interline-io · drewda · May 5, 2026
diff --git a/.changeset/external-data-passthrough.md b/.changeset/external-data-passthrough.md
@@ -0,0 +1,5 @@
+---
+'@interline-io/tlv2-auth': minor
+---
+
+Plumb the GraphQL `me.external_data` map through to client-side composables. The session endpoint now requests `external_data` alongside id/name/email/roles; the enriched claims include a `tlv2_external_data` field; `useUser()` exposes a new `externalData: Record<string, unknown>` property. The map is passed through verbatim — schema is deployment-specific (e.g. tlserver populates `external_data.gatekeeper` with a JSON-stringified Gatekeeper response); consumers cast or parse as needed.
diff --git a/src/runtime/composables/useUser.ts b/src/runtime/composables/useUser.ts
@@ -7,6 +7,12 @@ export interface TlUser {
   name: string
   email: string
   roles: string[]
+  /**
+   * Opaque key-value map plumbed through from the backend's user context
+   * (e.g. tlserver's WithExternalData via the gatekeeper middleware).
+   * Schema is deployment-specific; consumers cast or parse as needed.
+   */
+  externalData: Record<string, unknown>
   hasRole: (v: string) => boolean
 }
 
@@ -29,6 +35,7 @@ export const useUser = (): TlUser => {
     name: auth0User.value?.name || auth0User.value?.tlv2_name || '',
     email: auth0User.value?.email || auth0User.value?.tlv2_email || '',
     roles: roles.value,
+    externalData: (auth0User.value?.tlv2_external_data || {}) as Record<string, unknown>,
     hasRole (v: string): boolean {
       return roles.value.includes(v)
     }

diff --git a/src/runtime/server/api/auth/session.get.ts b/src/runtime/server/api/auth/session.get.ts
@@ -13,7 +13,7 @@ async function fetchMeData (proxyBase: string, headers: Record<string, string>)
   const response = await fetch(`${proxyBase}/query`, {
     method: 'POST',
     headers: { ...headers, 'Content-Type': 'application/json' },
-    body: JSON.stringify({ query: '{ me { id name email roles } }' })
+    body: JSON.stringify({ query: '{ me { id name email roles external_data } }' })
   }).catch((e: Error) => {
     console.warn('[tlv2-auth] /auth/session: GraphQL me query network error:', e.message)
     return null

diff --git a/src/runtime/util/enrich.spec.ts b/src/runtime/util/enrich.spec.ts
@@ -20,16 +20,35 @@ describe('enrichUserClaims', () => {
       tlv2_id: 'gql-42',
       tlv2_name: 'Alice B',
       tlv2_email: 'alice@work.com',
-      tlv2_roles: ['admin', 'editor']
+      tlv2_roles: ['admin', 'editor'],
+      tlv2_external_data: {}
     })
   })
 
+  it('passes through external_data verbatim', () => {
+    const externalData = {
+      gatekeeper: '{"id":1,"active_orders":[]}',
+      amberflo: { customer_id: 'production-1' }
+    }
+    const result = enrichUserClaims(baseUser, {
+      id: 'gql-42',
+      external_data: externalData
+    })
+    expect(result.tlv2_external_data).toEqual(externalData)
+  })
+
+  it('defaults missing external_data to empty object', () => {
+    const result = enrichUserClaims(baseUser, { id: '1' })
+    expect(result.tlv2_external_data).toEqual({})
+  })
+
   it('defaults missing meData fields to empty values', () => {
     const result = enrichUserClaims(baseUser, {})
     expect(result.tlv2_id).toBe('')
     expect(result.tlv2_name).toBe('')
     expect(result.tlv2_email).toBe('')
     expect(result.tlv2_roles).toEqual([])
+    expect(result.tlv2_external_data).toEqual({})
   })
 
   it('defaults undefined roles to empty array', () => {

diff --git a/src/runtime/util/enrich.ts b/src/runtime/util/enrich.ts
@@ -1,14 +1,28 @@
+interface MeData {
+  id?: string
+  name?: string
+  email?: string
+  roles?: string[]
+  external_data?: Record<string, unknown> | null
+}
+
 // Pure function to merge GraphQL `me` response into auth0 user claims.
+// `external_data` is an opaque key-value map plumbed through from tlserver's
+// authn user (e.g. via WithExternalData() in the gatekeeper middleware). We
+// pass it through verbatim under `tlv2_external_data`; consumers are
+// responsible for any deployment-specific shape (e.g. parsing
+// `external_data.gatekeeper` as JSON).
 export function enrichUserClaims (
   user: Record<string, any>,
-  meData: { id?: string, name?: string, email?: string, roles?: string[] } | null
+  meData: MeData | null
 ): Record<string, any> {
   if (!meData) { return user }
   return {
     ...user,
     tlv2_id: meData.id || '',
     tlv2_name: meData.name || '',
     tlv2_email: meData.email || '',
-    tlv2_roles: meData.roles || []
+    tlv2_roles: meData.roles || [],
+    tlv2_external_data: meData.external_data || {}
   }
 }