@blamejs/blamejs-shop 0.4.22 → 0.4.24

package/lib/operator-accounts.js

@@ -87,9 +87,60 @@
  *
  *   Storage: `migrations-d1/0213_operator_accounts.sql`.
  *
+ *   Dual-control (two-operator approval) — evaluated, deliberately NOT
+ *   wired in v1:
+ *
+ *     `b.dualControl` raises a destructive op to "two distinct named
+ *     operators must approve before it runs." It is the right control for
+ *     a store run by a TEAM, but it is structurally a two-actor M-of-N
+ *     gate — `create()` hard-validates `minApprovers >= 2`, and there is
+ *     no auto-satisfy-on-single-operator path. The dominant deployment of
+ *     this storefront is a SINGLE owner; on such a store a dual-control
+ *     gate would DEADLOCK the destructive op forever — there is no second
+ *     operator to approve, so the op can never consume its grant. Wiring
+ *     it unconditionally is therefore a worse failure than the
+ *     single-operator risk it would close. It is also a two-request async
+ *     workflow (request → a different actor approves → consume), which
+ *     does not fit the synchronous single-POST shape these admin actions
+ *     have today.
+ *
+ *     Per destructive op, the v1 stance:
+ *
+ *       - gift-card void (POST /admin/gift-cards/:id/void): recoverable —
+ *         void is a status flip that PRESERVES the balance (it burns no
+ *         value), so re-issuing or restoring the card's status makes a
+ *         mistaken void recoverable, and the giftcard ledger records the
+ *         acting operator. The cost of a deadlock-on-single-owner
+ *         outweighs the benefit. Stance: role-gate (`orders.write`) +
+ *         audit, no dual-control.
+ *
+ *       - refunds (POST /admin/orders/:id/refund, /admin/returns/:id/
+ *         refund): real money out, but bounded by the order's captured
+ *         amount (the payment primitive refuses to over-refund a PI), and
+ *         every refund is idempotency-keyed + audited with the operator
+ *         id. The damage ceiling is one order's total, not the whole
+ *         book. Stance: role-gate (`orders.write`) + audit, no
+ *         dual-control.
+ *
+ *       - operator disable (POST /admin/operators/:id/disable): the
+ *         highest-blast-radius op (it can revoke a co-owner), but it is
+ *         REVERSIBLE in one click (`/enable`), gated on `operators.manage`
+ *         (owner-only), and audited. A malicious self-lockout still leaves
+ *         the `ADMIN_API_KEY` break-glass owner credential working.
+ *         Stance: role-gate + audit, no dual-control.
+ *
+ *     Re-open condition: when a store carries TWO OR MORE active `owner`/
+ *     `manager` operators, dual-control becomes wire-able WITHOUT the
+ *     deadlock risk — gate the approval flow on `listAccounts({ status:
+ *     "active" })` length >= 2, auto-satisfy below that, and move the
+ *     destructive POST to a request/approve/consume sequence keyed off a
+ *     b.cache grant. That is the natural follow-up the moment a real
+ *     multi-operator store exists; it is not defensible to ship a control
+ *     that bricks the single-operator common case to pre-empt it.
+ *
  * @primitive operatorAccounts
  * @related   operatorRoles, operatorSessions, operatorAuditLog,
- *            b.password, b.crypto, b.guardEmail, b.uuid
+ *            b.password, b.crypto, b.guardEmail, b.uuid, b.dualControl
  */
 
 var EMAIL_NAMESPACE   = "operator-email";

package/lib/operator-audit-log.js

@@ -84,6 +84,11 @@ var SHA3_512_HEX_LEN      = 128;
 
 var ZERO_HASH = "0".repeat(SHA3_512_HEX_LEN);
 
+// Canonical prefix for the bytes a checkpoint signs. Stable forever —
+// changing it invalidates every prior checkpoint signature. Mirrors the
+// framework audit chain's "blamejs-audit-checkpoint-v1" format.
+var CHECKPOINT_FORMAT = "blamejs-operator-audit-checkpoint-v1";
+
 var ALLOWED_ACTOR_TYPES = Object.freeze(["operator", "system", "app"]);
 var ALLOWED_UA_CLASSES  = Object.freeze([
   "browser",
@@ -304,6 +309,20 @@ function create(opts) {
     query = function (sql, params) { return b.externalDb.query(sql, params); };
   }
 
+  // Single-writer discipline for the append path. `record()` reads the
+  // chain head, derives prev_hash + row_hash from it, then INSERTs — a
+  // read-derive-write sequence that is NOT atomic across the three
+  // awaits. Two concurrent record() calls would otherwise both read the
+  // same head, both stamp the same prev_hash, and fork the chain — which
+  // verifyChain() then reports as a prev_hash mismatch, indistinguishable
+  // from a real tamper. Serializing the whole body behind a per-instance
+  // mutex collapses the window: the second writer blocks until the first
+  // has committed its row, so it reads the freshly-advanced head. In-
+  // process only — it narrows the fork window to a single isolate, the
+  // same bound the framework chain primitive carries; the checkpoint
+  // anchoring below remains the cross-isolate / full-rewrite defense.
+  var appendMutex = new b.safeAsync.Mutex();
+
   async function _currentHead() {
     var r = await query(
       "SELECT row_hash, occurred_at, id FROM operator_audit_events " +
@@ -326,6 +345,8 @@ function create(opts) {
     if (!input || typeof input !== "object") {
       throw new TypeError("operatorAuditLog.record: input object required");
     }
+    // Validate OUTSIDE the lock — a bad-input throw shouldn't hold the
+    // append serializer, and validation touches no shared chain state.
     var actorType    = _actorType(input.actor_type);
     var actorId      = _ident(input.actor_id,      "actor_id",      IDENT_RE, MAX_ACTOR_ID_LEN);
     var action       = _ident(input.action,        "action",        ACTION_RE, MAX_ACTION_LEN);
@@ -336,6 +357,9 @@ function create(opts) {
     var ipHash       = _ipHash(input.ip_hash);
     var uaClass      = _uaClass(input.ua_class);
 
+    // Acquire the append mutex for the head-read → hash → INSERT body so
+    // the chain advances under a single writer.
+    return appendMutex.runExclusive(async function () {
     var head      = await _currentHead();
     var prevHash  = head.row_hash;
     var id        = b.uuid.v7();
@@ -393,6 +417,7 @@ function create(opts) {
       prev_hash:     prevHash,
       row_hash:      rowHash,
     };
+    });
   }
 
   // -- listByActor -------------------------------------------------------
@@ -581,6 +606,152 @@ function create(opts) {
     return { ok: true, rows_verified: rows.length, last_hash: prevHash };
   }
 
+  // -- checkpoint anchoring ----------------------------------------------
+  //
+  // The hash chain is tamper-EVIDENT against a single edited/deleted row,
+  // but an attacker who can rewrite the whole table can re-hash from a
+  // forged genesis and leave the chain internally consistent. Anchoring
+  // the tip with a post-quantum signature over the head row_hash — keyed
+  // off the framework's b.auditSign keypair, whose private half never
+  // touches D1 — closes that hole: a full-chain rewrite can't reproduce a
+  // valid checkpoint signature over the rewritten tip.
+  //
+  // checkpoint() signs the CURRENT head and inserts an anchor row.
+  // verifyCheckpoints() re-derives every anchor's signature and confirms
+  // the anchored row still carries the signed hash. Both no-op gracefully
+  // when b.auditSign isn't initialized (the chain stays hash-linked; the
+  // signature layer is simply absent) so a deployment without the
+  // audit-signing keypair still records + verifies the linkage.
+
+  function _auditSignReady() {
+    try { b.auditSign.getPublicKeyFingerprint(); return true; }
+    catch (_e) { return false; }
+  }
+
+  // Canonical signed bytes for a checkpoint. STABLE FOREVER — changing
+  // this layout invalidates every prior checkpoint signature.
+  function _checkpointPayload(atRowId, atOccurredAt, atRowHash, createdAt) {
+    return Buffer.from(
+      CHECKPOINT_FORMAT + "\n" +
+      atRowId + "\n" +
+      String(atOccurredAt) + "\n" +
+      atRowHash + "\n" +
+      String(createdAt),
+      "utf8",
+    );
+  }
+
+  // Anchor the current chain tip with a fresh PQC signature. Returns the
+  // inserted checkpoint row, or null when the chain is empty (nothing to
+  // anchor) or `skipIfUnchanged` and the tip hasn't advanced since the
+  // last checkpoint. Throws OperatorAuditCheckpointSigningUnavailable-
+  // shaped TypeError only if asked to checkpoint without a signing key —
+  // callers that want a soft skip check `signingAvailable()` first.
+  async function checkpoint(checkpointOpts) {
+    checkpointOpts = checkpointOpts || {};
+    if (!_auditSignReady()) {
+      throw new TypeError("operatorAuditLog.checkpoint: b.auditSign is not initialized — " +
+        "no signing key to anchor the chain with");
+    }
+    var head = await _currentHead();
+    if (head.id === null) return null;  // empty chain — nothing to anchor
+
+    if (checkpointOpts.skipIfUnchanged) {
+      var last = await query(
+        "SELECT at_row_hash FROM operator_audit_checkpoints " +
+        "ORDER BY created_at DESC, id DESC LIMIT 1",
+        [],
+      );
+      if (last.rows.length && last.rows[0].at_row_hash === head.row_hash) {
+        return null;  // already anchored at this exact tip
+      }
+    }
+
+    var createdAt = _now();
+    var payload   = _checkpointPayload(head.id, head.occurred_at, head.row_hash, createdAt);
+    var signature = b.auditSign.sign(payload).toString("base64");
+    var pubFp     = b.auditSign.getPublicKeyFingerprint();
+    var id        = b.uuid.v7();
+
+    await query(
+      "INSERT INTO operator_audit_checkpoints " +
+      "(id, created_at, at_row_id, at_occurred_at, at_row_hash, signature, public_key_fingerprint) " +
+      "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
+      [id, createdAt, head.id, head.occurred_at, head.row_hash, signature, pubFp],
+    );
+
+    return {
+      id:                     id,
+      created_at:             createdAt,
+      at_row_id:              head.id,
+      at_occurred_at:         head.occurred_at,
+      at_row_hash:            head.row_hash,
+      public_key_fingerprint: pubFp,
+    };
+  }
+
+  // Walk every checkpoint oldest-first, re-derive its signature, and
+  // confirm the anchored row still carries the signed hash. Reports the
+  // first divergence — a forged signature, a key-rotation fingerprint
+  // mismatch, a vanished anchor row, or a rewritten tip whose hash no
+  // longer matches what was signed.
+  async function verifyCheckpoints() {
+    if (!_auditSignReady()) {
+      return { ok: true, checkpoints_verified: 0, reason: "audit-sign-unavailable" };
+    }
+    var r = await query(
+      "SELECT * FROM operator_audit_checkpoints ORDER BY created_at ASC, id ASC",
+      [],
+    );
+    var rows = r.rows;
+    if (!rows.length) return { ok: true, checkpoints_verified: 0 };
+
+    var currentFp  = b.auditSign.getPublicKeyFingerprint();
+    var currentPub = b.auditSign.getPublicKey();
+
+    for (var i = 0; i < rows.length; i += 1) {
+      var c = rows[i];
+      // Only the current key verifies (no key-history table). A rotation
+      // without re-signing surfaces here rather than silently failing.
+      if (c.public_key_fingerprint !== currentFp) {
+        return {
+          ok: false, checkpoints_verified: i, break_at: i, checkpoint_id: c.id,
+          reason: "public key fingerprint mismatch (key rotated without re-signing?)",
+          expected: currentFp, actual: c.public_key_fingerprint,
+        };
+      }
+      var payload = _checkpointPayload(c.at_row_id, Number(c.at_occurred_at), c.at_row_hash, Number(c.created_at));
+      var sigBuf;
+      try { sigBuf = Buffer.from(c.signature, "base64"); }
+      catch (_e) {
+        return { ok: false, checkpoints_verified: i, break_at: i, checkpoint_id: c.id,
+          reason: "checkpoint signature not decodable" };
+      }
+      if (!b.auditSign.verify(payload, sigBuf, currentPub)) {
+        return { ok: false, checkpoints_verified: i, break_at: i, checkpoint_id: c.id,
+          reason: "post-quantum signature failed" };
+      }
+      // The anchored row must still exist AND still carry the signed hash.
+      // A full-chain rewrite changes row_hash → this mismatch is the catch.
+      var anchored = await query(
+        "SELECT row_hash FROM operator_audit_events WHERE id = ?1 LIMIT 1",
+        [c.at_row_id],
+      );
+      if (!anchored.rows.length) {
+        return { ok: false, checkpoints_verified: i, break_at: i, checkpoint_id: c.id,
+          reason: "anchored audit row missing (id=" + c.at_row_id + ")" };
+      }
+      if (anchored.rows[0].row_hash !== c.at_row_hash) {
+        return {
+          ok: false, checkpoints_verified: i, break_at: i, checkpoint_id: c.id,
+          reason: "anchored row_hash mismatch — operator_audit_events was rewritten",
+          expected: c.at_row_hash, actual: anchored.rows[0].row_hash,
+        };
+      }
+    }
+    return { ok: true, checkpoints_verified: rows.length };
+  }
+
   return {
     MAX_ACTOR_ID_LEN:      MAX_ACTOR_ID_LEN,
     MAX_ACTION_LEN:        MAX_ACTION_LEN,
@@ -593,12 +764,20 @@ function create(opts) {
     ALLOWED_UA_CLASSES:    ALLOWED_UA_CLASSES,
     ZERO_HASH:             ZERO_HASH,
 
-    record:         record,
-    listByActor:    listByActor,
-    listByResource: listByResource,
-    searchAction:   searchAction,
-    chainHead:      chainHead,
-    verifyChain:    verifyChain,
+    record:            record,
+    listByActor:       listByActor,
+    listByResource:    listByResource,
+    searchAction:      searchAction,
+    chainHead:         chainHead,
+    verifyChain:       verifyChain,
+    // Checkpoint anchoring — sign the chain tip out-of-band so a
+    // full-chain rewrite (which verifyChain alone can't catch) becomes
+    // detectable. `signingAvailable()` lets callers soft-skip when the
+    // audit-signing key isn't initialized.
+    checkpoint:        checkpoint,
+    verifyCheckpoints: verifyCheckpoints,
+    signingAvailable:  _auditSignReady,
+    CHECKPOINT_FORMAT: CHECKPOINT_FORMAT,
   };
 }
 
@@ -614,4 +793,5 @@ module.exports = {
   ALLOWED_ACTOR_TYPES:   ALLOWED_ACTOR_TYPES,
   ALLOWED_UA_CLASSES:    ALLOWED_UA_CLASSES,
   ZERO_HASH:             ZERO_HASH,
+  CHECKPOINT_FORMAT:     CHECKPOINT_FORMAT,
 };

package/lib/operator-inbox.js

@@ -127,6 +127,25 @@
  *     - unreadCount({ operator_id, severity_min? })
  *         Cheap count for the navbar badge. Excludes archived.
  *
+ *     - inboxForRole({ role, severity_min?, unread_only?,
+ *                      include_archived?, limit?, cursor? })
+ *         Read the messages broadcast to a single role, newest-first.
+ *         Returns ONLY `role = ?` rows (never operator-id-addressed
+ *         ones), so it composes with `inboxForOperator` rather than
+ *         duplicating it — the read side for a console that addresses
+ *         notifications to a role and has no per-operator session to
+ *         fold role membership through.
+ *
+ *     - unreadCountForRole({ role, severity_min? })
+ *         Role-scoped navbar-badge count. Excludes archived + read.
+ *
+ *     - markReadForRole({ id, role }) / archiveForRole({ id, role })
+ *         Clear / retire a role-broadcast row by its role rather than
+ *         by an owning operator. Each asserts the row carries the
+ *         supplied role before mutating (a caller can't clear an
+ *         operator-id-addressed row, or another role's row, by
+ *         guessing its id). Idempotent.
+ *
  *     - cleanupOlderThan({ now?, age_ms })
  *         Delete rows whose `created_at < (now - age_ms)`. Used to
  *         keep the table bounded — the inbox is a feed, not an
@@ -771,6 +790,176 @@ function create(opts) {
     return Number(row.c || row.COUNT || 0);
   }
 
+  // ---- inboxForRole -----------------------------------------------------
+  //
+  // Read every message broadcast to a single role, newest-first. This is
+  // the read side for a console that addresses notifications to a role
+  // rather than to one owning operator — e.g. a single-credential admin
+  // where the "fulfillment" team is the audience but there's no per-
+  // operator session to fold role membership through. It returns ONLY
+  // `role = ?` rows (never operator-id-addressed rows), so it composes
+  // with `inboxForOperator` rather than duplicating it. Same severity_min
+  // / unread_only / include_archived / HMAC-cursor surface.
+  async function inboxForRole(input) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("operatorInbox.inboxForRole: input object required");
+    }
+    var role            = _role(input.role, "role");
+    var severityMin     = _severityMin(input.severity_min);
+    var unreadOnly      = _bool(input.unread_only,      "unread_only",      false);
+    var includeArchived = _bool(input.include_archived, "include_archived", false);
+    var limit           = _limit(input.limit);
+    var cursorState     = _decodeCursor(input.cursor, "inboxForRole");
+
+    var params = [];
+    var idx    = 1;
+    var pushP  = function (v) { params.push(v); var k = idx; idx += 1; return "?" + k; };
+
+    var where = "role = " + pushP(role);
+    if (!includeArchived) where += " AND archived_at IS NULL";
+    if (unreadOnly)       where += " AND read_at IS NULL";
+
+    if (severityMin) {
+      var minRank = SEVERITY_RANK[severityMin];
+      var allowed = [];
+      for (var si = 0; si < SEVERITIES.length; si += 1) {
+        if (SEVERITY_RANK[SEVERITIES[si]] >= minRank) {
+          allowed.push(pushP(SEVERITIES[si]));
+        }
+      }
+      where += " AND severity IN (" + allowed.join(", ") + ")";
+    }
+
+    if (cursorState) {
+      var caP = pushP(cursorState.created_at);
+      var idP = pushP(cursorState.id);
+      where  += " AND (created_at < " + caP +
+                " OR (created_at = " + caP + " AND id < " + idP + "))";
+    }
+
+    var limitPlace = pushP(limit);
+    var sql = "SELECT * FROM operator_inbox_messages WHERE " + where +
+              " ORDER BY created_at DESC, id DESC LIMIT " + limitPlace;
+    var r = await query(sql, params);
+    var rows = [];
+    for (var ki = 0; ki < r.rows.length; ki += 1) rows.push(_decodeRow(r.rows[ki]));
+    var nextCursor = rows.length === limit
+      ? b.pagination.encodeCursor({
+          orderKey: CURSOR_ORDER_KEY,
+          vals:     [rows[rows.length - 1].created_at, rows[rows.length - 1].id],
+          forward:  true,
+        }, cursorSecret)
+      : null;
+    return { rows: rows, next_cursor: nextCursor };
+  }
+
+  // ---- unreadCountForRole -----------------------------------------------
+  //
+  // Cheap navbar-badge count of unread, un-archived messages broadcast to
+  // one role. The role-scoped sibling of `unreadCount` — used by a
+  // role-addressed console where the badge audience is a role, not a
+  // single operator.
+  async function unreadCountForRole(input) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("operatorInbox.unreadCountForRole: input object required");
+    }
+    var role        = _role(input.role, "role");
+    var severityMin = _severityMin(input.severity_min);
+
+    var params = [];
+    var idx    = 1;
+    var pushP  = function (v) { params.push(v); var k = idx; idx += 1; return "?" + k; };
+
+    var where = "role = " + pushP(role) +
+                " AND read_at IS NULL AND archived_at IS NULL";
+
+    if (severityMin) {
+      var minRank = SEVERITY_RANK[severityMin];
+      var allowed = [];
+      for (var si = 0; si < SEVERITIES.length; si += 1) {
+        if (SEVERITY_RANK[SEVERITIES[si]] >= minRank) {
+          allowed.push(pushP(SEVERITIES[si]));
+        }
+      }
+      where += " AND severity IN (" + allowed.join(", ") + ")";
+    }
+
+    var sql = "SELECT COUNT(*) AS c FROM operator_inbox_messages WHERE " + where;
+    var r = await query(sql, params);
+    var row = r.rows[0] || {};
+    return Number(row.c || row.COUNT || 0);
+  }
+
+  // ---- markReadForRole / archiveForRole ---------------------------------
+  //
+  // The role-scoped write side. A console addressing notifications to a
+  // role (rather than to one owning operator) needs to clear a role-
+  // broadcast row WITHOUT a per-operator session to gate against — the
+  // role itself is the audience. Both assert the row carries the supplied
+  // role before mutating, so a caller can't clear an operator-id-addressed
+  // row (or a different role's row) by guessing its id. Idempotent.
+  async function _roleAddressableRow(messageId, role) {
+    var r = await query("SELECT * FROM operator_inbox_messages WHERE id = ?1", [messageId]);
+    if (!r.rows.length) return { row: null, reason: "not_found" };
+    var row = r.rows[0];
+    if (row.role != null && row.role === role) return { row: row, reason: null };
+    return { row: row, reason: "not_addressable" };
+  }
+
+  async function markReadForRole(input) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("operatorInbox.markReadForRole: input object required");
+    }
+    var id   = _messageId(input.id);
+    var role = _role(input.role, "role");
+    var gated = await _roleAddressableRow(id, role);
+    if (gated.reason === "not_found") {
+      var miss = new Error("operatorInbox.markReadForRole: message not found");
+      miss.code = "INBOX_MESSAGE_NOT_FOUND";
+      throw miss;
+    }
+    if (gated.reason === "not_addressable") {
+      var nope = new Error("operatorInbox.markReadForRole: message not addressed to this role");
+      nope.code = "INBOX_MESSAGE_NOT_ADDRESSABLE";
+      throw nope;
+    }
+    if (gated.row.read_at != null) return _decodeRow(gated.row);   // idempotent
+    var ts = _now();
+    await query(
+      "UPDATE operator_inbox_messages SET read_at = ?1 WHERE id = ?2 AND read_at IS NULL",
+      [ts, id],
+    );
+    var fresh = await query("SELECT * FROM operator_inbox_messages WHERE id = ?1", [id]);
+    return _decodeRow(fresh.rows[0]);
+  }
+
+  async function archiveForRole(input) {
+    if (!input || typeof input !== "object") {
+      throw new TypeError("operatorInbox.archiveForRole: input object required");
+    }
+    var id   = _messageId(input.id);
+    var role = _role(input.role, "role");
+    var gated = await _roleAddressableRow(id, role);
+    if (gated.reason === "not_found") {
+      var miss = new Error("operatorInbox.archiveForRole: message not found");
+      miss.code = "INBOX_MESSAGE_NOT_FOUND";
+      throw miss;
+    }
+    if (gated.reason === "not_addressable") {
+      var nope = new Error("operatorInbox.archiveForRole: message not addressed to this role");
+      nope.code = "INBOX_MESSAGE_NOT_ADDRESSABLE";
+      throw nope;
+    }
+    if (gated.row.archived_at != null) return _decodeRow(gated.row);   // idempotent
+    var ts = _now();
+    await query(
+      "UPDATE operator_inbox_messages SET archived_at = ?1 WHERE id = ?2 AND archived_at IS NULL",
+      [ts, id],
+    );
+    var fresh = await query("SELECT * FROM operator_inbox_messages WHERE id = ?1", [id]);
+    return _decodeRow(fresh.rows[0]);
+  }
+
   // ---- cleanupOlderThan -------------------------------------------------
 
   async function cleanupOlderThan(input) {
@@ -860,15 +1049,19 @@ function create(opts) {
     MAX_LIMIT:         MAX_LIMIT,
     MAX_BULK_IDS:      MAX_BULK_IDS,
 
-    enqueueMessage:    enqueueMessage,
-    inboxForOperator:  inboxForOperator,
-    markRead:          markRead,
-    markUnread:        markUnread,
-    archiveMessage:    archiveMessage,
-    bulkArchive:       bulkArchive,
-    unreadCount:       unreadCount,
-    cleanupOlderThan:  cleanupOlderThan,
-    metricsForKind:    metricsForKind,
+    enqueueMessage:     enqueueMessage,
+    inboxForOperator:   inboxForOperator,
+    inboxForRole:       inboxForRole,
+    markRead:           markRead,
+    markUnread:         markUnread,
+    markReadForRole:    markReadForRole,
+    archiveMessage:     archiveMessage,
+    archiveForRole:     archiveForRole,
+    bulkArchive:        bulkArchive,
+    unreadCount:        unreadCount,
+    unreadCountForRole: unreadCountForRole,
+    cleanupOlderThan:   cleanupOlderThan,
+    metricsForKind:     metricsForKind,
   };
 }