plugins.lointReception.request.IReq_PushOrGetJwtIdBlocklist>(
+          this.receptionRef.options.websiteServer.typedserver.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PushOrGetJwtIdBlocklist>(
             'pushOrGetJwtIdBlocklist',
             targetConnection
           );
@@ -120,19 +151,24 @@ export class JwtManager {
     await this.pushPublicKeyToClients();
   }
 
-  public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt> {
+  public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt | null> {
-    const jwtData: plugins.lointReception.data.IJwt = await this.smartjwtInstance.verifyJWTAndGetData(jwtArg);
+    const jwtData: plugins.idpInterfaces.data.IJwt = await this.smartjwtInstance.verifyJWTAndGetData(jwtArg);
-    const jwt = await Jwt.getInstance({
+    const jwt = await this.CJwt.getInstance({
       id: jwtData.id,
     });
+    if (!jwt) {
+      return null;
+    }
     if (jwt.blocked) {
       return null;
     }
     if (jwt) {
       const loginSession = await jwt.getLoginSession();
-      if (!loginSession) {
+      if (!loginSession || loginSession.data.invalidated) {
         await jwt.block();
-        this.blockedJwtIdList.push(jwt.id);
+        if (!this.blockedJwtIdList.includes(jwt.id)) {
+          this.blockedJwtIdList.push(jwt.id);
+        }
         return null;
       }
     }

ts/reception/classes.loginsession.ts

@@ -2,13 +2,15 @@ import * as plugins from '../plugins.js';
 import { LoginSessionManager } from './classes.loginsessionmanager.js';
 import { User } from './classes.user.js';
 
+export type TRefreshTokenValidationResult = 'current' | 'invalid' | 'invalidated' | 'reused';
+
 /**
  * a LoginSession keeps track of a login over the whole time of the user being loggedin
  */
 @plugins.smartdata.Manager()
 export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
   LoginSession,
-  plugins.lointReception.data.ILoginSession,
+  plugins.idpInterfaces.data.ILoginSession,
   LoginSessionManager
 > {
   // ======
@@ -40,7 +42,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
   }
 
   public static async getLoginSessionByRefreshToken(refreshTokenArg: string) {
-    const loginSession = await LoginSession.getInstance({
+    const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
+    let loginSession = await LoginSession.getInstance({
+      'data.refreshTokenHash': refreshTokenHash,
+    });
+    if (loginSession) {
+      return loginSession;
+    }
+    loginSession = await LoginSession.getInstance({
       data: {
         refreshToken: refreshTokenArg,
       },
@@ -48,6 +57,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
     return loginSession;
   }
 
+  public static async hashSessionToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromString(tokenArg);
+  }
+
+  public static createOpaqueToken(prefixArg: string) {
+    return `${prefixArg}${plugins.crypto.randomBytes(32).toString('base64url')}`;
+  }
+
   // ========
   // INSTANCE
   // ========
@@ -55,15 +72,22 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
   public id: string;
 
   @plugins.smartdata.svDb()
-  public data: plugins.lointReception.data.ILoginSession['data'] = {
+  public data: plugins.idpInterfaces.data.ILoginSession['data'] = {
     userId: null,
     validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ weeks: 1 }),
     invalidated: false,
     refreshToken: null,
-    deviceId: null
+    refreshTokenHash: null,
+    rotatedRefreshTokenHashes: [],
+    transferTokenHash: null,
+    transferTokenExpiresAt: null,
+    deviceId: null,
+    deviceInfo: null,
+    createdAt: Date.now(),
+    lastActive: Date.now(),
   };
 
-  public transferToken: string;
+  public transferToken: string | null = null;
 
   constructor() {
     super();
@@ -74,40 +98,99 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
    */
   public async invalidate() {
     this.data.invalidated = true;
+    this.data.refreshToken = null;
+    this.data.refreshTokenHash = null;
+    this.data.transferTokenHash = null;
+    this.data.transferTokenExpiresAt = null;
     await this.save();
   }
 
   /**
-   * a refresh token is unique to a login session and ONLY created once per login session
+   * a refresh token is unique to a login session and rotated whenever it is issued
    * @returns
    */
   public async getRefreshToken() {
     if (this.data.invalidated) {
-      console.log('login session is invalidated. no refresh token can be generated.');
       return null;
     }
-    if (!this.data.refreshToken) {
+    const previousRefreshTokenHash =
-      this.data.refreshToken = plugins.smartunique.uni('refresh_');
+      this.data.refreshTokenHash ||
+      (this.data.refreshToken
+        ? await LoginSession.hashSessionToken(this.data.refreshToken)
+        : null);
+
+    if (previousRefreshTokenHash) {
+      this.data.rotatedRefreshTokenHashes = [
+        ...(this.data.rotatedRefreshTokenHashes || []),
+        previousRefreshTokenHash,
+      ].slice(-5);
     }
+
+    const refreshToken = LoginSession.createOpaqueToken('refresh_');
+    this.data.refreshTokenHash = await LoginSession.hashSessionToken(refreshToken);
+    this.data.refreshToken = null;
+    this.data.lastActive = Date.now();
     await this.save();
-    return this.data.refreshToken;
+    return refreshToken;
   }
 
   public async getTransferToken() {
-    this.transferToken = plugins.smartunique.uni('transfer_');
+    this.transferToken = LoginSession.createOpaqueToken('transfer_');
+    this.data.transferTokenHash = await LoginSession.hashSessionToken(this.transferToken);
+    this.data.transferTokenExpiresAt =
+      Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 5 });
+    await this.save();
     return this.transferToken;
   }
 
-  public async validateRefreshToken(refreshTokenArg: string) {
+  public async validateRefreshToken(
-    return this.data.refreshToken === refreshTokenArg;
+    refreshTokenArg: string
+  ): Promise<TRefreshTokenValidationResult> {
+    if (this.data.invalidated) {
+      return 'invalidated';
+    }
+
+    const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
+
+    if (
+      this.data.refreshTokenHash === refreshTokenHash ||
+      (!!this.data.refreshToken && this.data.refreshToken === refreshTokenArg)
+    ) {
+      return 'current';
+    }
+
+    if ((this.data.rotatedRefreshTokenHashes || []).includes(refreshTokenHash)) {
+      return 'reused';
+    }
+
+    return 'invalid';
   }
 
   public async validateTransferToken(transferTokenArg: string) {
-    const result = this.transferToken === transferTokenArg;
+    if (this.data.invalidated || !this.data.transferTokenHash) {
+      return false;
+    }
+
+    if (
+      this.data.transferTokenExpiresAt &&
+      this.data.transferTokenExpiresAt < Date.now()
+    ) {
+      this.data.transferTokenHash = null;
+      this.data.transferTokenExpiresAt = null;
+      await this.save();
+      return false;
+    }
+
+    const result =
+      this.data.transferTokenHash ===
+      (await LoginSession.hashSessionToken(transferTokenArg));
 
     // a transfer token can only be used once, so we invalidate it here
     if (result) {
       this.transferToken = null;
+      this.data.transferTokenHash = null;
+      this.data.transferTokenExpiresAt = null;
+      await this.save();
     }
     return result;
   }

ts/reception/classes.loginsessionmanager.ts

@@ -1,6 +1,8 @@
 import * as plugins from '../plugins.js';
-import { LoginSession } from './classes.loginsession.js';
+import { EmailActionToken } from './classes.emailactiontoken.js';
+import { LoginSession, type TRefreshTokenValidationResult } from './classes.loginsession.js';
 import { Reception } from './classes.reception.js';
+import { logger } from './logging.js';
 
 export class LoginSessionManager {
   // refs
@@ -9,31 +11,21 @@ export class LoginSessionManager {
     return this.receptionRef.db.smartdataDb;
   }
 
+  public CEmailActionToken = plugins.smartdata.setDefaultManagerForDoc(this, EmailActionToken);
   public CLoginSession = plugins.smartdata.setDefaultManagerForDoc(this, LoginSession);
 
-  public loginSessions = new plugins.lik.ObjectMap<LoginSession>();
-
   public typedRouter = new plugins.typedrequest.TypedRouter();
 
-  public emailTokenMap = new plugins.lik.ObjectMap<{
-    email: string;
-    token: string;
-    action: 'emailLogin' | 'passwordReset';
-  }>();
-
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_LoginWithEmailOrUsernameAndPassword>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
         'loginWithEmailOrUsernameAndPassword',
         async (requestData) => {
           let user = await this.receptionRef.userManager.CUser.getInstance({
             data: {
               username: requestData.username,
-              passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
-                requestData.password
-              ),
             },
           });
 
@@ -41,33 +33,29 @@ export class LoginSessionManager {
             user = await this.receptionRef.userManager.CUser.getInstance({
               data: {
                 email: requestData.username,
-                passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
-                  requestData.password
-                ),
               },
             });
           }
 
-          if (user) {
+          if (user && (await this.receptionRef.userManager.CUser.verifyPassword(
-            // lets recheck
+            requestData.password,
-            if (
+            user.data.passwordHash
-              (user.data.username !== requestData.username &&
+          ))) {
-                user.data.email !== requestData.username) ||
+            if (this.receptionRef.userManager.CUser.shouldUpgradePasswordHash(user.data.passwordHash)) {
-              user.data.passwordHash !==
+              user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
-                (await this.receptionRef.userManager.CUser.hashPassword(requestData.password))
+                requestData.password
-            ) {
-              throw new Error(
-                'database returned a user that does not match wanted criterea. CRITICAL!'
               );
+              await user.save();
             }
 
             const loginSession = await LoginSession.createLoginSessionForUser(user);
-            this.loginSessions.add(loginSession);
             const refreshToken = await loginSession.getRefreshToken();
+            if (!refreshToken) {
+              throw new plugins.typedrequest.TypedResponseError('Could not create login session');
+            }
 
             return {
-              status: 'ok',
+              refreshToken,
-              refreshToken: refreshToken,
               twoFaNeeded: false,
             };
           } else {
@@ -78,60 +66,62 @@ export class LoginSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_LoginWithEmail>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmail>(
         'loginWithEmail',
         async (requestDataArg) => {
+          logger.log('info', `loginWithEmail requested for: ${requestDataArg.email}`);
           const existingUser = await this.receptionRef.userManager.CUser.getInstance({
             data: {
               email: requestDataArg.email,
             },
           });
           if (existingUser) {
-            this.emailTokenMap.findOneAndRemoveSync(
+            logger.log('info', `loginWithEmail found user: ${existingUser.data.email}`);
-              (itemArg) => itemArg.email === existingUser.data.email
+            const loginEmailToken = await this.createEmailActionToken(
+              existingUser.data.email,
+              'emailLogin'
             );
-            const loginEmailToken = plugins.smartunique.uuid4();
-            this.emailTokenMap.add({
-              email: existingUser.data.email,
-              token: loginEmailToken,
-              action: 'emailLogin',
-            });
-            // lets make sure its only valid for 10 minutes
-            plugins.smartdelay.delayFor(600000, null, true).then(() => {
-              this.emailTokenMap.findOneAndRemoveSync(
-                (itemArg) => itemArg.token === loginEmailToken
-              );
-            });
             this.receptionRef.receptionMailer.sendLoginWithEMailMail(existingUser, loginEmailToken);
+            return {
+              status: 'ok',
+              testOnlyToken: process.env.TEST_MODE ? loginEmailToken : undefined,
+            };
+          } else {
+            logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`);
           }
           return {
             status: 'ok',
-            testOnlyToken: process.env.TEST_MODE
+            testOnlyToken: undefined,
-              ? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
-                  .token
-              : null,
           };
         }
       )
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
         'loginWithEmailAfterEmailTokenAquired',
         async (requestArg) => {
-          const tokenObject = this.emailTokenMap.findSync((itemArg) => {
+          const tokenObject = await this.consumeEmailActionToken(
-            return itemArg.email === requestArg.email && itemArg.token === requestArg.token;
+            requestArg.email,
-          });
+            requestArg.token,
+            'emailLogin'
+          );
           if (tokenObject) {
             const user = await this.receptionRef.userManager.CUser.getInstance({
               data: {
                 email: requestArg.email,
               },
             });
+            if (!user) {
+              throw new plugins.typedrequest.TypedResponseError('User not found');
+            }
             const loginSession = await LoginSession.createLoginSessionForUser(user);
-            this.loginSessions.add(loginSession);
+            const refreshToken = await loginSession.getRefreshToken();
+            if (!refreshToken) {
+              throw new plugins.typedrequest.TypedResponseError('Could not create login session');
+            }
             return {
-              refreshToken: await loginSession.getRefreshToken(),
+              refreshToken,
             };
           } else {
             throw new plugins.typedrequest.TypedResponseError('Validation Token not found');
@@ -140,51 +130,62 @@ export class LoginSessionManager {
       )
     );
 
-    this.typedRouter.addTypedHandler<plugins.lointReception.request.ILogoutRequest>(
+    this.typedRouter.addTypedHandler<plugins.idpInterfaces.request.ILogoutRequest>(
       new plugins.typedrequest.TypedHandler('logout', async (requestDataArg) => {
-        const loginSession = await this.CLoginSession.getLoginSessionByRefreshToken(requestDataArg.refreshToken);
+        const sessionLookup = await this.findLoginSessionByRefreshToken(requestDataArg.refreshToken);
-        await loginSession.invalidate();
+        if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
+          throw new plugins.typedrequest.TypedResponseError('Invalid refresh token');
+        }
+        await sessionLookup.loginSession.invalidate();
         return {}
       })
     );
 
-    this.typedRouter.addTypedHandler<plugins.lointReception.request.IReq_ExchangeRefreshTokenAndTransferToken>(
+    this.typedRouter.addTypedHandler<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
       new plugins.typedrequest.TypedHandler(
         'exchangeRefreshTokenAndTransferToken',
         async (requestDataArg) => {
           switch (true) {
-            case !!requestDataArg.refreshToken:
+            case !!requestDataArg.refreshToken: {
-              const loginSession = await this.loginSessions.find(async (loginSessionArg) => {
+              const sessionLookup = await this.findLoginSessionByRefreshToken(
-                return loginSessionArg.validateRefreshToken(requestDataArg.refreshToken);
+                requestDataArg.refreshToken
-              });
+              );
-              if (!loginSession) {
+              if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
+                if (sessionLookup?.validationStatus === 'reused') {
+                  await sessionLookup.loginSession.invalidate();
+                }
                 throw new plugins.typedrequest.TypedResponseError('your refresh token is invalid');
               }
               return {
-                transferToken: await loginSession.getTransferToken(),
+                transferToken: await sessionLookup.loginSession.getTransferToken(),
               };
-              break;
+            }
-            case !!requestDataArg.transferToken:
+            case !!requestDataArg.transferToken: {
-              let transferToken: string;
+              const loginSession2 = await this.findLoginSessionByTransferToken(
-              const loginSession2 = await this.loginSessions.find(async (loginSessionArg) => {
+                requestDataArg.transferToken
-                return loginSessionArg.validateTransferToken(requestDataArg.transferToken);
+              );
-              });
               if (!loginSession2) {
                 throw new plugins.typedrequest.TypedResponseError(
                   'Your transfer token is not valid.'
                 );
               }
+              const refreshToken = await loginSession2.getRefreshToken();
+              if (!refreshToken) {
+                throw new plugins.typedrequest.TypedResponseError('Could not create login session');
+              }
               return {
-                refreshToken: await loginSession2.getRefreshToken(),
+                refreshToken,
               };
-              break;
+            }
+            default:
+              throw new plugins.typedrequest.TypedResponseError('Invalid token exchange request');
           }
         }
       )
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_ResetPassword>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ResetPassword>(
         'resetPassword',
         async (requestDataArg) => {
           const emailOfPasswordToReset = requestDataArg.email;
@@ -194,23 +195,13 @@ export class LoginSessionManager {
             },
           });
           if (existingUser) {
-            this.emailTokenMap.findOneAndRemoveSync(
+            const resetToken = await this.createEmailActionToken(
-              (itemArg) => itemArg.email === existingUser.data.email
+              existingUser.data.email,
+              'passwordReset'
             );
-            this.emailTokenMap.add({
-              email: existingUser.data.email,
-              token: plugins.smartunique.shortId(),
-              action: 'passwordReset',
-            });
-            plugins.smartdelay.delayFor(600000, null, true).then(() => {
-              this.emailTokenMap.findOneAndRemoveSync(
-                (itemArg) => itemArg.email === existingUser.data.email
-              );
-            });
             this.receptionRef.receptionMailer.sendPasswordResetMail(
               existingUser,
-              this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
+              resetToken
-                .token
             );
           }
           // note: we always return ok here, since we don't want to give any indication as to wether a user is already registered with us.
@@ -222,9 +213,46 @@ export class LoginSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_SetNewPassword>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetNewPassword>(
         'setNewPassword',
         async (requestData) => {
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            data: {
+              email: requestData.email,
+            },
+          });
+
+          if (!user) {
+            throw new plugins.typedrequest.TypedResponseError('User not found');
+          }
+
+          if (requestData.tokenArg) {
+            const tokenObject = await this.consumeEmailActionToken(
+              requestData.email,
+              requestData.tokenArg,
+              'passwordReset'
+            );
+            if (!tokenObject) {
+              throw new plugins.typedrequest.TypedResponseError('Password reset token invalid');
+            }
+          } else if (requestData.oldPassword) {
+            const passwordOk = await this.receptionRef.userManager.CUser.verifyPassword(
+              requestData.oldPassword,
+              user.data.passwordHash
+            );
+            if (!passwordOk) {
+              throw new plugins.typedrequest.TypedResponseError('Old password invalid');
+            }
+          } else {
+            throw new plugins.typedrequest.TypedResponseError(
+              'Either a reset token or the old password is required'
+            );
+          }
+
+          user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
+            requestData.newPassword
+          );
+          await user.save();
           return {
             status: 'ok',
           };
@@ -236,7 +264,7 @@ export class LoginSessionManager {
      * returns a device id by simply returning a uuid4
      */
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_ObtainDeviceId>('obtainDeviceId', async (reqData) => {
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ObtainDeviceId>('obtainDeviceId', async (reqData) => {
         reqData;
         return {
           deviceId: {
@@ -247,13 +275,177 @@ export class LoginSessionManager {
     )
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_AttachDeviceId>('attachDeviceId', async (reqData) => {
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AttachDeviceId>('attachDeviceId', async (reqData) => {
         // TODO: Blocked by proper JWT handling
         reqData.jwt;
         return {
           ok: false
         }
       })
-    )
+    );
+
+    // Get all sessions for the current user
+    this.typedRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetUserSessions>(
+        'getUserSessions',
+        async (requestArg) => {
+          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          if (!jwt) {
+            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
+          }
+
+          const currentLoginSession = await jwt.getLoginSession();
+
+          // Get all sessions for this user
+          const sessions = await this.CLoginSession.getInstances({
+            'data.userId': jwt.data.userId,
+            'data.invalidated': false,
+          });
+
+          return {
+            sessions: sessions.map((session) => ({
+              id: session.id,
+              deviceId: session.data.deviceId || 'unknown',
+              deviceName: session.data.deviceInfo?.deviceName || 'Unknown Device',
+              browser: session.data.deviceInfo?.browser || 'Unknown Browser',
+              os: session.data.deviceInfo?.os || 'Unknown OS',
+              ip: session.data.deviceInfo?.ip || 'Unknown',
+              lastActive: session.data.lastActive || session.data.createdAt || Date.now(),
+              createdAt: session.data.createdAt || Date.now(),
+              isCurrent: session.id === currentLoginSession?.id,
+            })),
+          };
+        }
+      )
+    );
+
+    // Revoke a specific session
+    this.typedRouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RevokeSession>(
+        'revokeSession',
+        async (requestArg) => {
+          const jwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(requestArg.jwt);
+          if (!jwt) {
+            throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
+          }
+
+          // Get the session to revoke
+          const sessionToRevoke = await this.CLoginSession.getInstance({
+            id: requestArg.sessionId,
+            'data.userId': jwt.data.userId, // Ensure user can only revoke their own sessions
+          });
+
+          if (!sessionToRevoke) {
+            throw new plugins.typedrequest.TypedResponseError('Session not found');
+          }
+
+          const currentLoginSession = await jwt.getLoginSession();
+
+          // Don't allow revoking the current session via this method
+          if (sessionToRevoke.id === currentLoginSession?.id) {
+            throw new plugins.typedrequest.TypedResponseError(
+              'Cannot revoke current session. Use logout instead.'
+            );
+          }
+
+          await sessionToRevoke.invalidate();
+
+          // Log the activity
+          await this.receptionRef.activityLogManager.logActivity(
+            jwt.data.userId,
+            'session_revoked',
+            `Revoked session on ${sessionToRevoke.data.deviceInfo?.deviceName || 'unknown device'}`
+          );
+
+          return { success: true };
+        }
+      )
+    );
+  }
+
+  public async findLoginSessionByRefreshToken(refreshTokenArg: string): Promise<{
+    loginSession: LoginSession;
+    validationStatus: TRefreshTokenValidationResult;
+  } | null> {
+    const directMatch = await this.CLoginSession.getLoginSessionByRefreshToken(refreshTokenArg);
+    if (directMatch) {
+      return {
+        loginSession: directMatch,
+        validationStatus: await directMatch.validateRefreshToken(refreshTokenArg),
+      };
+    }
+
+    const loginSessions = await this.CLoginSession.getInstances({});
+    for (const loginSession of loginSessions) {
+      const validationStatus = await loginSession.validateRefreshToken(refreshTokenArg);
+      if (validationStatus !== 'invalid') {
+        return {
+          loginSession,
+          validationStatus,
+        };
+      }
+    }
+
+    return null;
+  }
+
+  public async findLoginSessionByTransferToken(transferTokenArg: string) {
+    const transferTokenHash = await LoginSession.hashSessionToken(transferTokenArg);
+    const loginSession = await this.CLoginSession.getInstance({
+      'data.transferTokenHash': transferTokenHash,
+    });
+
+    if (!loginSession) {
+      return null;
+    }
+
+    const isValid = await loginSession.validateTransferToken(transferTokenArg);
+    return isValid ? loginSession : null;
+  }
+
+  public async createEmailActionToken(
+    emailArg: string,
+    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
+  ) {
+    const existingTokens = await this.CEmailActionToken.getInstances({
+      'data.email': emailArg,
+      'data.action': actionArg,
+    });
+
+    for (const existingToken of existingTokens) {
+      await existingToken.delete();
+    }
+
+    const plainToken = EmailActionToken.createOpaqueToken(actionArg);
+    const emailActionToken = new EmailActionToken();
+    emailActionToken.id = plugins.smartunique.shortId();
+    emailActionToken.data = {
+      email: emailArg,
+      action: actionArg,
+      tokenHash: EmailActionToken.hashToken(plainToken),
+      validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 }),
+      createdAt: Date.now(),
+    };
+    await emailActionToken.save();
+    return plainToken;
+  }
+
+  public async consumeEmailActionToken(
+    emailArg: string,
+    tokenArg: string,
+    actionArg: plugins.idpInterfaces.data.TEmailActionTokenAction
+  ) {
+    const emailActionToken = await this.CEmailActionToken.getInstance({
+      'data.email': emailArg,
+      'data.action': actionArg,
+      'data.tokenHash': EmailActionToken.hashToken(tokenArg),
+    });
+
+    if (!emailActionToken) {
+      return null;
+    }
+
+    const consumed = await emailActionToken.consume(tokenArg);
+    return consumed ? emailActionToken : null;
   }
 }

ts/reception/classes.oidcmanager.ts

@@ -0,0 +1,683 @@
+import * as plugins from '../plugins.js';
+import type { Reception } from './classes.reception.js';
+import type { App } from './classes.app.js';
+
+/**
+ * OidcManager handles OpenID Connect (OIDC) server functionality
+ * for third-party client authentication.
+ */
+export class OidcManager {
+  public receptionRef: Reception;
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+
+  // In-memory store for authorization codes (short-lived, 10 min TTL)
+  private authorizationCodes = new Map<string, plugins.idpInterfaces.data.IAuthorizationCode>();
+
+  // In-memory store for access tokens (for validation)
+  private accessTokens = new Map<string, plugins.idpInterfaces.data.IOidcAccessToken>();
+
+  // In-memory store for refresh tokens
+  private refreshTokens = new Map<string, plugins.idpInterfaces.data.IOidcRefreshToken>();
+
+  // In-memory store for user consents (should be persisted later)
+  private userConsents = new Map<string, plugins.idpInterfaces.data.IUserConsent>();
+
+  constructor(receptionRefArg: Reception) {
+    this.receptionRef = receptionRefArg;
+
+    // Start cleanup task for expired codes/tokens
+    this.startCleanupTask();
+  }
+
+  /**
+   * Get the OIDC Discovery Document
+   */
+  public getDiscoveryDocument(): plugins.idpInterfaces.data.IOidcDiscoveryDocument {
+    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
+    return {
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/oauth/authorize`,
+      token_endpoint: `${baseUrl}/oauth/token`,
+      userinfo_endpoint: `${baseUrl}/oauth/userinfo`,
+      jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+      revocation_endpoint: `${baseUrl}/oauth/revoke`,
+      scopes_supported: ['openid', 'profile', 'email', 'organizations', 'roles'],
+      response_types_supported: ['code'],
+      grant_types_supported: ['authorization_code', 'refresh_token'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
+      code_challenge_methods_supported: ['S256'],
+      claims_supported: [
+        'sub', 'iss', 'aud', 'exp', 'iat', 'auth_time', 'nonce',
+        'name', 'preferred_username', 'picture',
+        'email', 'email_verified',
+        'organizations', 'roles'
+      ],
+    };
+  }
+
+  /**
+   * Get the JSON Web Key Set (JWKS)
+   */
+  public getJwks(): plugins.idpInterfaces.data.IJwks {
+    const keypair = this.receptionRef.jwtManager.smartjwtInstance.getKeyPairAsJson();
+    // Convert PEM to JWK format
+    const jwk = this.pemToJwk(keypair.publicPem);
+    return {
+      keys: [jwk],
+    };
+  }
+
+  /**
+   * Convert PEM public key to JWK format
+   */
+  private pemToJwk(publicPem: string): plugins.idpInterfaces.data.IJwk {
+    // For now, use a simplified approach - in production, parse the PEM properly
+    // The smartjwt library should provide this, or use crypto.createPublicKey
+    const kid = plugins.smarthash.sha256FromStringSync(publicPem).substring(0, 16);
+
+    // This is a placeholder - proper implementation would extract n and e from PEM
+    // For now, return a minimal structure
+    return {
+      kty: 'RSA',
+      use: 'sig',
+      alg: 'RS256',
+      kid: kid,
+      // These would be extracted from the actual public key
+      n: Buffer.from(publicPem).toString('base64url').substring(0, 256),
+      e: 'AQAB', // Standard RSA exponent (65537)
+    };
+  }
+
+  /**
+   * Handle the authorization endpoint request
+   */
+  public async handleAuthorize(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
+    const params = ctx.url.searchParams;
+
+    // Extract authorization request parameters
+    const clientId = params.get('client_id');
+    const redirectUri = params.get('redirect_uri');
+    const responseType = params.get('response_type');
+    const scope = params.get('scope');
+    const state = params.get('state');
+    const codeChallenge = params.get('code_challenge');
+    const codeChallengeMethod = params.get('code_challenge_method');
+    const nonce = params.get('nonce');
+    const prompt = params.get('prompt') as 'none' | 'login' | 'consent' | null;
+
+    // Validate required parameters
+    if (!clientId || !redirectUri || !responseType || !scope || !state) {
+      return this.errorResponse('invalid_request', 'Missing required parameters');
+    }
+
+    if (responseType !== 'code') {
+      return this.errorResponse('unsupported_response_type', 'Only code response type is supported');
+    }
+
+    // Validate code challenge method if present
+    if (codeChallenge && codeChallengeMethod !== 'S256') {
+      return this.errorResponse('invalid_request', 'Only S256 code challenge method is supported');
+    }
+
+    // Find the app by client_id
+    const app = await this.findAppByClientId(clientId);
+    if (!app) {
+      return this.errorResponse('invalid_client', 'Unknown client_id');
+    }
+
+    // Validate redirect URI
+    if (!app.data.oauthCredentials.redirectUris.includes(redirectUri)) {
+      return this.errorResponse('invalid_request', 'Invalid redirect_uri');
+    }
+
+    // Parse and validate scopes
+    const requestedScopes = scope.split(' ') as plugins.idpInterfaces.data.TOidcScope[];
+    const allowedScopes = app.data.oauthCredentials.allowedScopes as plugins.idpInterfaces.data.TOidcScope[];
+    const validScopes = requestedScopes.filter(s => allowedScopes.includes(s));
+
+    if (!validScopes.includes('openid')) {
+      return this.errorResponse('invalid_scope', 'openid scope is required');
+    }
+
+    // For now, redirect to login page with OAuth parameters
+    // The login page will handle authentication and call back to complete authorization
+    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
+    const loginUrl = new URL(`${baseUrl}/login`);
+    loginUrl.searchParams.set('oauth', 'true');
+    loginUrl.searchParams.set('client_id', clientId);
+    loginUrl.searchParams.set('redirect_uri', redirectUri);
+    loginUrl.searchParams.set('scope', validScopes.join(' '));
+    loginUrl.searchParams.set('state', state);
+    if (codeChallenge) {
+      loginUrl.searchParams.set('code_challenge', codeChallenge);
+      loginUrl.searchParams.set('code_challenge_method', codeChallengeMethod!);
+    }
+    if (nonce) {
+      loginUrl.searchParams.set('nonce', nonce);
+    }
+
+    return Response.redirect(loginUrl.toString(), 302);
+  }
+
+  /**
+   * Generate an authorization code after user authentication
+   */
+  public async generateAuthorizationCode(
+    clientId: string,
+    userId: string,
+    scopes: plugins.idpInterfaces.data.TOidcScope[],
+    redirectUri: string,
+    codeChallenge?: string,
+    nonce?: string
+  ): Promise<string> {
+    const code = plugins.smartunique.shortId(32);
+    const authCode: plugins.idpInterfaces.data.IAuthorizationCode = {
+      code,
+      clientId,
+      userId,
+      scopes,
+      redirectUri,
+      codeChallenge,
+      codeChallengeMethod: codeChallenge ? 'S256' : undefined,
+      nonce,
+      expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
+      used: false,
+    };
+
+    this.authorizationCodes.set(code, authCode);
+    return code;
+  }
+
+  /**
+   * Handle the token endpoint request
+   */
+  public async handleToken(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
+    // Parse form data
+    const contentType = ctx.headers.get('content-type');
+    if (!contentType?.includes('application/x-www-form-urlencoded')) {
+      return this.tokenErrorResponse('invalid_request', 'Content-Type must be application/x-www-form-urlencoded');
+    }
+
+    const formData = await ctx.formData();
+    const grantType = formData.get('grant_type') as string;
+
+    // Extract client credentials from Basic auth or form
+    let clientId = formData.get('client_id') as string;
+    let clientSecret = formData.get('client_secret') as string;
+
+    const authHeader = ctx.headers.get('authorization');
+    if (authHeader?.startsWith('Basic ')) {
+      const base64 = authHeader.substring(6);
+      const decoded = Buffer.from(base64, 'base64').toString('utf-8');
+      const [id, secret] = decoded.split(':');
+      clientId = clientId || id;
+      clientSecret = clientSecret || secret;
+    }
+
+    if (!clientId) {
+      return this.tokenErrorResponse('invalid_client', 'Missing client_id');
+    }
+
+    // Find and validate app
+    const app = await this.findAppByClientId(clientId);
+    if (!app) {
+      return this.tokenErrorResponse('invalid_client', 'Unknown client');
+    }
+
+    // Validate client secret for confidential clients
+    if (clientSecret) {
+      const secretHash = await plugins.smarthash.sha256FromString(clientSecret);
+      if (secretHash !== app.data.oauthCredentials.clientSecretHash) {
+        return this.tokenErrorResponse('invalid_client', 'Invalid client credentials');
+      }
+    }
+
+    if (grantType === 'authorization_code') {
+      return this.handleAuthorizationCodeGrant(formData, app);
+    } else if (grantType === 'refresh_token') {
+      return this.handleRefreshTokenGrant(formData, app);
+    } else {
+      return this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
+    }
+  }
+
+  /**
+   * Handle authorization_code grant type
+   */
+  private async handleAuthorizationCodeGrant(
+    formData: FormData,
+    app: App
+  ): Promise<Response> {
+    const code = formData.get('code') as string;
+    const redirectUri = formData.get('redirect_uri') as string;
+    const codeVerifier = formData.get('code_verifier') as string;
+
+    if (!code || !redirectUri) {
+      return this.tokenErrorResponse('invalid_request', 'Missing code or redirect_uri');
+    }
+
+    // Find and validate authorization code
+    const authCode = this.authorizationCodes.get(code);
+    if (!authCode) {
+      return this.tokenErrorResponse('invalid_grant', 'Invalid authorization code');
+    }
+
+    if (authCode.used) {
+      // Code reuse attack - revoke all tokens for this code
+      this.authorizationCodes.delete(code);
+      return this.tokenErrorResponse('invalid_grant', 'Authorization code already used');
+    }
+
+    if (authCode.expiresAt < Date.now()) {
+      this.authorizationCodes.delete(code);
+      return this.tokenErrorResponse('invalid_grant', 'Authorization code expired');
+    }
+
+    if (authCode.clientId !== app.data.oauthCredentials.clientId) {
+      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
+    }
+
+    if (authCode.redirectUri !== redirectUri) {
+      return this.tokenErrorResponse('invalid_grant', 'Redirect URI mismatch');
+    }
+
+    // Verify PKCE if code challenge was used
+    if (authCode.codeChallenge) {
+      if (!codeVerifier) {
+        return this.tokenErrorResponse('invalid_grant', 'Code verifier required');
+      }
+      const expectedChallenge = this.generateS256Challenge(codeVerifier);
+      if (expectedChallenge !== authCode.codeChallenge) {
+        return this.tokenErrorResponse('invalid_grant', 'Invalid code verifier');
+      }
+    }
+
+    // Mark code as used
+    authCode.used = true;
+
+    // Generate tokens
+    const tokens = await this.generateTokens(
+      authCode.userId,
+      app.data.oauthCredentials.clientId,
+      authCode.scopes,
+      authCode.nonce
+    );
+
+    return new Response(JSON.stringify(tokens), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json',
+        'Cache-Control': 'no-store',
+        'Pragma': 'no-cache',
+      },
+    });
+  }
+
+  /**
+   * Handle refresh_token grant type
+   */
+  private async handleRefreshTokenGrant(
+    formData: FormData,
+    app: App
+  ): Promise<Response> {
+    const refreshToken = formData.get('refresh_token') as string;
+
+    if (!refreshToken) {
+      return this.tokenErrorResponse('invalid_request', 'Missing refresh_token');
+    }
+
+    const tokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+    const storedToken = this.refreshTokens.get(tokenHash);
+
+    if (!storedToken) {
+      return this.tokenErrorResponse('invalid_grant', 'Invalid refresh token');
+    }
+
+    if (storedToken.revoked) {
+      return this.tokenErrorResponse('invalid_grant', 'Refresh token has been revoked');
+    }
+
+    if (storedToken.expiresAt < Date.now()) {
+      this.refreshTokens.delete(tokenHash);
+      return this.tokenErrorResponse('invalid_grant', 'Refresh token expired');
+    }
+
+    if (storedToken.clientId !== app.data.oauthCredentials.clientId) {
+      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
+    }
+
+    // Generate new tokens (without new refresh token by default)
+    const tokens = await this.generateTokens(
+      storedToken.userId,
+      storedToken.clientId,
+      storedToken.scopes,
+      undefined,
+      false // Don't generate new refresh token
+    );
+
+    return new Response(JSON.stringify(tokens), {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json',
+        'Cache-Control': 'no-store',
+        'Pragma': 'no-cache',
+      },
+    });
+  }
+
+  /**
+   * Generate access token, ID token, and optionally refresh token
+   */
+  private async generateTokens(
+    userId: string,
+    clientId: string,
+    scopes: plugins.idpInterfaces.data.TOidcScope[],
+    nonce?: string,
+    includeRefreshToken = true
+  ): Promise<plugins.idpInterfaces.data.ITokenResponse> {
+    const now = Date.now();
+    const accessTokenLifetime = 3600; // 1 hour
+    const refreshTokenLifetime = 30 * 24 * 3600; // 30 days
+
+    // Generate access token
+    const accessToken = plugins.smartunique.shortId(32);
+    const accessTokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const accessTokenData: plugins.idpInterfaces.data.IOidcAccessToken = {
+      id: plugins.smartunique.shortId(8),
+      tokenHash: accessTokenHash,
+      clientId,
+      userId,
+      scopes,
+      expiresAt: now + accessTokenLifetime * 1000,
+      issuedAt: now,
+    };
+    this.accessTokens.set(accessTokenHash, accessTokenData);
+
+    // Generate ID token (JWT)
+    const idToken = await this.generateIdToken(userId, clientId, scopes, nonce);
+
+    const response: plugins.idpInterfaces.data.ITokenResponse = {
+      access_token: accessToken,
+      token_type: 'Bearer',
+      expires_in: accessTokenLifetime,
+      id_token: idToken,
+      scope: scopes.join(' '),
+    };
+
+    // Generate refresh token if requested
+    if (includeRefreshToken) {
+      const refreshToken = plugins.smartunique.shortId(48);
+      const refreshTokenHash = await plugins.smarthash.sha256FromString(refreshToken);
+      const refreshTokenData: plugins.idpInterfaces.data.IOidcRefreshToken = {
+        id: plugins.smartunique.shortId(8),
+        tokenHash: refreshTokenHash,
+        clientId,
+        userId,
+        scopes,
+        expiresAt: now + refreshTokenLifetime * 1000,
+        issuedAt: now,
+        revoked: false,
+      };
+      this.refreshTokens.set(refreshTokenHash, refreshTokenData);
+      response.refresh_token = refreshToken;
+    }
+
+    return response;
+  }
+
+  /**
+   * Generate an ID token (JWT)
+   */
+  private async generateIdToken(
+    userId: string,
+    clientId: string,
+    scopes: plugins.idpInterfaces.data.TOidcScope[],
+    nonce?: string
+  ): Promise<string> {
+    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
+    const now = Math.floor(Date.now() / 1000);
+
+    const claims: plugins.idpInterfaces.data.IIdTokenClaims = {
+      iss: baseUrl,
+      sub: userId,
+      aud: clientId,
+      exp: now + 3600, // 1 hour
+      iat: now,
+      auth_time: now,
+    };
+
+    if (nonce) {
+      claims.nonce = nonce;
+    }
+
+    // Add claims based on scopes
+    if (scopes.includes('profile') || scopes.includes('email') || scopes.includes('organizations') || scopes.includes('roles')) {
+      const userInfo = await this.getUserClaims(userId, scopes);
+      Object.assign(claims, userInfo);
+    }
+
+    // Sign the JWT
+    const idToken = await this.receptionRef.jwtManager.smartjwtInstance.createJWT(claims);
+    return idToken;
+  }
+
+  /**
+   * Handle the userinfo endpoint
+   */
+  public async handleUserInfo(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
+    // Get access token from Authorization header
+    const authHeader = ctx.headers.get('authorization');
+    if (!authHeader?.startsWith('Bearer ')) {
+      return new Response(JSON.stringify({ error: 'invalid_token' }), {
+        status: 401,
+        headers: {
+          'Content-Type': 'application/json',
+          'WWW-Authenticate': 'Bearer error="invalid_token"',
+        },
+      });
+    }
+
+    const accessToken = authHeader.substring(7);
+    const tokenHash = await plugins.smarthash.sha256FromString(accessToken);
+    const tokenData = this.accessTokens.get(tokenHash);
+
+    if (!tokenData) {
+      return new Response(JSON.stringify({ error: 'invalid_token' }), {
+        status: 401,
+        headers: {
+          'Content-Type': 'application/json',
+          'WWW-Authenticate': 'Bearer error="invalid_token"',
+        },
+      });
+    }
+
+    if (tokenData.expiresAt < Date.now()) {
+      this.accessTokens.delete(tokenHash);
+      return new Response(JSON.stringify({ error: 'invalid_token', error_description: 'Token expired' }), {
+        status: 401,
+        headers: {
+          'Content-Type': 'application/json',
+          'WWW-Authenticate': 'Bearer error="invalid_token", error_description="Token expired"',
+        },
+      });
+    }
+
+    // Get user claims based on token scopes
+    const userInfo = await this.getUserClaims(tokenData.userId, tokenData.scopes);
+
+    return new Response(JSON.stringify(userInfo), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  /**
+   * Get user claims based on scopes
+   */
+  private async getUserClaims(
+    userId: string,
+    scopes: plugins.idpInterfaces.data.TOidcScope[]
+  ): Promise<plugins.idpInterfaces.data.IUserInfoResponse> {
+    const user = await this.receptionRef.userManager.CUser.getInstance({ id: userId });
+    if (!user) {
+      return { sub: userId };
+    }
+
+    const claims: plugins.idpInterfaces.data.IUserInfoResponse = {
+      sub: userId,
+    };
+
+    // Profile scope
+    if (scopes.includes('profile')) {
+      claims.name = user.data?.name;
+      claims.preferred_username = user.data?.username;
+      // claims.picture = user.data?.avatarUrl; // If avatar exists
+    }
+
+    // Email scope
+    if (scopes.includes('email')) {
+      claims.email = user.data?.email;
+      claims.email_verified = user.data?.status === 'active';
+    }
+
+    // Organizations scope (custom)
+    if (scopes.includes('organizations')) {
+      const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser(user);
+      const roles = await this.receptionRef.roleManager.getAllRolesForUser(user);
+      if (organizations) {
+        claims.organizations = organizations.map(org => ({
+          id: org.id,
+          name: org.data?.name || '',
+          slug: org.data?.slug || '',
+          roles: roles
+            .find(r => r.data?.organizationId === org.id)?.data?.roles || [],
+        }));
+      }
+    }
+
+    // Roles scope (custom - global roles)
+    if (scopes.includes('roles')) {
+      const roles: string[] = ['user'];
+      if (user.data?.isGlobalAdmin) {
+        roles.push('admin');
+      }
+      claims.roles = roles;
+    }
+
+    return claims;
+  }
+
+  /**
+   * Handle the revocation endpoint
+   */
+  public async handleRevoke(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
+    const formData = await ctx.formData();
+    const token = formData.get('token') as string;
+    const tokenTypeHint = formData.get('token_type_hint') as string;
+
+    if (!token) {
+      return new Response(null, { status: 200 }); // Spec says always return 200
+    }
+
+    const tokenHash = await plugins.smarthash.sha256FromString(token);
+
+    // Try to revoke as refresh token
+    if (!tokenTypeHint || tokenTypeHint === 'refresh_token') {
+      const refreshToken = this.refreshTokens.get(tokenHash);
+      if (refreshToken) {
+        refreshToken.revoked = true;
+        return new Response(null, { status: 200 });
+      }
+    }
+
+    // Try to revoke as access token
+    if (!tokenTypeHint || tokenTypeHint === 'access_token') {
+      if (this.accessTokens.has(tokenHash)) {
+        this.accessTokens.delete(tokenHash);
+        return new Response(null, { status: 200 });
+      }
+    }
+
+    // Token not found - still return 200 per spec
+    return new Response(null, { status: 200 });
+  }
+
+  /**
+   * Find an app by its OAuth client_id
+   */
+  private async findAppByClientId(clientId: string): Promise<App | null> {
+    const apps = await this.receptionRef.appManager.CApp.getInstances({
+      'data.oauthCredentials.clientId': clientId,
+    });
+    return apps[0] || null;
+  }
+
+  /**
+   * Generate S256 PKCE challenge from verifier
+   */
+  private generateS256Challenge(verifier: string): string {
+    const hash = plugins.smarthash.sha256FromStringSync(verifier);
+    return Buffer.from(hash, 'hex').toString('base64url');
+  }
+
+  /**
+   * Create an error response for authorization endpoint
+   */
+  private errorResponse(error: string, description: string): Response {
+    return new Response(JSON.stringify({ error, error_description: description }), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  /**
+   * Create an error response for token endpoint
+   */
+  private tokenErrorResponse(
+    error: plugins.idpInterfaces.data.ITokenErrorResponse['error'],
+    description: string
+  ): Response {
+    const body: plugins.idpInterfaces.data.ITokenErrorResponse = {
+      error,
+      error_description: description,
+    };
+    return new Response(JSON.stringify(body), {
+      status: 400,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  /**
+   * Start cleanup task for expired tokens/codes
+   */
+  private startCleanupTask(): void {
+    setInterval(() => {
+      const now = Date.now();
+
+      // Clean up expired authorization codes
+      for (const [code, data] of this.authorizationCodes) {
+        if (data.expiresAt < now) {
+          this.authorizationCodes.delete(code);
+        }
+      }
+
+      // Clean up expired access tokens
+      for (const [hash, data] of this.accessTokens) {
+        if (data.expiresAt < now) {
+          this.accessTokens.delete(hash);
+        }
+      }
+
+      // Clean up expired refresh tokens
+      for (const [hash, data] of this.refreshTokens) {
+        if (data.expiresAt < now) {
+          this.refreshTokens.delete(hash);
+        }
+      }
+    }, 60 * 1000); // Run every minute
+  }
+}

ts/reception/classes.organization.ts

@@ -5,7 +5,7 @@ import { User } from './classes.user.js';
 @plugins.smartdata.Manager()
 export class Organization extends plugins.smartdata.SmartDataDbDoc<
   Organization,
-  plugins.lointReception.data.IOrganization,
+  plugins.idpInterfaces.data.IOrganization,
   OrganizationManager
 > {
   public static async createNewOrganizationForUser(
@@ -28,13 +28,13 @@ export class Organization extends plugins.smartdata.SmartDataDbDoc<
 
   // INSTANCE
   @plugins.smartdata.unI()
-  id: plugins.lointReception.data.IOrganization['id'];
+  id: plugins.idpInterfaces.data.IOrganization['id'];
   
   @plugins.smartdata.svDb()
-  data: plugins.lointReception.data.IOrganization['data'];
+  data: plugins.idpInterfaces.data.IOrganization['data'];
 
   public async checkIfUserIsAdmin(userArg: User) {
     const role = await this.manager.receptionRef.roleManager.getRoleForUserAndOrg(userArg, this);
-    return role.data.role === 'admin';
+    return role.data.roles?.includes('admin') || role.data.roles?.includes('owner');
   }
 }

ts/reception/classes.organizationmanager.ts

@@ -17,7 +17,7 @@ export class OrganizationManager {
     this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
 
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_CreateOrganization>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CreateOrganization>(
         'createOrganization',
         async (requestArg) => {
           const nameIsAvailable = async () => {
@@ -50,13 +50,14 @@ export class OrganizationManager {
                 action: 'create',
                 organizationId: newOrg.id,
                 userId: userData.id,
-                role: 'admin',
+                roles: ['owner'],
               });
               newOrg.data.roleIds.push(role.id);
               await newOrg.save();
               return {
                 nameAvailable: true,
-                resultingOrganization: await newOrg.createSavableObject()
+                resultingOrganization: await newOrg.createSavableObject(),
+                role: await role.createSavableObject(),
               }
               break;
           }
@@ -64,7 +65,7 @@ export class OrganizationManager {
       )
     );
     this.typedrouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_GetOrganizationById>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetOrganizationById>(
         'getOrganizationById',
         async (requestArg) => {
           const verifiedJwt = await this.receptionRef.jwtManager.verifyJWTAndGetData(

ts/reception/classes.reception.ts

@@ -1,5 +1,4 @@
 import * as plugins from '../plugins.js';
-import * as paths from '../paths.js';
 import { logger } from './logging.js';
 
 import { JwtManager } from './classes.jwtmanager.js';
@@ -13,6 +12,11 @@ import { ReceptionHousekeeping } from './classes.housekeeping.js';
 import { OrganizationManager } from './classes.organizationmanager.js';
 import { RoleManager } from './classes.rolemanager.js';
 import { BillingPlanManager } from './classes.billingplanmanager.js';
+import { AppManager } from './classes.appmanager.js';
+import { AppConnectionManager } from './classes.appconnectionmanager.js';
+import { ActivityLogManager } from './classes.activitylogmanager.js';
+import { UserInvitationManager } from './classes.userinvitationmanager.js';
+import { OidcManager } from './classes.oidcmanager.js';
 
 export interface IReceptionOptions {
   /**
@@ -21,10 +25,10 @@ export interface IReceptionOptions {
   name: string;
   mongoDescriptor: plugins.smartdata.IMongoDescriptor;
   websiteServer: plugins.typedserver.utilityservers.UtilityWebsiteServer;
+  baseUrl: string;
 }
 
 export class Reception {
-  public projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
   public typedrouter = new plugins.typedrequest.TypedRouter();
   public serviceQenv = new plugins.qenv.Qenv('./', './.nogit');
   public szPlatformClient = new plugins.szPlatformClient.SzPlatformClient();
@@ -40,6 +44,11 @@ export class Reception {
   public organizationmanager = new OrganizationManager(this);
   public roleManager = new RoleManager(this);
   public billingPlanManager = new BillingPlanManager(this);
+  public appManager = new AppManager(this);
+  public appConnectionManager = new AppConnectionManager(this);
+  public activityLogManager = new ActivityLogManager(this);
+  public userInvitationManager = new UserInvitationManager(this);
+  public oidcManager = new OidcManager(this);
   housekeeping = new ReceptionHousekeeping(this);
 
   constructor(public options: IReceptionOptions) {
@@ -55,6 +64,7 @@ export class Reception {
    * starts the reception instance
    */
   public async start() {
+    await this.szPlatformClient.init(await this.serviceQenv.getEnvVarOnDemand('SERVEZONE_PLATFROM_AUTHORIZATION'));
     logger.log('info', 'starting reception');
     logger.log('info', 'adding typedrouter to website server');
     this.options.websiteServer.typedrouter.addTypedRouter(this.typedrouter);

ts/reception/classes.receptiondb.ts

@@ -10,7 +10,6 @@ export class ReceptionDb {
   }
 
   public async start() {
-    console.log(this.receptionRef.options.mongoDescriptor);
     this.smartdataDb = new plugins.smartdata.SmartdataDb(this.receptionRef.options.mongoDescriptor);
     await this.smartdataDb.init();
   }

ts/reception/classes.receptionmailer.ts

@@ -152,9 +152,9 @@ export class ReceptionMailer {
 </html>
 `;
 
-  public sendRegistrationEmail(signupSessionArg: RegistrationSession, validationTokenArg: string) {
+  public async sendRegistrationEmail(signupSessionArg: RegistrationSession, validationTokenArg: string) {
     this.receptionRef.szPlatformClient.emailConnector.sendEmail({
-      from: 'workspace.global <noreply@mail.workspace.global>',
+      from: `idp.global@${this.receptionRef.options.baseUrl} <noreply@mail.workspace.global>`,
       title: 'Verify your Email Address!',
       to: signupSessionArg.emailAddress,
       body: this.createBodyString(`
@@ -163,7 +163,7 @@ export class ReceptionMailer {
         }">${signupSessionArg.emailAddress}</a></h1>
         <p>It looks like you requested to register an account with us. We just want to make sure it really was you.</p>
         <p>In case it was you, <b>please continue with the registration process by clicking the button below</b>. Otherwise, please ignore this email.</p>
-        <a href="https://registration.workspace.global/finishregistration?validationtoken=${encodeURI(
+        <a href="${this.receptionRef.options.baseUrl}/finishregistration?validationtoken=${encodeURI(
           validationTokenArg
         )}"><div class="button">
           continue with registration
@@ -229,6 +229,7 @@ export class ReceptionMailer {
   }
 
   public sendLoginWithEMailMail(userArg: User, validationTokenArg: string) {
+    console.log(`sending login email to ${userArg.data.email}`);
     this.receptionRef.szPlatformClient.emailConnector.sendEmail({
       from: 'workspace.global <noreply@mail.workspace.global>',
       title: 'Click to login!',
@@ -267,4 +268,33 @@ export class ReceptionMailer {
       `),
     });
   }
+
+  public sendInvitationEmail(
+    email: string,
+    organizationName: string,
+    invitationToken: string,
+    baseUrl: string
+  ) {
+    const invitationUrl = `${baseUrl}/invite?token=${encodeURI(invitationToken)}`;
+
+    this.receptionRef.szPlatformClient.emailConnector.sendEmail({
+      from: `idp.global@${this.receptionRef.options.baseUrl} <noreply@mail.workspace.global>`,
+      title: `You've been invited to join ${organizationName}`,
+      to: email,
+      body: this.createBodyString(`
+        <h1>You're Invited!</h1>
+        <p>You've been invited to join <b>${organizationName}</b> on idp.global.</p>
+        <p>Click the button below to accept the invitation and join the organization.</p>
+        <a href="${invitationUrl}"><div class="button">
+          Accept Invitation
+        </div></a>
+        <p style="color: #888888; font-size: 12px; margin-top: 20px;">
+          If you don't have an account yet, you'll be able to create one when you accept the invitation.
+        </p>
+        <p style="color: #888888; font-size: 12px;">
+          This invitation will expire in 90 days.
+        </p>
+      `),
+    });
+  }
 }

ts/reception/classes.registrationsession.ts

@@ -5,191 +5,187 @@ import { logger } from './logging.js';
 import { User } from './classes.user.js';
 
 /**
- * a RegistrationSession is a in memory session for signing up
+ * a RegistrationSession persists a sign up flow across restarts
  */
-export class RegistrationSession {
+@plugins.smartdata.Manager()
-  // ======
+export class RegistrationSession extends plugins.smartdata.SmartDataDbDoc<
-  // STATIC
+  RegistrationSession,
-  // ======
+  plugins.idpInterfaces.data.IRegistrationSession,
+  RegistrationSessionManager
+> {
+  public static hashToken(tokenArg: string) {
+    return plugins.smarthash.sha256FromStringSync(tokenArg);
+  }
+
   public static async createRegistrationSessionForEmail(
-    registrationSessionManageremailArg: RegistrationSessionManager,
     emailArg: string
   ) {
-    const newRegistrationSession = new RegistrationSession(
+    const newRegistrationSession = new RegistrationSession();
-      registrationSessionManageremailArg,
+    newRegistrationSession.id = plugins.smartunique.shortId();
-      emailArg
+    newRegistrationSession.data.emailAddress = emailArg;
-    );
+    newRegistrationSession.data.validUntil =
-    const emailValidationResult = await newRegistrationSession
+      Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 10 });
-      .validateEMailAddress()
+    newRegistrationSession.data.createdAt = Date.now();
-      .catch((error) => {
+
-        throw new plugins.typedrequest.TypedResponseError(
+    const emailValidationResult = await newRegistrationSession.validateEMailAddress().catch(() => {
-          'Error occured during email provider & dns validation'
+      throw new plugins.typedrequest.TypedResponseError(
-        );
+        'Error occured during email provider & dns validation'
-      });
+      );
+    });
+
     if (!emailValidationResult?.valid) {
-      newRegistrationSession.destroy();
       throw new plugins.typedrequest.TypedResponseError(
         'Email Address is not valid. Please use a correctly formated email address'
       );
     }
     if (emailValidationResult.disposable) {
-      newRegistrationSession.destroy();
       throw new plugins.typedrequest.TypedResponseError(
         'Email is disposable. Please use a non disposable email address.'
       );
     }
-    console.log(
+
-      `${newRegistrationSession.emailAddress} is valid. Continuing registration process!`
+    const validationToken = await newRegistrationSession.sendTokenValidationEmail();
-    );
+    newRegistrationSession.unhashedEmailToken = validationToken;
-    await newRegistrationSession.sendTokenValidationEmail();
-    console.log(`Successfully sent email validation email`);
     return newRegistrationSession;
   }
 
-  // ========
+  @plugins.smartdata.unI()
-  // INSTANCE
+  public id: string;
-  // ========
-  public registrationSessionManagerRef: RegistrationSessionManager;
 
-  public emailAddress: string;
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IRegistrationSession['data'] = {
+    emailAddress: '',
+    hashedEmailToken: '',
+    smsCodeHash: null,
+    smsvalidationCounter: 0,
+    status: 'announced',
+    validUntil: 0,
+    createdAt: 0,
+    collectedData: {
+      userData: {
+        username: null,
+        connectedOrgs: [],
+        email: null,
+        name: null,
+        status: null,
+        mobileNumber: null,
+        password: null,
+        passwordHash: null,
+      },
+    },
+  };
 
   /**
    * only used during testing
    */
   public unhashedEmailToken?: string;
-  public hashedEmailToken: string;
-  private smsvalidationCounter = 0;
-  public smsCode: string;
 
-  /**
+  public get emailAddress() {
-   * the status of the registration. should progress in a linear fashion.
+    return this.data.emailAddress;
-   */
+  }
-  public status: 'announced' | 'emailValidated' | 'mobileVerified' | 'registered' | 'failed' =
-    'announced';
 
-  public collectedData: {
+  public get status() {
-    userData: plugins.lointReception.data.IUser['data'];
+    return this.data.status;
-  } = {
+  }
-    userData: {
-      username: null,
-      connectedOrgs: [],
-      email: null,
-      name: null,
-      status: null,
-      mobileNumber: null,
-      password: null,
-      passwordHash: null,
-    },
-  };
 
-  constructor(
+  public set status(statusArg: plugins.idpInterfaces.data.TRegistrationSessionStatus) {
-    registrationSessionManagerRefArg: RegistrationSessionManager,
+    this.data.status = statusArg;
-    emailAddressArg: string
+  }
-  ) {
-    this.registrationSessionManagerRef = registrationSessionManagerRefArg;
-    this.emailAddress = emailAddressArg;
-    this.registrationSessionManagerRef.registrationSessions.addToMap(this.emailAddress, this);
 
-    // lets destroy this after 10 minutes,
+  public get collectedData() {
-    // works in unrefed mode so not blocking node exiting.
+    return this.data.collectedData;
-    plugins.smartdelay.delayFor(600000, null, true).then(() => this.destroy());
+  }
+
+  public isExpired() {
+    return this.data.validUntil < Date.now();
   }
 
   /**
    * validates a token by comparing its hash against the stored hashed token
-   * @param tokenArg
    */
-  public validateEmailToken(tokenArg: string): boolean {
+  public async validateEmailToken(tokenArg: string): Promise<boolean> {
-    const result = this.hashedEmailToken === plugins.smarthash.sha256FromStringSync(tokenArg);
+    if (this.isExpired()) {
-    if (result && this.status === 'announced') {
+      await this.destroy();
-      this.status = 'emailValidated';
+      return false;
-      this.collectedData.userData.email = this.emailAddress;
     }
-    if (!result && this.status === 'announced') {
+
-      this.status = 'failed';
+    const result = this.data.hashedEmailToken === RegistrationSession.hashToken(tokenArg);
+    if (result && this.data.status === 'announced') {
+      this.data.status = 'emailValidated';
+      this.data.collectedData.userData.email = this.data.emailAddress;
+      await this.save();
+    }
+    if (!result && this.data.status === 'announced') {
+      this.data.status = 'failed';
+      await this.save();
     }
     return result;
   }
 
   /** validates the sms code */
-  public validateSmsCode(smsCodeArg: string) {
+  public async validateSmsCode(smsCodeArg: string) {
-    this.smsvalidationCounter++;
+    this.data.smsvalidationCounter++;
-    const result = this.smsCode === smsCodeArg;
+    const result = this.data.smsCodeHash === RegistrationSession.hashToken(smsCodeArg);
-    if (this.status === 'emailValidated' && result) {
+    if (this.data.status === 'emailValidated' && result) {
-      this.status = 'mobileVerified';
+      this.data.status = 'mobileVerified';
+      await this.save();
       return result;
-    } else {
-      if (this.smsvalidationCounter === 5) {
-        this.destroy();
-        throw new plugins.typedrequest.TypedResponseError(
-          'Registration cancelled due to repeated wrong verification code submission'
-        );
-      }
-      return false;
     }
+
+    if (this.data.smsvalidationCounter >= 5) {
+      await this.destroy();
+      throw new plugins.typedrequest.TypedResponseError(
+        'Registration cancelled due to repeated wrong verification code submission'
+      );
+    }
+
+    await this.save();
+    return false;
   }
 
-  /**
-   * validate the email address with provider and dns sanity checks
-   * @returns
-   */
   public async validateEMailAddress(): Promise<plugins.smartmail.IEmailValidationResult> {
-    console.log(`validating email ${this.emailAddress}`);
+    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.data.emailAddress);
-    const result = await new plugins.smartmail.EmailAddressValidator().validate(this.emailAddress);
     return result;
   }
 
-  /**
-   * send the validation email
-   */
   public async sendTokenValidationEmail() {
     const uuidToSend = plugins.smartunique.uuid4();
-    this.unhashedEmailToken = uuidToSend;
+    this.data.hashedEmailToken = RegistrationSession.hashToken(uuidToSend);
-    this.hashedEmailToken = plugins.smarthash.sha256FromStringSync(uuidToSend);
+    await this.save();
-    this.registrationSessionManagerRef.receptionRef.receptionMailer.sendRegistrationEmail(
+    this.manager.receptionRef.receptionMailer.sendRegistrationEmail(this, uuidToSend);
-      this,
+    logger.log('info', `sent a validation email with a verification code to ${this.data.emailAddress}`);
-      uuidToSend
+    return uuidToSend;
-    );
-    logger.log('info', `sent a validation email with a verification code to ${this.emailAddress}`);
   }
 
-  /**
-   * validate the mobile number of someone
-   */
   public async sendValidationSms() {
-    this.smsCode =
+    const smsCode =
-      await this.registrationSessionManagerRef.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation(
+      await this.manager.receptionRef.szPlatformClient.smsConnector.sendSmsVerifcation({
-        {
+        fromName: this.manager.receptionRef.options.name,
-          fromName: this.registrationSessionManagerRef.receptionRef.options.name,
+        toNumber: parseInt(this.data.collectedData.userData.mobileNumber),
-          toNumber: parseInt(this.collectedData.userData.mobileNumber),
+      });
-        }
+    this.data.smsCodeHash = RegistrationSession.hashToken(smsCode);
-      );
+    await this.save();
+    return smsCode;
   }
 
-  /**
-   * this method can be called when this registrationsession is validated
-   * and all data has been set
-   */
   public async manifestUserWithAccountData(): Promise<User> {
-    if (this.status !== 'mobileVerified') {
+    if (this.data.status !== 'mobileVerified') {
       throw new plugins.typedrequest.TypedResponseError(
         'You can only manifest user that have a validated email Address and Mobile Number'
       );
     }
-    if (!this.collectedData) {
+    if (!this.data.collectedData) {
       throw new Error('You have to set the accountdata first');
     }
-    const manifestedUser =
+    const manifestedUser = await this.manager.receptionRef.userManager.CUser.createNewUserForUserData(
-      await this.registrationSessionManagerRef.receptionRef.userManager.CUser.createNewUserForUserData(
+      this.data.collectedData.userData as plugins.idpInterfaces.data.IUser['data']
-        this.collectedData.userData
+    );
-      );
+    this.data.status = 'registered';
+    await this.save();
     return manifestedUser;
   }
 
-  /**
+  public async destroy() {
-   * destroys the registrationsession
+    await this.delete();
-   */
-  public destroy() {
-    this.registrationSessionManagerRef.registrationSessions.removeFromMap(this.emailAddress);
   }
 }

ts/reception/classes.registrationsessionmanager.ts

@@ -5,16 +5,20 @@ import { logger } from './logging.js';
 
 export class RegistrationSessionManager {
   public receptionRef: Reception;
-
-  public registrationSessions = new plugins.lik.FastMap<RegistrationSession>();
   public typedRouter = new plugins.typedrequest.TypedRouter();
 
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+
+  public CRegistrationSession = plugins.smartdata.setDefaultManagerForDoc(this, RegistrationSession);
+
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedRouter);
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_FirstRegistration>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_FirstRegistration>(
         'firstRegistrationRequest',
         async (requestData) => {
           // check for exiting User
@@ -29,17 +33,16 @@ export class RegistrationSessionManager {
               `We sent you an Email with more information.`
             );
           }
-          // check for exiting SignupSession
+
-          const existingSession = this.registrationSessions.getByKey(requestData.email);
+          const existingSessions = await this.CRegistrationSession.getInstances({
-          if (existingSession) {
+            'data.emailAddress': requestData.email,
+          });
+          for (const existingSession of existingSessions) {
             logger.log('warn', `destroyed old signupSession for ${requestData.email}`);
-            existingSession.destroy();
+            await existingSession.destroy();
           }
 
-          // lets check the email before we create a signup session
-
           const newSignupSession = await RegistrationSession.createRegistrationSessionForEmail(
-            this,
             requestData.email
           ).catch((e: plugins.typedrequest.TypedResponseError) => {
             console.log(e.errorText);
@@ -60,12 +63,10 @@ export class RegistrationSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_AfterRegistrationEmailClicked>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AfterRegistrationEmailClicked>(
         'afterRegistrationEmailClicked',
         async (requestData) => {
-          const signupSession = await this.registrationSessions.find(async (itemArg) =>
+          const signupSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (signupSession) {
             return {
               email: signupSession.emailAddress,
@@ -82,12 +83,10 @@ export class RegistrationSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_SetDataForRegistration>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_SetDataForRegistration>(
         'setDataForRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -110,12 +109,10 @@ export class RegistrationSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_MobileVerificationForRegistration>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_MobileVerificationForRegistration>(
         'mobileVerificationForRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -130,17 +127,16 @@ export class RegistrationSessionManager {
           }
 
           if (requestData.mobileNumber) {
-            registrationSession.status = 'emailValidated';
             registrationSession.collectedData.userData.mobileNumber = requestData.mobileNumber;
-            await registrationSession.sendValidationSms();
+            const smsCode = await registrationSession.sendValidationSms();
             return {
               messageSent: true,
-              testOnlySmsCode: process.env.TEST_MODE ? registrationSession.smsCode : null,
+              testOnlySmsCode: process.env.TEST_MODE ? smsCode : null,
             };
           }
 
           if (requestData.verificationCode) {
-            const validationResult = registrationSession.validateSmsCode(
+            const validationResult = await registrationSession.validateSmsCode(
               requestData.verificationCode
             );
             return {
@@ -156,12 +152,10 @@ export class RegistrationSessionManager {
     );
 
     this.typedRouter.addTypedHandler(
-      new plugins.typedrequest.TypedHandler<plugins.lointReception.request.IReq_FinishRegistration>(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_FinishRegistration>(
         'finishRegistration',
         async (requestData) => {
-          const registrationSession = await this.registrationSessions.find(async (itemArg) =>
+          const registrationSession = await this.findRegistrationSessionByToken(requestData.token);
-            itemArg.validateEmailToken(requestData.token)
-          );
           if (!registrationSession) {
             throw new plugins.typedrequest.TypedResponseError(
               'could not find a matching signupsession'
@@ -169,7 +163,7 @@ export class RegistrationSessionManager {
           }
 
           const resultingUser = await registrationSession.manifestUserWithAccountData();
-          registrationSession.destroy();
+          await registrationSession.destroy();
           this.receptionRef.receptionMailer.sendWelcomeEMail(resultingUser);
           return {
             accountData: {
@@ -186,4 +180,17 @@ export class RegistrationSessionManager {
       )
     );
   }
+
+  public async findRegistrationSessionByToken(tokenArg: string) {
+    const registrationSession = await this.CRegistrationSession.getInstance({
+      'data.hashedEmailToken': RegistrationSession.hashToken(tokenArg),
+    });
+
+    if (!registrationSession) {
+      return null;
+    }
+
+    const isValid = await registrationSession.validateEmailToken(tokenArg);
+    return isValid ? registrationSession : null;
+  }
 }

ts/reception/classes.role.ts

@@ -3,12 +3,12 @@ import * as plugins from '../plugins.js';
 @plugins.smartdata.Manager()
 export class Role extends plugins.smartdata.SmartDataDbDoc<
   Role,
-  plugins.lointReception.data.IRole
+  plugins.idpInterfaces.data.IRole
 > {
   @plugins.smartdata.unI()
   id: string;
 
   @plugins.smartdata.svDb()
-  data: plugins.lointReception.data.IRole['data'];
+  data: plugins.idpInterfaces.data.IRole['data'];
 
 }

ts/reception/classes.rolemanager.ts

@@ -15,13 +15,24 @@ export class RoleManager {
     this.receptionRef = receptionRefArg;
   }
 
+  /**
+   * Create, change, or delete a role for a user in an organization.
+   * Supports both old single-role and new multi-role patterns.
+   */
   public async modifyRoleForUserAtOrg(optionsArg: {
     action: 'create' | 'change' | 'delete';
     userId: string;
     organizationId: string;
-    role: plugins.lointReception.data.IRole['data']['role'];
+    /** @deprecated Use `roles` instead */
+    role?: string;
+    /** Array of roles to assign */
+    roles?: string[];
   }) {
     let returnRole: Role;
+
+    // Support both old single role and new roles array
+    const roles = optionsArg.roles || (optionsArg.role ? [optionsArg.role] : ['viewer']);
+
     switch (optionsArg.action) {
       case 'create':
         returnRole = new this.CRole();
@@ -29,9 +40,35 @@ export class RoleManager {
         returnRole.data = {
           userId: optionsArg.userId,
           organizationId: optionsArg.organizationId,
-          role: optionsArg.role,
+          roles: roles,
         };
         await returnRole.save();
+        break;
+
+      case 'change':
+        returnRole = await this.CRole.getInstance({
+          data: {
+            userId: optionsArg.userId,
+            organizationId: optionsArg.organizationId,
+          },
+        });
+        if (returnRole) {
+          returnRole.data.roles = roles;
+          await returnRole.save();
+        }
+        break;
+
+      case 'delete':
+        returnRole = await this.CRole.getInstance({
+          data: {
+            userId: optionsArg.userId,
+            organizationId: optionsArg.organizationId,
+          },
+        });
+        if (returnRole) {
+          await returnRole.delete();
+        }
+        break;
     }
     return returnRole;
   }
@@ -54,4 +91,13 @@ export class RoleManager {
     });
     return roles;
   }
+
+  public async getAllRolesForOrg(organizationId: string) {
+    const roles = await this.CRole.getInstances({
+      data: {
+        organizationId: organizationId
+      }
+    });
+    return roles;
+  }
 }

ts/reception/classes.user.ts

@@ -8,16 +8,16 @@ import { UserManager } from './classes.usermanager.js';
 @plugins.smartdata.Manager()
 export class User extends plugins.smartdata.SmartDataDbDoc<
   User,
-  plugins.lointReception.data.IUser
+  plugins.idpInterfaces.data.IUser
 > {
   // STATIC
   public static async createNewUserForUserData(
-    userDataArg: plugins.lointReception.data.IUser['data']
+    userDataArg: plugins.idpInterfaces.data.IUser['data']
   ): Promise<User> {
     const newUser = new User();
     newUser.id = plugins.smartunique.shortId();
     newUser.data = {
-      connectedOrgs: null,
+      connectedOrgs: [],
       status: 'new',
       name: userDataArg.name,
       username: userDataArg.username,
@@ -31,8 +31,26 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
     return newUser;
   }
 
-  public static hashPassword(passwordArg: string) {
+  public static async hashPassword(passwordArg: string) {
-    return plugins.smarthash.sha256FromString(passwordArg);
+    return plugins.argon2.hash(passwordArg);
+  }
+
+  public static isLegacyPasswordHash(passwordHashArg?: string) {
+    return !!passwordHashArg && !passwordHashArg.startsWith('$argon2');
+  }
+
+  public static shouldUpgradePasswordHash(passwordHashArg?: string) {
+    return this.isLegacyPasswordHash(passwordHashArg);
+  }
+
+  public static async verifyPassword(passwordArg: string, passwordHashArg?: string) {
+    if (!passwordHashArg) {
+      return false;
+    }
+    if (this.isLegacyPasswordHash(passwordHashArg)) {
+      return passwordHashArg === (await plugins.smarthash.sha256FromString(passwordArg));
+    }
+    return plugins.argon2.verify(passwordHashArg, passwordArg);
   }
 
   // INSTANCE
@@ -40,7 +58,7 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
   id: string;
 
   @plugins.smartdata.svDb()
-  public data: plugins.lointReception.data.IUser['data'];
+  public data: plugins.idpInterfaces.data.IUser['data'];
 
   constructor() {
     super();

ts/reception/classes.userinvitation.ts

@@ -0,0 +1,136 @@
+import * as plugins from '../plugins.js';
+
+/**
+ * UserInvitation represents an invitation to join one or more organizations.
+ *
+ * Key characteristics:
+ * - Unique by email (multiple orgs can share the same invitation)
+ * - Converts to real User on registration
+ * - Can fold into existing user if they add the email as secondary
+ * - Auto-expires after 90 days
+ */
+@plugins.smartdata.Manager()
+export class UserInvitation extends plugins.smartdata.SmartDataDbDoc<
+  UserInvitation,
+  plugins.idpInterfaces.data.IUserInvitation
+> {
+  // STATIC
+  public static readonly EXPIRY_DAYS = 90;
+
+  public static generateToken(): string {
+    return plugins.smartunique.shortId() + '-' + plugins.smartunique.shortId();
+  }
+
+  public static async createNewInvitation(
+    email: string,
+    organizationId: string,
+    invitedByUserId: string,
+    roles: string[]
+  ): Promise<UserInvitation> {
+    const invitation = new UserInvitation();
+    invitation.id = plugins.smartunique.shortId();
+    const now = Date.now();
+    const expiresAt = now + (UserInvitation.EXPIRY_DAYS * 24 * 60 * 60 * 1000);
+
+    invitation.data = {
+      email: email.toLowerCase().trim(),
+      token: UserInvitation.generateToken(),
+      status: 'pending',
+      createdAt: now,
+      expiresAt: expiresAt,
+      organizationRefs: [{
+        organizationId,
+        invitedByUserId,
+        invitedAt: now,
+        roles,
+      }],
+    };
+
+    await invitation.save();
+    return invitation;
+  }
+
+  // INSTANCE
+  @plugins.smartdata.unI()
+  id: string;
+
+  @plugins.smartdata.svDb()
+  public data: plugins.idpInterfaces.data.IUserInvitation['data'];
+
+  constructor() {
+    super();
+  }
+
+  /**
+   * Add another organization to this invitation
+   */
+  public async addOrganization(
+    organizationId: string,
+    invitedByUserId: string,
+    roles: string[]
+  ): Promise<void> {
+    // Check if org already exists
+    const existingRef = this.data.organizationRefs.find(
+      ref => ref.organizationId === organizationId
+    );
+
+    if (existingRef) {
+      // Update roles for existing org ref
+      existingRef.roles = roles;
+      existingRef.invitedAt = Date.now();
+      existingRef.invitedByUserId = invitedByUserId;
+    } else {
+      // Add new org ref
+      this.data.organizationRefs.push({
+        organizationId,
+        invitedByUserId,
+        invitedAt: Date.now(),
+        roles,
+      });
+    }
+
+    await this.save();
+  }
+
+  /**
+   * Remove an organization from this invitation
+   */
+  public async removeOrganization(organizationId: string): Promise<void> {
+    this.data.organizationRefs = this.data.organizationRefs.filter(
+      ref => ref.organizationId !== organizationId
+    );
+
+    // If no more org refs, cancel the invitation
+    if (this.data.organizationRefs.length === 0) {
+      this.data.status = 'cancelled';
+    }
+
+    await this.save();
+  }
+
+  /**
+   * Check if invitation is expired
+   */
+  public isExpired(): boolean {
+    return Date.now() > this.data.expiresAt || this.data.status === 'expired';
+  }
+
+  /**
+   * Mark invitation as accepted and record the user ID
+   */
+  public async accept(userId: string): Promise<void> {
+    this.data.status = 'accepted';
+    this.data.acceptedAt = Date.now();
+    this.data.convertedToUserId = userId;
+    await this.save();
+  }
+
+  /**
+   * Regenerate token and extend expiry (for resend)
+   */
+  public async regenerateToken(): Promise<void> {
+    this.data.token = UserInvitation.generateToken();
+    this.data.expiresAt = Date.now() + (UserInvitation.EXPIRY_DAYS * 24 * 60 * 60 * 1000);
+    await this.save();
+  }
+}

ts/reception/classes.userinvitationmanager.ts

@@ -0,0 +1,717 @@
+import * as plugins from '../plugins.js';
+import { Reception } from './classes.reception.js';
+import { UserInvitation } from './classes.userinvitation.js';
+import { Organization } from './classes.organization.js';
+import { User } from './classes.user.js';
+import { Role } from './classes.role.js';
+
+export class UserInvitationManager {
+  public receptionRef: Reception;
+  public get db() {
+    return this.receptionRef.db.smartdataDb;
+  }
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+
+  public CUserInvitation = plugins.smartdata.setDefaultManagerForDoc(this, UserInvitation);
+
+  constructor(receptionRefArg: Reception) {
+    this.receptionRef = receptionRefArg;
+    this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
+
+    this.setupHandlers();
+  }
+
+  private setupHandlers() {
+    // Create invitation
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CreateInvitation>(
+        'createInvitation',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const email = requestArg.email.toLowerCase().trim();
+
+          // Check if user with this email already exists
+          const existingUser = await this.receptionRef.userManager.CUser.getInstance({
+            data: { email },
+          });
+          if (existingUser) {
+            // User already exists - just add them to the org directly
+            const existingRole = await this.receptionRef.roleManager.CRole.getInstance({
+              data: {
+                userId: existingUser.id,
+                organizationId: requestArg.organizationId,
+              },
+            });
+            if (existingRole) {
+              return {
+                success: false,
+                isNew: false,
+                message: 'User is already a member of this organization.',
+              };
+            }
+            // Add user to org with the specified roles
+            await this.receptionRef.roleManager.modifyRoleForUserAtOrg({
+              action: 'create',
+              userId: existingUser.id,
+              organizationId: requestArg.organizationId,
+              roles: requestArg.roles,
+            });
+            return {
+              success: true,
+              isNew: false,
+              message: 'Existing user has been added to the organization.',
+            };
+          }
+
+          // Check if invitation already exists for this email
+          let invitation = await this.CUserInvitation.getInstance({
+            data: { email },
+          });
+
+          let isNew = false;
+          if (invitation) {
+            // Add org to existing invitation
+            await invitation.addOrganization(requestArg.organizationId, user.id, requestArg.roles);
+          } else {
+            // Create new invitation
+            invitation = await UserInvitation.createNewInvitation(
+              email,
+              requestArg.organizationId,
+              user.id,
+              requestArg.roles
+            );
+            isNew = true;
+          }
+
+          // Send invitation email
+          await this.sendInvitationEmail(invitation, requestArg.organizationId);
+
+          return {
+            success: true,
+            invitation: await invitation.createSavableObject(),
+            isNew,
+          };
+        }
+      )
+    );
+
+    // Get org invitations
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetOrgInvitations>(
+        'getOrgInvitations',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const allInvitations = await this.CUserInvitation.getInstances({});
+          const orgInvitations = allInvitations.filter(inv =>
+            inv.data.status === 'pending' &&
+            !inv.isExpired() &&
+            inv.data.organizationRefs.some(ref => ref.organizationId === requestArg.organizationId)
+          );
+
+          return {
+            invitations: await Promise.all(orgInvitations.map(inv => inv.createSavableObject())),
+          };
+        }
+      )
+    );
+
+    // Get org members
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetOrgMembers>(
+        'getOrgMembers',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsMemberOfOrg(user.id, requestArg.organizationId);
+
+          const roles = await this.receptionRef.roleManager.CRole.getInstances({
+            data: { organizationId: requestArg.organizationId },
+          });
+
+          const members: Array<{
+            user: plugins.idpInterfaces.data.IUser;
+            role: plugins.idpInterfaces.data.IRole;
+          }> = [];
+
+          for (const role of roles) {
+            const memberUser = await this.receptionRef.userManager.CUser.getInstance({
+              id: role.data.userId,
+            });
+            if (memberUser) {
+              members.push({
+                user: await memberUser.createSavableObject(),
+                role: await role.createSavableObject(),
+              });
+            }
+          }
+
+          return { members };
+        }
+      )
+    );
+
+    // Cancel invitation
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_CancelInvitation>(
+        'cancelInvitation',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const invitation = await this.CUserInvitation.getInstance({ id: requestArg.invitationId });
+          if (!invitation) {
+            return { success: false, message: 'Invitation not found.' };
+          }
+
+          await invitation.removeOrganization(requestArg.organizationId);
+
+          return { success: true };
+        }
+      )
+    );
+
+    // Resend invitation
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_ResendInvitation>(
+        'resendInvitation',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const invitation = await this.CUserInvitation.getInstance({ id: requestArg.invitationId });
+          if (!invitation) {
+            return { success: false, message: 'Invitation not found.' };
+          }
+
+          await invitation.regenerateToken();
+          await this.sendInvitationEmail(invitation, requestArg.organizationId);
+
+          return { success: true, message: 'Invitation resent.' };
+        }
+      )
+    );
+
+    // Remove member
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_RemoveMember>(
+        'removeMember',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          // Cannot remove yourself if you're the only owner
+          const role = await this.receptionRef.roleManager.CRole.getInstance({
+            data: {
+              userId: requestArg.userId,
+              organizationId: requestArg.organizationId,
+            },
+          });
+
+          if (!role) {
+            return { success: false, message: 'Member not found.' };
+          }
+
+          // Check if trying to remove an owner
+          if (role.data.roles.includes('owner')) {
+            // Count owners
+            const allRoles = await this.receptionRef.roleManager.CRole.getInstances({
+              data: { organizationId: requestArg.organizationId },
+            });
+            const ownerCount = allRoles.filter(r => r.data.roles.includes('owner')).length;
+            if (ownerCount <= 1) {
+              return {
+                success: false,
+                message: 'Cannot remove the last owner. Transfer ownership first.',
+              };
+            }
+          }
+
+          await role.delete();
+
+          // Remove org from user's connectedOrgs
+          const memberUser = await this.receptionRef.userManager.CUser.getInstance({
+            id: requestArg.userId,
+          });
+          if (memberUser && memberUser.data.connectedOrgs) {
+            memberUser.data.connectedOrgs = memberUser.data.connectedOrgs.filter(
+              orgId => orgId !== requestArg.organizationId
+            );
+            await memberUser.save();
+          }
+
+          return { success: true };
+        }
+      )
+    );
+
+    // Update member roles
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_UpdateMemberRoles>(
+        'updateMemberRoles',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const role = await this.receptionRef.roleManager.CRole.getInstance({
+            data: {
+              userId: requestArg.userId,
+              organizationId: requestArg.organizationId,
+            },
+          });
+
+          if (!role) {
+            return { success: false, message: 'Member not found.' };
+          }
+
+          // If removing owner role, check we're not removing the last owner
+          if (role.data.roles.includes('owner') && !requestArg.roles.includes('owner')) {
+            const allRoles = await this.receptionRef.roleManager.CRole.getInstances({
+              data: { organizationId: requestArg.organizationId },
+            });
+            const ownerCount = allRoles.filter(r => r.data.roles.includes('owner')).length;
+            if (ownerCount <= 1) {
+              return {
+                success: false,
+                message: 'Cannot remove owner role from the last owner.',
+              };
+            }
+          }
+
+          role.data.roles = requestArg.roles;
+          await role.save();
+
+          return { success: true, role: await role.createSavableObject() };
+        }
+      )
+    );
+
+    // Transfer ownership
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_TransferOwnership>(
+        'transferOwnership',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+
+          // Verify current user is an owner
+          const currentUserRole = await this.receptionRef.roleManager.CRole.getInstance({
+            data: {
+              userId: user.id,
+              organizationId: requestArg.organizationId,
+            },
+          });
+          if (!currentUserRole || !currentUserRole.data.roles.includes('owner')) {
+            throw new plugins.typedrequest.TypedResponseError(
+              'Only owners can transfer ownership.'
+            );
+          }
+
+          // Get new owner's role
+          const newOwnerRole = await this.receptionRef.roleManager.CRole.getInstance({
+            data: {
+              userId: requestArg.newOwnerId,
+              organizationId: requestArg.organizationId,
+            },
+          });
+          if (!newOwnerRole) {
+            return { success: false, message: 'New owner must be a member of the organization.' };
+          }
+
+          // Add owner role to new owner
+          if (!newOwnerRole.data.roles.includes('owner')) {
+            newOwnerRole.data.roles.push('owner');
+            await newOwnerRole.save();
+          }
+
+          // Remove owner role from current user (but keep other roles)
+          currentUserRole.data.roles = currentUserRole.data.roles.filter(r => r !== 'owner');
+          if (currentUserRole.data.roles.length === 0) {
+            currentUserRole.data.roles = ['admin']; // Demote to admin
+          }
+          await currentUserRole.save();
+
+          return { success: true };
+        }
+      )
+    );
+
+    // Get invitation by token
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_GetInvitationByToken>(
+        'getInvitationByToken',
+        async (requestArg) => {
+          const invitation = await this.CUserInvitation.getInstance({
+            data: { token: requestArg.token },
+          });
+
+          if (!invitation) {
+            return { isExpired: true, requiresRegistration: false };
+          }
+
+          if (invitation.isExpired()) {
+            return { isExpired: true, requiresRegistration: false };
+          }
+
+          // Get organization names
+          const organizations: Array<{ id: string; name: string }> = [];
+          for (const ref of invitation.data.organizationRefs) {
+            const org = await this.receptionRef.organizationmanager.COrganization.getInstance({
+              id: ref.organizationId,
+            });
+            if (org) {
+              organizations.push({ id: org.id, name: org.data.name });
+            }
+          }
+
+          // Check if user with this email exists
+          const existingUser = await this.receptionRef.userManager.CUser.getInstance({
+            data: { email: invitation.data.email },
+          });
+
+          return {
+            invitation: await invitation.createSavableObject(),
+            organizations,
+            isExpired: false,
+            requiresRegistration: !existingUser,
+          };
+        }
+      )
+    );
+
+    // Accept invitation
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_AcceptInvitation>(
+        'acceptInvitation',
+        async (requestArg) => {
+          const invitation = await this.CUserInvitation.getInstance({
+            data: { token: requestArg.token },
+          });
+
+          if (!invitation) {
+            return { success: false, message: 'Invalid invitation token.' };
+          }
+
+          if (invitation.isExpired()) {
+            return { success: false, message: 'This invitation has expired.' };
+          }
+
+          const user = await this.receptionRef.userManager.CUser.getInstance({
+            id: requestArg.userId,
+          });
+          if (!user) {
+            return { success: false, message: 'User not found.' };
+          }
+
+          // Create roles for each organization
+          const organizations: plugins.idpInterfaces.data.IOrganization[] = [];
+          const roles: plugins.idpInterfaces.data.IRole[] = [];
+
+          for (const ref of invitation.data.organizationRefs) {
+            // Check if role already exists
+            let role = await this.receptionRef.roleManager.CRole.getInstance({
+              data: {
+                userId: user.id,
+                organizationId: ref.organizationId,
+              },
+            });
+
+            if (!role) {
+              role = await this.receptionRef.roleManager.modifyRoleForUserAtOrg({
+                action: 'create',
+                userId: user.id,
+                organizationId: ref.organizationId,
+                roles: ref.roles,
+              });
+            }
+
+            roles.push(await role.createSavableObject());
+
+            const org = await this.receptionRef.organizationmanager.COrganization.getInstance({
+              id: ref.organizationId,
+            });
+            if (org) {
+              // Add role to org's roleIds if not already there
+              if (!org.data.roleIds.includes(role.id)) {
+                org.data.roleIds.push(role.id);
+                await org.save();
+              }
+              organizations.push(await org.createSavableObject());
+            }
+
+            // Update user's connectedOrgs
+            if (!user.data.connectedOrgs) {
+              user.data.connectedOrgs = [];
+            }
+            if (!user.data.connectedOrgs.includes(ref.organizationId)) {
+              user.data.connectedOrgs.push(ref.organizationId);
+            }
+          }
+
+          await user.save();
+          await invitation.accept(user.id);
+
+          return { success: true, organizations, roles };
+        }
+      )
+    );
+
+    // Bulk create invitations
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.idpInterfaces.request.IReq_BulkCreateInvitations>(
+        'bulkCreateInvitations',
+        async (requestArg) => {
+          const user = await this.receptionRef.userManager.getUserByJwtValidation(requestArg.jwt);
+          await this.verifyUserIsAdminOfOrg(user.id, requestArg.organizationId);
+
+          const org = await this.receptionRef.organizationmanager.COrganization.getInstance({
+            id: requestArg.organizationId,
+          });
+          const orgName = org?.data.name || 'an organization';
+
+          const results: Array<{
+            email: string;
+            success: boolean;
+            status: 'invited' | 'already_member' | 'invalid_email' | 'error';
+            message?: string;
+          }> = [];
+          const summary = {
+            total: 0,
+            invited: 0,
+            alreadyMembers: 0,
+            invalid: 0,
+            errors: 0,
+          };
+
+          // Deduplicate emails in the batch
+          const processedEmails = new Set<string>();
+
+          for (const inv of requestArg.invitations) {
+            summary.total++;
+            const email = inv.email?.toLowerCase().trim();
+
+            // Validate email format
+            if (!email || !this.isValidEmail(email)) {
+              results.push({
+                email: inv.email || '',
+                success: false,
+                status: 'invalid_email',
+                message: 'Invalid email format',
+              });
+              summary.invalid++;
+              continue;
+            }
+
+            // Skip duplicates within batch
+            if (processedEmails.has(email)) {
+              results.push({
+                email,
+                success: false,
+                status: 'invalid_email',
+                message: 'Duplicate email in batch',
+              });
+              summary.invalid++;
+              continue;
+            }
+            processedEmails.add(email);
+
+            try {
+              // Check if user with this email already exists
+              const existingUser = await this.receptionRef.userManager.CUser.getInstance({
+                data: { email },
+              });
+
+              if (existingUser) {
+                // Check if already a member
+                const existingRole = await this.receptionRef.roleManager.CRole.getInstance({
+                  data: {
+                    userId: existingUser.id,
+                    organizationId: requestArg.organizationId,
+                  },
+                });
+
+                if (existingRole) {
+                  results.push({
+                    email,
+                    success: false,
+                    status: 'already_member',
+                    message: 'Already a member of this organization',
+                  });
+                  summary.alreadyMembers++;
+                  continue;
+                }
+
+                // Add existing user to org
+                const roles = inv.roles?.length ? inv.roles : requestArg.defaultRoles;
+                await this.receptionRef.roleManager.modifyRoleForUserAtOrg({
+                  action: 'create',
+                  userId: existingUser.id,
+                  organizationId: requestArg.organizationId,
+                  roles,
+                });
+                results.push({
+                  email,
+                  success: true,
+                  status: 'invited',
+                  message: 'Existing user added to organization',
+                });
+                summary.invited++;
+                continue;
+              }
+
+              // Check if invitation already exists
+              let invitation = await this.CUserInvitation.getInstance({
+                data: { email },
+              });
+
+              const roles = inv.roles?.length ? inv.roles : requestArg.defaultRoles;
+
+              if (invitation) {
+                // Add org to existing invitation
+                await invitation.addOrganization(requestArg.organizationId, user.id, roles);
+              } else {
+                // Create new invitation
+                invitation = await UserInvitation.createNewInvitation(
+                  email,
+                  requestArg.organizationId,
+                  user.id,
+                  roles
+                );
+              }
+
+              // Send invitation email
+              await this.receptionRef.receptionMailer.sendInvitationEmail(
+                email,
+                orgName,
+                invitation.data.token,
+                this.receptionRef.options.baseUrl
+              );
+
+              results.push({
+                email,
+                success: true,
+                status: 'invited',
+              });
+              summary.invited++;
+            } catch (error: any) {
+              results.push({
+                email,
+                success: false,
+                status: 'error',
+                message: error.message || 'Unknown error',
+              });
+              summary.errors++;
+            }
+          }
+
+          return { success: true, results, summary };
+        }
+      )
+    );
+  }
+
+  /**
+   * Find invitation by email
+   */
+  public async getInvitationByEmail(email: string): Promise<UserInvitation | null> {
+    return this.CUserInvitation.getInstance({
+      data: { email: email.toLowerCase().trim() },
+    });
+  }
+
+  /**
+   * Get pending invitations for an email (for registration flow)
+   */
+  public async getPendingInvitationsForEmail(email: string): Promise<UserInvitation | null> {
+    const invitation = await this.getInvitationByEmail(email);
+    if (invitation && invitation.data.status === 'pending' && !invitation.isExpired()) {
+      return invitation;
+    }
+    return null;
+  }
+
+  /**
+   * Clean up expired invitations
+   */
+  public async cleanupExpiredInvitations(): Promise<number> {
+    const allInvitations = await this.CUserInvitation.getInstances({
+      data: { status: 'pending' },
+    });
+
+    let cleanedCount = 0;
+    for (const invitation of allInvitations) {
+      if (invitation.isExpired()) {
+        invitation.data.status = 'expired';
+        await invitation.save();
+        cleanedCount++;
+      }
+    }
+
+    return cleanedCount;
+  }
+
+  /**
+   * Send invitation email
+   */
+  private async sendInvitationEmail(
+    invitation: UserInvitation,
+    organizationId: string
+  ): Promise<void> {
+    const org = await this.receptionRef.organizationmanager.COrganization.getInstance({
+      id: organizationId,
+    });
+    const orgName = org?.data.name || 'an organization';
+
+    await this.receptionRef.receptionMailer.sendInvitationEmail(
+      invitation.data.email,
+      orgName,
+      invitation.data.token,
+      this.receptionRef.options.baseUrl
+    );
+  }
+
+  /**
+   * Verify user is admin/owner of organization
+   */
+  private async verifyUserIsAdminOfOrg(userId: string, organizationId: string): Promise<void> {
+    const role = await this.receptionRef.roleManager.CRole.getInstance({
+      data: { userId, organizationId },
+    });
+
+    if (!role) {
+      throw new plugins.typedrequest.TypedResponseError('Not a member of this organization.');
+    }
+
+    const hasAdminRole = role.data.roles.some(r =>
+      ['owner', 'admin'].includes(r)
+    );
+
+    if (!hasAdminRole) {
+      throw new plugins.typedrequest.TypedResponseError(
+        'You do not have permission to perform this action.'
+      );
+    }
+  }
+
+  /**
+   * Verify user is member of organization
+   */
+  private async verifyUserIsMemberOfOrg(userId: string, organizationId: string): Promise<void> {
+    const role = await this.receptionRef.roleManager.CRole.getInstance({
+      data: { userId, organizationId },
+    });
+
+    if (!role) {
+      throw new plugins.typedrequest.TypedResponseError('Not a member of this organization.');
+    }
+  }
+
+  /**
+   * Validate email format
+   */
+  private isValidEmail(email: string): boolean {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email);
+  }
+}

ts/reception/classes.usermanager.ts

@@ -19,9 +19,13 @@ export class UserManager {
   constructor(receptionRefArg: Reception) {
     this.receptionRef = receptionRefArg;
     this.receptionRef.typedrouter.addTypedRouter(this.typedrouter);
-    this.typedrouter.addTypedHandler<plugins.lointReception.request.IReq_GetRolesAndOrganizationsForUserId>(
+    this.typedrouter.addTypedHandler<plugins.idpInterfaces.request.IReq_GetRolesAndOrganizationsForUserId>(
       new plugins.typedrequest.TypedHandler('getRolesAndOrganizationsForUserId', async reqArg => {
+        console.log('user manager: getting roles and orgs');
         const user = await this.getUserByJwtValidation(reqArg.jwt);
+        if (!user) {
+          throw new plugins.typedrequest.TypedResponseError('User not found');
+        }
         const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser(
           user
         );
@@ -32,6 +36,29 @@ export class UserManager {
         }
       })
     )
+
+    this.typedrouter.addTypedHandler<plugins.idpInterfaces.request.IReq_WhoIs>(
+      new plugins.typedrequest.TypedHandler('whoIs', async reqArg => {
+        const user = await this.getUserByJwtValidation(reqArg.jwt);
+        if (!user) {
+          throw new plugins.typedrequest.TypedResponseError('User not found');
+        }
+        return {
+          user: {
+            id: user.id,
+            data: {
+              name: user.data.name,
+              username: user.data.username,
+              email: user.data.email,
+              mobileNumber: user.data.mobileNumber,
+              connectedOrgs: user.data.connectedOrgs,
+              status: user.data.status,
+              isGlobalAdmin: user.data.isGlobalAdmin,
+            } as plugins.idpInterfaces.data.IUser['data']
+          }
+        }
+      })
+    )
   }
 
   /**
@@ -39,6 +66,9 @@ export class UserManager {
    */
   public async getUserByJwt(jwtString: string) {
     const jwtInstance = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtString);
+    if (!jwtInstance) {
+      return null;
+    }
     const user = await this.CUser.getInstance({
       id: jwtInstance.data.userId
     });
@@ -50,7 +80,10 @@ export class UserManager {
    * faster than the "getUserByJwt"
    */
   public async getUserByJwtValidation(jwtStringArg: string) {
-    const jwtDataArg: plugins.lointReception.data.IJwt = await this.receptionRef.jwtManager.smartjwtInstance.verifyJWTAndGetData(jwtStringArg);
+    const jwtDataArg = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtStringArg);
+    if (!jwtDataArg) {
+      return null;
+    }
     const resultingUser = await this.CUser.getInstance({
       id: jwtDataArg.data.userId
     });

ts/reception/logging.ts

@@ -1,6 +1,3 @@
 import * as plugins from '../plugins.js';
-import * as paths from '../paths.js';
-
-const projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
 
 export const logger = new plugins.smartlog.ConsoleLog();

ts/tspublish.json

@@ -0,0 +1,3 @@
+{
+  "order": 2
+}

ts_idpcli/classes.idpcli.ts

@@ -0,0 +1,478 @@
+import * as plugins from './plugins.js';
+
+export interface IIdpCliConfig {
+  idpBaseUrl: string;
+  configDir?: string;
+}
+
+export interface IStoredCredentials {
+  refreshToken?: string;
+  jwt?: string;
+  userId?: string;
+}
+
+/**
+ * IdpCli - A Node.js CLI client for idp.global
+ * Uses file-based storage instead of browser webstore
+ */
+export class IdpCli {
+  public config: IIdpCliConfig;
+  public configDir: string;
+  public credentialsPath: string;
+
+  public typedsocket: plugins.typedsocket.TypedSocket;
+  public typedrouter = new plugins.typedrequest.TypedRouter();
+  private typedsocketDeferred = plugins.smartpromise.defer<plugins.typedsocket.TypedSocket>();
+
+  constructor(configArg: IIdpCliConfig) {
+    this.config = configArg;
+    this.configDir = configArg.configDir || plugins.path.join(plugins.os.homedir(), '.idp-global');
+    this.credentialsPath = plugins.path.join(this.configDir, 'credentials.json');
+  }
+
+  /**
+   * Ensure config directory exists
+   */
+  private ensureConfigDir(): void {
+    if (!plugins.fs.existsSync(this.configDir)) {
+      plugins.fs.mkdirSync(this.configDir, { recursive: true });
+    }
+  }
+
+  /**
+   * Store credentials to file
+   */
+  public storeCredentials(credentials: IStoredCredentials): void {
+    this.ensureConfigDir();
+    plugins.fs.writeFileSync(this.credentialsPath, JSON.stringify(credentials, null, 2), 'utf8');
+  }
+
+  /**
+   * Load stored credentials
+   */
+  public loadCredentials(): IStoredCredentials | null {
+    try {
+      if (!plugins.fs.existsSync(this.credentialsPath)) {
+        return null;
+      }
+      const content = plugins.fs.readFileSync(this.credentialsPath, 'utf8');
+      return JSON.parse(content);
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Delete stored credentials (logout)
+   */
+  public deleteCredentials(): void {
+    try {
+      if (plugins.fs.existsSync(this.credentialsPath)) {
+        plugins.fs.unlinkSync(this.credentialsPath);
+      }
+    } catch {
+      // ignore if file doesn't exist
+    }
+  }
+
+  /**
+   * Connect to IDP server via WebSocket
+   */
+  public async connect(): Promise<void> {
+    if (this.typedsocketDeferred.status === 'fulfilled') {
+      return;
+    }
+
+    let baseUrl = this.config.idpBaseUrl;
+    if (baseUrl.endsWith('/')) {
+      baseUrl = baseUrl.slice(0, -1);
+    }
+    if (!baseUrl.endsWith('/typedrequest')) {
+      baseUrl = `${baseUrl}/typedrequest`;
+    }
+
+    console.log(`Connecting to ${baseUrl}...`);
+    this.typedsocket = await plugins.typedsocket.TypedSocket.createClient(
+      this.typedrouter,
+      baseUrl
+    );
+    this.typedsocketDeferred.resolve(this.typedsocket);
+    console.log('Connected!');
+  }
+
+  /**
+   * Disconnect from IDP server
+   */
+  public async disconnect(): Promise<void> {
+    if (this.typedsocket) {
+      await this.typedsocket.stop();
+    }
+  }
+
+  // ============================================
+  // Authentication Commands
+  // ============================================
+
+  /**
+   * Login with email and password
+   */
+  public async loginWithPassword(email: string, password: string): Promise<boolean> {
+    await this.connect();
+
+    const loginRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
+      'loginWithEmailOrUsernameAndPassword'
+    );
+
+    const response = await loginRequest.fire({
+      username: email,
+      password: password,
+    });
+
+    if (response.refreshToken) {
+      this.storeCredentials({
+        refreshToken: response.refreshToken,
+      });
+      console.log('Login successful!');
+      return true;
+    } else if (response.twoFaNeeded) {
+      console.log('Two-factor authentication required.');
+      return false;
+    } else {
+      console.log('Login failed.');
+      return false;
+    }
+  }
+
+  /**
+   * Login with API token
+   */
+  public async loginWithApiToken(apiToken: string): Promise<boolean> {
+    await this.connect();
+
+    const loginRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithApiToken>(
+      'loginWithApiToken'
+    );
+
+    const response = await loginRequest.fire({
+      apiToken,
+    });
+
+    if (response.jwt) {
+      this.storeCredentials({
+        jwt: response.jwt,
+      });
+      console.log('Login successful!');
+      return true;
+    } else {
+      console.log('Login failed.');
+      return false;
+    }
+  }
+
+  /**
+   * Refresh JWT from stored refresh token
+   */
+  public async refreshJwt(): Promise<string | null> {
+    const credentials = this.loadCredentials();
+    if (!credentials?.refreshToken) {
+      console.error('No refresh token stored. Please login first.');
+      return null;
+    }
+
+    await this.connect();
+
+    const refreshRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
+      'refreshJwt'
+    );
+
+    const response = await refreshRequest.fire({
+      refreshToken: credentials.refreshToken,
+    });
+
+    if (response.jwt) {
+      this.storeCredentials({
+        ...credentials,
+        jwt: response.jwt,
+        refreshToken: response.refreshToken || credentials.refreshToken,
+      });
+      return response.jwt;
+    }
+    return null;
+  }
+
+  /**
+   * Logout - clear stored credentials
+   */
+  public async logout(): Promise<void> {
+    const credentials = this.loadCredentials();
+
+    if (credentials?.refreshToken) {
+      try {
+        await this.connect();
+        const logoutRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.ILogoutRequest>(
+          'logout'
+        );
+        await logoutRequest.fire({
+          refreshToken: credentials.refreshToken,
+        });
+      } catch (e) {
+        // Ignore errors during server-side logout
+      }
+    }
+
+    this.deleteCredentials();
+    console.log('Logged out successfully.');
+  }
+
+  // ============================================
+  // User Commands
+  // ============================================
+
+  /**
+   * Get current user info
+   */
+  public async whoami(): Promise<plugins.idpInterfaces.data.IUser | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    await this.connect();
+
+    const whoIsRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_WhoIs>(
+      'whoIs'
+    );
+
+    const response = await whoIsRequest.fire({ jwt });
+    return response.user;
+  }
+
+  /**
+   * Get user sessions
+   */
+  public async getSessions(): Promise<plugins.idpInterfaces.request.IReq_GetUserSessions['response']['sessions'] | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    await this.connect();
+
+    const sessionsRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetUserSessions>(
+      'getUserSessions'
+    );
+
+    const response = await sessionsRequest.fire({ jwt });
+    return response.sessions;
+  }
+
+  /**
+   * Revoke a session
+   */
+  public async revokeSession(sessionId: string): Promise<boolean> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return false;
+
+    await this.connect();
+
+    const revokeRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RevokeSession>(
+      'revokeSession'
+    );
+
+    const response = await revokeRequest.fire({ jwt, sessionId });
+    return response.success;
+  }
+
+  // ============================================
+  // Organization Commands
+  // ============================================
+
+  /**
+   * Get organizations for current user
+   */
+  public async getOrganizations(): Promise<{
+    roles: plugins.idpInterfaces.data.IRole[];
+    organizations: plugins.idpInterfaces.data.IOrganization[];
+  } | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    const user = await this.whoami();
+    if (!user) return null;
+
+    await this.connect();
+
+    const orgsRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetRolesAndOrganizationsForUserId>(
+      'getRolesAndOrganizationsForUserId'
+    );
+
+    const response = await orgsRequest.fire({
+      jwt,
+      userId: user.id,
+    });
+
+    return response;
+  }
+
+  /**
+   * Create a new organization
+   */
+  public async createOrganization(
+    name: string,
+    slug: string,
+    mode: 'checkAvailability' | 'manifest' = 'manifest'
+  ): Promise<plugins.idpInterfaces.request.IReq_CreateOrganization['response'] | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    const user = await this.whoami();
+    if (!user) return null;
+
+    await this.connect();
+
+    const createRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CreateOrganization>(
+      'createOrganization'
+    );
+
+    const response = await createRequest.fire({
+      jwt,
+      userId: user.id,
+      organizationName: name,
+      organizationSlug: slug,
+      action: mode,
+    });
+
+    return response;
+  }
+
+  /**
+   * Get organization members
+   */
+  public async getOrgMembers(
+    organizationId: string
+  ): Promise<plugins.idpInterfaces.request.IReq_GetOrgMembers['response']['members'] | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    await this.connect();
+
+    const membersRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetOrgMembers>(
+      'getOrgMembers'
+    );
+
+    const response = await membersRequest.fire({
+      jwt,
+      organizationId,
+    });
+
+    return response.members;
+  }
+
+  /**
+   * Invite a user to organization
+   */
+  public async inviteMember(
+    organizationId: string,
+    email: string,
+    roles: string[] = ['member']
+  ): Promise<plugins.idpInterfaces.request.IReq_CreateInvitation['response'] | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    await this.connect();
+
+    const inviteRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CreateInvitation>(
+      'createInvitation'
+    );
+
+    const response = await inviteRequest.fire({
+      jwt,
+      organizationId,
+      email,
+      roles,
+    });
+
+    return response;
+  }
+
+  // ============================================
+  // Admin Commands
+  // ============================================
+
+  /**
+   * Check if current user is global admin
+   */
+  public async checkGlobalAdmin(): Promise<boolean> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return false;
+
+    await this.connect();
+
+    const adminRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CheckGlobalAdmin>(
+      'checkGlobalAdmin'
+    );
+
+    const response = await adminRequest.fire({ jwt });
+    return response.isGlobalAdmin;
+  }
+
+  /**
+   * Get global app statistics (admin only)
+   */
+  public async getGlobalAppStats(): Promise<plugins.idpInterfaces.request.IReq_GetGlobalAppStats['response']['apps'] | null> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return null;
+
+    await this.connect();
+
+    const statsRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetGlobalAppStats>(
+      'getGlobalAppStats'
+    );
+
+    const response = await statsRequest.fire({ jwt });
+    return response.apps;
+  }
+
+  /**
+   * Suspend a user (admin only)
+   */
+  public async suspendUser(userId: string): Promise<boolean> {
+    const jwt = await this.ensureAuthenticated();
+    if (!jwt) return false;
+
+    await this.connect();
+
+    const suspendRequest = this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_SuspendUser>(
+      'suspendUser'
+    );
+
+    await suspendRequest.fire({ jwt, userId });
+    return true;
+  }
+
+  // ============================================
+  // Helpers
+  // ============================================
+
+  /**
+   * Ensure user is authenticated, refresh JWT if needed
+   */
+  private async ensureAuthenticated(): Promise<string | null> {
+    let credentials = this.loadCredentials();
+
+    if (!credentials) {
+      console.error('Not logged in. Please run: idp login');
+      return null;
+    }
+
+    // If we have a JWT, return it
+    if (credentials.jwt) {
+      return credentials.jwt;
+    }
+
+    // Otherwise, try to get a new JWT from refresh token
+    if (credentials.refreshToken) {
+      const jwt = await this.refreshJwt();
+      return jwt;
+    }
+
+    console.error('No valid credentials. Please run: idp login');
+    return null;
+  }
+}

ts_idpcli/index.ts

@@ -0,0 +1,362 @@
+import * as plugins from './plugins.js';
+import { IdpCli } from './classes.idpcli.js';
+
+export { IdpCli } from './classes.idpcli.js';
+
+const DEFAULT_IDP_URL = 'https://idp.global';
+
+/**
+ * Run the CLI
+ */
+export const runCli = async () => {
+  const smartcliInstance = new plugins.smartcli.Smartcli();
+  smartcliInstance.addVersion('1.0.0');
+
+  const getIdpClient = () => {
+    const idpUrl = process.env.IDP_URL || DEFAULT_IDP_URL;
+    return new IdpCli({ idpBaseUrl: idpUrl });
+  };
+
+  // ============================================
+  // Help
+  // ============================================
+  smartcliInstance.addHelp({
+    helpText: `
+idp - CLI for idp.global identity provider
+
+USAGE:
+  idp <command> [options]
+
+COMMANDS:
+  login             Login with email and password
+  login-token       Login with API token
+  logout            Logout and clear credentials
+  whoami            Show current user information
+
+  orgs              List organizations
+  orgs-create       Create a new organization
+
+  members           List organization members
+  invite            Invite a user to organization
+
+  sessions          List active sessions
+  revoke            Revoke a session
+
+  admin-check       Check if current user is global admin
+  admin-apps        List global apps (admin only)
+  admin-suspend     Suspend a user (admin only)
+
+  help              Show this help message
+
+ENVIRONMENT:
+  IDP_URL           Override IDP server URL (default: https://idp.global)
+
+EXAMPLES:
+  idp login
+  idp whoami
+  idp orgs
+  idp members --org <org-id>
+  idp invite --org <org-id> --email user@example.com
+`,
+  });
+
+  // ============================================
+  // Login Commands
+  // ============================================
+  smartcliInstance.addCommand('login').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const interact = new plugins.smartinteract.SmartInteract();
+
+    const emailAnswer = await interact.askQuestion({
+      type: 'input',
+      name: 'email',
+      message: 'Email:',
+      default: '',
+    });
+
+    const passwordAnswer = await interact.askQuestion({
+      type: 'password',
+      name: 'password',
+      message: 'Password:',
+      default: '',
+    });
+
+    await client.loginWithPassword(emailAnswer.value as string, passwordAnswer.value as string);
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('login-token').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const interact = new plugins.smartinteract.SmartInteract();
+
+    const tokenAnswer = await interact.askQuestion({
+      type: 'password',
+      name: 'token',
+      message: 'API Token:',
+      default: '',
+    });
+
+    await client.loginWithApiToken(tokenAnswer.value as string);
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('logout').subscribe(async (argv) => {
+    const client = getIdpClient();
+    await client.logout();
+    await client.disconnect();
+  });
+
+  // ============================================
+  // User Commands
+  // ============================================
+  smartcliInstance.addCommand('whoami').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const user = await client.whoami();
+
+    if (user) {
+      console.log('\nUser Information:');
+      console.log(`  ID: ${user.id}`);
+      console.log(`  Name: ${user.data?.name || 'N/A'}`);
+      console.log(`  Username: ${user.data?.username || 'N/A'}`);
+      console.log(`  Email: ${user.data?.email || 'N/A'}`);
+      console.log(`  Status: ${user.data?.status || 'N/A'}`);
+      console.log(`  Global Admin: ${user.data?.isGlobalAdmin ? 'Yes' : 'No'}`);
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('sessions').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const sessions = await client.getSessions();
+
+    if (sessions) {
+      console.log('\nActive Sessions:');
+      for (const session of sessions) {
+        console.log(`  - ${session.id}`);
+        console.log(`    Device: ${session.deviceName || 'Unknown'}`);
+        console.log(`    Browser: ${session.browser || 'Unknown'}`);
+        console.log(`    OS: ${session.os || 'Unknown'}`);
+        console.log(`    Last Active: ${new Date(session.lastActive).toLocaleString()}`);
+        console.log(`    Current: ${session.isCurrent ? 'Yes' : 'No'}`);
+        console.log('');
+      }
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('revoke').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const sessionId = argv.session || argv.s || argv._[1];
+
+    if (!sessionId) {
+      console.error('Please provide a session ID: idp revoke --session <session-id>');
+      return;
+    }
+
+    const success = await client.revokeSession(sessionId);
+    if (success) {
+      console.log('Session revoked successfully.');
+    } else {
+      console.error('Failed to revoke session.');
+    }
+
+    await client.disconnect();
+  });
+
+  // ============================================
+  // Organization Commands
+  // ============================================
+  smartcliInstance.addCommand('orgs').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const result = await client.getOrganizations();
+
+    if (result) {
+      console.log('\nOrganizations:');
+      for (const org of result.organizations) {
+        const role = result.roles.find((r) => r.data?.organizationId === org.id);
+        console.log(`  - ${org.data?.name} (${org.id})`);
+        console.log(`    Slug: ${org.data?.slug}`);
+        console.log(`    Roles: ${role?.data?.roles?.join(', ') || 'Unknown'}`);
+        console.log('');
+      }
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('orgs-create').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const interact = new plugins.smartinteract.SmartInteract();
+
+    const nameAnswer = await interact.askQuestion({
+      type: 'input',
+      name: 'name',
+      message: 'Organization Name:',
+      default: '',
+    });
+
+    const slugAnswer = await interact.askQuestion({
+      type: 'input',
+      name: 'slug',
+      message: 'Organization Slug:',
+      default: '',
+    });
+
+    // First check availability
+    const checkResult = await client.createOrganization(
+      nameAnswer.value as string,
+      slugAnswer.value as string,
+      'checkAvailability'
+    );
+
+    if (!checkResult?.nameAvailable) {
+      console.error('Organization name or slug is not available.');
+      await client.disconnect();
+      return;
+    }
+
+    // Then create
+    const result = await client.createOrganization(
+      nameAnswer.value as string,
+      slugAnswer.value as string,
+      'manifest'
+    );
+
+    if (result?.resultingOrganization) {
+      console.log('\nOrganization created successfully!');
+      console.log(`  ID: ${result.resultingOrganization.id}`);
+      console.log(`  Name: ${result.resultingOrganization.data?.name}`);
+    }
+
+    await client.disconnect();
+  });
+
+  // ============================================
+  // Member Commands
+  // ============================================
+  smartcliInstance.addCommand('members').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const orgId = argv.org || argv.o || argv._[1];
+
+    if (!orgId) {
+      console.error('Please provide an organization ID: idp members --org <org-id>');
+      return;
+    }
+
+    const members = await client.getOrgMembers(orgId);
+
+    if (members) {
+      console.log('\nOrganization Members:');
+      for (const member of members) {
+        console.log(`  - ${member.user.data?.name || 'Unknown'}`);
+        console.log(`    Email: ${member.user.data?.email || 'N/A'}`);
+        console.log(`    Roles: ${member.role.data?.roles?.join(', ') || 'Unknown'}`);
+        console.log('');
+      }
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('invite').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const orgId = argv.org || argv.o;
+    const email = argv.email || argv.e || argv._[1];
+
+    if (!orgId || !email) {
+      console.error('Please provide organization ID and email:');
+      console.error('  idp invite --org <org-id> --email user@example.com');
+      return;
+    }
+
+    const result = await client.inviteMember(orgId, email);
+
+    if (result?.success) {
+      console.log(`Invitation sent to ${email}`);
+    } else {
+      console.error(`Failed to send invitation: ${result?.message || 'Unknown error'}`);
+    }
+
+    await client.disconnect();
+  });
+
+  // ============================================
+  // Admin Commands
+  // ============================================
+  smartcliInstance.addCommand('admin-check').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const isAdmin = await client.checkGlobalAdmin();
+
+    if (isAdmin) {
+      console.log('You are a global admin.');
+    } else {
+      console.log('You are not a global admin.');
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('admin-apps').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const apps = await client.getGlobalAppStats();
+
+    if (apps) {
+      console.log('\nGlobal Apps:');
+      for (const appInfo of apps) {
+        console.log(`  - ${appInfo.app.data?.name}`);
+        console.log(`    ID: ${appInfo.app.id}`);
+        console.log(`    Connections: ${appInfo.connectionCount}`);
+        console.log('');
+      }
+    }
+
+    await client.disconnect();
+  });
+
+  smartcliInstance.addCommand('admin-suspend').subscribe(async (argv) => {
+    const client = getIdpClient();
+    const userId = argv.user || argv.u || argv._[1];
+
+    if (!userId) {
+      console.error('Please provide a user ID: idp admin-suspend --user <user-id>');
+      return;
+    }
+
+    const interact = new plugins.smartinteract.SmartInteract();
+    const confirmAnswer = await interact.askQuestion({
+      type: 'confirm',
+      name: 'confirm',
+      message: `Are you sure you want to suspend user ${userId}?`,
+      default: false,
+    });
+
+    if (confirmAnswer.value) {
+      const success = await client.suspendUser(userId);
+      if (success) {
+        console.log('User suspended successfully.');
+      } else {
+        console.error('Failed to suspend user.');
+      }
+    } else {
+      console.log('Operation cancelled.');
+    }
+
+    await client.disconnect();
+  });
+
+  // ============================================
+  // Default/Standard command
+  // ============================================
+  smartcliInstance.standardCommand().subscribe(async (argv) => {
+    // If no command specified, show help
+    smartcliInstance.triggerCommand('help', argv);
+  });
+
+  // Start parsing
+  smartcliInstance.startParse();
+};
+
+// Auto-run if this is the main module
+runCli().catch(console.error);

ts_idpcli/plugins.ts

@@ -0,0 +1,25 @@
+// node built-ins
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+
+export { fs, path, os };
+
+// @push.rocks scope
+import * as smartcli from '@push.rocks/smartcli';
+import * as smartpromise from '@push.rocks/smartpromise';
+import * as smartrx from '@push.rocks/smartrx';
+import * as smartinteract from '@push.rocks/smartinteract';
+
+export { smartcli, smartpromise, smartrx, smartinteract };
+
+// @api.global scope
+import * as typedrequest from '@api.global/typedrequest';
+import * as typedsocket from '@api.global/typedsocket';
+
+export { typedrequest, typedsocket };
+
+// local
+import * as idpInterfaces from '../dist_ts_interfaces/index.js';
+
+export { idpInterfaces };

ts_idpcli/readme.md

@@ -0,0 +1,111 @@
+# @idp.global/cli
+
+Terminal client for `idp.global`.
+
+It wraps the same typed backend used by the web app and SDK, but stores credentials on disk so you can inspect accounts, sessions, orgs, and admin state from the shell.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Install
+
+```bash
+pnpm add -g @idp.global/cli
+```
+
+## Quick Start
+
+```bash
+idp login
+idp whoami
+idp orgs
+idp sessions
+```
+
+## Commands
+
+| Command | Purpose |
+| --- | --- |
+| `idp login` | Prompt for email and password |
+| `idp login-token` | Prompt for an API token |
+| `idp logout` | Remove local credentials and try server-side logout |
+| `idp whoami` | Print the current user |
+| `idp sessions` | List active sessions |
+| `idp revoke --session <session-id>` | Revoke a session |
+| `idp orgs` | List organizations for the current user |
+| `idp orgs-create` | Interactively create an organization |
+| `idp members --org <org-id>` | List members for an organization |
+| `idp invite --org <org-id> --email user@example.com` | Invite a member |
+| `idp admin-check` | Check global admin status |
+| `idp admin-apps` | List global app stats |
+| `idp admin-suspend --user <user-id>` | Suspend a user |
+
+## Configuration
+
+The CLI reads `IDP_URL` and defaults to `https://idp.global`.
+
+```bash
+IDP_URL=http://localhost:2999 idp whoami
+```
+
+Credentials are stored in:
+
+```text
+~/.idp-global/credentials.json
+```
+
+## Programmatic Usage
+
+```ts
+import { IdpCli } from '@idp.global/cli';
+
+const cli = new IdpCli({
+  idpBaseUrl: 'http://localhost:2999',
+});
+
+await cli.loginWithPassword('user@example.com', 'secret');
+
+const me = await cli.whoami();
+const orgs = await cli.getOrganizations();
+
+console.log(me?.data?.email);
+console.log(orgs?.organizations.length);
+
+await cli.disconnect();
+```
+
+## What The Class Exposes
+
+- `loginWithPassword()` and `loginWithApiToken()`
+- `refreshJwt()` and `logout()`
+- `whoami()`, `getSessions()`, and `revokeSession()`
+- `getOrganizations()`, `createOrganization()`, `getOrgMembers()`, and `inviteMember()`
+- `checkGlobalAdmin()`, `getGlobalAppStats()`, and `suspendUser()`
+
+## Implementation Notes
+
+- The CLI connects to the backend websocket surface at `/typedrequest`.
+- It uses file-based credentials instead of browser storage.
+- `orgs-create` first checks availability, then creates the organization.
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH  
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

ts_idpcli/tspublish.json

@@ -0,0 +1,4 @@
+{
+  "name": "@idp.global/cli",
+  "order": 4
+}

ts_idpclient/classes.idpclient.ts

@@ -4,34 +4,34 @@ import * as plugins from './plugins.js';
 export class IdpClient {
   // INSTANCE PRIVATE
   private helpers = {
-    async extractDataFromJwtString(jwtString: string): Promise<plugins.lointReception.data.IJwt> {
+    async extractDataFromJwtString(jwtString: string): Promise<plugins.idpInterfaces.data.IJwt> {
       return plugins.webjwt.getDataFromJwtString(jwtString);
     },
   };
 
   // INSTANCE PUBLIC
 
-  public appData: plugins.lointReception.data.IApp;
+  public appData: plugins.idpInterfaces.data.IAppLegacy;
   public rolesReplaySubject = new plugins.smartrx.rxjs.ReplaySubject(1);
   public organizationsReplaySubject = new plugins.smartrx.rxjs.ReplaySubject(1);
 
-  public receptionTrUrl: string;
+  public parsedReceptionUrl: plugins.smarturl.Smarturl;
-  constructor(receptionBaseUrlArg: string, appDataArg?: plugins.lointReception.data.IApp) {
+  constructor(receptionBaseUrlArg: string, appDataArg?: plugins.idpInterfaces.data.IAppLegacy) {
-    this.receptionTrUrl = receptionBaseUrlArg
+    if (receptionBaseUrlArg.endsWith('/')) {
-    if (this.receptionTrUrl.endsWith('/')) {
+      receptionBaseUrlArg = receptionBaseUrlArg.slice(0, -1);
-      this.receptionTrUrl = this.receptionTrUrl.slice(0, -1);
     }
-    if (!this.receptionTrUrl.endsWith('/typedrequest')) {
+    if (!receptionBaseUrlArg.endsWith('/typedrequest')) {
-      this.receptionTrUrl = `${this.receptionTrUrl}/typedrequest`;
+      receptionBaseUrlArg = `${receptionBaseUrlArg}/typedrequest`;
     }
-    console.log(`reception client connecting to ${this.receptionTrUrl}`);
+    this.parsedReceptionUrl = plugins.smarturl.Smarturl.createFromUrl(receptionBaseUrlArg);
+    console.log(`reception client connecting to ${this.parsedReceptionUrl.toString()}`);
     if (!appDataArg) {
       appDataArg = {
         id: '', // TODO
         appUrl: `https://${window.location.host}/`,
-        description: null,
+        description: '',
-        logoUrl: null,
+        logoUrl: '',
-        name: null,
+        name: '',
       };
     }
     this.appData = appDataArg;
@@ -39,6 +39,11 @@ export class IdpClient {
 
   public requests = new IdpRequests(this);
 
+  public checkWetherOnReceptionDomain() {
+    return plugins.smarturl.Smarturl.createFromUrl(window.location.href).hostname ===
+      this.parsedReceptionUrl.hostname;
+  }
+
   /**
    * app data can be transferred when redirecting to the sso domain using query params
    * this message retrieves the app data when on the sso domain
@@ -62,10 +67,14 @@ export class IdpClient {
     await this.storeJwt(jwtStringArg);
   }
 
+  public async setRefreshToken(refreshTokenArg: string) {
+    await this.storeRefreshToken(refreshTokenArg);
+  }
+
   /**
    * a typedsocket for going reactive
    */
-  public typedsocket: plugins.typedsocket.TypedSocket;
+  public typedsocket!: plugins.typedsocket.TypedSocket;
 
   /**
    * a typed router to go reactive
@@ -73,27 +82,41 @@ export class IdpClient {
   public typedrouter = new plugins.typedrequest.TypedRouter();
 
   public statusObservable =
-    new plugins.smartrx.rxjs.Subject<plugins.lointReception.data.TLoginStatus>();
+    new plugins.smartrx.rxjs.Subject<plugins.idpInterfaces.data.TLoginStatus>();
 
   public ssoStore = new plugins.webstore.WebStore({
-    storeName: 'wgsso',
+    storeName: 'idpglobalStore',
-    dbName: 'wgsso',
+    dbName: 'main',
   });
 
   public async storeJwt(jwtString: string) {
-    await this.ssoStore.set('wgJwt', jwtString);
+    await this.ssoStore.set('idpJwt', jwtString);
+  }
+
+  public async storeRefreshToken(refreshToken: string) {
+    await this.ssoStore.set('idpRefreshToken', refreshToken);
   }
 
   public async getJwt(): Promise<string> {
-    return await this.ssoStore.get('wgJwt');
+    return await this.ssoStore.get('idpJwt');
   }
-  public async getJwtData(): Promise<plugins.lointReception.data.IJwt> {
+  public async getRefreshToken(): Promise<string> {
+    return await this.ssoStore.get('idpRefreshToken');
+  }
+  public async getJwtData(): Promise<plugins.idpInterfaces.data.IJwt> {
     return this.helpers.extractDataFromJwtString(await this.getJwt());
   }
 
   public async deleteJwt() {
-    await this.ssoStore.delete('wgJwt');
+    await this.ssoStore.delete('idpJwt');
-    console.log('removed jwt');
+  }
+
+  public async deleteRefreshToken() {
+    await this.ssoStore.delete('idpRefreshToken');
+  }
+
+  public async clearAuthState() {
+    await Promise.all([this.deleteJwt(), this.deleteRefreshToken()]);
   }
 
   /**
@@ -110,47 +133,63 @@ export class IdpClient {
     if (extractedJwt.data.refreshFrom < Date.now() && Date.now() < extractedJwt.data.validUntil) {
       jwt = await this.refreshJwt();
     } else if (Date.now() > extractedJwt.data.validUntil) {
-      this.deleteJwt();
+      await this.deleteJwt();
+      jwt = await this.refreshJwt();
     }
     return jwt;
   }
 
-  public async refreshJwt(refreshTokenArg?: string): Promise<string> {
+  public async refreshJwt(refreshTokenArg?: string): Promise<string | null> {
-    let extractedJwt: plugins.lointReception.data.IJwt;
+    const refreshToken = refreshTokenArg || (await this.getRefreshToken());
 
-    if (!refreshTokenArg) {
+    if (!refreshToken) {
-      extractedJwt = await this.helpers.extractDataFromJwtString(await this.getJwt());
+      return null;
     }
+
+    await this.typedsocketDeferred.promise;
     const refreshJwtReq =
-      new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_RefreshJwt>(
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
-        `${this.receptionTrUrl}/typedrequest`,
         'refreshJwt'
       );
-    const response = await refreshJwtReq.fire({
+    const response = await refreshJwtReq
-      refreshToken: refreshTokenArg || extractedJwt.data.refreshToken,
+      .fire({
-    });
+        refreshToken,
-    if (response.jwt) {
+      })
-      await this.storeJwt(response.jwt);
+      .catch(async () => {
-    } else {
+        await this.clearAuthState();
-      await this.deleteJwt();
+        return null;
+      });
+
+    if (!response?.jwt) {
+      await this.clearAuthState();
+      this.statusObservable.next(response?.status || 'loggedOut');
+      return null;
     }
+
+    if (response.refreshToken) {
+      await this.storeRefreshToken(response.refreshToken);
+    }
+    await this.storeJwt(response.jwt);
     this.statusObservable.next(response.status);
-    return await this.getJwt();
+    return response.jwt;
   }
 
   /**
    * can be used to switch between pages
    */
-  public async getTransferToken(appDataArg?: plugins.lointReception.data.IApp): Promise<string> {
+  public async getTransferToken(appDataArg?: plugins.idpInterfaces.data.IAppLegacy): Promise<string | null> {
-    const jwt = await this.performJwtHousekeeping();
+    await this.performJwtHousekeeping();
-    const extractedJwt = await this.helpers.extractDataFromJwtString(jwt);
+    const refreshToken = await this.getRefreshToken();
+    if (!refreshToken) {
+      return null;
+    }
+    await this.typedsocketDeferred.promise;
     const getTransferToken =
-      new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_ExchangeRefreshTokenAndTransferToken>(
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
-        `${this.receptionTrUrl}/typedrequest`,
         'exchangeRefreshTokenAndTransferToken'
       );
     const response = await getTransferToken.fire({
-      refreshToken: extractedJwt.data.refreshToken,
+      refreshToken,
       appData: appDataArg || this.appData,
     });
     return response.transferToken;
@@ -182,9 +221,9 @@ export class IdpClient {
     const url = plugins.smarturl.Smarturl.createFromUrl(href);
     const transferToken = url.searchParams['transfertoken'];
     if (transferToken) {
+      await this.typedsocketDeferred.promise;
       const getTransferToken =
-        new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_ExchangeRefreshTokenAndTransferToken>(
+        this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
-          `${this.receptionTrUrl}/typedrequest`,
           'exchangeRefreshTokenAndTransferToken'
         );
       const response = await getTransferToken.fire({
@@ -214,7 +253,8 @@ export class IdpClient {
   }
 
   /**
-   * forces the current user to login
+   * determines if the user is logged in
+   * accepts boolean to optionally require login
    * @param requireLoginArg
    * @returns
    */
@@ -224,6 +264,13 @@ export class IdpClient {
       const jwt = await this.performJwtHousekeeping();
       return !!jwt;
     } else {
+      const refreshToken = await this.getRefreshToken();
+      if (refreshToken) {
+        const jwt = await this.refreshJwt(refreshToken);
+        if (jwt) {
+          return true;
+        }
+      }
       const transferTokenResult = await this.processTransferToken();
       if (transferTokenResult) {
         // we are in the clear
@@ -231,15 +278,14 @@ export class IdpClient {
       } else {
         if (requireLoginArg) {
           const urlInstance = plugins.smarturl.Smarturl.createFromUrl(
-            'https://sso.workspace.global/',
+            this.parsedReceptionUrl.clone().set('path', '/login').toString(),
             {
               searchParams: {
                 appdata: plugins.smartjson.stringifyBase64(this.appData),
-                action: 'login',
               },
             }
           );
-          if (!globalThis.location.href.startsWith('https://sso.workspace.global/')) {
+          if (!globalThis.location.href.startsWith(this.parsedReceptionUrl.toString())) {
             globalThis.location.href = urlInstance.toString();
           }
         }
@@ -252,28 +298,29 @@ export class IdpClient {
    * logs out the current user
    */
   public async logout() {
-    const urlInstance = plugins.smarturl.Smarturl.createFromUrl('https://sso.workspace.global/', {
+    const idpLogoutUrl = this.parsedReceptionUrl.clone().set('path', '/logout');
-      searchParams: {
+    const refreshToken = await this.getRefreshToken();
-        appdata: plugins.smartjson.stringifyBase64(this.appData),
+    if (!globalThis.location.href.startsWith(idpLogoutUrl.origin)) {
-        action: 'logout',
-      },
-    });
-    if (!globalThis.location.href.startsWith('https://sso.workspace.global/')) {
       // we are somewhere in an app
-      await this.deleteJwt();
+      await this.clearAuthState();
-      globalThis.location.href = urlInstance.toString();
+      globalThis.location.href = idpLogoutUrl.toString();
     } else {
       // we are in the sso page
+      if (!refreshToken) {
+        await this.clearAuthState();
+        window.location.href = this.parsedReceptionUrl.origin;
+        return;
+      }
       await this.enableTypedSocket();
-      console.log(`logging out against ${this.receptionTrUrl}`)
+      console.log(`logging out against ${this.parsedReceptionUrl.toString()}`);
       const logoutTr =
-        this.typedsocket.createTypedRequest<plugins.lointReception.request.ILogoutRequest>(
+        this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.ILogoutRequest>(
           'logout'
         );
       await logoutTr.fire({
-        refreshToken: (await this.getJwtData()).data.refreshToken,
+        refreshToken,
       });
-      await this.deleteJwt();
+      await this.clearAuthState();
       const appData = await this.getAppDataOnSsoDomain();
       if (appData) {
         console.log(`redirecting to app after logout: ${appData.appUrl}`);
@@ -281,6 +328,9 @@ export class IdpClient {
       } else {
         console.error('no appData provided. Not redirecting after logout.');
       }
+      if (window.location.href.startsWith(idpLogoutUrl.origin)) {
+        window.location.href = this.parsedReceptionUrl.origin;
+      }
     }
   }
 
@@ -292,7 +342,7 @@ export class IdpClient {
     this.typedsocketDeferred.claim();
     this.typedsocket = await plugins.typedsocket.TypedSocket.createClient(
       this.typedrouter,
-      `${this.receptionTrUrl}/`
+      this.parsedReceptionUrl.toString()
     );
     this.typedsocketDeferred.resolve(this.typedsocket);
     return this.typedsocketDeferred.promise;
@@ -312,7 +362,7 @@ export class IdpClient {
   ) {
     await this.typedsocketDeferred.promise;
     const validateOrg =
-      this.typedsocket.createTypedRequest<plugins.lointReception.request.IReq_CreateOrganization>(
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CreateOrganization>(
         'createOrganization'
       );
     const response = await validateOrg.fire({
@@ -329,9 +379,10 @@ export class IdpClient {
    * gets the current OrganizationRoles
    */
   public async getRolesAndOrganizations() {
+    console.log('idpclient: getting roles and orgs...');
     await this.typedsocketDeferred.promise;
     const rolesAndOrganizationsForUserId =
-      this.typedsocket.createTypedRequest<plugins.lointReception.request.IReq_GetRolesAndOrganizationsForUserId>(
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetRolesAndOrganizationsForUserId>(
         'getRolesAndOrganizationsForUserId'
       );
     const response = await rolesAndOrganizationsForUserId.fire({
@@ -347,7 +398,7 @@ export class IdpClient {
   public async updatePaddleCheckoutId(orgIdArg: string, checkoutIdArg: string) {
     await this.typedsocketDeferred.promise;
     const updateBillingPlan =
-      this.typedsocket.createTypedRequest<plugins.lointReception.request.IReq_UpdatePaymentMethod>(
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_UpdatePaymentMethod>(
         'updatePaymentMethod'
       );
     const response = await updateBillingPlan.fire({
@@ -359,4 +410,16 @@ export class IdpClient {
     });
     return response;
   }
+
+  public async whoIs() {
+    await this.typedsocketDeferred.promise;
+    const whoIs =
+      this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_WhoIs>(
+        'whoIs'
+      );
+    const response = await whoIs.fire({
+      jwt: await this.getJwt(),
+    });
+    return response;
+  }
 }

ts_idpclient/classes.idprequests.ts

@@ -3,6 +3,7 @@ import type { IdpClient } from "./classes.idpclient.js";
 
 /**
  * this class bundles all the typed requests that are used by the idp
+ * All requests use TypedSocket (WebSocket) transport
  */
 export class IdpRequests {
   idpClientArg: IdpClient;
@@ -11,52 +12,315 @@ export class IdpRequests {
   }
 
   public get afterRegistrationEmailClicked () {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_AfterRegistrationEmailClicked>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_AfterRegistrationEmailClicked>(
-      this.idpClientArg.receptionTrUrl,
       'afterRegistrationEmailClicked'
     );
   }
 
   public get setData() {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_SetDataForRegistration>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_SetDataForRegistration>(
-      this.idpClientArg.receptionTrUrl,
       'setDataForRegistration'
     );
   }
 
   public get mobileNumberVerification () {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_MobileVerificationForRegistration>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_MobileVerificationForRegistration>(
-      this.idpClientArg.receptionTrUrl,
       'mobileVerificationForRegistration'
     );
   }
-    
+
 
   public get finishRegistration() {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_FinishRegistration>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_FinishRegistration>(
-      this.idpClientArg.receptionTrUrl,
       'finishRegistration'
     );
   }
 
   public get loginWithUserNameAndPassword () {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_LoginWithEmailOrUsernameAndPassword>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmailOrUsernameAndPassword>(
-      this.idpClientArg.receptionTrUrl,
       'loginWithEmailOrUsernameAndPassword'
     );
-  } 
+  }
 
   public get obtainJwt () {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_RefreshJwt>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
-      this.idpClientArg.receptionTrUrl,
       'refreshJwt'
     );
   }
 
   public get obtainOneTimeToken () {
-    return new plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_ExchangeRefreshTokenAndTransferToken>(
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
-      this.idpClientArg.receptionTrUrl,
       'exchangeRefreshTokenAndTransferToken'
     );
   }
-}
+
+  // ============================================
+  // Login & Authentication
+  // ============================================
+
+  public get loginWithEmail() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmail>(
+      'loginWithEmail'
+    );
+  }
+
+  public get loginWithEmailAfterToken() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithEmailAfterEmailTokenAquired>(
+      'loginWithEmailAfterEmailTokenAquired'
+    );
+  }
+
+  public get loginWithApiToken() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_LoginWithApiToken>(
+      'loginWithApiToken'
+    );
+  }
+
+  public get resetPassword() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ResetPassword>(
+      'resetPassword'
+    );
+  }
+
+  public get setNewPassword() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_SetNewPassword>(
+      'setNewPassword'
+    );
+  }
+
+  public get obtainDeviceId() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ObtainDeviceId>(
+      'obtainDeviceId'
+    );
+  }
+
+  public get attachDeviceId() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_AttachDeviceId>(
+      'attachDeviceId'
+    );
+  }
+
+  // ============================================
+  // Registration
+  // ============================================
+
+  public get firstRegistration() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_FirstRegistration>(
+      'firstRegistrationRequest'
+    );
+  }
+
+  // ============================================
+  // User Management
+  // ============================================
+
+  public get getUserData() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetUserData>(
+      'getUserData'
+    );
+  }
+
+  public get setUserData() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_SetUserData>(
+      'setUserData'
+    );
+  }
+
+  public get getUserSessions() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetUserSessions>(
+      'getUserSessions'
+    );
+  }
+
+  public get revokeSession() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RevokeSession>(
+      'revokeSession'
+    );
+  }
+
+  public get getUserActivity() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetUserActivity>(
+      'getUserActivity'
+    );
+  }
+
+  // ============================================
+  // Organization Management
+  // ============================================
+
+  public get getOrganizationById() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetOrganizationById>(
+      'getOrganizationById'
+    );
+  }
+
+  public get updateOrganization() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_UpdateOrganization>(
+      'updateOrganization'
+    );
+  }
+
+  // ============================================
+  // Member & Invitation Management
+  // ============================================
+
+  public get createInvitation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CreateInvitation>(
+      'createInvitation'
+    );
+  }
+
+  public get getOrgInvitations() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetOrgInvitations>(
+      'getOrgInvitations'
+    );
+  }
+
+  public get getOrgMembers() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetOrgMembers>(
+      'getOrgMembers'
+    );
+  }
+
+  public get cancelInvitation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CancelInvitation>(
+      'cancelInvitation'
+    );
+  }
+
+  public get resendInvitation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ResendInvitation>(
+      'resendInvitation'
+    );
+  }
+
+  public get removeMember() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RemoveMember>(
+      'removeMember'
+    );
+  }
+
+  public get updateMemberRoles() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_UpdateMemberRoles>(
+      'updateMemberRoles'
+    );
+  }
+
+  public get transferOwnership() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_TransferOwnership>(
+      'transferOwnership'
+    );
+  }
+
+  public get getInvitationByToken() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetInvitationByToken>(
+      'getInvitationByToken'
+    );
+  }
+
+  public get acceptInvitation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_AcceptInvitation>(
+      'acceptInvitation'
+    );
+  }
+
+  public get bulkCreateInvitations() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_BulkCreateInvitations>(
+      'bulkCreateInvitations'
+    );
+  }
+
+  // ============================================
+  // Billing
+  // ============================================
+
+  public get getBillingPlan() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetBillingPlan>(
+      'getBillingPlan'
+    );
+  }
+
+  public get getPaddleConfig() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetPaddleConfig>(
+      'getPaddleConfig'
+    );
+  }
+
+  // ============================================
+  // JWT Verification & Management
+  // ============================================
+
+  public get getPublicKeyForValidation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetPublicKeyForValidation>(
+      'getPublicKeyForValidation'
+    );
+  }
+
+  public get pushPublicKeyForValidation() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PushPublicKeyForValidation>(
+      'pushPublicKeyForValidation'
+    );
+  }
+
+  public get pushOrGetJwtIdBlocklist() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_PushOrGetJwtIdBlocklist>(
+      'pushOrGetJwtIdBlocklist'
+    );
+  }
+
+  // ============================================
+  // User Suspension (Admin)
+  // ============================================
+
+  public get suspendUser() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_SuspendUser>(
+      'suspendUser'
+    );
+  }
+
+  public get deleteSuspendedUser() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IDeleteSuspendedUser>(
+      'deleteSuspendedUser'
+    );
+  }
+
+  // ============================================
+  // Admin (Global Admin Only)
+  // ============================================
+
+  public get checkGlobalAdmin() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CheckGlobalAdmin>(
+      'checkGlobalAdmin'
+    );
+  }
+
+  public get getGlobalAppStats() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_GetGlobalAppStats>(
+      'getGlobalAppStats'
+    );
+  }
+
+  public get createGlobalApp() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_CreateGlobalApp>(
+      'createGlobalApp'
+    );
+  }
+
+  public get updateGlobalApp() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_UpdateGlobalApp>(
+      'updateGlobalApp'
+    );
+  }
+
+  public get deleteGlobalApp() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_DeleteGlobalApp>(
+      'deleteGlobalApp'
+    );
+  }
+
+  public get regenerateAppCredentials() {
+    return this.idpClientArg.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RegenerateAppCredentials>(
+      'regenerateAppCredentials'
+    );
+  }
+}

ts_idpclient/plugins.ts

@@ -1,7 +1,7 @@
 // losslessone_private scope
-import * as lointReception from '../dist_ts_interfaces/index.js';
+import * as idpInterfaces from '../dist_ts_interfaces/index.js';
 
-export { lointReception };
+export { idpInterfaces };
 
 // apiglobal scope
 import * as typedrequest from '@api.global/typedrequest';

ts_idpclient/readme.md

@@ -0,0 +1,156 @@
+# @idp.global/client
+
+Browser-facing TypeScript client for talking to an `idp.global` server over `typedrequest` and `typedsocket`.
+
+It handles login state, refresh tokens, JWT housekeeping, cross-app transfer tokens, and direct access to the typed request surface.
+
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Install
+
+```bash
+pnpm add @idp.global/client
+```
+
+## Quick Start
+
+```ts
+import { IdpClient } from '@idp.global/client';
+
+const idpClient = new IdpClient('https://idp.global');
+await idpClient.enableTypedSocket();
+
+const loggedIn = await idpClient.determineLoginStatus();
+
+if (!loggedIn) {
+  const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
+    username: 'user@example.com',
+    password: 'secret',
+  });
+
+  if (loginResult.refreshToken) {
+    await idpClient.refreshJwt(loginResult.refreshToken);
+  }
+}
+
+const whoIs = await idpClient.whoIs();
+console.log(whoIs.user.data.email);
+```
+
+## What The Client Handles
+
+- Normalizes the base URL to the server's `/typedrequest` endpoint.
+- Stores JWT and refresh token state in a browser `WebStore`.
+- Refreshes expiring JWTs via `performJwtHousekeeping()`.
+- Redirects to `/login` when `determineLoginStatus(true)` is used.
+- Exchanges refresh tokens for cross-app transfer tokens.
+- Exposes the low-level typed requests through `idpClient.requests`.
+
+## Common Flows
+
+### Password Login
+
+```ts
+const result = await idpClient.requests.loginWithUserNameAndPassword.fire({
+  username: 'user@example.com',
+  password: 'secret',
+});
+
+if (result.refreshToken) {
+  await idpClient.refreshJwt(result.refreshToken);
+}
+```
+
+### Magic Link Login
+
+```ts
+await idpClient.requests.loginWithEmail.fire({
+  email: 'user@example.com',
+});
+
+const result = await idpClient.requests.loginWithEmailAfterToken.fire({
+  email: 'user@example.com',
+  token: 'token-from-email',
+});
+
+await idpClient.refreshJwt(result.refreshToken);
+```
+
+### Session and Identity
+
+```ts
+await idpClient.performJwtHousekeeping();
+
+const jwt = await idpClient.getJwt();
+const jwtData = await idpClient.getJwtData();
+const whoIs = await idpClient.whoIs();
+
+console.log(jwtData.id, whoIs.user.data.username);
+```
+
+### Organizations
+
+```ts
+const rolesAndOrganizations = await idpClient.getRolesAndOrganizations();
+
+const created = await idpClient.createOrganization(
+  'Acme',
+  'acme',
+  'manifest'
+);
+
+const members = await idpClient.requests.getOrgMembers.fire({
+  jwt: await idpClient.getJwt(),
+  organizationId: created.resultingOrganization.id,
+});
+```
+
+### Cross-App Transfer
+
+```ts
+const transferToken = await idpClient.getTransferToken();
+await idpClient.getTransferTokenAndSwitchToLocation('https://app.example.com/');
+```
+
+## Typed Request Surface
+
+`IdpRequests` exposes typed request getters for:
+
+- authentication
+- registration
+- user/session queries
+- org and invitation management
+- billing requests
+- JWT validation key requests
+- admin requests
+
+Use these when you want full control instead of the higher-level helper methods on `IdpClient`.
+
+## Important Runtime Notes
+
+- The default fallback `appData` uses `window.location`, so this package is primarily browser-oriented.
+- The client expects the backend `typedrequest` websocket surface to be reachable.
+- Auth state is persisted in browser storage under the `idpglobalStore` store name.
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH  
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

ts_idpclient/tspublish.json

@@ -0,0 +1,4 @@
+{
+  "name": "@idp.global/client",
+  "order": 3
+}

ts_interfaces/data/index.ts

@@ -1,9 +1,15 @@
+export * from './loint-reception.activity.js';
 export * from './loint-reception.app.js';
+export * from './loint-reception.emailactiontoken.js';
+export * from './loint-reception.oidc.js';
+export * from './loint-reception.appconnection.js';
 export * from './loint-reception.billingplan.js';
 export * from './loint-reception.device.js';
 export * from './loint-reception.jwt.js';
 export * from './loint-reception.loginsession.js';
 export * from './loint-reception.organization.js';
 export * from './loint-reception.paddlecheckoutdata.js';
+export * from './loint-reception.registrationsession.js';
 export * from './loint-reception.role.js';
 export * from './loint-reception.user.js';
+export * from './loint-reception.userinvitation.js';

ts_interfaces/data/loint-reception.activity.ts

@@ -0,0 +1,28 @@
+export type TActivityAction =
+  | 'login'
+  | 'logout'
+  | 'session_created'
+  | 'session_revoked'
+  | 'org_created'
+  | 'org_joined'
+  | 'org_left'
+  | 'role_changed'
+  | 'profile_updated'
+  | 'app_connected'
+  | 'app_disconnected';
+
+export interface IActivityLog {
+  id: string;
+  data: {
+    userId: string;
+    action: TActivityAction;
+    timestamp: number;
+    metadata: {
+      ip?: string;
+      userAgent?: string;
+      targetId?: string;
+      targetType?: string;
+      description: string;
+    };
+  };
+}

ts_interfaces/data/loint-reception.app.ts

@@ -1,4 +1,80 @@
-export interface IApp {
+// App Types
+export type TAppType = 'global' | 'partner' | 'custom_oidc';
+export type TAppApprovalStatus = 'draft' | 'pending_review' | 'approved' | 'rejected' | 'suspended';
+
+// OAuth Credentials
+export interface IOAuthCredentials {
+  clientId: string;
+  clientSecretHash: string;
+  redirectUris: string[];
+  allowedScopes: string[];
+  grantTypes: ('authorization_code' | 'client_credentials' | 'refresh_token')[];
+}
+
+// Base app data shared by all app types
+export interface IAppBaseData {
+  name: string;
+  description: string;
+  logoUrl: string;
+  appUrl: string;
+}
+
+// Global App - First-party apps managed by platform (foss.global, task.vc, etc.)
+export interface IGlobalApp {
+  id: string;
+  type: 'global';
+  data: IAppBaseData & {
+    oauthCredentials: IOAuthCredentials;
+    isActive: boolean;
+    category: string;
+    createdAt: number;
+    createdByUserId: string;
+  };
+}
+
+// Partner App - Third-party apps submitted to AppStore
+export interface IPartnerApp {
+  id: string;
+  type: 'partner';
+  data: IAppBaseData & {
+    ownerOrganizationId: string;
+    oauthCredentials: IOAuthCredentials;
+    appStoreMetadata: {
+      shortDescription: string;
+      longDescription: string;
+      screenshots: string[];
+      category: string;
+      tags: string[];
+      pricing: { model: 'free' | 'paid' | 'freemium' };
+    };
+    approvalStatus: TAppApprovalStatus;
+    isPublished: boolean;
+    installCount: number;
+  };
+}
+
+// Custom OIDC App - Organization-created OAuth clients
+export interface ICustomOidcApp {
+  id: string;
+  type: 'custom_oidc';
+  data: IAppBaseData & {
+    ownerOrganizationId: string;
+    oauthCredentials: IOAuthCredentials;
+    oidcSettings: {
+      accessTokenLifetime: number; // seconds
+      refreshTokenLifetime: number; // seconds
+    };
+  };
+}
+
+// Union type for all app types
+export type IApp = IGlobalApp | IPartnerApp | ICustomOidcApp;
+
+/**
+ * Legacy interface for backwards compatibility with existing code
+ * that expects a flat app structure (e.g., idpclient, transfermanager)
+ */
+export interface IAppLegacy {
   /**
    * must be unique
    */
@@ -11,3 +87,13 @@ export interface IApp {
   logoUrl: string;
   appUrl: string;
 }
+
+/**
+ * Storage interface for SmartData documents
+ * Uses the discriminated union approach with a 'type' field
+ */
+export interface IAppDocument {
+  id: string;
+  type: TAppType;
+  data: IGlobalApp['data'] | IPartnerApp['data'] | ICustomOidcApp['data'];
+}

ts_interfaces/data/loint-reception.appconnection.ts

@@ -0,0 +1,16 @@
+import type { TAppType } from './loint-reception.app.js';
+
+export type TAppConnectionStatus = 'active' | 'disconnected';
+
+export interface IAppConnection {
+  id: string;
+  data: {
+    organizationId: string;
+    appId: string;
+    appType: TAppType;
+    status: TAppConnectionStatus;
+    connectedAt: number;
+    connectedByUserId: string;
+    grantedScopes: string[];
+  };
+}

ts_interfaces/data/loint-reception.emailactiontoken.ts

@@ -0,0 +1,12 @@
+export type TEmailActionTokenAction = 'emailLogin' | 'passwordReset';
+
+export interface IEmailActionToken {
+  id: string;
+  data: {
+    email: string;
+    action: TEmailActionTokenAction;
+    tokenHash: string;
+    validUntil: number;
+    createdAt: number;
+  };
+}

ts_interfaces/data/loint-reception.jwt.ts

@@ -10,6 +10,11 @@ export interface IJwt {
      */
     userId: string;
 
+    /**
+     * the login session backing this jwt
+     */
+    sessionId?: string;
+
     /**
      * the latest point of
      */
@@ -24,9 +29,9 @@ export interface IJwt {
     refreshEvery: number;
 
     /**
-     * the refresh token to obtain a new jwt for a session
+     * legacy field kept for compatibility with already-issued jwt documents
      */
-    refreshToken: string;
+    refreshToken?: string;
 
     /**
      * just for looks/debugging

ts_interfaces/data/loint-reception.loginsession.ts

@@ -1,14 +1,38 @@
 export interface ILoginSession {
   id: string;
   data: {
-    userId: string;
+    userId: string | null;
     validUntil: number;
     invalidated: boolean;
-    refreshToken: string;
+    /**
+     * legacy plaintext refresh token field kept so existing sessions can migrate on first use
+     */
+    refreshToken?: string | null;
+    refreshTokenHash?: string | null;
+    rotatedRefreshTokenHashes?: string[];
+    transferTokenHash?: string | null;
+    transferTokenExpiresAt?: number | null;
     /**
      * a device id that can be used to share the login session
      * in different contexts on the same device
      */
-    deviceId: string;
+    deviceId?: string | null;
+    /**
+     * Device metadata for session display
+     */
+    deviceInfo?: {
+      deviceName: string;
+      browser: string;
+      os: string;
+      ip: string;
+    } | null;
+    /**
+     * When this session was created
+     */
+    createdAt?: number;
+    /**
+     * Last time this session was active (e.g., refreshed)
+     */
+    lastActive?: number;
   };
 }

ts_interfaces/data/loint-reception.oidc.ts

@@ -0,0 +1,267 @@
+/**
+ * OIDC (OpenID Connect) data interfaces for third-party client support
+ */
+
+/**
+ * Supported OIDC scopes
+ */
+export type TOidcScope = 'openid' | 'profile' | 'email' | 'organizations' | 'roles';
+
+/**
+ * Authorization code for OAuth 2.0 authorization code flow
+ */
+export interface IAuthorizationCode {
+  /** The authorization code string */
+  code: string;
+  /** OAuth client ID */
+  clientId: string;
+  /** User ID who authorized */
+  userId: string;
+  /** Scopes granted */
+  scopes: TOidcScope[];
+  /** Redirect URI used in authorization request */
+  redirectUri: string;
+  /** PKCE code challenge (S256 hashed) */
+  codeChallenge?: string;
+  /** PKCE code challenge method */
+  codeChallengeMethod?: 'S256';
+  /** Nonce from authorization request (for ID token) */
+  nonce?: string;
+  /** Expiration timestamp (10 minutes from creation) */
+  expiresAt: number;
+  /** Whether the code has been used (single-use) */
+  used: boolean;
+}
+
+/**
+ * OIDC Access Token (opaque or JWT)
+ */
+export interface IOidcAccessToken {
+  /** Token identifier */
+  id: string;
+  /** The access token string (or hash for storage) */
+  tokenHash: string;
+  /** OAuth client ID */
+  clientId: string;
+  /** User ID */
+  userId: string;
+  /** Granted scopes */
+  scopes: TOidcScope[];
+  /** Expiration timestamp */
+  expiresAt: number;
+  /** Creation timestamp */
+  issuedAt: number;
+}
+
+/**
+ * OIDC Refresh Token
+ */
+export interface IOidcRefreshToken {
+  /** Token identifier */
+  id: string;
+  /** The refresh token string (or hash for storage) */
+  tokenHash: string;
+  /** OAuth client ID */
+  clientId: string;
+  /** User ID */
+  userId: string;
+  /** Granted scopes */
+  scopes: TOidcScope[];
+  /** Expiration timestamp */
+  expiresAt: number;
+  /** Creation timestamp */
+  issuedAt: number;
+  /** Whether the token has been revoked */
+  revoked: boolean;
+}
+
+/**
+ * User consent record for an OAuth client
+ */
+export interface IUserConsent {
+  /** Unique identifier */
+  id: string;
+  /** User who gave consent */
+  userId: string;
+  /** OAuth client ID */
+  clientId: string;
+  /** Scopes the user consented to */
+  scopes: TOidcScope[];
+  /** When consent was granted */
+  grantedAt: number;
+  /** When consent was last updated */
+  updatedAt: number;
+}
+
+/**
+ * OIDC Discovery Document (OpenID Provider Configuration)
+ */
+export interface IOidcDiscoveryDocument {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint: string;
+  jwks_uri: string;
+  revocation_endpoint: string;
+  scopes_supported: TOidcScope[];
+  response_types_supported: string[];
+  grant_types_supported: string[];
+  subject_types_supported: string[];
+  id_token_signing_alg_values_supported: string[];
+  token_endpoint_auth_methods_supported: string[];
+  code_challenge_methods_supported: string[];
+  claims_supported: string[];
+}
+
+/**
+ * JSON Web Key Set (JWKS) response
+ */
+export interface IJwks {
+  keys: IJwk[];
+}
+
+/**
+ * JSON Web Key (RSA public key)
+ */
+export interface IJwk {
+  kty: 'RSA';
+  use: 'sig';
+  alg: 'RS256';
+  kid: string;
+  n: string;  // RSA modulus (base64url encoded)
+  e: string;  // RSA exponent (base64url encoded)
+}
+
+/**
+ * ID Token claims (JWT payload)
+ */
+export interface IIdTokenClaims {
+  /** Issuer (idp.global URL) */
+  iss: string;
+  /** Subject (user ID) */
+  sub: string;
+  /** Audience (client ID) */
+  aud: string;
+  /** Expiration time (Unix timestamp) */
+  exp: number;
+  /** Issued at (Unix timestamp) */
+  iat: number;
+  /** Authentication time (Unix timestamp) */
+  auth_time?: number;
+  /** Nonce (if provided in authorization request) */
+  nonce?: string;
+  /** Access token hash (for hybrid flows) */
+  at_hash?: string;
+
+  // Profile scope claims
+  name?: string;
+  preferred_username?: string;
+  picture?: string;
+
+  // Email scope claims
+  email?: string;
+  email_verified?: boolean;
+
+  // Custom claims for organizations scope
+  organizations?: IOrganizationClaim[];
+
+  // Custom claims for roles scope
+  roles?: string[];
+}
+
+/**
+ * Organization claim in ID token / userinfo
+ */
+export interface IOrganizationClaim {
+  id: string;
+  name: string;
+  slug: string;
+  roles: string[];
+}
+
+/**
+ * UserInfo endpoint response
+ */
+export interface IUserInfoResponse {
+  /** Subject (user ID) - always included */
+  sub: string;
+
+  // Profile scope
+  name?: string;
+  preferred_username?: string;
+  picture?: string;
+
+  // Email scope
+  email?: string;
+  email_verified?: boolean;
+
+  // Organizations scope (custom)
+  organizations?: IOrganizationClaim[];
+
+  // Roles scope (custom)
+  roles?: string[];
+}
+
+/**
+ * Token endpoint response
+ */
+export interface ITokenResponse {
+  access_token: string;
+  token_type: 'Bearer';
+  expires_in: number;
+  refresh_token?: string;
+  id_token?: string;
+  scope: string;
+}
+
+/**
+ * Token endpoint error response
+ */
+export interface ITokenErrorResponse {
+  error: 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope';
+  error_description?: string;
+  error_uri?: string;
+}
+
+/**
+ * Authorization request parameters
+ */
+export interface IAuthorizationRequest {
+  client_id: string;
+  redirect_uri: string;
+  response_type: 'code';
+  scope: string;
+  state: string;
+  code_challenge?: string;
+  code_challenge_method?: 'S256';
+  nonce?: string;
+  prompt?: 'none' | 'login' | 'consent';
+}
+
+/**
+ * Token request for authorization_code grant
+ */
+export interface ITokenRequestAuthCode {
+  grant_type: 'authorization_code';
+  code: string;
+  redirect_uri: string;
+  client_id: string;
+  client_secret?: string;
+  code_verifier?: string;
+}
+
+/**
+ * Token request for refresh_token grant
+ */
+export interface ITokenRequestRefresh {
+  grant_type: 'refresh_token';
+  refresh_token: string;
+  client_id: string;
+  client_secret?: string;
+  scope?: string;
+}
+
+/**
+ * Union type for token requests
+ */
+export type ITokenRequest = ITokenRequestAuthCode | ITokenRequestRefresh;

ts_interfaces/data/loint-reception.registrationsession.ts

@@ -0,0 +1,31 @@
+export type TRegistrationSessionStatus =
+  | 'announced'
+  | 'emailValidated'
+  | 'mobileVerified'
+  | 'registered'
+  | 'failed';
+
+export interface IRegistrationSession {
+  id: string;
+  data: {
+    emailAddress: string;
+    hashedEmailToken: string;
+    smsCodeHash?: string | null;
+    smsvalidationCounter: number;
+    status: TRegistrationSessionStatus;
+    validUntil: number;
+    createdAt: number;
+    collectedData: {
+      userData: {
+        username?: string | null;
+        connectedOrgs: string[];
+        email?: string | null;
+        name?: string | null;
+        status?: 'new' | 'active' | 'deleted' | 'suspended' | null;
+        mobileNumber?: string | null;
+        password?: string | null;
+        passwordHash?: string | null;
+      };
+    };
+  };
+}