Compare commits

8 Commits

Author SHA1 Message Date
jkunz 1532c9704b v1.17.1
Docker (tags) / security (push) Failing after 1s
Docker (tags) / test (push) Has been skipped
Docker (tags) / release (push) Has been skipped
Docker (tags) / metadata (push) Has been skipped
2026-04-20 08:15:42 +00:00
jkunz 76efcb835f fix(docs): refresh module readmes and add repository license file 2026-04-20 08:15:42 +00:00
jkunz 2d1e6ea6e1 v1.17.0
Docker (tags) / security (push) Failing after 1s
Docker (tags) / test (push) Has been skipped
Docker (tags) / release (push) Has been skipped
Docker (tags) / metadata (push) Has been skipped
2026-04-20 08:12:07 +00:00
jkunz 98e614a945 feat(auth): harden authentication with argon2 passwords and rotating hashed refresh tokens 2026-04-20 08:12:07 +00:00
jkunz ad3e51a9e8 v1.16.0
Docker (tags) / security (push) Failing after 1s
Docker (tags) / test (push) Has been skipped
Docker (tags) / release (push) Has been skipped
Docker (tags) / metadata (push) Has been skipped
2026-01-29 15:06:40 +00:00
jkunz d8f72d620a feat(dev): add local development docs, update tswatch preset and add Playwright screenshots 2026-01-29 15:06:40 +00:00
jkunz 53b36e506c v1.15.0
Docker (tags) / security (push) Failing after 1s
Docker (tags) / test (push) Has been skipped
Docker (tags) / release (push) Has been skipped
Docker (tags) / metadata (push) Has been skipped
2026-01-29 14:24:08 +00:00
jkunz 7d5ad29a27 feat(build): add tsbundle/tswatch configs, update build/watch scripts, bump dependencies, and add CLI documentation 2026-01-29 14:24:08 +00:00
38 changed files with 4940 additions and 3416 deletions
Binary file not shown.

Binary file not shown.

Binary file not shown.

+32
@@ -1,5 +1,37 @@
# Changelog # Changelog
## 2026-04-20 - 1.17.1 - fix(docs)
refresh module readmes and add repository license file
- rewrite the root, backend, web, client, CLI, and interfaces README content to focus on current module responsibilities and usage
- standardize README license references to the lowercase license file path
- add the repository MIT license file
## 2026-04-20 - 1.17.0 - feat(auth)
harden authentication with argon2 passwords and rotating hashed refresh tokens
- replace SHA-256 password hashing with argon2 while preserving verification and upgrade support for legacy hashes
- rotate refresh tokens on JWT refresh, detect token reuse, and invalidate compromised sessions
- store refresh and transfer tokens as hashes with one-time transfer token validation and expiry
- persist refresh tokens separately on the client so sessions can recover and refresh without embedding tokens in JWTs
- add authentication tests covering password verification, legacy hash migration, refresh token rotation, reuse detection, and one-time transfer tokens
## 2026-01-29 - 1.16.0 - feat(dev)
add local development docs, update tswatch preset and add Playwright screenshots
- readme.md: added a Local Development section with prerequisites, quick-start commands, environment variables, development routes, and default development credentials + security note
- npmextra.json: changed @git.zone/tswatch preset from "website" to "service" and disabled the built-in server (removed port/serveDir/liveReload and set server.enabled false); removed triggerReload from website watcher
- .playwright-mcp: added Playwright screenshots (login-page.png, register-page.png, account-dashboard.png) for visual tests / CI
## 2026-01-29 - 1.15.0 - feat(build)
add tsbundle/tswatch configs, update build/watch scripts, bump dependencies, and add CLI documentation
- Add tsbundle and tswatch configuration to npmextra.json to support bundling and a local dev server (dist_serve, liveReload, watch patterns).
- Update package.json build/watch scripts to use generic tsbundle/tswatch invocations (removed explicit 'website' target).
- Bump dependencies and devDependencies: @git.zone/tsbuild ^4.0.2 -> ^4.1.2, @git.zone/tsbundle ^2.6.3 -> ^2.8.3, @git.zone/tswatch ^2.3.13 -> ^3.0.1, @api.global/typedserver ^8.1.0 -> ^8.3.0, several @design.estate packages, @push.rocks/taskbuffer ^3.5.0 -> ^4.1.1, @types/node 25.0.3 -> 25.1.0, and other minor/patch bumps.
- Add a new CLI README (ts_idpcli/readme.md) with usage, commands, programmatic API examples and configuration.
- Update README license/Legal sections in ts_idpclient, ts_interfaces and ts_web to include license, trademark, and company information.
## 2025-12-22 - 1.14.1 - fix(oidc) ## 2025-12-22 - 1.14.1 - fix(oidc)
migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies
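Review bot: the 1.17.0 entry does not say what happens to sessions and refresh tokens that were issued before the upgrade. It states that refresh and transfer tokens are now stored as hashes and that refresh tokens are no longer embedded in JWTs, which changes the stored format, yet the release is a minor `feat` with no migration or forced re-login note. Suggest adding one bullet that says whether existing sessions are invalidated on deploy or migrated in place. The 1.17.x entries also omit the dependency changes visible in the package.json hunk: `@push.rocks/taskbuffer` ends at `^8.0.2`, while the last documented bump (under 1.15.0) is `^3.5.0 -> ^4.1.1`, and the new `argon2` dependency is only implied by the feature text.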
+21
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2026 Task Venture Capital GmbH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
+35
@@ -50,5 +50,40 @@
"registries": ["https://verdaccio.lossless.digital"], "registries": ["https://verdaccio.lossless.digital"],
"accessLevel": "public" "accessLevel": "public"
} }
},
"@git.zone/tsbundle": {
"bundles": [
{
"from": "./ts_web/index.ts",
"to": "./dist_serve/bundle.js",
"outputMode": "bundle",
"bundler": "esbuild",
"production": true
}
]
},
"@git.zone/tswatch": {
"preset": "service",
"server": {
"enabled": false
},
"watchers": [
{
"name": "backend",
"watch": "./ts/**/*",
"command": "npm run startTs",
"restart": true,
"debounce": 300,
"runOnStart": true
}
],
"bundles": [
{
"name": "website",
"from": "./ts_web/index.ts",
"to": "./dist_serve/bundle.js",
"watchPatterns": ["./ts_web/**/*"]
}
]
} }
} }
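Review bot: the `backend` watcher only watches `./ts/**/*`, but the backend imports its contracts from `../dist_ts_interfaces/index.js` (see the plugins hunk), which looks like build output of `ts_interfaces/`. Edits to the shared interfaces would then not restart the backend under `pnpm watch`. Suggest adding a watcher for the interfaces folder that rebuilds before restarting, or noting in the local development docs that a manual build is needed. The watcher command also uses `npm run startTs` while the package.json scripts moved to `pnpm`; pick one package manager.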
+29 -27
@@ -1,14 +1,14 @@
{ {
"name": "@idp.global/idp.global", "name": "@idp.global/idp.global",
"version": "1.14.1", "version": "1.17.1",
"description": "An identity provider software managing user authentications, registrations, and sessions.", "description": "An identity provider software managing user authentications, registrations, and sessions.",
"main": "dist_ts/index.js", "main": "dist_ts/index.js",
"typings": "dist_ts/index.d.ts", "typings": "dist_ts/index.d.ts",
"type": "module", "type": "module",
"scripts": { "scripts": {
"test": "npm run build", "test": "pnpm run build && tstest test/",
"build": "tsbuild tsfolders --web --allowimplicitany && tsbundle website --production", "build": "tsbuild tsfolders --web --allowimplicitany && tsbundle",
"watch": "tswatch website", "watch": "tswatch",
"start": "(node cli.js)", "start": "(node cli.js)",
"startTs": "(node cli.ts.js)", "startTs": "(node cli.ts.js)",
"buildDocs": "tsdoc" "buildDocs": "tsdoc"
@@ -16,49 +16,51 @@
"author": "Task Venture Capital GmbH", "author": "Task Venture Capital GmbH",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@api.global/typedrequest": "^3.2.5", "@api.global/typedrequest": "^3.3.0",
"@api.global/typedrequest-interfaces": "^3.0.19", "@api.global/typedrequest-interfaces": "^3.0.19",
"@api.global/typedserver": "^8.1.0", "@api.global/typedserver": "^8.4.6",
"@api.global/typedsocket": "^4.1.0", "@api.global/typedsocket": "^4.1.2",
"@consent.software/catalog": "^2.0.1", "@consent.software/catalog": "^2.0.1",
"@design.estate/dees-catalog": "^3.4.0", "@design.estate/dees-catalog": "^3.81.0",
"@design.estate/dees-domtools": "^2.3.6", "@design.estate/dees-domtools": "^2.5.4",
"@design.estate/dees-element": "^2.1.3", "@design.estate/dees-element": "^2.2.4",
"@git.zone/tspublish": "^1.11.0", "@git.zone/tspublish": "^1.11.5",
"@push.rocks/lik": "^6.2.2", "@push.rocks/lik": "^6.4.0",
"@push.rocks/qenv": "^6.1.3", "@push.rocks/qenv": "^6.1.3",
"@push.rocks/smartcli": "^4.0.19", "@push.rocks/smartcli": "^4.0.20",
"@push.rocks/smartdata": "^7.0.15", "@push.rocks/smartdata": "^7.1.7",
"@push.rocks/smartdelay": "^3.0.5", "@push.rocks/smartdelay": "^3.0.5",
"@push.rocks/smartfile": "^13.1.0", "@push.rocks/smartfile": "^13.1.0",
"@push.rocks/smarthash": "^3.2.6", "@push.rocks/smarthash": "^3.2.6",
"@push.rocks/smartinteract": "^2.0.6", "@push.rocks/smartinteract": "^2.0.6",
"@push.rocks/smartjson": "^6.0.0", "@push.rocks/smartjson": "^6.0.0",
"@push.rocks/smartjwt": "^2.2.1", "@push.rocks/smartjwt": "^2.2.1",
"@push.rocks/smartlog": "^3.1.10", "@push.rocks/smartlog": "^3.2.2",
"@push.rocks/smartmail": "^2.2.0", "@push.rocks/smartmail": "^2.2.0",
"@push.rocks/smartpath": "^6.0.0", "@push.rocks/smartpath": "^6.0.0",
"@push.rocks/smartpromise": "^4.2.3", "@push.rocks/smartpromise": "^4.2.3",
"@push.rocks/smartrx": "^3.0.10", "@push.rocks/smartrx": "^3.0.10",
"@push.rocks/smartstate": "^2.0.27", "@push.rocks/smartstate": "^2.3.0",
"@push.rocks/smarttime": "^4.1.1", "@push.rocks/smarttime": "^4.2.3",
"@push.rocks/smartunique": "^3.0.9", "@push.rocks/smartunique": "^3.0.9",
"@push.rocks/smarturl": "^3.1.0", "@push.rocks/smarturl": "^3.1.0",
"@push.rocks/taskbuffer": "^3.5.0", "@push.rocks/taskbuffer": "^8.0.2",
"@push.rocks/webjwt": "^1.0.9", "@push.rocks/webjwt": "^1.0.9",
"@push.rocks/websetup": "^3.0.15", "@push.rocks/websetup": "^3.0.15",
"@push.rocks/webstore": "^2.0.20", "@push.rocks/webstore": "^2.0.21",
"@serve.zone/platformclient": "^1.1.2", "@serve.zone/platformclient": "^1.1.2",
"@tsclass/tsclass": "^9.3.0", "@tsclass/tsclass": "^9.5.0",
"@uptime.link/webwidget": "^1.2.6" "@uptime.link/webwidget": "^1.2.6",
"argon2": "^0.44.0"
}, },
"devDependencies": { "devDependencies": {
"@git.zone/tsbuild": "^4.0.2", "@git.zone/tsbuild": "^4.4.0",
"@git.zone/tsbundle": "^2.6.3", "@git.zone/tsbundle": "^2.10.0",
"@git.zone/tsrun": "^2.0.1", "@git.zone/tsrun": "^2.0.2",
"@git.zone/tswatch": "^2.3.13", "@git.zone/tstest": "^3.6.3",
"@push.rocks/projectinfo": "^5.0.1", "@git.zone/tswatch": "^3.3.2",
"@types/node": "^25.0.3" "@push.rocks/projectinfo": "^5.1.0",
"@types/node": "^25.6.0"
}, },
"private": true, "private": true,
"repository": { "repository": {
+3777 -2181
File diff suppressed because it is too large
+126 -246
@@ -1,314 +1,194 @@
# @idp.global/idp.global # @idp.global/idp.global
🔐 **A modern, open-source Identity Provider (IdP) SaaS platform** for managing user authentication, registrations, sessions, and organization-based access control. Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, and OpenID Connect in one TypeScript codebase.
Built with TypeScript and designed for modern web applications, idp.global provides a complete identity management solution that you can self-host or use as a service. This repository ships the `idp.global` server, the browser/client SDK, the CLI, shared request/data interfaces, and the web UI used by the hosted service.
## Issue Reporting and Security ## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly. For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## ✨ Features ## What It Does
### 🔑 Authentication & Authorization - Runs an identity provider with MongoDB-backed users, sessions, roles, organizations, invitations, API tokens, and billing plans.
- **Multiple Login Methods**: Email/password, email magic links, API tokens - Serves a web app for login, registration, account management, org management, billing flows, and global admin views.
- **JWT-Based Sessions**: Secure token management with automatic refresh - Exposes typed realtime APIs over `typedrequest` and `typedsocket`.
- **Two-Factor Authentication**: Enhanced security with 2FA support - Implements OIDC/OAuth endpoints including discovery, JWKS, authorization, token, userinfo, and revoke.
- **Password Reset**: Secure password recovery flow - Includes a reusable browser client and a terminal CLI for common account and org workflows.
- **Device Management**: Track and manage authenticated devices
### 🏢 Organization Management ## Monorepo Modules
- **Multi-Tenant Architecture**: Support multiple organizations per user
- **Role-Based Access Control (RBAC)**: Fine-grained permissions system
- **Organization Roles**: Admin, member, and custom role support
- **Member Invitations**: Bulk invite and manage team members
- **Ownership Transfer**: Seamlessly transfer organization ownership
### 🔗 Third-Party Integration | Folder | Purpose |
- **OpenID Connect (OIDC) Provider**: Full OIDC compliance for third-party apps | --- | --- |
- Discovery endpoint (`/.well-known/openid-configuration`) | `ts/` | Backend service entrypoint and the core `Reception` managers |
- JWKS endpoint for token verification | `ts_interfaces/` | Shared request and data contracts used by server, client, CLI, and UI |
- Authorization code flow with PKCE | `ts_idpclient/` | Browser-focused SDK published as `@idp.global/client` |
- Token refresh and revocation | `ts_idpcli/` | CLI published as `@idp.global/cli` |
- **OAuth 2.0**: Standard OAuth flows for app authorization | `ts_web/` | Frontend bundle with login, registration, account, org, billing, and admin views |
- **Supported Scopes**: `openid`, `profile`, `email`, `organizations`, `roles`
### 💳 Billing Integration ## Core Backend Pieces
- **Paddle Integration**: Built-in payment processing support
- **Billing Plans**: Flexible subscription management
- **Checkout Flows**: Streamlined payment experiences
### 🎨 Modern Web UI `Reception` wires the service together and starts these managers:
- **Responsive Design**: Beautiful UI components built with `@design.estate/dees-catalog`
- **Account Management**: User profile, settings, and preferences
- **Organization Dashboard**: Manage members, roles, and apps
- **Admin Panel**: Global administration interface
### 📡 Real-Time Communication - `JwtManager` for signing, refreshing, and validating JWTs.
- **WebSocket Support**: Real-time updates via TypedSocket - `LoginSessionManager` for login state and session lifecycle.
- **Typed API Requests**: Type-safe client-server communication - `RegistrationSessionManager` for multi-step sign-up flows.
- **Public Key Distribution**: Automatic JWT key rotation notifications - `UserManager` for user lookups and account data.
- `OrganizationManager` for org creation and membership lookup.
- `RoleManager` for org roles and permissions.
- `UserInvitationManager` for invites, membership updates, and ownership transfer.
- `ApiTokenManager` for long-lived token auth.
- `BillingPlanManager` for Paddle-backed billing data.
- `AppManager` and `AppConnectionManager` for app connections and admin app stats.
- `ActivityLogManager` for audit-style activity entries.
- `OidcManager` for the OIDC/OAuth provider surface.
## 🏗️ Architecture ## Quick Start
idp.global is built as a modular TypeScript monorepo: ### Prerequisites
``` - Node.js 20+
├── ts/ # Server-side code (Node.js) - `pnpm`
│ └── reception/ # Core identity management logic - MongoDB
├── ts_interfaces/ # Shared TypeScript interfaces (published as @idp.global/interfaces)
├── ts_idpclient/ # Browser/Node client library (published as @idp.global/idpclient)
├── ts_idpcli/ # Command-line interface tool
└── ts_web/ # Web frontend (published as @idp.global/web)
```
### Core Managers ### Install
| Manager | Responsibility |
|---------|----------------|
| `JwtManager` | JWT generation, validation, and key management |
| `LoginSessionManager` | Session creation and authentication |
| `UserManager` | User CRUD and profile management |
| `OrganizationManager` | Organization lifecycle management |
| `RoleManager` | RBAC and permission management |
| `OidcManager` | OpenID Connect provider functionality |
| `AppManager` | OAuth client app registration |
| `BillingPlanManager` | Subscription and payment handling |
## 🚀 Quick Start
### 🐳 Docker Deployment (Recommended)
The easiest way to run idp.global is using Docker:
```bash ```bash
# Pull the latest image pnpm install
docker pull code.foss.global/idp.global/idp.global
# Run with environment variables
docker run -d \
-p 2999:2999 \
-e MONGODB_URL=mongodb://your-mongo:27017/idp \
-e IDP_BASEURL=https://your-domain.com \
-e INSTANCE_NAME=idp.global \
code.foss.global/idp.global/idp.global
``` ```
### Environment Variables ### Required Environment
| Variable | Description | Required | ```bash
|----------|-------------|----------| export MONGODB_URL=mongodb://localhost:27017/idp-dev
| `MONGODB_URL` | MongoDB connection string | ✅ Yes | export IDP_BASEURL=http://localhost:2999
| `IDP_BASEURL` | Public URL of your idp.global instance | ✅ Yes | export INSTANCE_NAME=idp-dev
| `INSTANCE_NAME` | Name for this IDP instance | No (default: `idp.global`) |
| `SERVEZONE_PLATFROM_AUTHORIZATION` | ServeZone platform auth token | No |
### Docker Compose Example
```yaml
version: '3.8'
services:
idp:
image: code.foss.global/idp.global/idp.global
ports:
- "2999:2999"
environment:
MONGODB_URL: mongodb://mongo:27017/idp
IDP_BASEURL: https://idp.yourdomain.com
INSTANCE_NAME: my-idp
depends_on:
- mongo
mongo:
image: mongo:7
volumes:
- mongo-data:/data/db
volumes:
mongo-data:
``` ```
The server listens on port 2999 by default. Optional:
## 📦 Published Packages - `SERVEZONE_PLATFROM_AUTHORIZATION`
- `PADDLE_TOKEN`
- `PADDLE_PRICE_ID`
This monorepo publishes the following npm packages: ### Build
| Package | Description | ```bash
|---------|-------------| pnpm build
| `@idp.global/interfaces` | TypeScript interfaces for API contracts | ```
| `@idp.global/idpclient` | Client library for browser and Node.js |
| `@idp.global/web` | Web UI components |
## 💻 Client Usage ### Run Locally
### Browser Client ```bash
pnpm watch
```
```typescript This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`. The service listens on port `2999`.
import { IdpClient } from '@idp.global/idpclient';
## Runtime Surface
### Web Routes
| Route | Purpose |
| --- | --- |
| `/` | Welcome page |
| `/login` | Login flow |
| `/register` | Registration flow |
| `/finishregistration` | Multi-step registration completion |
| `/account` | Signed-in account area |
### OIDC and OAuth Endpoints
| Route | Purpose |
| --- | --- |
| `/.well-known/openid-configuration` | Discovery document |
| `/.well-known/jwks.json` | Public signing keys |
| `/oauth/authorize` | Authorization endpoint |
| `/oauth/token` | Token exchange |
| `/oauth/userinfo` | UserInfo endpoint |
| `/oauth/revoke` | Token revocation |
Supported scopes in the OIDC manager include `openid`, `profile`, `email`, `organizations`, and `roles`.
## SDK Example
The browser SDK lives in `ts_idpclient/` and is published as `@idp.global/client`.
```ts
import { IdpClient } from '@idp.global/client';
// Initialize the client
const idpClient = new IdpClient('https://idp.global'); const idpClient = new IdpClient('https://idp.global');
// Enable WebSocket connection
await idpClient.enableTypedSocket(); await idpClient.enableTypedSocket();
// Check login status
const isLoggedIn = await idpClient.determineLoginStatus(); const isLoggedIn = await idpClient.determineLoginStatus();
// Login with email and password if (!isLoggedIn) {
const response = await idpClient.requests.loginWithUserNameAndPassword.fire({ const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com', username: 'user@example.com',
password: 'securepassword' password: 'secret',
}); });
if (response.refreshToken) { if (loginResult.refreshToken) {
await idpClient.refreshJwt(response.refreshToken); await idpClient.refreshJwt(loginResult.refreshToken);
console.log('✅ Login successful!'); }
} }
// Get current user info const whoIs = await idpClient.whoIs();
const userInfo = await idpClient.whoIs(); console.log(whoIs.user.data.email);
console.log('User:', userInfo.user);
// Get user's organizations
const orgs = await idpClient.getRolesAndOrganizations();
console.log('Organizations:', orgs.organizations);
``` ```
### Organization Management ## CLI Example
```typescript The terminal client lives in `ts_idpcli/` and is published as `@idp.global/cli`.
// Create a new organization
const result = await idpClient.createOrganization('My Company', 'my-company', 'manifest');
console.log('Created:', result.resultingOrganization);
// Invite members
await idpClient.requests.createInvitation.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
email: 'newmember@example.com',
roles: ['member']
});
```
### CLI Tool
The `ts_idpcli` module provides a command-line interface:
```bash ```bash
# Login
idp login idp login
# Show current user
idp whoami idp whoami
# List organizations
idp orgs idp orgs
# List organization members
idp members --org <org-id> idp members --org <org-id>
# Invite a user
idp invite --org <org-id> --email user@example.com idp invite --org <org-id> --email user@example.com
``` ```
## 🔐 OIDC Integration The CLI stores credentials in `~/.idp-global/credentials.json` and reads `IDP_URL` to override the target server.
idp.global implements a full OpenID Connect provider. Third-party applications can use it for SSO: ## Shared Interfaces
### Discovery Document `ts_interfaces/` exports the type contracts shared across the stack:
``` - `data/*` for users, orgs, roles, JWTs, sessions, devices, billing plans, apps, and OIDC payloads.
GET /.well-known/openid-configuration - `request/*` for auth, registration, user, org, invitation, app, admin, billing, and JWT request contracts.
``` - `tags/*` for shared tag exports.
### Authorization Flow ## Frontend
``` `ts_web/` is the web application bundle. It contains:
GET /oauth/authorize?
client_id=your-client-id&
redirect_uri=https://yourapp.com/callback&
response_type=code&
scope=openid profile email organizations&
state=random-state&
code_challenge=PKCE_CHALLENGE&
code_challenge_method=S256
```
### Token Exchange - Login and registration prompts.
- A registration stepper.
- Account navigation and account views.
- Organization creation and bulk invite modals.
- Billing and Paddle setup views.
- A global admin view.
``` ## Package Scripts
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code& | Command | Purpose |
code=AUTHORIZATION_CODE& | --- | --- |
redirect_uri=https://yourapp.com/callback& | `pnpm build` | Build TypeScript output and frontend bundle |
client_id=your-client-id& | `pnpm watch` | Run backend watch mode and frontend bundle watch |
client_secret=your-client-secret& | `pnpm test` | Build and run the test suite |
code_verifier=PKCE_VERIFIER
```
### UserInfo ## Repository Notes
``` - Package manager: `pnpm`
GET /oauth/userinfo - Main backend entrypoint: `ts/index.ts`
Authorization: Bearer ACCESS_TOKEN - Frontend entrypoint: `ts_web/index.ts`
``` - Browser SDK entrypoint: `ts_idpclient/index.ts`
- CLI entrypoint: `ts_idpcli/index.ts`
Response:
```json
{
"sub": "user-id",
"name": "John Doe",
"email": "john@example.com",
"email_verified": true,
"organizations": [
{ "id": "org-1", "name": "Acme Corp", "slug": "acme", "roles": ["admin"] }
],
"roles": ["user"]
}
```
## 🛠️ Tech Stack
- **Runtime**: Node.js with ES Modules
- **Language**: TypeScript (strict mode)
- **Database**: MongoDB via `@push.rocks/smartdata`
- **Web Server**: `@api.global/typedserver`
- **Real-time**: `@api.global/typedsocket` (WebSocket)
- **JWT**: `@push.rocks/smartjwt` (RS256 signing)
- **Frontend**: `@design.estate/dees-element` (Web Components)
- **Build**: `@git.zone/tsbuild` + `@git.zone/tsbundle`
## 📚 API Reference
### Request Interfaces
All API requests are type-safe. See `ts_interfaces/request/` for the complete API:
- **Authentication**: `IReq_LoginWithEmail`, `IReq_LoginWithApiToken`, `IReq_RefreshJwt`
- **Registration**: `IReq_FirstRegistration`, `IReq_FinishRegistration`
- **User Management**: `IReq_GetUserData`, `IReq_SetUserData`, `IReq_GetUserSessions`
- **Organizations**: `IReq_CreateOrganization`, `IReq_GetOrgMembers`, `IReq_CreateInvitation`
- **Apps & OAuth**: `IReq_GetGlobalApps`, `IReq_CreateGlobalApp`
- **Billing**: `IReq_GetBillingPlan`, `IReq_UpdatePaymentMethod`
### Data Models
See `ts_interfaces/data/` for all data structures:
- `IUser` - User profile and credentials
- `IOrganization` - Organization entity
- `IRole` - User roles within organizations
- `IJwt` - JWT token structure
- `IApp` - OAuth application definitions
- `IOidcAccessToken`, `IAuthorizationCode` - OIDC tokens
## License and Legal Information ## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file. This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file. **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
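Review bot: the rewritten README removes the OIDC integration walkthrough, including the only mention that the authorization code flow uses PKCE (`code_challenge`, `code_verifier`), and the new "OIDC and OAuth Endpoints" table does not say whether PKCE is supported or required. Suggest keeping a short note under that table covering PKCE and client authentication at `/oauth/token`. The feature list entries for two-factor authentication and device management are also dropped without saying whether the features remain. Finally, the README does not describe the refresh token rotation introduced in 1.17.0, although the SDK example still passes `loginResult.refreshToken` to `refreshJwt`; one sentence on where the client persists the refresh token and what happens on reuse would help integrators.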
+61
@@ -0,0 +1,61 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { LoginSession } from '../ts/reception/classes.loginsession.js';
import { User } from '../ts/reception/classes.user.js';
import * as plugins from '../ts/plugins.js';
const createTestLoginSession = () => {
const loginSession = new LoginSession();
loginSession.id = 'test-session';
loginSession.data.userId = 'test-user';
(loginSession as LoginSession & { save: () => Promise<void> }).save = async () => undefined;
return loginSession;
};
tap.test('hashes passwords with argon2 and verifies them', async () => {
const passwordHash = await User.hashPassword('correct horse battery staple');
expect(passwordHash.startsWith('$argon2')).toBeTrue();
expect(await User.verifyPassword('correct horse battery staple', passwordHash)).toBeTrue();
expect(await User.verifyPassword('wrong password', passwordHash)).toBeFalse();
expect(User.shouldUpgradePasswordHash(passwordHash)).toBeFalse();
});
tap.test('accepts legacy sha256 hashes and marks them for upgrade', async () => {
const legacyHash = await plugins.smarthash.sha256FromString('legacy-password');
expect(User.isLegacyPasswordHash(legacyHash)).toBeTrue();
expect(await User.verifyPassword('legacy-password', legacyHash)).toBeTrue();
expect(await User.verifyPassword('different-password', legacyHash)).toBeFalse();
expect(User.shouldUpgradePasswordHash(legacyHash)).toBeTrue();
});
tap.test('rotates refresh tokens and detects reuse', async () => {
const loginSession = createTestLoginSession();
const firstRefreshToken = await loginSession.getRefreshToken();
const secondRefreshToken = await loginSession.getRefreshToken();
expect(firstRefreshToken.startsWith('refresh_')).toBeTrue();
expect(secondRefreshToken.startsWith('refresh_')).toBeTrue();
expect(firstRefreshToken).not.toEqual(secondRefreshToken);
expect(loginSession.data.refreshToken).toBeNullOrUndefined();
expect(loginSession.data.refreshTokenHash).toBeTruthy();
expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('current');
expect(await loginSession.validateRefreshToken(firstRefreshToken)).toEqual('reused');
await loginSession.invalidate();
expect(await loginSession.validateRefreshToken(secondRefreshToken)).toEqual('invalidated');
});
tap.test('persists transfer tokens as one-time hashes', async () => {
const loginSession = createTestLoginSession();
const transferToken = await loginSession.getTransferToken();
expect(transferToken.startsWith('transfer_')).toBeTrue();
expect(loginSession.data.transferTokenHash).toBeTruthy();
expect(await loginSession.validateTransferToken(transferToken)).toBeTrue();
expect(await loginSession.validateTransferToken(transferToken)).toBeFalse();
});
export default tap.start();
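Review bot: in 'rotates refresh tokens and detects reuse', the test calls `loginSession.invalidate()` itself after seeing `'reused'`, so nothing asserts that reuse detection invalidates the session, which is what the 1.17.0 changelog entry promises. Suggest asserting, right after the `'reused'` check and before the manual `invalidate()`, that `validateRefreshToken(secondRefreshToken)` no longer returns `'current'`, or documenting that invalidation is the caller's responsibility and testing it at that level. The transfer token test covers one-time use but not expiry, and the legacy hash test checks `shouldUpgradePasswordHash` without exercising the rehash that should follow a successful legacy login. The commit list also shows the `test` job skipped on v1.17.0 and v1.17.1 because the `security` job failed, so these tests did not gate the tagged releases.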
+1 -1
@@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@idp.global/idp.global', name: '@idp.global/idp.global',
version: '1.14.1', version: '1.17.1',
description: 'An identity provider software managing user authentications, registrations, and sessions.' description: 'An identity provider software managing user authentications, registrations, and sessions.'
} }
+4 -1
@@ -1,6 +1,7 @@
// Native scope // Native scope
import * as crypto from 'node:crypto';
import * as path from 'path'; import * as path from 'path';
export { path }; export { crypto, path };
// Project scope // Project scope
import * as idpInterfaces from '../dist_ts_interfaces/index.js'; import * as idpInterfaces from '../dist_ts_interfaces/index.js';
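Review bot: the two native imports at the top of this hunk use different specifier styles, `'node:crypto'` for the new line and bare `'path'` for the existing one. Suggest switching `path` to `'node:path'` in the same change so the native scope block is consistent and built-ins cannot be confused with installed packages of the same name.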
@@ -32,8 +33,10 @@ import * as smartpromise from '@push.rocks/smartpromise';
import * as smarttime from '@push.rocks/smarttime'; import * as smarttime from '@push.rocks/smarttime';
import * as smartunique from '@push.rocks/smartunique'; import * as smartunique from '@push.rocks/smartunique';
import * as taskbuffer from '@push.rocks/taskbuffer'; import * as taskbuffer from '@push.rocks/taskbuffer';
import * as argon2 from 'argon2';
export { export {
argon2,
lik, lik,
projectinfo, projectinfo,
qenv, qenv,
+87
@@ -0,0 +1,87 @@
# `ts/` Backend Module
The `ts/` folder contains the server runtime for `idp.global`: startup, website server wiring, typed routes, OIDC endpoints, and the core `Reception` managers.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## What Lives Here
- `index.ts` boots the service, loads env vars, starts the website server, and mounts OIDC endpoints.
- `reception/classes.reception.ts` creates the service container and initializes all managers.
- `reception/` contains the domain logic for users, sessions, orgs, roles, invites, apps, billing, and OIDC.
- `plugins.ts` centralizes external imports used by the backend.
## Startup Behavior
The backend startup in `ts/index.ts` does four main things:
1. Loads runtime configuration from `.nogit` and the working directory.
2. Creates a `UtilityWebsiteServer` that serves the built frontend.
3. Registers OIDC endpoints such as discovery, JWKS, authorize, token, userinfo, and revoke.
4. Creates and starts `Reception`, then starts HTTP serving on port `2999`.
## Required Environment
```bash
export MONGODB_URL=mongodb://localhost:27017/idp-dev
export IDP_BASEURL=http://localhost:2999
export INSTANCE_NAME=idp-dev
```
Optional:
- `SERVEZONE_PLATFROM_AUTHORIZATION`
- `PADDLE_TOKEN`
- `PADDLE_PRICE_ID`
## Key Managers
| Class | Responsibility |
| --- | --- |
| `JwtManager` | JWT issuance, validation, and key rotation support |
| `LoginSessionManager` | Session creation, refresh, logout, and session metadata |
| `RegistrationSessionManager` | Registration flow state |
| `UserManager` | User-centric queries and mutations |
| `OrganizationManager` | Organization creation and access checks |
| `RoleManager` | Role and permission management |
| `UserInvitationManager` | Invitations, member updates, and ownership transfer |
| `BillingPlanManager` | Billing plan state and Paddle config endpoint |
| `AppManager` | Global app administration |
| `AppConnectionManager` | App connection tracking |
| `ActivityLogManager` | User activity logging |
| `OidcManager` | OIDC discovery, auth code flow, token exchange, userinfo, revoke |
## Local Development
From the repository root:
```bash
pnpm install
pnpm build
pnpm watch
```
The watch setup runs the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
### Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
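Review bot: in the "Required Environment" section of the new `ts/` README, the optional variable is spelled `SERVEZONE_PLATFROM_AUTHORIZATION`; check that this matches the name the code actually reads, since `PLATFROM` looks like a transposition of `PLATFORM`. The list also omits `TEST_MODE`, which the loginWithEmail handler in this same change set uses to decide whether to return `testOnlyToken`; a variable that changes what an auth endpoint returns should be documented here together with a statement that it must never be set in production.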
+38 -16
View File
@@ -1,5 +1,6 @@
import * as plugins from '../plugins.js'; import * as plugins from '../plugins.js';
import { JwtManager } from './classes.jwtmanager.js'; import { JwtManager } from './classes.jwtmanager.js';
import type { LoginSession } from './classes.loginsession.js';
/** /**
* a User is identified by its username or email. * a User is identified by its username or email.
@@ -11,21 +12,27 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
public static async createJwtForRefreshToken( public static async createJwtForRefreshToken(
jwtManagerInstance: JwtManager, jwtManagerInstance: JwtManager,
refreshTokenArg: string refreshTokenArg: string
) { ): Promise<string | null> {
const loginSession = const sessionLookup =
await jwtManagerInstance.receptionRef.loginSessionManager.CLoginSession.getLoginSessionByRefreshToken( await jwtManagerInstance.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
refreshTokenArg refreshTokenArg
); );
if (!loginSession) { if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
return null;
}
const refreshTokenValid = await loginSession.validateRefreshToken(refreshTokenArg);
if (!refreshTokenValid) {
return null; return null;
} }
return this.createJwtForLoginSession(jwtManagerInstance, sessionLookup.loginSession);
}
public static async createJwtForLoginSession(
jwtManagerInstance: JwtManager,
loginSession: LoginSession
): Promise<string | null> {
const user = await jwtManagerInstance.receptionRef.userManager.CUser.getInstance({ const user = await jwtManagerInstance.receptionRef.userManager.CUser.getInstance({
id: loginSession.data.userId, id: loginSession.data.userId,
}); });
if (!user) {
return null;
}
const validUntil = plugins.smarttime.ExtendedDate.fromMillis( const validUntil = plugins.smarttime.ExtendedDate.fromMillis(
Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 1 }) Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 1 })
); );
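Review bot: `createJwtForRefreshToken` returns null for every status other than 'current', so a 'reused' token that reaches this method never invalidates the session, unlike the `refreshJwt` handler, which calls `loginSession.invalidate()` in that case. Either handle 'reused' here as well, or add a doc comment stating that reuse detection lives only in the handler. This method also mints a JWT without rotating the refresh token, so check whether any remaining caller should be moved to `createJwtForLoginSession` behind the handler's checks.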
@@ -33,10 +40,10 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
jwt.id = plugins.smartunique.shortId(); jwt.id = plugins.smartunique.shortId();
jwt.data = { jwt.data = {
userId: user.id, userId: user.id,
sessionId: loginSession.id,
validUntil: validUntil.getTime(), validUntil: validUntil.getTime(),
refreshEvery: 1000000, refreshEvery: 1000000,
refreshFrom: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 0.5 }), refreshFrom: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ days: 0.5 }),
refreshToken: await loginSession.getRefreshToken(), // TODO: handle multiple refresh tokens
justForLooks: { justForLooks: {
validUntilIsoString: validUntil.toISOString(), validUntilIsoString: validUntil.toISOString(),
} }
@@ -46,7 +53,7 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
const jwtString = await jwtManagerInstance.smartjwtInstance.createJWT({ const jwtString = await jwtManagerInstance.smartjwtInstance.createJWT({
id: jwt.id, id: jwt.id,
blocked: null, blocked: false,
data: jwt.data, data: jwt.data,
} as plugins.idpInterfaces.data.IJwt); } as plugins.idpInterfaces.data.IJwt);
return jwtString; return jwtString;
@@ -68,11 +75,26 @@ export class Jwt extends plugins.smartdata.SmartDataDbDoc<Jwt, plugins.idpInterf
} }
public async getLoginSession() { public async getLoginSession() {
const loginSession = await this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({ if (this.data.sessionId) {
data: { return this.manager.receptionRef.loginSessionManager.CLoginSession.getInstance({
refreshToken: this.data.refreshToken, id: this.data.sessionId,
} });
}); }
return loginSession;
if (!this.data.refreshToken) {
return null;
}
const sessionLookup =
await this.manager.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
this.data.refreshToken
);
if (!sessionLookup) {
return null;
}
return sessionLookup.loginSession;
} }
} }
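Review bot: the legacy branch of `getLoginSession` returns `sessionLookup.loginSession` without looking at `validationStatus`, so a JWT that still carries `data.refreshToken` resolves to its session even when that token is reported as 'reused'. If that is intentional, so that JWTs issued before this change keep working until they expire, say so in a comment and note when the branch can be deleted (JWTs are issued with one day of validity in `createJwtForLoginSession`). This branch also goes through `findLoginSessionByRefreshToken`, which can fall back to scanning all sessions, and it runs on every JWT verification for such tokens.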
+40 -4
View File
@@ -25,10 +25,41 @@ export class JwtManager {
new plugins.typedrequest.TypedHandler( new plugins.typedrequest.TypedHandler(
'refreshJwt', 'refreshJwt',
async (requestArg) => { async (requestArg) => {
const resultJwt = await Jwt.createJwtForRefreshToken(this, requestArg.refreshToken); const sessionLookup =
await this.receptionRef.loginSessionManager.findLoginSessionByRefreshToken(
requestArg.refreshToken
);
if (!sessionLookup || sessionLookup.validationStatus === 'invalid') {
return {
status: 'not found',
};
}
if (sessionLookup.validationStatus === 'invalidated') {
return {
status: 'invalidated',
};
}
if (sessionLookup.validationStatus === 'reused') {
await sessionLookup.loginSession.invalidate();
return {
status: 'invalidated',
};
}
const rotatedRefreshToken = await sessionLookup.loginSession.getRefreshToken();
const resultJwt = await Jwt.createJwtForLoginSession(this, sessionLookup.loginSession);
if (!rotatedRefreshToken || !resultJwt) {
return {
status: 'invalidated',
};
}
return { return {
status: 'loggedIn', status: 'loggedIn',
jwt: resultJwt, jwt: resultJwt,
refreshToken: rotatedRefreshToken,
}; };
} }
) )
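Review bot: in the `refreshJwt` handler the lookup (`findLoginSessionByRefreshToken`) and the rotation (`getRefreshToken`, which saves) are separate steps, so two concurrent requests presenting the same current token can both see 'current' and both rotate, leaving one client with a token the server no longer recognises. Make the rotation a conditional update keyed on the expected current hash and treat a failed update as a lost race. Also note that the rotation happens before `createJwtForLoginSession`: if that returns null, the old token has already been rotated out and the client is told 'invalidated' although the session itself was not invalidated.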
@@ -120,19 +151,24 @@ export class JwtManager {
await this.pushPublicKeyToClients(); await this.pushPublicKeyToClients();
} }
public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt> { public async verifyJWTAndGetData(jwtArg: string): Promise<Jwt | null> {
const jwtData: plugins.idpInterfaces.data.IJwt = await this.smartjwtInstance.verifyJWTAndGetData(jwtArg); const jwtData: plugins.idpInterfaces.data.IJwt = await this.smartjwtInstance.verifyJWTAndGetData(jwtArg);
const jwt = await this.CJwt.getInstance({ const jwt = await this.CJwt.getInstance({
id: jwtData.id, id: jwtData.id,
}); });
if (!jwt) {
return null;
}
if (jwt.blocked) { if (jwt.blocked) {
return null; return null;
} }
if (jwt) { if (jwt) {
const loginSession = await jwt.getLoginSession(); const loginSession = await jwt.getLoginSession();
if (!loginSession) { if (!loginSession || loginSession.data.invalidated) {
await jwt.block(); await jwt.block();
this.blockedJwtIdList.push(jwt.id); if (!this.blockedJwtIdList.includes(jwt.id)) {
this.blockedJwtIdList.push(jwt.id);
}
return null; return null;
} }
} }
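Review bot: with the new early return for a missing `jwt` in `verifyJWTAndGetData`, the following `if (jwt) {` guard is always true and can be dropped to flatten the method. The return type is now `Jwt | null`, so every caller needs a null check; this change set adds them in `UserManager`, please confirm no other call sites remain.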
+91 -11
View File
@@ -2,6 +2,8 @@ import * as plugins from '../plugins.js';
import { LoginSessionManager } from './classes.loginsessionmanager.js'; import { LoginSessionManager } from './classes.loginsessionmanager.js';
import { User } from './classes.user.js'; import { User } from './classes.user.js';
export type TRefreshTokenValidationResult = 'current' | 'invalid' | 'invalidated' | 'reused';
/** /**
* a LoginSession keeps track of a login over the whole time of the user being loggedin * a LoginSession keeps track of a login over the whole time of the user being loggedin
*/ */
@@ -40,7 +42,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
} }
public static async getLoginSessionByRefreshToken(refreshTokenArg: string) { public static async getLoginSessionByRefreshToken(refreshTokenArg: string) {
const loginSession = await LoginSession.getInstance({ const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
let loginSession = await LoginSession.getInstance({
'data.refreshTokenHash': refreshTokenHash,
});
if (loginSession) {
return loginSession;
}
loginSession = await LoginSession.getInstance({
data: { data: {
refreshToken: refreshTokenArg, refreshToken: refreshTokenArg,
}, },
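Review bot: the second query in `getLoginSessionByRefreshToken` still matches on the plaintext `data.refreshToken`, so tokens created before this change stay stored in clear text and remain accepted until each session happens to refresh. Prefer a one-off migration that writes `data.refreshTokenHash` for existing sessions and nulls `data.refreshToken`, after which this fallback can be removed; at minimum add a comment with the date it can go, given the one-week session lifetime set in the instance defaults.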
@@ -48,6 +57,14 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
return loginSession; return loginSession;
} }
public static async hashSessionToken(tokenArg: string) {
return plugins.smarthash.sha256FromString(tokenArg);
}
public static createOpaqueToken(prefixArg: string) {
return `${prefixArg}${plugins.crypto.randomBytes(32).toString('base64url')}`;
}
// ======== // ========
// INSTANCE // INSTANCE
// ======== // ========
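Review bot: `hashSessionToken` is a plain unsalted SHA-256, which is adequate here only because `createOpaqueToken` supplies 32 random bytes of input. Add a doc comment on `hashSessionToken` stating that it is for high-entropy opaque tokens only, so it is not later reused for passwords or other guessable values.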
@@ -60,13 +77,17 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ weeks: 1 }), validUntil: Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ weeks: 1 }),
invalidated: false, invalidated: false,
refreshToken: null, refreshToken: null,
refreshTokenHash: null,
rotatedRefreshTokenHashes: [],
transferTokenHash: null,
transferTokenExpiresAt: null,
deviceId: null, deviceId: null,
deviceInfo: null, deviceInfo: null,
createdAt: Date.now(), createdAt: Date.now(),
lastActive: Date.now(), lastActive: Date.now(),
}; };
public transferToken: string; public transferToken: string | null = null;
constructor() { constructor() {
super(); super();
@@ -77,40 +98,99 @@ export class LoginSession extends plugins.smartdata.SmartDataDbDoc<
*/ */
public async invalidate() { public async invalidate() {
this.data.invalidated = true; this.data.invalidated = true;
this.data.refreshToken = null;
this.data.refreshTokenHash = null;
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save(); await this.save();
} }
/** /**
* a refresh token is unique to a login session and ONLY created once per login session * a refresh token is unique to a login session and rotated whenever it is issued
* @returns * @returns
*/ */
public async getRefreshToken() { public async getRefreshToken() {
if (this.data.invalidated) { if (this.data.invalidated) {
console.log('login session is invalidated. no refresh token can be generated.');
return null; return null;
} }
if (!this.data.refreshToken) { const previousRefreshTokenHash =
this.data.refreshToken = plugins.smartunique.uni('refresh_'); this.data.refreshTokenHash ||
(this.data.refreshToken
? await LoginSession.hashSessionToken(this.data.refreshToken)
: null);
if (previousRefreshTokenHash) {
this.data.rotatedRefreshTokenHashes = [
...(this.data.rotatedRefreshTokenHashes || []),
previousRefreshTokenHash,
].slice(-5);
} }
const refreshToken = LoginSession.createOpaqueToken('refresh_');
this.data.refreshTokenHash = await LoginSession.hashSessionToken(refreshToken);
this.data.refreshToken = null;
this.data.lastActive = Date.now();
await this.save(); await this.save();
return this.data.refreshToken; return refreshToken;
} }
public async getTransferToken() { public async getTransferToken() {
this.transferToken = plugins.smartunique.uni('transfer_'); this.transferToken = LoginSession.createOpaqueToken('transfer_');
this.data.transferTokenHash = await LoginSession.hashSessionToken(this.transferToken);
this.data.transferTokenExpiresAt =
Date.now() + plugins.smarttime.getMilliSecondsFromUnits({ minutes: 5 });
await this.save();
return this.transferToken; return this.transferToken;
} }
public async validateRefreshToken(refreshTokenArg: string) { public async validateRefreshToken(
return this.data.refreshToken === refreshTokenArg; refreshTokenArg: string
): Promise<TRefreshTokenValidationResult> {
if (this.data.invalidated) {
return 'invalidated';
}
const refreshTokenHash = await LoginSession.hashSessionToken(refreshTokenArg);
if (
this.data.refreshTokenHash === refreshTokenHash ||
(!!this.data.refreshToken && this.data.refreshToken === refreshTokenArg)
) {
return 'current';
}
if ((this.data.rotatedRefreshTokenHashes || []).includes(refreshTokenHash)) {
return 'reused';
}
return 'invalid';
} }
public async validateTransferToken(transferTokenArg: string) { public async validateTransferToken(transferTokenArg: string) {
const result = this.transferToken === transferTokenArg; if (this.data.invalidated || !this.data.transferTokenHash) {
return false;
}
if (
this.data.transferTokenExpiresAt &&
this.data.transferTokenExpiresAt < Date.now()
) {
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save();
return false;
}
const result =
this.data.transferTokenHash ===
(await LoginSession.hashSessionToken(transferTokenArg));
// a transfer token can only be used once, so we invalidate it here // a transfer token can only be used once, so we invalidate it here
if (result) { if (result) {
this.transferToken = null; this.transferToken = null;
this.data.transferTokenHash = null;
this.data.transferTokenExpiresAt = null;
await this.save();
} }
return result; return result;
} }
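Review bot: in `getRefreshToken`, `.slice(-5)` keeps only the last five rotated hashes, so a stolen token that is replayed after six or more rotations is classified 'invalid' by `validateRefreshToken` rather than 'reused', and the session is not invalidated. Either keep all rotated hashes for the lifetime of the session or document the window and why five is enough. In `validateTransferToken` the compare and the clearing of `transferTokenHash` are separate steps with a save in between, so two parallel requests can both pass the single-use check; a conditional update that clears the hash only if it still matches would close that. The `===` comparisons in both validators are on SHA-256 digests, which limits what timing can leak, but a constant-time compare would make that explicit.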
+99 -44
View File
@@ -1,5 +1,5 @@
import * as plugins from '../plugins.js'; import * as plugins from '../plugins.js';
import { LoginSession } from './classes.loginsession.js'; import { LoginSession, type TRefreshTokenValidationResult } from './classes.loginsession.js';
import { Reception } from './classes.reception.js'; import { Reception } from './classes.reception.js';
import { logger } from './logging.js'; import { logger } from './logging.js';
@@ -32,9 +32,6 @@ export class LoginSessionManager {
let user = await this.receptionRef.userManager.CUser.getInstance({ let user = await this.receptionRef.userManager.CUser.getInstance({
data: { data: {
username: requestData.username, username: requestData.username,
passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
requestData.password
),
}, },
}); });
@@ -42,33 +39,30 @@ export class LoginSessionManager {
user = await this.receptionRef.userManager.CUser.getInstance({ user = await this.receptionRef.userManager.CUser.getInstance({
data: { data: {
email: requestData.username, email: requestData.username,
passwordHash: await this.receptionRef.userManager.CUser.hashPassword(
requestData.password
),
}, },
}); });
} }
if (user) { if (user && (await this.receptionRef.userManager.CUser.verifyPassword(
// lets recheck requestData.password,
if ( user.data.passwordHash
(user.data.username !== requestData.username && ))) {
user.data.email !== requestData.username) || if (this.receptionRef.userManager.CUser.shouldUpgradePasswordHash(user.data.passwordHash)) {
user.data.passwordHash !== user.data.passwordHash = await this.receptionRef.userManager.CUser.hashPassword(
(await this.receptionRef.userManager.CUser.hashPassword(requestData.password)) requestData.password
) {
throw new Error(
'database returned a user that does not match wanted criterea. CRITICAL!'
); );
await user.save();
} }
const loginSession = await LoginSession.createLoginSessionForUser(user); const loginSession = await LoginSession.createLoginSessionForUser(user);
this.loginSessions.add(loginSession); this.loginSessions.add(loginSession);
const refreshToken = await loginSession.getRefreshToken(); const refreshToken = await loginSession.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
return { return {
status: 'ok', refreshToken,
refreshToken: refreshToken,
twoFaNeeded: false, twoFaNeeded: false,
}; };
} else { } else {
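Review bot: in the password login handler `verifyPassword` only runs when a user was found, so an unknown username returns without any argon2 work while a known one pays the full hash cost, and the response time reveals which accounts exist. Verify against a fixed dummy argon2 hash when `user` is null so both paths cost the same. Separately, the success response no longer contains `status: 'ok'`; confirm the request interface and existing clients do not depend on that field.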
@@ -109,12 +103,14 @@ export class LoginSessionManager {
} else { } else {
logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`); logger.log('info', `loginWithEmail did not find user: ${requestDataArg.email}`);
} }
const testOnlyToken =
process.env.TEST_MODE && existingUser
? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
?.token
: undefined;
return { return {
status: 'ok', status: 'ok',
testOnlyToken: process.env.TEST_MODE testOnlyToken,
? this.emailTokenMap.findSync((itemArg) => itemArg.email === existingUser.data.email)
.token
: null,
}; };
} }
) )
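Review bot: `process.env.TEST_MODE` is tested for truthiness only, so any non-empty value, including "false" or "0", makes the handler return the email login token in the response body. Compare against an explicit value (for example `process.env.TEST_MODE === 'true'`) and consider refusing to start with it set outside a test environment, since `testOnlyToken` lets the caller complete an email login without access to the mailbox.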
@@ -133,10 +129,17 @@ export class LoginSessionManager {
email: requestArg.email, email: requestArg.email,
}, },
}); });
if (!user) {
throw new plugins.typedrequest.TypedResponseError('User not found');
}
const loginSession = await LoginSession.createLoginSessionForUser(user); const loginSession = await LoginSession.createLoginSessionForUser(user);
this.loginSessions.add(loginSession); this.loginSessions.add(loginSession);
const refreshToken = await loginSession.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
return { return {
refreshToken: await loginSession.getRefreshToken(), refreshToken,
}; };
} else { } else {
throw new plugins.typedrequest.TypedResponseError('Validation Token not found'); throw new plugins.typedrequest.TypedResponseError('Validation Token not found');
@@ -147,8 +150,11 @@ export class LoginSessionManager {
this.typedRouter.addTypedHandler<plugins.idpInterfaces.request.ILogoutRequest>( this.typedRouter.addTypedHandler<plugins.idpInterfaces.request.ILogoutRequest>(
new plugins.typedrequest.TypedHandler('logout', async (requestDataArg) => { new plugins.typedrequest.TypedHandler('logout', async (requestDataArg) => {
const loginSession = await this.CLoginSession.getLoginSessionByRefreshToken(requestDataArg.refreshToken); const sessionLookup = await this.findLoginSessionByRefreshToken(requestDataArg.refreshToken);
await loginSession.invalidate(); if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
throw new plugins.typedrequest.TypedResponseError('Invalid refresh token');
}
await sessionLookup.loginSession.invalidate();
return {} return {}
}) })
); );
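Review bot: the `logout` handler throws for every status other than 'current' and does not invalidate the session when the status is 'reused', whereas `refreshJwt` and `exchangeRefreshTokenAndTransferToken` both call `invalidate()` on reuse. Apply the same reuse handling here so all three entry points behave consistently, or move it into `findLoginSessionByRefreshToken` so it cannot be forgotten. Also check that clients treat the new 'Invalid refresh token' error on logout as non-fatal.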
@@ -158,31 +164,39 @@ export class LoginSessionManager {
'exchangeRefreshTokenAndTransferToken', 'exchangeRefreshTokenAndTransferToken',
async (requestDataArg) => { async (requestDataArg) => {
switch (true) { switch (true) {
case !!requestDataArg.refreshToken: case !!requestDataArg.refreshToken: {
const loginSession = await this.loginSessions.find(async (loginSessionArg) => { const sessionLookup = await this.findLoginSessionByRefreshToken(
return loginSessionArg.validateRefreshToken(requestDataArg.refreshToken); requestDataArg.refreshToken
}); );
if (!loginSession) { if (!sessionLookup || sessionLookup.validationStatus !== 'current') {
if (sessionLookup?.validationStatus === 'reused') {
await sessionLookup.loginSession.invalidate();
}
throw new plugins.typedrequest.TypedResponseError('your refresh token is invalid'); throw new plugins.typedrequest.TypedResponseError('your refresh token is invalid');
} }
return { return {
transferToken: await loginSession.getTransferToken(), transferToken: await sessionLookup.loginSession.getTransferToken(),
}; };
break; }
case !!requestDataArg.transferToken: case !!requestDataArg.transferToken: {
let transferToken: string; const loginSession2 = await this.findLoginSessionByTransferToken(
const loginSession2 = await this.loginSessions.find(async (loginSessionArg) => { requestDataArg.transferToken
return loginSessionArg.validateTransferToken(requestDataArg.transferToken); );
});
if (!loginSession2) { if (!loginSession2) {
throw new plugins.typedrequest.TypedResponseError( throw new plugins.typedrequest.TypedResponseError(
'Your transfer token is not valid.' 'Your transfer token is not valid.'
); );
} }
const refreshToken = await loginSession2.getRefreshToken();
if (!refreshToken) {
throw new plugins.typedrequest.TypedResponseError('Could not create login session');
}
return { return {
refreshToken: await loginSession2.getRefreshToken(), refreshToken,
}; };
break; }
default:
throw new plugins.typedrequest.TypedResponseError('Invalid token exchange request');
} }
} }
) )
@@ -271,8 +285,7 @@ export class LoginSessionManager {
throw new plugins.typedrequest.TypedResponseError('Invalid JWT'); throw new plugins.typedrequest.TypedResponseError('Invalid JWT');
} }
// Get the current session's refresh token to identify the current session const currentLoginSession = await jwt.getLoginSession();
const currentRefreshToken = jwt.data.refreshToken;
// Get all sessions for this user // Get all sessions for this user
const sessions = await this.CLoginSession.getInstances({ const sessions = await this.CLoginSession.getInstances({
@@ -290,7 +303,7 @@ export class LoginSessionManager {
ip: session.data.deviceInfo?.ip || 'Unknown', ip: session.data.deviceInfo?.ip || 'Unknown',
lastActive: session.data.lastActive || session.data.createdAt || Date.now(), lastActive: session.data.lastActive || session.data.createdAt || Date.now(),
createdAt: session.data.createdAt || Date.now(), createdAt: session.data.createdAt || Date.now(),
isCurrent: session.data.refreshToken === currentRefreshToken, isCurrent: session.id === currentLoginSession?.id,
})), })),
}; };
} }
@@ -317,8 +330,10 @@ export class LoginSessionManager {
throw new plugins.typedrequest.TypedResponseError('Session not found'); throw new plugins.typedrequest.TypedResponseError('Session not found');
} }
const currentLoginSession = await jwt.getLoginSession();
// Don't allow revoking the current session via this method // Don't allow revoking the current session via this method
if (sessionToRevoke.data.refreshToken === jwt.data.refreshToken) { if (sessionToRevoke.id === currentLoginSession?.id) {
throw new plugins.typedrequest.TypedResponseError( throw new plugins.typedrequest.TypedResponseError(
'Cannot revoke current session. Use logout instead.' 'Cannot revoke current session. Use logout instead.'
); );
@@ -338,4 +353,44 @@ export class LoginSessionManager {
) )
); );
} }
public async findLoginSessionByRefreshToken(refreshTokenArg: string): Promise<{
loginSession: LoginSession;
validationStatus: TRefreshTokenValidationResult;
} | null> {
const directMatch = await this.CLoginSession.getLoginSessionByRefreshToken(refreshTokenArg);
if (directMatch) {
return {
loginSession: directMatch,
validationStatus: await directMatch.validateRefreshToken(refreshTokenArg),
};
}
const loginSessions = await this.CLoginSession.getInstances({});
for (const loginSession of loginSessions) {
const validationStatus = await loginSession.validateRefreshToken(refreshTokenArg);
if (validationStatus !== 'invalid') {
return {
loginSession,
validationStatus,
};
}
}
return null;
}
public async findLoginSessionByTransferToken(transferTokenArg: string) {
const transferTokenHash = await LoginSession.hashSessionToken(transferTokenArg);
const loginSession = await this.CLoginSession.getInstance({
'data.transferTokenHash': transferTokenHash,
});
if (!loginSession) {
return null;
}
const isValid = await loginSession.validateTransferToken(transferTokenArg);
return isValid ? loginSession : null;
}
} }
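Review bot: when the direct hash lookup misses, `findLoginSessionByRefreshToken` loads every session with `getInstances({})` and calls `validateRefreshToken` on each, which re-hashes the token per session. Any caller of `refreshJwt`, `logout` or the token exchange can trigger this with a random string, so the cost of an invalid token grows with the size of the sessions collection. Hash the token once and query for it in `data.rotatedRefreshTokenHashes` (plus the legacy `data.refreshToken` field while it exists) instead of iterating in application code.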
-2
View File
@@ -1,5 +1,4 @@
import * as plugins from '../plugins.js'; import * as plugins from '../plugins.js';
import * as paths from '../paths.js';
import { logger } from './logging.js'; import { logger } from './logging.js';
import { JwtManager } from './classes.jwtmanager.js'; import { JwtManager } from './classes.jwtmanager.js';
@@ -30,7 +29,6 @@ export interface IReceptionOptions {
} }
export class Reception { export class Reception {
public projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
public typedrouter = new plugins.typedrequest.TypedRouter(); public typedrouter = new plugins.typedrequest.TypedRouter();
public serviceQenv = new plugins.qenv.Qenv('./', './.nogit'); public serviceQenv = new plugins.qenv.Qenv('./', './.nogit');
public szPlatformClient = new plugins.szPlatformClient.SzPlatformClient(); public szPlatformClient = new plugins.szPlatformClient.SzPlatformClient();
-1
View File
@@ -10,7 +10,6 @@ export class ReceptionDb {
} }
public async start() { public async start() {
console.log(this.receptionRef.options.mongoDescriptor);
this.smartdataDb = new plugins.smartdata.SmartdataDb(this.receptionRef.options.mongoDescriptor); this.smartdataDb = new plugins.smartdata.SmartdataDb(this.receptionRef.options.mongoDescriptor);
await this.smartdataDb.init(); await this.smartdataDb.init();
} }
+21 -3
View File
@@ -17,7 +17,7 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
const newUser = new User(); const newUser = new User();
newUser.id = plugins.smartunique.shortId(); newUser.id = plugins.smartunique.shortId();
newUser.data = { newUser.data = {
connectedOrgs: null, connectedOrgs: [],
status: 'new', status: 'new',
name: userDataArg.name, name: userDataArg.name,
username: userDataArg.username, username: userDataArg.username,
@@ -31,8 +31,26 @@ export class User extends plugins.smartdata.SmartDataDbDoc<
return newUser; return newUser;
} }
public static hashPassword(passwordArg: string) { public static async hashPassword(passwordArg: string) {
return plugins.smarthash.sha256FromString(passwordArg); return plugins.argon2.hash(passwordArg);
}
public static isLegacyPasswordHash(passwordHashArg?: string) {
return !!passwordHashArg && !passwordHashArg.startsWith('$argon2');
}
public static shouldUpgradePasswordHash(passwordHashArg?: string) {
return this.isLegacyPasswordHash(passwordHashArg);
}
public static async verifyPassword(passwordArg: string, passwordHashArg?: string) {
if (!passwordHashArg) {
return false;
}
if (this.isLegacyPasswordHash(passwordHashArg)) {
return passwordHashArg === (await plugins.smarthash.sha256FromString(passwordArg));
}
return plugins.argon2.verify(passwordHashArg, passwordArg);
} }
// INSTANCE // INSTANCE
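Review bot: `isLegacyPasswordHash` treats any stored value that does not start with `$argon2` as an unsalted SHA-256 hash, and those hashes are only upgraded when the user next logs in with a password, so accounts that never log in keep the weak hash indefinitely. Add a plan for them, for example forcing a password reset after a cutoff date, and a comment on `isLegacyPasswordHash` describing the legacy format it assumes. `shouldUpgradePasswordHash` currently only detects legacy hashes; if the argon2 parameters are ever raised, existing argon2 hashes will not be re-hashed, so consider extending it to cover that case.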
+11 -3
View File
@@ -23,6 +23,9 @@ export class UserManager {
new plugins.typedrequest.TypedHandler('getRolesAndOrganizationsForUserId', async reqArg => { new plugins.typedrequest.TypedHandler('getRolesAndOrganizationsForUserId', async reqArg => {
console.log('user manager: getting roles and orgs'); console.log('user manager: getting roles and orgs');
const user = await this.getUserByJwtValidation(reqArg.jwt); const user = await this.getUserByJwtValidation(reqArg.jwt);
if (!user) {
throw new plugins.typedrequest.TypedResponseError('User not found');
}
const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser( const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser(
user user
); );
@@ -49,8 +52,7 @@ export class UserManager {
email: user.data.email, email: user.data.email,
mobileNumber: user.data.mobileNumber, mobileNumber: user.data.mobileNumber,
connectedOrgs: user.data.connectedOrgs, connectedOrgs: user.data.connectedOrgs,
status: null, status: user.data.status,
password: null,
isGlobalAdmin: user.data.isGlobalAdmin, isGlobalAdmin: user.data.isGlobalAdmin,
} as plugins.idpInterfaces.data.IUser['data'] } as plugins.idpInterfaces.data.IUser['data']
} }
@@ -64,6 +66,9 @@ export class UserManager {
*/ */
public async getUserByJwt(jwtString: string) { public async getUserByJwt(jwtString: string) {
const jwtInstance = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtString); const jwtInstance = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtString);
if (!jwtInstance) {
return null;
}
const user = await this.CUser.getInstance({ const user = await this.CUser.getInstance({
id: jwtInstance.data.userId id: jwtInstance.data.userId
}); });
@@ -75,7 +80,10 @@ export class UserManager {
* faster than the "getUserByJwt" * faster than the "getUserByJwt"
*/ */
public async getUserByJwtValidation(jwtStringArg: string) { public async getUserByJwtValidation(jwtStringArg: string) {
const jwtDataArg: plugins.idpInterfaces.data.IJwt = await this.receptionRef.jwtManager.smartjwtInstance.verifyJWTAndGetData(jwtStringArg); const jwtDataArg = await this.receptionRef.jwtManager.verifyJWTAndGetData(jwtStringArg);
if (!jwtDataArg) {
return null;
}
const resultingUser = await this.CUser.getInstance({ const resultingUser = await this.CUser.getInstance({
id: jwtDataArg.data.userId id: jwtDataArg.data.userId
}); });
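Review bot: the doc comment above `getUserByJwtValidation` still says it is faster than `getUserByJwt`, but after this change both call `jwtManager.verifyJWTAndGetData` and then load the user by `data.userId`, so the two methods now do the same work. Update or remove the comment, and consider collapsing the two methods into one so the session and blocked checks cannot diverge again.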
-3
View File
@@ -1,6 +1,3 @@
import * as plugins from '../plugins.js'; import * as plugins from '../plugins.js';
import * as paths from '../paths.js';
const projectinfoNpm = new plugins.projectinfo.ProjectinfoNpm(paths.packageDir);
export const logger = new plugins.smartlog.ConsoleLog(); export const logger = new plugins.smartlog.ConsoleLog();
+1
View File
@@ -193,6 +193,7 @@ export class IdpCli {
this.storeCredentials({ this.storeCredentials({
...credentials, ...credentials,
jwt: response.jwt, jwt: response.jwt,
refreshToken: response.refreshToken || credentials.refreshToken,
}); });
return response.jwt; return response.jwt;
} }
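Review bot: the fallback `response.refreshToken || credentials.refreshToken` keeps the old token when the server response has none, but after this change the server rotates on every successful refresh, so a kept old token is one the server will classify as 'reused' and answer by invalidating the session. Treat a missing `refreshToken` on a successful refresh as an error rather than silently reusing the previous value. Since the stored token now changes on every refresh, also make sure `storeCredentials` writes the file atomically, so an interrupted write does not leave the CLI holding a rotated-out token.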
+111
View File
@@ -0,0 +1,111 @@
# @idp.global/cli
Terminal client for `idp.global`.
It wraps the same typed backend used by the web app and SDK, but stores credentials on disk so you can inspect accounts, sessions, orgs, and admin state from the shell.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash
pnpm add -g @idp.global/cli
```
## Quick Start
```bash
idp login
idp whoami
idp orgs
idp sessions
```
## Commands
| Command | Purpose |
| --- | --- |
| `idp login` | Prompt for email and password |
| `idp login-token` | Prompt for an API token |
| `idp logout` | Remove local credentials and try server-side logout |
| `idp whoami` | Print the current user |
| `idp sessions` | List active sessions |
| `idp revoke --session <session-id>` | Revoke a session |
| `idp orgs` | List organizations for the current user |
| `idp orgs-create` | Interactively create an organization |
| `idp members --org <org-id>` | List members for an organization |
| `idp invite --org <org-id> --email user@example.com` | Invite a member |
| `idp admin-check` | Check global admin status |
| `idp admin-apps` | List global app stats |
| `idp admin-suspend --user <user-id>` | Suspend a user |
## Configuration
The CLI reads `IDP_URL` and defaults to `https://idp.global`.
```bash
IDP_URL=http://localhost:2999 idp whoami
```
Credentials are stored in:
```text
~/.idp-global/credentials.json
```
## Programmatic Usage
```ts
import { IdpCli } from '@idp.global/cli';
const cli = new IdpCli({
idpBaseUrl: 'http://localhost:2999',
});
await cli.loginWithPassword('user@example.com', 'secret');
const me = await cli.whoami();
const orgs = await cli.getOrganizations();
console.log(me?.data?.email);
console.log(orgs?.organizations.length);
await cli.disconnect();
```
## What The Class Exposes
- `loginWithPassword()` and `loginWithApiToken()`
- `refreshJwt()` and `logout()`
- `whoami()`, `getSessions()`, and `revokeSession()`
- `getOrganizations()`, `createOrganization()`, `getOrgMembers()`, and `inviteMember()`
- `checkGlobalAdmin()`, `getGlobalAppStats()`, and `suspendUser()`
## Implementation Notes
- The CLI connects to the backend websocket surface at `/typedrequest`.
- It uses file-based credentials instead of browser storage.
- `orgs-create` first checks availability, then creates the organization.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
### Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
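Review bot: The Configuration section names `~/.idp-global/credentials.json` but does not say what the file holds or how it is protected. The `IdpCli` change in this commit passes both `jwt` and `refreshToken` to `storeCredentials`, so the README should state that the file contains a refresh token, which file mode the CLI creates it with, and that `idp logout` removes it. The `IDP_URL=http://localhost:2999` example also deserves a line saying that a plain-HTTP URL is for local development only, since `idp login` and `idp login-token` send the password or API token to that endpoint.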
+72 -25
View File
@@ -29,9 +29,9 @@ export class IdpClient {
appDataArg = { appDataArg = {
id: '', // TODO id: '', // TODO
appUrl: `https://${window.location.host}/`, appUrl: `https://${window.location.host}/`,
description: null, description: '',
logoUrl: null, logoUrl: '',
name: null, name: '',
}; };
} }
this.appData = appDataArg; this.appData = appDataArg;
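Review bot: Replacing `null` with `''` for `description`, `logoUrl` and `name` in the fallback `appDataArg` removes the only marker that these values were never set, and `id: ''` still carries its TODO. This object is later sent as `appData` in `getTransferToken`, so the receiving side sees an empty-string app identity instead of an absent one. Either make the fields optional in the type or document that empty strings mean "unset" so the server can reject or special-case them.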
@@ -67,10 +67,14 @@ export class IdpClient {
await this.storeJwt(jwtStringArg); await this.storeJwt(jwtStringArg);
} }
public async setRefreshToken(refreshTokenArg: string) {
await this.storeRefreshToken(refreshTokenArg);
}
/** /**
* a typedsocket for going reactive * a typedsocket for going reactive
*/ */
public typedsocket: plugins.typedsocket.TypedSocket; public typedsocket!: plugins.typedsocket.TypedSocket;
/** /**
* a typed router to go reactive * a typed router to go reactive
@@ -89,16 +93,30 @@ export class IdpClient {
await this.ssoStore.set('idpJwt', jwtString); await this.ssoStore.set('idpJwt', jwtString);
} }
public async storeRefreshToken(refreshToken: string) {
await this.ssoStore.set('idpRefreshToken', refreshToken);
}
public async getJwt(): Promise<string> { public async getJwt(): Promise<string> {
return await this.ssoStore.get('idpJwt'); return await this.ssoStore.get('idpJwt');
} }
public async getRefreshToken(): Promise<string> {
return await this.ssoStore.get('idpRefreshToken');
}
public async getJwtData(): Promise<plugins.idpInterfaces.data.IJwt> { public async getJwtData(): Promise<plugins.idpInterfaces.data.IJwt> {
return this.helpers.extractDataFromJwtString(await this.getJwt()); return this.helpers.extractDataFromJwtString(await this.getJwt());
} }
public async deleteJwt() { public async deleteJwt() {
await this.ssoStore.delete('idpJwt'); await this.ssoStore.delete('idpJwt');
console.log('removed jwt'); }
public async deleteRefreshToken() {
await this.ssoStore.delete('idpRefreshToken');
}
public async clearAuthState() {
await Promise.all([this.deleteJwt(), this.deleteRefreshToken()]);
} }
/** /**
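Review bot: `getRefreshToken()` is declared `Promise<string>`, yet the callers added in this commit all test `if (!refreshToken)` or `if (refreshToken)`, so the signature should be `Promise<string | null>` (or `undefined`, whichever `ssoStore.get` returns for a missing key). Separately, the refresh token now lives in its own `idpRefreshToken` entry in `ssoStore`; a comment here on who can read that store and how long the token stays valid would help reviewers judge the exposure. Having `clearAuthState()` delete both entries together is a good addition.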
@@ -115,47 +133,63 @@ export class IdpClient {
if (extractedJwt.data.refreshFrom < Date.now() && Date.now() < extractedJwt.data.validUntil) { if (extractedJwt.data.refreshFrom < Date.now() && Date.now() < extractedJwt.data.validUntil) {
jwt = await this.refreshJwt(); jwt = await this.refreshJwt();
} else if (Date.now() > extractedJwt.data.validUntil) { } else if (Date.now() > extractedJwt.data.validUntil) {
this.deleteJwt(); await this.deleteJwt();
jwt = await this.refreshJwt();
} }
return jwt; return jwt;
} }
public async refreshJwt(refreshTokenArg?: string): Promise<string> { public async refreshJwt(refreshTokenArg?: string): Promise<string | null> {
let extractedJwt: plugins.idpInterfaces.data.IJwt; const refreshToken = refreshTokenArg || (await this.getRefreshToken());
if (!refreshTokenArg) { if (!refreshToken) {
extractedJwt = await this.helpers.extractDataFromJwtString(await this.getJwt()); return null;
} }
await this.typedsocketDeferred.promise; await this.typedsocketDeferred.promise;
const refreshJwtReq = const refreshJwtReq =
this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>( this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>(
'refreshJwt' 'refreshJwt'
); );
const response = await refreshJwtReq.fire({ const response = await refreshJwtReq
refreshToken: refreshTokenArg || extractedJwt.data.refreshToken, .fire({
}); refreshToken,
if (response.jwt) { })
await this.storeJwt(response.jwt); .catch(async () => {
} else { await this.clearAuthState();
await this.deleteJwt(); return null;
});
if (!response?.jwt) {
await this.clearAuthState();
this.statusObservable.next(response?.status || 'loggedOut');
return null;
} }
if (response.refreshToken) {
await this.storeRefreshToken(response.refreshToken);
}
await this.storeJwt(response.jwt);
this.statusObservable.next(response.status); this.statusObservable.next(response.status);
return await this.getJwt(); return response.jwt;
} }
/** /**
* can be used to switch between pages * can be used to switch between pages
*/ */
public async getTransferToken(appDataArg?: plugins.idpInterfaces.data.IAppLegacy): Promise<string> { public async getTransferToken(appDataArg?: plugins.idpInterfaces.data.IAppLegacy): Promise<string | null> {
const jwt = await this.performJwtHousekeeping(); await this.performJwtHousekeeping();
const extractedJwt = await this.helpers.extractDataFromJwtString(jwt); const refreshToken = await this.getRefreshToken();
if (!refreshToken) {
return null;
}
await this.typedsocketDeferred.promise; await this.typedsocketDeferred.promise;
const getTransferToken = const getTransferToken =
this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>( this.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_ExchangeRefreshTokenAndTransferToken>(
'exchangeRefreshTokenAndTransferToken' 'exchangeRefreshTokenAndTransferToken'
); );
const response = await getTransferToken.fire({ const response = await getTransferToken.fire({
refreshToken: extractedJwt.data.refreshToken, refreshToken,
appData: appDataArg || this.appData, appData: appDataArg || this.appData,
}); });
return response.transferToken; return response.transferToken;
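Review bot: In `refreshJwt`, the `.catch(async () => { await this.clearAuthState(); return null; })` handler treats every rejection from `fire()` as a rejected token, so a dropped socket or a timeout wipes both the JWT and the refresh token and logs the user out. Clear the state only when the server answers without a `jwt`, and let transport errors propagate or be retried. Smaller points: the catch path clears state twice (again in the `!response?.jwt` branch); nothing serialises concurrent calls, so with rotating refresh tokens two overlapping refreshes can present the same token and the loser clears the session (a single in-flight promise would avoid that); and the early `return null` when no refresh token is stored skips `statusObservable.next(...)`.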
@@ -230,6 +264,13 @@ export class IdpClient {
const jwt = await this.performJwtHousekeeping(); const jwt = await this.performJwtHousekeeping();
return !!jwt; return !!jwt;
} else { } else {
const refreshToken = await this.getRefreshToken();
if (refreshToken) {
const jwt = await this.refreshJwt(refreshToken);
if (jwt) {
return true;
}
}
const transferTokenResult = await this.processTransferToken(); const transferTokenResult = await this.processTransferToken();
if (transferTokenResult) { if (transferTokenResult) {
// we are in the clear // we are in the clear
@@ -258,12 +299,18 @@ export class IdpClient {
*/ */
public async logout() { public async logout() {
const idpLogoutUrl = this.parsedReceptionUrl.clone().set('path', '/logout'); const idpLogoutUrl = this.parsedReceptionUrl.clone().set('path', '/logout');
const refreshToken = await this.getRefreshToken();
if (!globalThis.location.href.startsWith(idpLogoutUrl.origin)) { if (!globalThis.location.href.startsWith(idpLogoutUrl.origin)) {
// we are somewhere in an app // we are somewhere in an app
await this.deleteJwt(); await this.clearAuthState();
globalThis.location.href = idpLogoutUrl.toString(); globalThis.location.href = idpLogoutUrl.toString();
} else { } else {
// we are in the sso page // we are in the sso page
if (!refreshToken) {
await this.clearAuthState();
window.location.href = this.parsedReceptionUrl.origin;
return;
}
await this.enableTypedSocket(); await this.enableTypedSocket();
console.log(`logging out against ${this.parsedReceptionUrl.toString()}`); console.log(`logging out against ${this.parsedReceptionUrl.toString()}`);
const logoutTr = const logoutTr =
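Review bot: In the SSO-page branch, the new `if (!refreshToken)` path clears local state and redirects without sending a `logout` request, so the server-side session stays valid until it expires. Since `IJwt` gains a `sessionId` in this commit, consider letting logout fall back to the stored JWT to invalidate that session, or document that this path is local-only. In the app branch, `refreshToken` is read at the top of the method but never used.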
@@ -271,9 +318,9 @@ export class IdpClient {
'logout' 'logout'
); );
await logoutTr.fire({ await logoutTr.fire({
refreshToken: (await this.getJwtData()).data.refreshToken, refreshToken,
}); });
await this.deleteJwt(); await this.clearAuthState();
const appData = await this.getAppDataOnSsoDomain(); const appData = await this.getAppDataOnSsoDomain();
if (appData) { if (appData) {
console.log(`redirecting to app after logout: ${appData.appUrl}`); console.log(`redirecting to app after logout: ${appData.appUrl}`);
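Review bot: `await logoutTr.fire({ refreshToken })` is followed by `await this.clearAuthState()` with no error handling, so if the request rejects, the JWT and refresh token stay in storage and the redirect never happens. Wrap the call in `try { ... } finally { await this.clearAuthState(); }` so local credentials are always removed.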
+87 -303
View File
@@ -1,71 +1,61 @@
# @idp.global/idpclient # @idp.global/client
A TypeScript client library for integrating with the idp.global Identity Provider. Works in both browser and Node.js environments. Browser-facing TypeScript client for talking to an `idp.global` server over `typedrequest` and `typedsocket`.
## Overview It handles login state, refresh tokens, JWT housekeeping, cross-app transfer tokens, and direct access to the typed request surface.
The IdpClient provides a complete API for authentication, session management, and organization operations. It uses WebSocket connections via TypedSocket for real-time, type-safe communication with the IdP server. ## Issue Reporting and Security
## Installation For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash ```bash
npm install @idp.global/idpclient pnpm add @idp.global/client
# or
pnpm add @idp.global/idpclient
``` ```
## Quick Start ## Quick Start
```typescript ```ts
import { IdpClient } from '@idp.global/idpclient'; import { IdpClient } from '@idp.global/client';
// Initialize the client
const idpClient = new IdpClient('https://idp.global'); const idpClient = new IdpClient('https://idp.global');
// Enable WebSocket connection
await idpClient.enableTypedSocket(); await idpClient.enableTypedSocket();
// Check login status const loggedIn = await idpClient.determineLoginStatus();
const isLoggedIn = await idpClient.determineLoginStatus();
if (isLoggedIn) { if (!loggedIn) {
const userInfo = await idpClient.whoIs(); const loginResult = await idpClient.requests.loginWithUserNameAndPassword.fire({
console.log('Logged in as:', userInfo.user.data.name); username: 'user@example.com',
password: 'secret',
});
if (loginResult.refreshToken) {
await idpClient.refreshJwt(loginResult.refreshToken);
}
} }
const whoIs = await idpClient.whoIs();
console.log(whoIs.user.data.email);
``` ```
## Core Features ## What The Client Handles
### Authentication - Normalizes the base URL to the server's `/typedrequest` endpoint.
- Stores JWT and refresh token state in a browser `WebStore`.
- Refreshes expiring JWTs via `performJwtHousekeeping()`.
- Redirects to `/login` when `determineLoginStatus(true)` is used.
- Exchanges refresh tokens for cross-app transfer tokens.
- Exposes the low-level typed requests through `idpClient.requests`.
#### Password Login ## Common Flows
```typescript ### Password Login
const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
```ts
const result = await idpClient.requests.loginWithUserNameAndPassword.fire({
username: 'user@example.com', username: 'user@example.com',
password: 'securepassword', password: 'secret',
});
if (response.refreshToken) {
await idpClient.refreshJwt(response.refreshToken);
console.log('Login successful!');
} else if (response.twoFaNeeded) {
console.log('2FA verification required');
}
```
#### Magic Link Login
```typescript
// Request magic link
await idpClient.requests.loginWithEmail.fire({
email: 'user@example.com',
});
// After clicking the email link
const result = await idpClient.requests.loginWithEmailAfterToken.fire({
email: 'user@example.com',
token: 'token-from-email-link',
}); });
if (result.refreshToken) { if (result.refreshToken) {
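Review bot: The rewritten Quick Start and Password Login examples handle only the `refreshToken` case; the `else if (response.twoFaNeeded)` branch from the previous text is gone. If the login response can still ask for a second factor, keep that branch in at least one example, otherwise readers will treat a 2FA prompt as a silent failed login.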
@@ -73,300 +63,94 @@ if (result.refreshToken) {
} }
``` ```
#### API Token Login ### Magic Link Login
```typescript ```ts
const result = await idpClient.requests.loginWithApiToken.fire({ await idpClient.requests.loginWithEmail.fire({
apiToken: 'your-api-token', email: 'user@example.com',
}); });
if (result.jwt) { const result = await idpClient.requests.loginWithEmailAfterToken.fire({
await idpClient.setJwt(result.jwt); email: 'user@example.com',
} token: 'token-from-email',
});
await idpClient.refreshJwt(result.refreshToken);
``` ```
### Session Management ### Session and Identity
```typescript ```ts
// Get current JWT
const jwt = await idpClient.getJwt();
// Get parsed JWT data
const jwtData = await idpClient.getJwtData();
console.log('User ID:', jwtData.id);
// Refresh JWT (automatic housekeeping)
await idpClient.performJwtHousekeeping(); await idpClient.performJwtHousekeeping();
// Manual refresh const jwt = await idpClient.getJwt();
await idpClient.refreshJwt(); const jwtData = await idpClient.getJwtData();
const whoIs = await idpClient.whoIs();
// Logout console.log(jwtData.id, whoIs.user.data.username);
await idpClient.logout();
``` ```
### User Information ### Organizations
```typescript ```ts
// Get current user details const rolesAndOrganizations = await idpClient.getRolesAndOrganizations();
const whoIsResponse = await idpClient.whoIs();
console.log('Name:', whoIsResponse.user.data.name);
console.log('Email:', whoIsResponse.user.data.email);
// Get user data const created = await idpClient.createOrganization(
const userData = await idpClient.requests.getUserData.fire({ 'Acme',
jwt: await idpClient.getJwt(), 'acme',
userId: jwtData.id, 'manifest'
});
// Update user data
await idpClient.requests.setUserData.fire({
jwt: await idpClient.getJwt(),
userId: jwtData.id,
name: 'New Name',
});
```
### Organization Management
```typescript
// Get user's organizations and roles
const orgsAndRoles = await idpClient.getRolesAndOrganizations();
console.log('Organizations:', orgsAndRoles.organizations);
console.log('Roles:', orgsAndRoles.roles);
// Create a new organization
const result = await idpClient.createOrganization(
'My Company', // name
'my-company', // slug
'manifest' // mode: 'checkAvailability' or 'manifest'
); );
if (result.resultingOrganization) {
console.log('Created:', result.resultingOrganization.id);
}
// Get organization details
const orgDetails = await idpClient.requests.getOrganizationById.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
});
```
### Member & Invitation Management
```typescript
// Get organization members
const members = await idpClient.requests.getOrgMembers.fire({ const members = await idpClient.requests.getOrgMembers.fire({
jwt: await idpClient.getJwt(), jwt: await idpClient.getJwt(),
organizationId: 'org-id', organizationId: created.resultingOrganization.id,
});
// Invite a new member
await idpClient.requests.createInvitation.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
email: 'newmember@example.com',
roles: ['member'],
});
// Bulk invite members
await idpClient.requests.bulkCreateInvitations.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
invitations: [
{ email: 'user1@example.com', roles: ['member'] },
{ email: 'user2@example.com', roles: ['admin'] },
],
});
// Accept an invitation
await idpClient.requests.acceptInvitation.fire({
jwt: await idpClient.getJwt(),
invitationToken: 'token-from-invite-email',
});
// Remove a member
await idpClient.requests.removeMember.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
userId: 'user-id',
});
// Transfer ownership
await idpClient.requests.transferOwnership.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
newOwnerId: 'new-owner-user-id',
}); });
``` ```
### Password Management ### Cross-App Transfer
```typescript ```ts
// Request password reset
await idpClient.requests.resetPassword.fire({
email: 'user@example.com',
});
// Set new password (with token from email)
await idpClient.requests.setNewPassword.fire({
email: 'user@example.com',
tokenArg: 'reset-token',
newPassword: 'newsecurepassword',
});
// Change password (when logged in)
await idpClient.requests.setNewPassword.fire({
email: 'user@example.com',
oldPassword: 'currentpassword',
newPassword: 'newsecurepassword',
});
```
### Session & Device Management
```typescript
// Get active sessions
const sessions = await idpClient.requests.getUserSessions.fire({
jwt: await idpClient.getJwt(),
userId: jwtData.id,
});
// Revoke a session
await idpClient.requests.revokeSession.fire({
jwt: await idpClient.getJwt(),
sessionId: 'session-id',
});
// Get device ID
const deviceInfo = await idpClient.requests.obtainDeviceId.fire({});
// Attach device to session
await idpClient.requests.attachDeviceId.fire({
jwt: await idpClient.getJwt(),
deviceId: deviceInfo.deviceId.id,
});
```
### Cross-Domain Authentication
```typescript
// Get transfer token for SSO between apps
const transferToken = await idpClient.getTransferToken(); const transferToken = await idpClient.getTransferToken();
// Switch to another app with authentication
await idpClient.getTransferTokenAndSwitchToLocation('https://app.example.com/'); await idpClient.getTransferTokenAndSwitchToLocation('https://app.example.com/');
// Process incoming transfer token (in target app)
const success = await idpClient.processTransferToken();
if (success) {
console.log('Cross-domain login successful');
}
``` ```
### Billing Integration ## Typed Request Surface
```typescript `IdpRequests` exposes typed request getters for:
// Get billing plan for an organization
const billingPlan = await idpClient.requests.getBillingPlan.fire({
jwt: await idpClient.getJwt(),
organizationId: 'org-id',
});
// Get Paddle configuration - authentication
const paddleConfig = await idpClient.requests.getPaddleConfig.fire({ - registration
jwt: await idpClient.getJwt(), - user/session queries
}); - org and invitation management
- billing requests
- JWT validation key requests
- admin requests
// Update payment method Use these when you want full control instead of the higher-level helper methods on `IdpClient`.
await idpClient.updatePaddleCheckoutId('org-id', 'checkout-id');
```
### Admin Operations (Global Admins Only) ## Important Runtime Notes
```typescript - The default fallback `appData` uses `window.location`, so this package is primarily browser-oriented.
// Check if user is global admin - The client expects the backend `typedrequest` websocket surface to be reachable.
const isAdmin = await idpClient.requests.checkGlobalAdmin.fire({ - Auth state is persisted in browser storage under the `idpglobalStore` store name.
jwt: await idpClient.getJwt(),
});
// Get platform statistics ## License and Legal Information
const stats = await idpClient.requests.getGlobalAppStats.fire({
jwt: await idpClient.getJwt(),
});
// Create a global app This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
await idpClient.requests.createGlobalApp.fire({
jwt: await idpClient.getJwt(),
name: 'My App',
description: 'App description',
});
// Suspend a user **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
await idpClient.requests.suspendUser.fire({
jwt: await idpClient.getJwt(),
userId: 'user-id',
});
```
## Reactive Subscriptions ### Trademarks
The client provides RxJS subjects for reactive updates: This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
```typescript Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
// Subscribe to login status changes
idpClient.statusObservable.subscribe((status) => {
console.log('Login status changed:', status);
});
// Subscribe to roles updates ### Company Information
idpClient.rolesReplaySubject.subscribe((roles) => {
console.log('Roles updated:', roles);
});
// Subscribe to organizations updates Task Venture Capital GmbH
idpClient.organizationsReplaySubject.subscribe((orgs) => { Registered at District Court Bremen HRB 35230 HB, Germany
console.log('Organizations updated:', orgs);
});
```
## API Reference For any legal inquiries or further information, please contact us via email at hello@task.vc.
### IdpClient Class By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
| Method | Description |
|--------|-------------|
| `enableTypedSocket()` | Initialize WebSocket connection |
| `determineLoginStatus(requireLogin?)` | Check if user is logged in |
| `getJwt()` | Get stored JWT string |
| `getJwtData()` | Get parsed JWT data |
| `setJwt(jwt)` | Store JWT |
| `deleteJwt()` | Remove stored JWT |
| `refreshJwt(refreshToken?)` | Refresh the JWT |
| `performJwtHousekeeping()` | Auto-refresh JWT if needed |
| `logout()` | End session and redirect |
| `whoIs()` | Get current user info |
| `getRolesAndOrganizations()` | Get user's orgs and roles |
| `createOrganization(name, slug, mode)` | Create new organization |
| `getTransferToken(appData?)` | Get SSO transfer token |
| `processTransferToken()` | Process incoming transfer token |
| `stop()` | Close WebSocket connection |
### IdpRequests Class
Access via `idpClient.requests.*`:
**Authentication**: `loginWithUserNameAndPassword`, `loginWithEmail`, `loginWithEmailAfterToken`, `loginWithApiToken`, `resetPassword`, `setNewPassword`
**User**: `getUserData`, `setUserData`, `getUserSessions`, `revokeSession`, `getUserActivity`
**Organization**: `getOrganizationById`, `updateOrganization`, `createInvitation`, `bulkCreateInvitations`, `getOrgMembers`, `getOrgInvitations`, `acceptInvitation`, `cancelInvitation`, `resendInvitation`, `removeMember`, `updateMemberRoles`, `transferOwnership`
**Billing**: `getBillingPlan`, `getPaddleConfig`
**Admin**: `checkGlobalAdmin`, `getGlobalAppStats`, `createGlobalApp`, `updateGlobalApp`, `deleteGlobalApp`, `suspendUser`, `deleteSuspendedUser`
## License
MIT - See the main repository for full license details.
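Review bot: The Magic Link example calls `await idpClient.refreshJwt(result.refreshToken);` without the `if (result.refreshToken)` guard that the password example uses. With the new `refreshJwt`, an undefined argument falls back to the stored token (`refreshTokenArg || (await this.getRefreshToken())`), so a failed magic-link exchange would silently refresh whatever session is already stored. Add the guard, and do the same for `created.resultingOrganization.id` in the Organizations example, which the old README checked with `if (result.resultingOrganization)` first.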
+7 -2
View File
@@ -10,6 +10,11 @@ export interface IJwt {
*/ */
userId: string; userId: string;
/**
* the login session backing this jwt
*/
sessionId?: string;
/** /**
* the latest point of * the latest point of
*/ */
@@ -24,9 +29,9 @@ export interface IJwt {
refreshEvery: number; refreshEvery: number;
/** /**
* the refresh token to obtain a new jwt for a session * legacy field kept for compatibility with already-issued jwt documents
*/ */
refreshToken: string; refreshToken?: string;
/** /**
* just for looks/debugging * just for looks/debugging
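Review bot: Making `refreshToken` optional with the comment `legacy field kept for compatibility with already-issued jwt documents` leaves it unclear whether newly issued JWTs may still populate it. Mark the field `@deprecated`, state that new tokens must omit it, and say when it can be removed. The same applies to `sessionId?` in the previous hunk: document whether it is always present on new tokens so verifiers know how to treat a JWT without it.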
@@ -1,15 +1,22 @@
export interface ILoginSession { export interface ILoginSession {
id: string; id: string;
data: { data: {
userId: string; userId: string | null;
validUntil: number; validUntil: number;
invalidated: boolean; invalidated: boolean;
refreshToken: string; /**
* legacy plaintext refresh token field kept so existing sessions can migrate on first use
*/
refreshToken?: string | null;
refreshTokenHash?: string | null;
rotatedRefreshTokenHashes?: string[];
transferTokenHash?: string | null;
transferTokenExpiresAt?: number | null;
/** /**
* a device id that can be used to share the login session * a device id that can be used to share the login session
* in different contexts on the same device * in different contexts on the same device
*/ */
deviceId: string; deviceId?: string | null;
/** /**
* Device metadata for session display * Device metadata for session display
*/ */
@@ -18,7 +25,7 @@ export interface ILoginSession {
browser: string; browser: string;
os: string; os: string;
ip: string; ip: string;
}; } | null;
/** /**
* When this session was created * When this session was created
*/ */
+85 -269
View File
@@ -1,312 +1,128 @@
# @idp.global/interfaces # @idp.global/interfaces
TypeScript interfaces and type definitions for the idp.global Identity Provider platform. Shared TypeScript contracts for the `idp.global` backend, browser client, CLI, and frontend.
## Overview Use this package when you want typed request/response payloads and shared data models for users, sessions, organizations, apps, billing, and OIDC.
This package provides the complete type system for idp.global, including data models, API request/response interfaces, and OIDC definitions. Use this package when building applications that integrate with idp.global or when you need type-safe interactions with the IdP API. ## Issue Reporting and Security
## Installation For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash ```bash
npm install @idp.global/interfaces
# or
pnpm add @idp.global/interfaces pnpm add @idp.global/interfaces
``` ```
## Usage ## Quick Start
```typescript ```ts
import { data, request, tags } from '@idp.global/interfaces'; import { data, request, tags } from '@idp.global/interfaces';
// Data interfaces const loginRequest: request.IReq_LoginWithEmailOrUsernameAndPassword['request'] = {
const user: data.IUser = { username: 'user@example.com',
id: 'user_123', password: 'secret',
data: {
name: 'John Doe',
username: 'johndoe',
email: 'john@example.com',
status: 'active',
connectedOrgs: ['org_1', 'org_2'],
},
}; };
// Organization interface const organization: data.IOrganization = {
const org: data.IOrganization = {
id: 'org_1', id: 'org_1',
data: { data: {
name: 'Acme Corp', name: 'Acme',
slug: 'acme', slug: 'acme',
billingPlanId: 'plan_free', billingPlanId: 'plan_free',
roleIds: ['role_admin', 'role_member'], roleIds: [],
}, },
}; };
``` ```
## Package Structure ## Exports
``` ### `data`
ts_interfaces/
├── data/ # Data model interfaces The `data` export includes types for:
│ ├── loint-reception.user.ts # User profiles
│ ├── loint-reception.organization.ts # Organizations - users
│ ├── loint-reception.role.ts # RBAC roles - organizations
│ ├── loint-reception.app.ts # OAuth applications - roles
│ ├── loint-reception.oidc.ts # OIDC tokens & flows - JWT payloads
│ ├── loint-reception.jwt.ts # JWT structures - login sessions
│ ├── loint-reception.loginsession.ts # Login sessions - devices
│ ├── loint-reception.billingplan.ts # Billing plans - activity logs
│ ├── loint-reception.device.ts # Device management - apps and app connections
│ ├── loint-reception.activity.ts # Activity logs - billing plans and Paddle checkout data
│ ├── loint-reception.userinvitation.ts # Invitations - OIDC data structures
│ └── loint-reception.appconnection.ts # App connections - invitations
├── request/ # API request/response interfaces
│ ├── loint-reception.login.ts # Authentication ### `request`
│ ├── loint-reception.registration.ts # User registration
│ ├── loint-reception.user.ts # User management The `request` export includes typed request contracts for:
│ ├── loint-reception.organization.ts # Org management
│ ├── loint-reception.jwt.ts # JWT operations - login, logout, refresh, password reset, and device attachment
│ ├── loint-reception.apitoken.ts # API tokens - registration flow requests
│ ├── loint-reception.app.ts # App management - user and session queries
│ ├── loint-reception.billingplan.ts # Billing - organization CRUD-style requests
│ └── loint-reception.admin.ts # Admin operations - invitations and membership changes
└── tags/ # Tag definitions - app and admin actions
- billing and JWT validation support
### `tags`
Shared tag exports live under `tags/`.
## Layout
| Path | Purpose |
| --- | --- |
| `data/index.ts` | Re-exports all shared data interfaces |
| `request/index.ts` | Re-exports all typed request contracts |
| `tags/index.ts` | Re-exports shared tags |
## Examples
### Login Contract
```ts
type TLogin = request.IReq_LoginWithEmailOrUsernameAndPassword;
const payload: TLogin['request'] = {
username: 'user@example.com',
password: 'secret',
};
``` ```
## Data Interfaces ### Session Contract
### User (`IUser`) ```ts
type TSessions = request.IReq_GetUserSessions['response']['sessions'];
```typescript
interface IUser {
id: string;
data: {
name: string;
username: string;
email: string;
mobileNumber?: string;
password?: string; // Only during initial setting
passwordHash?: string; // For validation
status: 'new' | 'active' | 'deleted' | 'suspended';
connectedOrgs: string[]; // Organization IDs
isGlobalAdmin?: boolean; // Platform admin flag
};
}
``` ```
### Organization (`IOrganization`) ### OIDC Contract
```typescript ```ts
interface IOrganization { type TUserInfo = data.IUserInfoResponse;
id: string;
data: {
name: string;
slug: string;
billingPlanId: string;
roleIds: string[];
};
}
``` ```
### Role (`IRole`) ## Scope
```typescript This package is intentionally contract-only. It does not open sockets, store auth state, or perform HTTP/websocket communication by itself.
interface IRole {
id: string;
data: {
name: string;
organizationId: string;
userId: string;
permissions: string[];
};
}
```
### OAuth Application Types ## License and Legal Information
```typescript This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
// Global platform apps (maintained by platform admins)
interface IGlobalApp {
id: string;
type: 'globalApp';
data: {
name: string;
description: string;
iconBase64?: string;
oauthCredentials?: IOAuthCredentials;
};
}
// Partner apps (third-party integrations) **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
interface IPartnerApp {
id: string;
type: 'partnerApp';
data: {
name: string;
description: string;
ownerOrganizationId: string;
oauthCredentials?: IOAuthCredentials;
};
}
// Custom OIDC clients ### Trademarks
interface ICustomOidcApp {
id: string;
type: 'customOidcApp';
data: {
name: string;
description: string;
ownerOrganizationId: string;
oauthCredentials: IOAuthCredentials;
};
}
```
### OAuth Credentials This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
```typescript Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
interface IOAuthCredentials {
clientId: string;
clientSecretHash: string;
redirectUris: string[];
scopes: string[];
grantTypes: ('authorization_code' | 'refresh_token' | 'client_credentials')[];
}
```
## OIDC Interfaces ### Company Information
### Authorization Code Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
```typescript For any legal inquiries or further information, please contact us via email at hello@task.vc.
interface IAuthorizationCode {
code: string;
clientId: string;
userId: string;
scopes: string[];
redirectUri: string;
codeChallenge?: string;
codeChallengeMethod?: 'S256';
expiresAt: number;
used: boolean;
}
```
### Token Response By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
```typescript
interface ITokenResponse {
access_token: string;
token_type: 'Bearer';
expires_in: number;
refresh_token?: string;
id_token?: string;
scope: string;
}
```
### UserInfo Response
```typescript
interface IUserInfoResponse {
sub: string;
name?: string;
preferred_username?: string;
email?: string;
email_verified?: boolean;
organizations?: Array<{
id: string;
name: string;
slug: string;
roles: string[];
}>;
roles?: string[];
}
```
### ID Token Claims
```typescript
interface IIdTokenClaims {
iss: string; // Issuer
sub: string; // Subject (user ID)
aud: string; // Audience (client ID)
exp: number; // Expiration time
iat: number; // Issued at
nonce?: string; // Replay protection
name?: string;
email?: string;
email_verified?: boolean;
organizations?: Array<{...}>;
roles?: string[];
}
```
## Request Interfaces
All API requests follow the TypedRequest pattern:
```typescript
interface IReq_LoginWithEmailOrUsernameAndPassword {
method: 'loginWithEmailOrUsernameAndPassword';
request: {
username: string;
password: string;
};
response: {
refreshToken?: string;
twoFaNeeded: boolean;
};
}
```
### Authentication Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_LoginWithEmailOrUsernameAndPassword` | `loginWithEmailOrUsernameAndPassword` | Password login |
| `IReq_LoginWithEmail` | `loginWithEmail` | Magic link request |
| `IReq_LoginWithEmailAfterEmailTokenAquired` | `loginWithEmailAfterEmailTokenAquired` | Magic link verification |
| `IReq_LoginWithApiToken` | `loginWithApiToken` | API token login |
| `IReq_RefreshJwt` | `refreshJwt` | Refresh access token |
| `ILogoutRequest` | `logout` | End session |
### User Management Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_GetUserData` | `getUserData` | Get current user |
| `IReq_SetUserData` | `setUserData` | Update user profile |
| `IReq_GetUserSessions` | `getUserSessions` | List active sessions |
| `IReq_ResetPassword` | `resetPassword` | Request password reset |
| `IReq_SetNewPassword` | `setNewPassword` | Set new password |
### Organization Requests
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_CreateOrganization` | `createOrganization` | Create new org |
| `IReq_GetOrgMembers` | `getOrgMembers` | List org members |
| `IReq_CreateInvitation` | `createInvitation` | Invite user |
| `IReq_AcceptInvitation` | `acceptInvitation` | Accept invite |
### JWT Operations
| Interface | Method | Description |
|-----------|--------|-------------|
| `IReq_GetPublicKeyForValidation` | `getPublicKeyForValidation` | Get JWT public key |
| `IReq_GetJwtIdBlocklist` | `getJwtIdBlocklist` | Get revoked token IDs |
## Supported OIDC Scopes
| Scope | Description |
|-------|-------------|
| `openid` | Required for OIDC flows |
| `profile` | User's name and username |
| `email` | User's email address |
| `organizations` | User's organization memberships |
| `roles` | User's roles within organizations |
## License
MIT - See the main repository for full license details.
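Review bot: the rewritten Examples section covers the login, session and OIDC userinfo contracts but has nothing for `IReq_RefreshJwt`, and the removed "Authentication Requests" and "JWT Operations" tables were the only place this README named `refreshJwt`, `getPublicKeyForValidation` and `getJwtIdBlocklist`. Since the refresh response shape changes in the same compare, add a short refresh contract example next to "Login Contract" and a pointer to where the full request list now lives, so integrators do not have to read `request/` to find the token-handling contracts.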
@@ -87,7 +87,8 @@ export interface IReq_RefreshJwt
}; };
response: { response: {
status: data.TLoginStatus; status: data.TLoginStatus;
jwt: string; jwt?: string;
refreshToken?: string;
}; };
} }
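Review bot: with `jwt?: string` and `refreshToken?: string` both optional in the `response` block, nothing in the type ties their presence to `status`, so each caller has to guess which `data.TLoginStatus` values carry a token. Consider a union discriminated on `status`, or at least a doc comment on each field stating when it is set and, if a returned `refreshToken` is meant to replace the one that was sent, that the old one must be discarded.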
+1 -1
@@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@idp.global/idp.global', name: '@idp.global/idp.global',
version: '1.14.1', version: '1.17.1',
description: 'An identity provider software managing user authentications, registrations, and sessions.' description: 'An identity provider software managing user authentications, registrations, and sessions.'
} }
+1 -1
@@ -19,7 +19,7 @@ import { accountDesignTokens } from './sharedstyles.js';
import * as views from './views/index.js'; import * as views from './views/index.js';
import * as accountstate from '../../states/accountstate.js'; import * as accountstate from '../../states/accountstate.js';
import { commitinfo } from '../../../dist_ts/00_commitinfo_data.js'; import { commitinfo } from '../../../ts/00_commitinfo_data.js';
declare global { declare global {
+1 -1
@@ -17,7 +17,7 @@ import { accountDesignTokens } from './sharedstyles.js';
import { CreateOrgModal } from './create-org-modal.js'; import { CreateOrgModal } from './create-org-modal.js';
import { OrgSelectModal } from './org-select-modal.js'; import { OrgSelectModal } from './org-select-modal.js';
import { commitinfo } from '../../../dist_ts/00_commitinfo_data.js'; import { commitinfo } from '../../../ts/00_commitinfo_data.js';
declare global { declare global {
interface HTMLElementTagNameMap { interface HTMLElementTagNameMap {
+1 -1
@@ -11,7 +11,7 @@ import {
query, query,
} from '@design.estate/dees-element'; } from '@design.estate/dees-element';
import { commitinfo } from '../../dist_ts/00_commitinfo_data.js'; import { commitinfo } from '../../ts/00_commitinfo_data.js';
import { IdpState } from '../states/idp.state.js'; import { IdpState } from '../states/idp.state.js';
declare global { declare global {
+4 -11
@@ -207,21 +207,14 @@ export class IdpRegistrationPrompt extends DeesElement {
} }
public async handleRefreshToken(refreshTokenArg: string, delayDispatchMillisArg = 0) { public async handleRefreshToken(refreshTokenArg: string, delayDispatchMillisArg = 0) {
// a refreshToken binds directly to a session.
// the refresh token is used on a continuous basis to get fresh and short-lived jwts
const idpState = await IdpState.getSingletonInstance(); const idpState = await IdpState.getSingletonInstance();
const refreshJwt = idpState.idpClient.typedsocket.createTypedRequest<plugins.idpInterfaces.request.IReq_RefreshJwt>( const jwt = await idpState.idpClient.refreshJwt(refreshTokenArg);
'refreshJwt'
);
const responseJwt = await refreshJwt.fire({
refreshToken: refreshTokenArg,
});
if (responseJwt.jwt) { if (jwt) {
this.domtools.convenience.smartdelay.delayFor(delayDispatchMillisArg).then(() => { this.domtools.convenience.smartdelay.delayFor(delayDispatchMillisArg).then(() => {
this.dispatchJwt(responseJwt.jwt); this.dispatchJwt(jwt);
}); });
return responseJwt.jwt; return jwt;
} else { } else {
return null; return null;
} }
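Review bot: the two comments removed from the top of `handleRefreshToken` were the only explanation of how a refresh token relates to a session, and the new `idpState.idpClient.refreshJwt(refreshTokenArg)` call gives no hint whether a `refreshToken` returned in the response is persisted or dropped. Add a one-line comment stating that `refreshJwt` stores the replacement token, or handle it here if it does not. Separately, the `delayFor(delayDispatchMillisArg).then(...)` chain has no rejection handler, so an error thrown inside `dispatchJwt` goes unhandled.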
+6 -6
@@ -488,15 +488,15 @@ export class IdpRegistrationStepper extends DeesElement {
username: this.storedData.email, username: this.storedData.email,
password: eventArg.detail.data.password, password: eventArg.detail.data.password,
}); });
this.storedData.refreshToken = loginResponse.refreshToken;
deesForm.setStatus('pending', 'Obtaining JWT...'); deesForm.setStatus('pending', 'Obtaining JWT...');
const jwtResponse = await idpState.idpClient.requests.obtainJwt.fire({ const jwt = await idpState.idpClient.refreshJwt(loginResponse.refreshToken);
refreshToken: this.storedData.refreshToken,
}); if (!jwt) {
deesForm.setStatus('error', 'Failed to establish a login session.');
return;
}
deesForm.setStatus('success', 'Ok! Lets Go!'); deesForm.setStatus('success', 'Ok! Lets Go!');
await idpState.idpClient.setJwt(jwtResponse.jwt);
idpState.domtools.router.pushUrl('/account'); idpState.domtools.router.pushUrl('/account');
}, { signal }); }, { signal });
}, },
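Review bot: `loginResponse.refreshToken` is passed straight into `refreshJwt(...)` with no check that it is set, although the login response documented earlier in this diff declares `refreshToken?: string` next to `twoFaNeeded: boolean`. Guard it before the call and route the missing-token case to the same `deesForm.setStatus('error', ...)` branch (or to a 2FA step). Also, `await idpState.idpClient.setJwt(jwtResponse.jwt)` is removed without a replacement, so this handler now depends on `refreshJwt` storing the JWT itself; say so in a comment.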
+72 -245
@@ -1,256 +1,83 @@
# @idp.global/web # `ts_web/` Web App Module
Web Components and UI elements for the idp.global Identity Provider platform. Built with `@design.estate/dees-element` and the dees-catalog component library. The `ts_web/` folder contains the frontend for `idp.global`: login, registration, account management, org management, billing, and admin UI.
## Overview It is built with `@design.estate/dees-element`, `@design.estate/dees-domtools`, and the shared `idp.global` client and interface packages.
This package provides the complete web interface for idp.global, including authentication flows, account management, and organization administration. All components are built as Web Components using the Lit-based `dees-element` framework. ## Issue Reporting and Security
## Installation For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## What Lives Here
| Path | Purpose |
| --- | --- |
| `index.ts` | Frontend entrypoint and initial render |
| `views/viewcontainer.ts` | View switching for welcome, login, register, finishregistration, and account |
| `elements/` | Web components for prompts, layout, and account UI |
| `elements/account/views/` | Account subviews including org, apps, subscriptions, paddle setup, and admin |
| `states/` | App-level and account-level state containers |
## UI Surface
The module currently includes:
- a welcome page
- login and registration prompts
- a multi-step registration flow
- an account area with navigation
- organization selection and creation flows
- bulk member invitation UI
- app and subscription views
- a global admin view
## Routing
`IdpViewcontainer` switches between these frontend states:
| View | Route |
| --- | --- |
| `welcome` | `/` |
| `login` | `/login` |
| `register` | `/register` |
| `finishregistration` | `/finishregistration` |
| `account` | `/account` |
## Build And Run
From the repository root:
```bash ```bash
npm install @idp.global/web pnpm install
# or
pnpm add @idp.global/web
```
## Architecture
```
ts_web/
├── index.ts # Application entry point
├── plugins.ts # Plugin imports
├── views/
│ ├── viewcontainer.ts # Main view router
│ └── index.ts
├── elements/ # Web Components
│ ├── idp-loginprompt.ts # Login form
│ ├── idp-registerprompt.ts # Registration form
│ ├── idp-registration-stepper.ts # Multi-step registration
│ ├── idp-centercontainer.ts # Centered layout container
│ ├── idp-transfermanager.ts # SSO transfer handling
│ ├── idp-welcome.ts # Welcome/landing page
│ └── account/ # Account dashboard components
│ ├── content.ts # Main account layout
│ ├── navigation.ts # Sidebar navigation
│ ├── org-select-modal.ts # Organization switcher
│ ├── create-org-modal.ts # Create organization dialog
│ ├── bulk-invite-modal.ts # Bulk member invite dialog
│ └── views/ # Account sub-views
│ ├── baseview.ts # Base view class
│ ├── usersview.ts # User profile view
│ ├── orgview.ts # Organization details
│ ├── orgsetup.ts # Organization setup
│ ├── appsview.ts # Connected apps
│ ├── adminview.ts # Global admin panel
│ ├── subscriptions.ts # Billing subscriptions
│ └── paddlesetup.ts # Payment setup
└── states/
├── idp.state.ts # Main application state
└── accountstate.ts # Account dashboard state
```
## Components
### Authentication Components
#### `<idp-loginprompt>`
Login form supporting password and magic link authentication.
```html
<idp-loginprompt></idp-loginprompt>
```
Features:
- Email/username + password login
- Magic link (passwordless) authentication
- Automatic button text based on password presence
- Form validation and error handling
- Redirect to registration
#### `<idp-registerprompt>`
Initial registration form for new users.
```html
<idp-registerprompt></idp-registerprompt>
```
#### `<idp-registration-stepper>`
Multi-step registration wizard for completing user profile.
```html
<idp-registration-stepper></idp-registration-stepper>
```
Steps include:
- Profile information
- Email verification
- Mobile verification (optional)
- Password setup
### Layout Components
#### `<idp-viewcontainer>`
Main view container that handles routing between views.
```html
<idp-viewcontainer></idp-viewcontainer>
```
Supported views:
- `welcome` - Landing page
- `login` - Login form
- `register` - Registration form
- `finishregistration` - Registration stepper
- `account` - Account dashboard
#### `<idp-centercontainer>`
Centered container with animation support for forms.
```html
<idp-centercontainer>
<h2>Your Content</h2>
<form>...</form>
</idp-centercontainer>
```
Methods:
- `show()` - Animate container into view
- `hide()` - Animate container out of view
### Account Dashboard Components
#### `<idp-account-content>`
Main account dashboard layout with navigation.
```html
<idp-account-content></idp-account-content>
```
#### Navigation Views
| Component | Route | Description |
|-----------|-------|-------------|
| `<idp-usersview>` | `/account/users` | User profile management |
| `<idp-orgview>` | `/account/org` | Organization details |
| `<idp-orgsetup>` | `/account/orgsetup` | Organization configuration |
| `<idp-appsview>` | `/account/apps` | Connected applications |
| `<idp-adminview>` | `/account/admin` | Global admin panel |
| `<idp-subscriptions>` | `/account/subscriptions` | Billing management |
| `<idp-paddlesetup>` | `/account/paddle` | Payment method setup |
### Modal Components
#### `<idp-org-select-modal>`
Organization switcher modal for users with multiple organizations.
#### `<idp-create-org-modal>`
Dialog for creating new organizations with slug validation.
#### `<idp-bulk-invite-modal>`
Bulk invitation dialog for inviting multiple members at once.
## State Management
### IdpState
Central application state using `@push.rocks/smartstate`.
```typescript
import { IdpState } from '@idp.global/web';
const idpState = await IdpState.getSingletonInstance();
// Access IdP client
const isLoggedIn = await idpState.idpClient.determineLoginStatus();
// Access router
idpState.domtools.router.pushUrl('/login');
// Subscribe to view changes
idpState.mainStatePart.select(s => s.view).subscribe(view => {
console.log('Current view:', view);
});
```
### AccountState
State for the account dashboard section.
```typescript
import { AccountState } from '@idp.global/web';
const accountState = await AccountState.getSingletonInstance();
// Access current organization
const currentOrg = accountState.currentOrganization;
// Access user roles
const roles = accountState.userRoles;
```
## Styling
Components use CSS custom properties for theming:
```css
:host {
--foreground: hsl(0 0% 98%);
--muted-foreground: hsl(240 5% 64.9%);
--background-accent: #303f9f;
}
```
All components include:
- Dark mode by default
- Geist Sans font family
- Smooth animations
- Responsive layouts
## Dependencies
- `@design.estate/dees-element` - Web Component base class
- `@design.estate/dees-catalog` - UI component library
- `@design.estate/dees-domtools` - DOM utilities and routing
- `@idp.global/idpclient` - IdP client library
- `@idp.global/interfaces` - TypeScript interfaces
- `@push.rocks/smartstate` - State management
- `@uptime.link/webwidget` - Status widget
## Views and Routes
| Route | View | Component |
|-------|------|-----------|
| `/` | `welcome` | `IdpWelcome` |
| `/login` | `login` | `IdpLoginPrompt` |
| `/register` | `register` | `IdpRegistrationPrompt` |
| `/finishregistration` | `finishregistration` | `IdpRegistrationStepper` |
| `/account` | `account` | `IdpAccountContent` |
| `/logout` | - | Logout handler |
## Building
The web module is bundled using `@git.zone/tsbundle`:
```bash
# Development with hot reload
pnpm watch
# Production build
pnpm build pnpm build
pnpm watch
``` ```
The bundled output is served from `dist_ts_web/` by the TypedServer. `pnpm watch` rebuilds the frontend bundle from `ts_web/index.ts` into `dist_serve/bundle.js` while the backend serves the app.
## License ## Notes
MIT - See the main repository for full license details. - The app metadata in `ts_web/index.ts` identifies the site as `idp.global`.
- The frontend uses the shared client package for auth state and backend communication.
- Account-related UI is split into reusable elements plus state containers in `states/`.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
### Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
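Review bot: the new "Routing" table lists five views but drops the `/logout` row that the removed "Views and Routes" table documented as a logout handler; if that route still exists, keep it in the table, since it is the one route that ends a session. The build note also moves the served output from `dist_ts_web/` to `dist_serve/bundle.js`, so it is worth confirming that path against the current bundler config before merging the README.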
+3 -1
@@ -4,7 +4,9 @@
"module": "NodeNext", "module": "NodeNext",
"moduleResolution": "NodeNext", "moduleResolution": "NodeNext",
"esModuleInterop": true, "esModuleInterop": true,
"verbatimModuleSyntax": true "verbatimModuleSyntax": true,
"types": ["node"],
"strict": false
}, },
"exclude": [ "exclude": [
"dist_*/**/*.d.ts" "dist_*/**/*.d.ts"
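Review bot: with `"strict": false` set explicitly, `strictNullChecks` stays off unless it is enabled separately, so the compiler will not flag call sites that read the now-optional `jwt?: string` and `refreshToken?: string` fields without a check. If full strict mode is not feasible yet, add `"strictNullChecks": true` alongside it, or leave a comment explaining why strict is disabled and when it will be turned back on.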