feat: spec to platform

platform/spec/account/errors.ts

@@ -0,0 +1,7 @@
+import { ConflictError } from "@platform/relay";
+
+export class AccountEmailClaimedError extends ConflictError {
+  constructor(email: string) {
+    super(`Email '${email}' is already claimed by another account.`);
+  }
+}

platform/spec/account/role.ts

@@ -0,0 +1,5 @@
+import z from "zod";
+
+export const RoleSchema = z.union([z.literal("user"), z.literal("admin")]);
+
+export type Role = z.infer<typeof RoleSchema>;

platform/spec/account/routes.ts

@@ -0,0 +1,30 @@
+import { AccountSchema } from "@platform/models/account.ts";
+import { NameSchema } from "@platform/models/value-objects/name.ts";
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+import { AccountEmailClaimedError } from "./errors.ts";
+
+export const create = route
+  .post("/api/v1/accounts")
+  .body(
+    z.object({
+      name: NameSchema,
+      email: z.email(),
+    }),
+  )
+  .errors([AccountEmailClaimedError])
+  .response(z.uuid());
+
+export const getById = route
+  .get("/api/v1/accounts/:id")
+  .params({
+    id: z.string(),
+  })
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError])
+  .response(AccountSchema);
+
+export const routes = {
+  create,
+  getById,
+};

platform/spec/account/strategies.ts

@@ -0,0 +1,33 @@
+import z from "zod";
+
+const EmailStrategySchema = z.object({
+  type: z.literal("email"),
+  value: z.string(),
+});
+
+const PasswordStrategySchema = z.object({
+  type: z.literal("password"),
+  alias: z.string(),
+  password: z.string(),
+});
+
+const PasskeyStrategySchema = z.object({
+  type: z.literal("passkey"),
+  credId: z.string(),
+  credPublicKey: z.string(),
+  webauthnUserId: z.string(),
+  counter: z.number(),
+  backupEligible: z.boolean(),
+  backupStatus: z.boolean(),
+  transports: z.string(),
+  createdAt: z.date(),
+  lastUsed: z.date(),
+});
+
+export const StrategySchema = z.discriminatedUnion("type", [
+  EmailStrategySchema,
+  PasswordStrategySchema,
+  PasskeyStrategySchema,
+]);
+
+export type Strategy = z.infer<typeof StrategySchema>;

platform/spec/auth/errors.ts

@@ -0,0 +1,7 @@
+import { BadRequestError } from "@platform/relay";
+
+export class AuthenticationStrategyPayloadError extends BadRequestError {
+  constructor() {
+    super("Provided authentication payload is not recognized.");
+  }
+}

platform/spec/auth/routes.ts

@@ -0,0 +1,40 @@
+import { AccountSchema } from "@platform/models/account.ts";
+import { route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export * from "./errors.ts";
+export * from "./strategies.ts";
+
+export const email = route.post("/api/v1/auth/email").body(
+  z.object({
+    base: z.url(),
+    email: z.email(),
+  }),
+);
+
+export const password = route.post("/api/v1/auth/password").body(
+  z.object({
+    alias: z.string(),
+    password: z.string(),
+  }),
+);
+
+export const code = route
+  .get("/api/v1/auth/code/:accountId/code/:codeId/:value")
+  .params({
+    accountId: z.string(),
+    codeId: z.string(),
+    value: z.string(),
+  })
+  .query({
+    next: z.string().optional(),
+  });
+
+export const session = route.get("/api/v1/auth/session").response(AccountSchema).errors([UnauthorizedError]);
+
+export const routes = {
+  email,
+  password,
+  code,
+  session,
+};

platform/spec/auth/strategies.ts

@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+export const PasskeyStrategySchema = z.object({
+  type: z.literal("passkey").describe("Authentication strategy type for WebAuthn/Passkey"),
+  id: z.string().describe("Base64URL encoded credential ID"),
+  rawId: z.string().describe("Raw credential ID as base64URL encoded string"),
+  response: z
+    .object({
+      clientDataJSON: z.string().describe("Base64URL encoded client data JSON"),
+      authenticatorData: z.string().describe("Base64URL encoded authenticator data"),
+      signature: z.string().optional().describe("Signature for authentication responses"),
+      userHandle: z.string().optional().describe("Optional user handle identifier"),
+      attestationObject: z.string().optional().describe("Attestation object for registration responses"),
+    })
+    .describe("WebAuthn response data"),
+  clientExtensionResults: z
+    .record(z.string(), z.unknown())
+    .default({})
+    .describe("Results from WebAuthn extension inputs"),
+  authenticatorAttachment: z
+    .enum(["platform", "cross-platform"])
+    .optional()
+    .describe("Type of authenticator used (platform or cross-platform)"),
+});
+
+export const EmailStrategySchema = z.object({
+  type: z.literal("email").describe("Authentication strategy type for email"),
+  email: z.email().describe("User's email address for authentication"),
+});
+
+export const PasswordStrategySchema = z.object({
+  type: z.literal("password").describe("Authentication strategy type for password"),
+  alias: z.string().describe("User alias (username or email)"),
+  password: z.string().describe("User's password"),
+});
+
+export const StrategySchema = z
+  .union([PasskeyStrategySchema, EmailStrategySchema, PasswordStrategySchema])
+  .describe("Union of all available authentication strategy schemas");
+
+export type PasskeyStrategy = z.infer<typeof PasskeyStrategySchema>;
+export type EmailStrategy = z.infer<typeof EmailStrategySchema>;
+export type PasswordStrategy = z.infer<typeof PasswordStrategySchema>;
+export type Strategy = z.infer<typeof StrategySchema>;

platform/spec/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "@platform/spec",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "@platform/models": "workspace:*",
+    "@platform/relay": "workspace:*",
+    "zod": "4"
+  }
+}