furystack · gallayl · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1 @@
+yarn lint-staged
diff --git a/.yarn/changelogs/common.3625e922.md b/.yarn/changelogs/common.3625e922.md
@@ -0,0 +1,61 @@
+<!-- version-type: major -->
+# common
+
+<!--
+FORMATTING GUIDE:
+
+### Detailed Entry (appears first when merging)
+
+Use h3 (###) and below for detailed entries with paragraphs, code examples, and lists.
+
+### Simple List Items
+
+- Simple changes can be added as list items
+- They are collected together at the bottom of each section
+
+TIP: When multiple changelog drafts are merged, heading-based entries
+appear before simple list items within each section.
+-->
+
+## 💥 Breaking Changes
+
+### `User` model re-exported from `@furystack/core`
+
+The `User` class is no longer defined locally. It is now re-exported from `@furystack/core`, which may have a different shape or behavior than the previous local definition.
+
+**Examples:**
+
+```typescript
+// ❌ Before
+import { User } from 'common'
+// User was a local class with `username: string` and `roles: string[]`
+
+// ✅ After
+import { User } from 'common'
+// User is now the `@furystack/core` User type
+```
+
+**Impact:** Consumers relying on the exact class definition (e.g., `instanceof` checks or decorators tied to the old class) need to verify compatibility with the `@furystack/core` User type.
+
+## ✨ Features
+
+### JWT API type definitions
+
+Added `JwtApi` and `AuthorizedApi` interfaces for typed JWT authentication endpoints. The `BoilerplateApi` now also includes JWT endpoints (`/jwt/login`, `/jwt/refresh`, `/jwt/logout`) and a `/testAuthorized` endpoint.
+
+**Usage:**
+
+```typescript
+import type { JwtApi, AuthorizedApi } from 'common'
+
+// JwtApi provides typed POST endpoints for /jwt/login, /jwt/refresh, /jwt/logout
+// AuthorizedApi provides typed GET endpoints requiring a valid access token
+```
+
+- Added `jwt-api.ts` with schema generation support for the new JWT API types
+
+## ⬆️ Dependencies
+
+- Updated `@furystack/rest` from `^8.0.32` to `^8.1.0`
+- Updated `@types/node` from `^25.0.10` to `^25.3.5`
+- Updated `ts-json-schema-generator` from `^2.4.0` to `^2.9.0`
diff --git a/.yarn/changelogs/frontend.3625e922.md b/.yarn/changelogs/frontend.3625e922.md
@@ -0,0 +1,101 @@
+<!-- version-type: major -->
+# frontend
+
+<!--
+FORMATTING GUIDE:
+
+### Detailed Entry (appears first when merging)
+
+Use h3 (###) and below for detailed entries with paragraphs, code examples, and lists.
+
+### Simple List Items
+
+- Simple changes can be added as list items
+- They are collected together at the bottom of each section
+
+TIP: When multiple changelog drafts are merged, heading-based entries
+appear before simple list items within each section.
+-->
+
+## 💥 Breaking Changes
+
+### Migrated from `shadowDomName` to `customElementName`
+
+All Shade components now use `customElementName` instead of `shadowDomName`, following the Shades v13 API change.
+
+**Examples:**
+
+```typescript
+// ❌ Before
+export const MyComponent = Shade({
+  shadowDomName: 'my-component',
+  render: () => { /* ... */ },
+})
+
+// ✅ After
+export const MyComponent = Shade({
+  customElementName: 'my-component',
+  render: () => { /* ... */ },
+})
+```
+
+**Impact:** All custom Shade components must be updated to use the new property name.
+
+### Replaced cookie-based session auth with JWT token-based auth
+
+`BoilerplateApiClient` no longer uses cookie-based session authentication. It now uses JWT tokens via `@furystack/auth-jwt/client` with automatic token refresh. The `call` method now wraps `AuthorizedApi` instead of `BoilerplateApi`, and login/logout are handled through the token store.
+
+**Examples:**
+
+```typescript
+// ❌ Before
+const apiClient = injector.getInstance(BoilerplateApiClient)
+await apiClient.call({ method: 'POST', action: '/login', body: { username, password } })
+await apiClient.call({ method: 'POST', action: '/logout' })
+
+// ✅ After
+const apiClient = injector.getInstance(BoilerplateApiClient)
+await apiClient.login({ username, password })
+await apiClient.logout()
+// API calls automatically include JWT authorization headers
+await apiClient.call({ method: 'GET', action: '/currentUser' })
+```
+
+**Impact:** All code using `BoilerplateApiClient` for authentication must switch to the new `login()`/`logout()` methods.
+
+## ✨ Features
+
+### Sidebar navigation with collapsible drawer
+
+Added a `Sidebar` component with a vertical `Menu` for page navigation. The layout now uses `PageLayout` with a collapsible left drawer that auto-collapses on medium breakpoints, and `NestedRouter` for client-side routing.
+
+### Redesigned UI pages
+
+- **Login page** - Redesigned with `Card`, `CardContent`, `Alert`, and `Typography` components for a polished sign-in experience
+- **Offline page** - Redesigned with `Alert` components for error/info states and a reload `Button`
+- **Init page** - Redesigned with CSS variable theming via `cssVariableTheme`
+- **Buttons demo** - Redesigned with `PageContainer` and `PageHeader` for consistent page layout
+- **Hello world** - Added an authorized endpoint test section to verify JWT token refresh behavior
+
+### `SessionService` implements `Disposable`
+
+`SessionService` now properly disposes all `ObservableValue` instances via the `Disposable` interface, preventing memory leaks.
+
+## ♻️ Refactoring
+
+- Removed `Body` component; session-state routing logic moved into `Layout`
+- Simplified `Header` by removing configurable props (`title`, `links`) in favor of a fixed layout with `DrawerToggleButton`
+- Replaced `RouteLink` with `NestedRouteLink` and `Router` with `NestedRouter`
+- Used standalone `getTextColor()` function instead of `ThemeProviderService.getTextColor()` method
+
+## ⬆️ Dependencies
+
+- Added `@furystack/auth-jwt` `^2.1.2` - JWT authentication client for token-based auth
+- Updated `@furystack/shades` from `^11.0.33` to `^13.0.0` - Introduces `customElementName` API
+- Updated `@furystack/shades-common-components` from `^10.0.33` to `^14.0.0` - New `PageLayout`, `PageContainer`, `PageHeader`, `Card`, `Alert`, `Menu`, `Typography`, and `DrawerToggleButton` components
+- Updated `@furystack/core` from `^15.0.32` to `^15.2.5`
+- Updated `@furystack/inject` from `^12.0.26` to `^12.0.32`
+- Updated `@furystack/logging` from `^8.0.26` to `^8.1.1`
+- Updated `@furystack/rest-client-fetch` from `^8.0.32` to `^8.1.2`
+- Updated `@furystack/utils` from `^8.1.8` to `^8.2.1`
+- Updated `@types/node` from `^25.0.10` to `^25.3.5`
diff --git a/.yarn/changelogs/furystack-boilerplate-app.3625e922.md b/.yarn/changelogs/furystack-boilerplate-app.3625e922.md
@@ -0,0 +1,47 @@
+<!-- version-type: major -->
+# furystack-boilerplate-app
+
+<!--
+FORMATTING GUIDE:
+
+### Detailed Entry (appears first when merging)
+
+Use h3 (###) and below for detailed entries with paragraphs, code examples, and lists.
+
+### Simple List Items
+
+- Simple changes can be added as list items
+- They are collected together at the bottom of each section
+
+TIP: When multiple changelog drafts are merged, heading-based entries
+appear before simple list items within each section.
+-->
+
+## 💥 Breaking Changes
+
+### Migrated from ESLint v9 to ESLint v10
+
+The ESLint configuration now uses ESLint v10 and switched from `project` array to `projectService` for TypeScript integration. The `@furystack/eslint-plugin` is now used for FuryStack-specific lint rules.
+
+**Impact:** Custom ESLint configurations or overrides targeting ESLint v9 may need to be updated.
+
+## ✨ Features
+
+### Added `@furystack/eslint-plugin` with strict lint rules
+
+Integrated `@furystack/eslint-plugin` with `recommendedStrict` config for all TypeScript files and `shadesStrict` config for frontend `.tsx`/`.ts` files, enforcing FuryStack-specific best practices (e.g., `furystack/rest-action-validate-wrapper`).
+
+## ⬆️ Dependencies
+
+- Added `@furystack/eslint-plugin` `^2.0.0` - FuryStack-specific ESLint rules
+- Updated Yarn from `4.12.0` to `4.13.0`
+- Updated `eslint` from `^9.39.2` to `^10.0.3`
+- Updated `@eslint/js` from `^9.39.2` to `^10.0.1`
+- Updated `typescript-eslint` from `^8.53.1` to `^8.56.1`
+- Updated `eslint-plugin-jsdoc` from `^62.4.0` to `^62.7.1`
+- Updated `eslint-plugin-playwright` from `^2.5.0` to `^2.9.0`
+- Updated `lint-staged` from `^16.2.7` to `^16.3.2`
+- Updated `rimraf` from `^6.1.2` to `^6.1.3`
+- Updated `@playwright/test` from `^1.58.0` to `^1.58.2`
+- Updated `@furystack/yarn-plugin-changelog` from `^1.0.1` to `^1.0.6`
+- Updated `@types/node` from `^25.0.10` to `^25.3.5`
diff --git a/.yarn/changelogs/service.3625e922.md b/.yarn/changelogs/service.3625e922.md
@@ -0,0 +1,78 @@
+<!-- version-type: major -->
+# service
+
+<!--
+FORMATTING GUIDE:
+
+### Detailed Entry (appears first when merging)
+
+Use h3 (###) and below for detailed entries with paragraphs, code examples, and lists.
+
+### Simple List Items
+
+- Simple changes can be added as list items
+- They are collected together at the bottom of each section
+
+TIP: When multiple changelog drafts are merged, heading-based entries
+appear before simple list items within each section.
+-->
+
+## 💥 Breaking Changes
+
+### Replaced monolithic `config.ts` with modular service setup
+
+The single `config.ts` file has been split into dedicated modules:
+
+- `root-injector.ts` - Creates the root injector with logging
+- `setup-store.ts` - Configures all physical stores, DataSets, and authentication
+- `setup-rest-api.ts` - Configures REST API endpoints and static file serving
+- `get-cors-options.ts` - CORS configuration
+- `get-port.ts` - Port configuration
+- `authorization/authorized-only.ts` - Authorization helpers
+
+**Impact:** Any imports from `service/src/config.js` must be updated to the new module paths.
+
+### Seeding uses DataSets instead of direct store access
+
+The `seed.ts` module now uses `getDataSetFor()` with a system identity context (`useSystemIdentityContext`) instead of directly accessing `PhysicalStore` instances via `StoreManager`. This enforces repository-level authorization during seeding.
+
+### Added JWT authentication alongside session-based auth
+
+The service now configures JWT authentication via `useJwtAuthentication()` with configurable secret and token expiration. This adds `RefreshToken` and `PasswordResetToken` stores and DataSets.
+
+## ✨ Features
+
+### JWT authentication endpoints
+
+Added three new POST endpoints for JWT-based authentication:
+
+- `/jwt/login` - Authenticate with username/password, returns access and refresh tokens
+- `/jwt/refresh` - Exchange a refresh token for new token pair
+- `/jwt/logout` - Invalidate a refresh token
+
+### Authorized endpoint example
+
+Added `GET /testAuthorized` endpoint using the `Authenticate()` middleware to demonstrate token-protected routes.
+
+### CORS `authorization` header support
+
+The CORS configuration now includes the `authorization` header, allowing JWT tokens to be sent from the frontend.
+
+## ♻️ Refactoring
+
+- Extracted REST API setup into `setup-rest-api.ts` for better separation of concerns
+- Extracted store/repository/auth setup into `setup-store.ts`
+- Extracted port resolution into `get-port.ts` and CORS config into `get-cors-options.ts`
+- Moved `authorizedOnly` helper and `authorizedDataSet` into `authorization/authorized-only.ts` with proper typing (removed `any`)
+
+## ⬆️ Dependencies
+
+- Added `@furystack/auth-jwt` `^2.1.2` - JWT authentication support with token management
+- Updated `@furystack/rest-service` from `^10.1.3` to `^12.3.0` - New `Authenticate` middleware and API changes
+- Updated `@furystack/security` from `^6.0.32` to `^7.0.4` - Adds `PasswordResetToken` model
+- Updated `@furystack/core` from `^15.0.32` to `^15.2.5`
+- Updated `@furystack/filesystem-store` from `^7.0.32` to `^7.1.2`
+- Updated `@furystack/inject` from `^12.0.26` to `^12.0.32`
+- Updated `@furystack/logging` from `^8.0.26` to `^8.1.1`
+- Updated `@furystack/repository` from `^10.0.32` to `^10.1.6`
+- Updated `@types/node` from `^25.0.10` to `^25.3.5`