@camstack/server 0.1.8 → 0.2.1

package/src/api/core/__tests__/auth-router-totp.spec.ts

@@ -57,22 +57,35 @@ function makeUserMgmt(overrides: Partial<MockUserManagement> = {}): MockUserMana
   }
 }
 
-function makeConfig(overrides: Record<string, unknown> = {}): { get<T>(p: string): T; update(s: string, d: Record<string, unknown>): void } {
+function makeConfig(overrides: Record<string, unknown> = {}): {
+  get<T>(p: string): T
+  update(s: string, d: Record<string, unknown>): void
+} {
   const store: Record<string, unknown> = { 'auth.jwtSecret': 'unit-test-secret', ...overrides }
   return {
-    get<T>(path: string): T { return store[path] as T },
-    update(_section: string, _data: Record<string, unknown>): void { /* no-op */ },
+    get<T>(path: string): T {
+      return store[path] as T
+    },
+    update(_section: string, _data: Record<string, unknown>): void {
+      /* no-op */
+    },
   }
 }
 
-function makeRegistry(userMgmt: MockUserManagement): { getSingleton: (name: string) => unknown | null } {
+function makeRegistry(userMgmt: MockUserManagement): {
+  getSingleton: (name: string) => unknown | null
+} {
   return {
     getSingleton: (name: string) => (name === 'user-management' ? userMgmt : null),
   }
 }
 
 /** Invoke a tRPC procedure directly via the router's internal API. */
-async function callProc(router: ReturnType<typeof createAuthRouter>, name: 'login' | 'loginVerifyTotp', input: unknown): Promise<unknown> {
+async function callProc(
+  router: ReturnType<typeof createAuthRouter>,
+  name: 'login' | 'loginVerifyTotp',
+  input: unknown,
+): Promise<unknown> {
   const caller = router.createCaller({} as never)
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   const fn = (caller as any)[name]
@@ -97,7 +110,7 @@ describe('auth.router — TOTP gate', () => {
       userMgmt.getTotpStatus.mockResolvedValueOnce({ enabled: false, confirmedAt: null })
 
       const router = createAuthRouter(auth, registry as never)
-      const result = await callProc(router, 'login', { username: 'alice', password: 'pw' }) as {
+      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
         token: string
         user: { id: string; username: string; isAdmin: boolean }
         requiresTotp?: boolean
@@ -118,7 +131,7 @@ describe('auth.router — TOTP gate', () => {
       userMgmt.getTotpStatus.mockResolvedValueOnce({ enabled: true, confirmedAt: Date.now() })
 
       const router = createAuthRouter(auth, registry as never)
-      const result = await callProc(router, 'login', { username: 'alice', password: 'pw' }) as {
+      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
         token: string
         user: { id: string; username: string; isAdmin: boolean }
         requiresTotp?: boolean
@@ -137,13 +150,17 @@ describe('auth.router — TOTP gate', () => {
     it('rejects invalid credentials', async () => {
       userMgmt.validateCredentials.mockResolvedValueOnce(null)
       const router = createAuthRouter(auth, registry as never)
-      await expect(callProc(router, 'login', { username: 'alice', password: 'wrong' })).rejects.toThrow('Invalid credentials')
+      await expect(
+        callProc(router, 'login', { username: 'alice', password: 'wrong' }),
+      ).rejects.toThrow('Invalid credentials')
     })
 
     it('throws when user-management cap is unregistered (boot failure)', async () => {
       const emptyRegistry = { getSingleton: () => null } as never
       const router = createAuthRouter(auth, emptyRegistry)
-      await expect(callProc(router, 'login', { username: 'alice', password: 'pw' })).rejects.toThrow(/user-management.*capability not registered/)
+      await expect(
+        callProc(router, 'login', { username: 'alice', password: 'pw' }),
+      ).rejects.toThrow(/user-management.*capability not registered/)
     })
 
     it('falls through to session-token branch when getTotpStatus method is absent (older user-mgmt builds)', async () => {
@@ -155,7 +172,9 @@ describe('auth.router — TOTP gate', () => {
         listUsers: vi.fn(),
       }
       const router = createAuthRouter(auth, makeRegistry(legacyMgmt as never) as never)
-      const result = await callProc(router, 'login', { username: 'alice', password: 'pw' }) as { requiresTotp?: boolean }
+      const result = (await callProc(router, 'login', { username: 'alice', password: 'pw' })) as {
+        requiresTotp?: boolean
+      }
       expect(result.requiresTotp).toBe(false)
     })
   })
@@ -173,7 +192,10 @@ describe('auth.router — TOTP gate', () => {
       })
 
       const router = createAuthRouter(auth, registry as never)
-      const result = await callProc(router, 'loginVerifyTotp', { challengeToken, code: '123456' }) as {
+      const result = (await callProc(router, 'loginVerifyTotp', {
+        challengeToken,
+        code: '123456',
+      })) as {
         token: string
         user: { id: string; username: string; isAdmin: boolean }
         requiresTotp?: boolean
@@ -195,7 +217,11 @@ describe('auth.router — TOTP gate', () => {
 
     it('rejects a forged challenge token (signed with wrong secret)', async () => {
       const other = new AuthService(makeConfig({ 'auth.jwtSecret': 'attacker-secret' }) as never)
-      const forged = other.signTotpChallengeToken({ userId: 'u-1', username: 'alice', isAdmin: true })
+      const forged = other.signTotpChallengeToken({
+        userId: 'u-1',
+        username: 'alice',
+        isAdmin: true,
+      })
       const router = createAuthRouter(auth, registry as never)
       await expect(
         callProc(router, 'loginVerifyTotp', { challengeToken: forged, code: '000000' }),
@@ -218,7 +244,11 @@ describe('auth.router — TOTP gate', () => {
 
     it('rejects a wrong 6-digit code', async () => {
       userMgmt.verifyTotp.mockResolvedValueOnce({ valid: false })
-      const challengeToken = auth.signTotpChallengeToken({ userId: 'u-1', username: 'alice', isAdmin: false })
+      const challengeToken = auth.signTotpChallengeToken({
+        userId: 'u-1',
+        username: 'alice',
+        isAdmin: false,
+      })
       const router = createAuthRouter(auth, registry as never)
       await expect(
         callProc(router, 'loginVerifyTotp', { challengeToken, code: '000000' }),
@@ -229,7 +259,11 @@ describe('auth.router — TOTP gate', () => {
       userMgmt.verifyTotp.mockResolvedValueOnce({ valid: true })
       // The fresh listUsers() call returns nothing — user was deleted.
       userMgmt.listUsers.mockResolvedValueOnce([])
-      const challengeToken = auth.signTotpChallengeToken({ userId: 'ghost', username: 'alice', isAdmin: false })
+      const challengeToken = auth.signTotpChallengeToken({
+        userId: 'ghost',
+        username: 'alice',
+        isAdmin: false,
+      })
       const router = createAuthRouter(auth, registry as never)
       await expect(
         callProc(router, 'loginVerifyTotp', { challengeToken, code: '123456' }),
@@ -238,14 +272,21 @@ describe('auth.router — TOTP gate', () => {
 
     it('uses the FRESHLY fetched user record (scope changes pick up immediately)', async () => {
       // Issue challenge for u-1 with empty scopes (the in-token snapshot).
-      const challengeToken = auth.signTotpChallengeToken({ userId: 'u-1', username: 'alice', isAdmin: false })
+      const challengeToken = auth.signTotpChallengeToken({
+        userId: 'u-1',
+        username: 'alice',
+        isAdmin: false,
+      })
       // Between the two legs, an admin granted u-1 a new scope.
       userMgmt.verifyTotp.mockResolvedValueOnce({ valid: true })
       userMgmt.listUsers.mockResolvedValueOnce([
         makeUser({ scopes: [{ type: 'category', target: 'addon', access: ['view'] }] }),
       ])
       const router = createAuthRouter(auth, registry as never)
-      const result = await callProc(router, 'loginVerifyTotp', { challengeToken, code: '123456' }) as { token: string }
+      const result = (await callProc(router, 'loginVerifyTotp', {
+        challengeToken,
+        code: '123456',
+      })) as { token: string }
       const decoded = auth.verifyToken(result.token)
       // The fresh scope is in the minted session JWT, not the snapshot
       // from the (potentially stale) password leg.

package/src/api/core/addon-settings.router.ts

@@ -103,7 +103,10 @@ export function createAddonSettingsRouter(cfg: ConfigService) {
       .output(SuccessSchema)
       .mutation(({ input }) => {
         const current = cfg.getAddonDevice(input.addonId, input.deviceId)
-        cfg.setAddonDevice(input.addonId, input.deviceId, { ...current, [input.field]: input.value })
+        cfg.setAddonDevice(input.addonId, input.deviceId, {
+          ...current,
+          [input.field]: input.value,
+        })
         return { success: true as const }
       }),
 

package/src/api/core/agents.router.ts

@@ -9,51 +9,44 @@
 import { z } from 'zod'
 import type { AgentRegistryService } from '../../core/agent/agent-registry.service.js'
 import type { MoleculerService } from '../../core/moleculer/moleculer.service.js'
-import {
-  trpcRouter, adminProcedure,
-} from '../trpc/trpc.middleware.js'
+import { trpcRouter, adminProcedure } from '../trpc/trpc.middleware.js'
 
 const AgentRoleSchema = z.enum(['decoder', 'transcoder', 'detector', 'recorder'])
 
-export function createAgentsRouter(
-  ar: AgentRegistryService,
-  moleculer: MoleculerService,
-) {
+export function createAgentsRouter(ar: AgentRegistryService, moleculer: MoleculerService) {
   return trpcRouter({
     // ── Node listing (replaces listAgents / listConnected) ────────────
-    listNodes: adminProcedure
-      .input(z.void())
-      .query(async () => {
-        const items = await ar.listNodes()
-        // Spread to mutable copies: AgentListItem uses readonly arrays; Zod output schema uses mutable.
-        return items.map(a => ({
-          ...a,
-          info: {
-            ...a.info,
-            capabilities: [...a.info.capabilities],
-          },
-          status: {
-            ...a.status,
-            fps: { ...a.status.fps },
-            errors: [...a.status.errors],
-          },
-          subProcesses: [...a.subProcesses],
-        }))
-      }),
+    listNodes: adminProcedure.input(z.void()).query(async () => {
+      const items = await ar.listNodes()
+      // Spread to mutable copies: AgentListItem uses readonly arrays; Zod output schema uses mutable.
+      return items.map((a) => ({
+        ...a,
+        info: {
+          ...a.info,
+          capabilities: [...a.info.capabilities],
+        },
+        status: {
+          ...a.status,
+          fps: { ...a.status.fps },
+          errors: [...a.status.errors],
+        },
+        subProcesses: [...a.subProcesses],
+      }))
+    }),
 
     // ── Capability discovery (via Moleculer service list) ─────────────
-    getAgentCapabilities: adminProcedure
-      .input(z.void())
-      .query(async () => {
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access -- moleculer.broker.call typing chain unresolvable; runtime shape validated by the cast below
-        const services = await moleculer.broker.call('$node.services', {}) as Array<{ name: string }>
-        const capSet = new Set<string>()
-        for (const svc of services) {
-          if (svc.name.startsWith('$')) continue
-          capSet.add(svc.name)
-        }
-        return [...capSet].sort()
-      }),
+    getAgentCapabilities: adminProcedure.input(z.void()).query(async () => {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access -- moleculer.broker.call typing chain unresolvable; runtime shape validated by the cast below
+      const services = (await moleculer.broker.call('$node.services', {})) as Array<{
+        name: string
+      }>
+      const capSet = new Set<string>()
+      for (const svc of services) {
+        if (svc.name.startsWith('$')) continue
+        capSet.add(svc.name)
+      }
+      return [...capSet].toSorted()
+    }),
 
     // ── Role assignments ──────────────────────────────────────────────
     getAssignments: adminProcedure
@@ -61,27 +54,33 @@ export function createAgentsRouter(
       .query(({ input }) => ar.getAssignments(input.cameraId)),
 
     setAssignment: adminProcedure
-      .input(z.object({
-        cameraId: z.number(),
-        role: AgentRoleSchema,
-        agentId: z.string(),
-        priority: z.enum(['primary', 'backup', 'overflow']),
-        rtspUrl: z.string().optional(),
-      }))
+      .input(
+        z.object({
+          cameraId: z.number(),
+          role: AgentRoleSchema,
+          agentId: z.string(),
+          priority: z.enum(['primary', 'backup', 'overflow']),
+          rtspUrl: z.string().optional(),
+        }),
+      )
       .mutation(({ input }) => ar.setAssignment(input as never)),
 
     removeAssignment: adminProcedure
-      .input(z.object({
-        cameraId: z.number(),
-        role: AgentRoleSchema,
-      }))
+      .input(
+        z.object({
+          cameraId: z.number(),
+          role: AgentRoleSchema,
+        }),
+      )
       .mutation(({ input }) => ar.removeAssignment(input.cameraId, input.role as never)),
 
     activateBackup: adminProcedure
-      .input(z.object({
-        cameraId: z.number(),
-        role: AgentRoleSchema,
-      }))
+      .input(
+        z.object({
+          cameraId: z.number(),
+          role: AgentRoleSchema,
+        }),
+      )
       .mutation(({ input }) => ar.activateBackup(input.cameraId, input.role as never)),
   })
 }

package/src/api/core/auth.router.ts

@@ -43,23 +43,22 @@ const AuthProviderSummarySchema = z.object({
 })
 
 /** Wire shape of the authenticated user returned by `auth.me`. */
-const MeSchema = z.object({
-  id: z.string(),
-  username: z.string(),
-  isAdmin: z.boolean(),
-  permissions: z.object({
+const MeSchema = z
+  .object({
+    id: z.string(),
+    username: z.string(),
     isAdmin: z.boolean(),
-    allowedProviders: z.union([z.literal('*'), z.array(z.string())]),
-    allowedDevices: z.record(z.string(), z.unknown()),
-  }),
-  isApiKey: z.boolean(),
-  agentId: z.string().optional(),
-}).nullable()
+    permissions: z.object({
+      isAdmin: z.boolean(),
+      allowedProviders: z.union([z.literal('*'), z.array(z.string())]),
+      allowedDevices: z.record(z.string(), z.unknown()),
+    }),
+    isApiKey: z.boolean(),
+    agentId: z.string().optional(),
+  })
+  .nullable()
 
-export function createAuthRouter(
-  auth: AuthService,
-  registry: CapabilityRegistry | null,
-) {
+export function createAuthRouter(auth: AuthService, registry: CapabilityRegistry | null) {
   return trpcRouter({
     login: publicProcedure
       .input(z.object({ username: z.string(), password: z.string() }))
@@ -73,13 +72,16 @@ export function createAuthRouter(
           // common cause is a settings-store regression that breaks
           // the `users` collection query path.
           throw new Error(
-            'Login unavailable — `user-management` capability not registered. '
-            + 'The `local-auth` addon failed to initialize; check server logs '
-            + 'for an error tagged `[hub/local-auth]`.',
+            'Login unavailable — `user-management` capability not registered. ' +
+              'The `local-auth` addon failed to initialize; check server logs ' +
+              'for an error tagged `[hub/local-auth]`.',
           )
         }
 
-        const user = await userMgmt.validateCredentials({ username: input.username, password: input.password })
+        const user = await userMgmt.validateCredentials({
+          username: input.username,
+          password: input.password,
+        })
         if (!user) throw new Error('Invalid credentials')
 
         // ── TOTP gate ────────────────────────────────────────────────
@@ -91,9 +93,10 @@ export function createAuthRouter(
         // `kind: 'totp-challenge'` so it can't be replayed against
         // protected endpoints (the auth middleware rejects anything
         // without the standard session shape).
-        const totpStatus = typeof userMgmt.getTotpStatus === 'function'
-          ? await userMgmt.getTotpStatus({ userId: user.id })
-          : { enabled: false }
+        const totpStatus =
+          typeof userMgmt.getTotpStatus === 'function'
+            ? await userMgmt.getTotpStatus({ userId: user.id })
+            : { enabled: false }
         if (totpStatus.enabled) {
           const challengeToken = auth.signTotpChallengeToken({
             userId: user.id,
@@ -154,18 +157,20 @@ export function createAuthRouter(
         if (!userMgmt) {
           throw new Error('Login unavailable — `user-management` capability not registered')
         }
-        const verify = typeof userMgmt.verifyTotp === 'function'
-          ? await userMgmt.verifyTotp({ userId: claims.userId, code: input.code.trim() })
-          : { valid: false }
+        const verify =
+          typeof userMgmt.verifyTotp === 'function'
+            ? await userMgmt.verifyTotp({ userId: claims.userId, code: input.code.trim() })
+            : { valid: false }
         if (!verify.valid) {
           throw new Error('Invalid TOTP code')
         }
         // Re-fetch the user record so scopes / allowedDevices reflect
         // any admin change made between the two legs. Without this we
         // could mint a stale-scope session.
-        const fresh = typeof userMgmt.listUsers === 'function'
-          ? (await userMgmt.listUsers()).find((u) => u.id === claims.userId)
-          : null
+        const fresh =
+          typeof userMgmt.listUsers === 'function'
+            ? (await userMgmt.listUsers()).find((u) => u.id === claims.userId)
+            : null
         if (!fresh) {
           throw new Error('User no longer exists')
         }
@@ -202,15 +207,20 @@ export function createAuthRouter(
     // exists only to block third-party tampering — operators acting on
     // themselves bypass it intentionally.
     changeOwnPassword: protectedProcedure
-      .input(z.object({
-        currentPassword: z.string().min(1),
-        newPassword: z.string().min(8),
-      }))
+      .input(
+        z.object({
+          currentPassword: z.string().min(1),
+          newPassword: z.string().min(8),
+        }),
+      )
       .output(z.object({ success: z.literal(true) }))
       .mutation(async ({ input, ctx }) => {
         const userMgmt = registry?.getSingleton('user-management') as
           | {
-              validateCredentials: (i: { username: string; password: string }) => Promise<{ id: string } | null>
+              validateCredentials: (i: {
+                username: string
+                password: string
+              }) => Promise<{ id: string } | null>
               resetPassword: (i: { id: string; newPassword: string }) => Promise<{ success: true }>
             }
           | null
@@ -220,7 +230,10 @@ export function createAuthRouter(
         // Re-validate the current password against the live store to
         // confirm session identity → password ownership match. Stops a
         // stolen session-token from rotating credentials silently.
-        const ok = await userMgmt.validateCredentials({ username: ctx.user.username, password: input.currentPassword })
+        const ok = await userMgmt.validateCredentials({
+          username: ctx.user.username,
+          password: input.currentPassword,
+        })
         if (!ok) throw new Error('Current password is incorrect')
         await userMgmt.resetPassword({ id: ctx.user.id, newPassword: input.newPassword })
         return { success: true as const }
@@ -231,7 +244,9 @@ export function createAuthRouter(
       .output(z.object({ secret: z.string(), otpauthUrl: z.string() }))
       .mutation(async ({ ctx }) => {
         const userMgmt = registry?.getSingleton('user-management') as
-          | { setupTotp: (i: { userId: string }) => Promise<{ secret: string; otpauthUrl: string }> }
+          | {
+              setupTotp: (i: { userId: string }) => Promise<{ secret: string; otpauthUrl: string }>
+            }
           | null
           | undefined
         if (!userMgmt) throw new Error('user-management capability not available')
@@ -270,7 +285,11 @@ export function createAuthRouter(
       .output(z.object({ enabled: z.boolean(), confirmedAt: z.number().nullable() }))
       .query(async ({ ctx }) => {
         const userMgmt = registry?.getSingleton('user-management') as
-          | { getTotpStatus: (i: { userId: string }) => Promise<{ enabled: boolean; confirmedAt: number | null }> }
+          | {
+              getTotpStatus: (i: {
+                userId: string
+              }) => Promise<{ enabled: boolean; confirmedAt: number | null }>
+            }
           | null
           | undefined
         if (!userMgmt || !ctx.user) return { enabled: false, confirmedAt: null }

package/src/api/core/bulk-update-coordinator.ts

@@ -29,7 +29,11 @@ export interface IBulkUpdateLogger {
 export interface BulkUpdateCoordinatorDeps {
   readonly eventBus: IBulkUpdateEventBus
   readonly updateAddon: (input: { name: string; version: string }) => Promise<void>
-  readonly updateFrameworkPackage: (input: { packageName: string; version: string; deferRestart: boolean }) => Promise<void>
+  readonly updateFrameworkPackage: (input: {
+    packageName: string
+    version: string
+    deferRestart: boolean
+  }) => Promise<void>
   readonly restartServer: (input: { confirm: true }) => Promise<void>
   readonly logger: IBulkUpdateLogger
   /** Injectable clock for tests. Default: `() => Date.now()`. */
@@ -77,7 +81,7 @@ export class BulkUpdateCoordinator {
 
     const id = randomUUID()
 
-    const items: BulkUpdateItem[] = input.items.map(i => ({
+    const items: BulkUpdateItem[] = input.items.map((i) => ({
       name: i.name,
       isSystem: i.isSystem,
       // fromVersion: the cap interface receives name+version+isSystem only;
@@ -110,7 +114,7 @@ export class BulkUpdateCoordinator {
     // Emit initial state so clients see the bulk as started immediately
     this.emit(state)
 
-    void this.runLoop(id, cancelFlag).catch(err => {
+    void this.runLoop(id, cancelFlag).catch((err) => {
       this.deps.logger.error('BulkUpdateCoordinator: loop crashed unexpectedly', err)
     })
 
@@ -133,9 +137,9 @@ export class BulkUpdateCoordinator {
 
   list(nodeId?: string): readonly BulkUpdateState[] {
     const all = [...this.states.keys()]
-      .map(id => this.get(id))                // get() applies lazy-cleanup
+      .map((id) => this.get(id)) // get() applies lazy-cleanup
       .filter((s): s is BulkUpdateState => s !== null)
-    return nodeId === undefined ? all : all.filter(s => s.nodeId === nodeId)
+    return nodeId === undefined ? all : all.filter((s) => s.nodeId === nodeId)
   }
 
   cancel(id: string): { cancelled: boolean } {
@@ -148,7 +152,7 @@ export class BulkUpdateCoordinator {
     if (state.completedAtMs !== undefined) return { cancelled: false }
 
     flag.cancelled = true
-    this.mutate(id, s => ({ ...s, cancelled: true }))
+    this.mutate(id, (s) => ({ ...s, cancelled: true }))
     return { cancelled: true }
   }
 
@@ -160,24 +164,24 @@ export class BulkUpdateCoordinator {
     // ── Phase 1: regular addons ──────────────────────────────────────
     this.transitionPhase(id, 'regular')
 
-    for (const item of initial.items.filter(i => !i.isSystem)) {
+    for (const item of initial.items.filter((i) => !i.isSystem)) {
       if (cancelFlag.cancelled) break
       await this.processItem(id, item, false)
     }
 
     // ── Phase 2: system packages (deferRestart: true) ────────────────
-    if (!cancelFlag.cancelled && initial.items.some(i => i.isSystem)) {
+    if (!cancelFlag.cancelled && initial.items.some((i) => i.isSystem)) {
       this.transitionPhase(id, 'system')
 
-      for (const item of initial.items.filter(i => i.isSystem)) {
+      for (const item of initial.items.filter((i) => i.isSystem)) {
         if (cancelFlag.cancelled) break
         await this.processItem(id, item, true)
       }
 
       // ── Phase 3: single restart ──────────────────────────────────
-      const anySystemPendingRestart = this.states.get(id)!.items.some(
-        i => i.isSystem && i.status === 'done-pending-restart',
-      )
+      const anySystemPendingRestart = this.states
+        .get(id)!
+        .items.some((i) => i.isSystem && i.status === 'done-pending-restart')
 
       if (anySystemPendingRestart && !cancelFlag.cancelled) {
         this.transitionPhase(id, 'restarting')
@@ -214,7 +218,7 @@ export class BulkUpdateCoordinator {
 
   private async processItem(id: string, item: BulkUpdateItem, isSystem: boolean): Promise<void> {
     this.setItemStatus(id, item.name, 'updating', { startedAtMs: this.now() })
-    this.mutate(id, s => ({ ...s, current: item.name }))
+    this.mutate(id, (s) => ({ ...s, current: item.name }))
     this.emit(this.states.get(id)!)
 
     try {
@@ -234,7 +238,7 @@ export class BulkUpdateCoordinator {
       this.setItemStatus(id, item.name, 'failed', { error: msg, completedAtMs: this.now() })
     }
 
-    this.mutate(id, s => ({ ...s, current: null }))
+    this.mutate(id, (s) => ({ ...s, current: null }))
     this.emit(this.states.get(id)!)
   }
 
@@ -246,26 +250,25 @@ export class BulkUpdateCoordinator {
     status: BulkUpdateItemStatus,
     fields: { error?: string; startedAtMs?: number; completedAtMs?: number } = {},
   ): void {
-    this.mutate(id, s => {
-      const items = s.items.map(it =>
-        it.name === name ? { ...it, status, ...fields } : it,
-      )
+    this.mutate(id, (s) => {
+      const items = s.items.map((it) => (it.name === name ? { ...it, status, ...fields } : it))
       // completed = all terminal states: done | done-pending-restart | failed
       const completed = items.filter(
-        it => it.status === 'done' || it.status === 'done-pending-restart' || it.status === 'failed',
+        (it) =>
+          it.status === 'done' || it.status === 'done-pending-restart' || it.status === 'failed',
       ).length
-      const failed = items.filter(it => it.status === 'failed').length
+      const failed = items.filter((it) => it.status === 'failed').length
       return { ...s, items, completed, failed }
     })
   }
 
   private transitionPhase(id: string, phase: BulkUpdatePhase): void {
-    this.mutate(id, s => ({ ...s, phase }))
+    this.mutate(id, (s) => ({ ...s, phase }))
     this.emit(this.states.get(id)!)
   }
 
   private completeBulk(id: string): void {
-    this.mutate(id, s => ({ ...s, completedAtMs: this.now(), current: null }))
+    this.mutate(id, (s) => ({ ...s, completedAtMs: this.now(), current: null }))
     this.emit(this.states.get(id)!)
 
     // Free the nodeId slot so a new bulk for the same node can be started