lightsparkdev · github-actions · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
@@ -54,6 +54,9 @@ test-config.yml
 dist/
 build/
 lib/
+# The GGA example app keeps decoupled source modules under src/lib/ (not a
+# compiled-output dir), so it must not be swept up by the `lib/` rule above.
+!apps/examples/grid-global-accounts-example-app/src/lib/
 
 # Vim swap files
 *.swp
@@ -126,3 +129,6 @@ stats.html
 
 # Dev proxy cookies (contains ALB session tokens)
 .dev-proxy-cookies
+
+# Playwright MCP logs
+.playwright-mcp/
@@ -1,10 +1,10 @@
 compressionLevel: mixed
 
-enableGlobalCache: false
+enableGlobalCache: true
 
 nodeLinker: node-modules
 
-npmMinimalAgeGate: 1440
+npmMinimalAgeGate: 4320 # 3 days
 
 npmPreapprovedPackages:
   - "@lightsparkdev/*"

@@ -0,0 +1,2 @@
+# Verification screenshots — captured locally, not tracked.
+.screenshots/
@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Grid Global Accounts</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
@@ -0,0 +1,30 @@
+{
+  "name": "@lightsparkdev/grid-global-accounts-example-app",
+  "private": true,
+  "version": "0.0.1",
+  "scripts": {
+    "dev": "vite",
+    "build": "tsc && vite build",
+    "start": "vite",
+    "preview": "vite preview",
+    "test": "vitest run"
+  },
+  "devDependencies": {
+    "@types/react": "^19.2.15",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^5.2.0",
+    "typescript": "^5.6.2",
+    "vite": "^8.0.14",
+    "vitest": "^4.1.7"
+  },
+  "dependencies": {
+    "@emotion/react": "^11.14.0",
+    "@emotion/styled": "^11.14.1",
+    "@lightsparkdev/origin": "*",
+    "@turnkey/api-key-stamper": "^0.6.5",
+    "@turnkey/crypto": "^2.8.14",
+    "@turnkey/encoding": "^0.6.0",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6"
+  }
+}
@@ -0,0 +1,19 @@
+import { Shell } from "./components/Shell";
+import { AppStateProvider, useAppState } from "./state/store";
+import { CustomerView } from "./views/customer/CustomerView";
+import { PlatformView } from "./views/platform/PlatformView";
+
+export function App() {
+  return (
+    <AppStateProvider>
+      <Shell>
+        <Router />
+      </Shell>
+    </AppStateProvider>
+  );
+}
+
+function Router() {
+  const { persona } = useAppState();
+  return persona === "platform" ? <PlatformView /> : <CustomerView />;
+}
@@ -0,0 +1,136 @@
+import { afterEach, describe, expect, it } from "vitest";
+
+import {
+  clearActiveSession,
+  getAccountId,
+  getSessionId,
+  getSessionModel,
+  hasSessionSigningKey,
+  resolveSessionKeys,
+  setAccountId,
+  setActiveSessionAccount,
+  setSessionId,
+  setSessionKeysFromTek,
+} from "../session";
+
+// Reset to logged-out between tests so module-level context state can't leak.
+afterEach(() => {
+  setActiveSessionAccount(null);
+});
+
+describe("per-customer session isolation", () => {
+  it("keeps signing keys, model, and account id independent per account key", () => {
+    // No active context → logged-out, getters return empty/null.
+    setActiveSessionAccount(null);
+    expect(hasSessionSigningKey()).toBe(false);
+    expect(resolveSessionKeys()).toBeNull();
+    expect(getAccountId()).toBe("");
+    expect(getSessionModel()).toBe("none");
+
+    // Customer A signs in (OTP-TEK model) under its own account key.
+    setActiveSessionAccount("InternalAccount:A");
+    setAccountId("InternalAccount:A");
+    setSessionKeysFromTek({ publicKey: "pubA", privateKey: "privA" });
+    expect(hasSessionSigningKey()).toBe(true);
+    expect(getSessionModel()).toBe("otp-tek");
+    expect(resolveSessionKeys()).toEqual({
+      apiPublicKey: "pubA",
+      apiPrivateKey: "privA",
+    });
+    expect(getAccountId()).toBe("InternalAccount:A");
+
+    // Switch to a fresh customer B: it inherits NOTHING from A.
+    setActiveSessionAccount("InternalAccount:B");
+    expect(hasSessionSigningKey()).toBe(false);
+    expect(resolveSessionKeys()).toBeNull();
+    expect(getSessionModel()).toBe("none");
+    expect(getAccountId()).toBe("");
+
+    // B establishes its own session with different keys.
+    setAccountId("InternalAccount:B");
+    setSessionKeysFromTek({ publicKey: "pubB", privateKey: "privB" });
+    expect(resolveSessionKeys()).toEqual({
+      apiPublicKey: "pubB",
+      apiPrivateKey: "privB",
+    });
+    expect(getAccountId()).toBe("InternalAccount:B");
+
+    // Switching back to A restores A's cached session, untouched by B.
+    setActiveSessionAccount("InternalAccount:A");
+    expect(hasSessionSigningKey()).toBe(true);
+    expect(getSessionModel()).toBe("otp-tek");
+    expect(resolveSessionKeys()).toEqual({
+      apiPublicKey: "pubA",
+      apiPrivateKey: "privA",
+    });
+    expect(getAccountId()).toBe("InternalAccount:A");
+  });
+
+  it("treats null as logged-out with no active context", () => {
+    setActiveSessionAccount("InternalAccount:A");
+    setSessionKeysFromTek({ publicKey: "pubA", privateKey: "privA" });
+    expect(hasSessionSigningKey()).toBe(true);
+
+    setActiveSessionAccount(null);
+    expect(hasSessionSigningKey()).toBe(false);
+    expect(resolveSessionKeys()).toBeNull();
+    expect(getAccountId()).toBe("");
+
+    // Mutators no-op while logged-out; later re-activation still has A cached.
+    setSessionKeysFromTek({ publicKey: "pubX", privateKey: "privX" });
+    setActiveSessionAccount("InternalAccount:A");
+    expect(resolveSessionKeys()).toEqual({
+      apiPublicKey: "pubA",
+      apiPrivateKey: "privA",
+    });
+  });
+
+  it("clearActiveSession wipes the active context's signing key without touching others", () => {
+    // Customer A signs in under its own account key.
+    setActiveSessionAccount("InternalAccount:clearA");
+    setAccountId("InternalAccount:clearA");
+    setSessionId("session-A");
+    setSessionKeysFromTek({ publicKey: "pubA", privateKey: "privA" });
+
+    // Customer B signs in under a different key.
+    setActiveSessionAccount("InternalAccount:clearB");
+    setAccountId("InternalAccount:clearB");
+    setSessionId("session-B");
+    setSessionKeysFromTek({ publicKey: "pubB", privateKey: "privB" });
+
+    // Back on A, clearing wipes A's signing key/model/session id but keeps the
+    // account id so the slot still belongs to A (logged out, can re-auth).
+    setActiveSessionAccount("InternalAccount:clearA");
+    expect(hasSessionSigningKey()).toBe(true);
+    clearActiveSession();
+    expect(hasSessionSigningKey()).toBe(false);
+    expect(resolveSessionKeys()).toBeNull();
+    expect(getSessionModel()).toBe("none");
+    expect(getSessionId()).toBe("");
+    expect(getAccountId()).toBe("InternalAccount:clearA");
+
+    // B is untouched by clearing A.
+    setActiveSessionAccount("InternalAccount:clearB");
+    expect(hasSessionSigningKey()).toBe(true);
+    expect(getSessionModel()).toBe("otp-tek");
+    expect(getSessionId()).toBe("session-B");
+    expect(resolveSessionKeys()).toEqual({
+      apiPublicKey: "pubB",
+      apiPrivateKey: "privB",
+    });
+  });
+
+  it("clearActiveSession is a no-op when logged out", () => {
+    setActiveSessionAccount(null);
+    expect(() => clearActiveSession()).not.toThrow();
+    expect(hasSessionSigningKey()).toBe(false);
+  });
+
+  it("preserves first-account-wins for setAccountId within a fresh context", () => {
+    // A distinct key so the context is fresh (contexts persist across tests).
+    setActiveSessionAccount("InternalAccount:C");
+    setAccountId("first");
+    setAccountId("second");
+    expect(getAccountId()).toBe("first");
+  });
+});
@@ -0,0 +1,86 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  buildAllowCredentials,
+  buildAssertionOptions,
+  buildCreationOptions,
+  bytesToB64Url,
+  SECURITY_KEY_TRANSPORTS,
+} from "../webauthn";
+
+const RP = "localhost";
+
+describe("buildCreationOptions — forces a cross-platform security key", () => {
+  const challenge = new Uint8Array([1, 2, 3]);
+  const userId = new Uint8Array([9, 9]);
+  const opts = buildCreationOptions("My key", RP, challenge, userId);
+
+  it("requests a cross-platform (roaming) authenticator, not the platform one", () => {
+    expect(opts.authenticatorSelection?.authenticatorAttachment).toBe(
+      "cross-platform",
+    );
+  });
+
+  it("uses security-key-friendly resident-key + UV settings", () => {
+    expect(opts.authenticatorSelection?.residentKey).toBe("discouraged");
+    expect(opts.authenticatorSelection?.requireResidentKey).toBe(false);
+    expect(opts.authenticatorSelection?.userVerification).toBe("preferred");
+  });
+
+  it("offers ES256 (-7) in pubKeyCredParams", () => {
+    expect(opts.pubKeyCredParams).toContainEqual({
+      type: "public-key",
+      alg: -7,
+    });
+  });
+
+  it("sets the rp id and passes the challenge/user through", () => {
+    expect(opts.rp.id).toBe(RP);
+    expect(opts.challenge).toBe(challenge);
+    expect(opts.user.id).toBe(userId);
+  });
+});
+
+describe("buildAllowCredentials — targets the security key over USB/NFC", () => {
+  // A valid base64url credential id (decodes cleanly via atob).
+  const idA = bytesToB64Url(new Uint8Array([10, 20, 30]));
+  const idB = bytesToB64Url(new Uint8Array([40, 50, 60]));
+
+  it("includes every registered id with usb/nfc transports", () => {
+    const out = buildAllowCredentials([idA, idB]);
+    expect(out).toHaveLength(2);
+    for (const d of out) {
+      expect(d.type).toBe("public-key");
+      expect(d.transports).toEqual(SECURITY_KEY_TRANSPORTS);
+      expect(d.transports).toEqual(["usb", "nfc"]);
+    }
+  });
+
+  it("drops blank and duplicate ids", () => {
+    const out = buildAllowCredentials([idA, "", "  ", idA]);
+    expect(out).toHaveLength(1);
+  });
+
+  it("returns [] when no ids are known (discoverable-credential fallback)", () => {
+    expect(buildAllowCredentials([])).toEqual([]);
+  });
+});
+
+describe("buildAssertionOptions", () => {
+  const challenge = new Uint8Array([7]);
+  const id = bytesToB64Url(new Uint8Array([1, 2, 3, 4]));
+
+  it("wires the rp id, challenge, UV and the allowCredentials", () => {
+    const opts = buildAssertionOptions(challenge, [id], RP);
+    expect(opts.rpId).toBe(RP);
+    expect(opts.challenge).toBe(challenge);
+    expect(opts.userVerification).toBe("preferred");
+    expect(opts.allowCredentials).toHaveLength(1);
+    expect(opts.allowCredentials?.[0].transports).toEqual(["usb", "nfc"]);
+  });
+
+  it("yields an empty allowCredentials when no ids are known", () => {
+    const opts = buildAssertionOptions(challenge, [], RP);
+    expect(opts.allowCredentials).toEqual([]);
+  });
+});
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Verification screenshots — captured locally, not tracked.
		.screenshots/