@camstack/server 0.2.2 → 1.0.1

package/src/api/core/auth.router.ts

@@ -1,322 +0,0 @@
-/**
- * Auth router — core API for login/logout/me.
- *
- * Login validates credentials via the `user-management` capability
- * (owned by the local-auth addon) and signs a JWT.
- *
- * JWT signing stays in the server — it's a transport-level concern
- * (the server owns the secret and the HTTP session).
- *
- * External auth providers are listed via the `auth-provider` cap collection.
- */
-import { z } from 'zod'
-import type { CapabilityRegistry } from '@camstack/kernel'
-import type { AuthService } from '../../core/auth/auth.service.js'
-import { trpcRouter, publicProcedure, protectedProcedure } from '../trpc/trpc.middleware.js'
-
-/**
- * Login response — discriminated on `requiresTotp`.
- *
- *   • `requiresTotp: false` (or absent in the legacy path): the
- *     credentials were sufficient, `token` is the real session JWT.
- *   • `requiresTotp: true`: the user has TOTP enrolled. `token` is a
- *     short-lived (5 min) challenge token, NOT a session. The client
- *     prompts for a 6-digit code and submits to `loginVerifyTotp`
- *     with `{challengeToken, code}`. Only on success does the server
- *     mint the real session.
- */
-const LoginResultSchema = z.object({
-  token: z.string(),
-  user: z.object({
-    id: z.string(),
-    username: z.string(),
-    isAdmin: z.boolean(),
-  }),
-  requiresTotp: z.boolean().optional(),
-})
-
-const AuthProviderSummarySchema = z.object({
-  id: z.string(),
-  name: z.string(),
-  icon: z.string(),
-  flowType: z.string(),
-})
-
-/** Wire shape of the authenticated user returned by `auth.me`. */
-const MeSchema = z
-  .object({
-    id: z.string(),
-    username: z.string(),
-    isAdmin: z.boolean(),
-    permissions: z.object({
-      isAdmin: z.boolean(),
-      allowedProviders: z.union([z.literal('*'), z.array(z.string())]),
-      allowedDevices: z.record(z.string(), z.unknown()),
-    }),
-    isApiKey: z.boolean(),
-    agentId: z.string().optional(),
-  })
-  .nullable()
-
-export function createAuthRouter(auth: AuthService, registry: CapabilityRegistry | null) {
-  return trpcRouter({
-    login: publicProcedure
-      .input(z.object({ username: z.string(), password: z.string() }))
-      .output(LoginResultSchema)
-      .mutation(async ({ input }) => {
-        const userMgmt = registry?.getSingleton('user-management')
-        if (!userMgmt) {
-          // The local-auth addon owns this cap. When this fires the
-          // addon either failed to initialize or is still booting.
-          // Check the server log for `[hub/local-auth]` errors —
-          // common cause is a settings-store regression that breaks
-          // the `users` collection query path.
-          throw new Error(
-            'Login unavailable — `user-management` capability not registered. ' +
-              'The `local-auth` addon failed to initialize; check server logs ' +
-              'for an error tagged `[hub/local-auth]`.',
-          )
-        }
-
-        const user = await userMgmt.validateCredentials({
-          username: input.username,
-          password: input.password,
-        })
-        if (!user) throw new Error('Invalid credentials')
-
-        // ── TOTP gate ────────────────────────────────────────────────
-        // After credentials validate, check whether the user has
-        // active 2FA enrollment. If yes, mint a SHORT-LIVED challenge
-        // token instead of the real session — the client must follow
-        // up via `loginVerifyTotp` with a valid 6-digit code before
-        // we hand out the actual JWT. The challenge token carries
-        // `kind: 'totp-challenge'` so it can't be replayed against
-        // protected endpoints (the auth middleware rejects anything
-        // without the standard session shape).
-        const totpStatus =
-          typeof userMgmt.getTotpStatus === 'function'
-            ? await userMgmt.getTotpStatus({ userId: user.id })
-            : { enabled: false }
-        if (totpStatus.enabled) {
-          const challengeToken = auth.signTotpChallengeToken({
-            userId: user.id,
-            username: user.username,
-            isAdmin: user.isAdmin,
-          })
-          return {
-            token: challengeToken,
-            user: { id: user.id, username: user.username, isAdmin: user.isAdmin },
-            requiresTotp: true,
-          }
-        }
-
-        // Snapshot `scopes` into the JWT payload. Admins ignore the
-        // field (middleware bypass); for non-admins this drives the
-        // entire scope-access check until the user logs out + back in.
-        // setUserScopes mutations take effect on next login — old JWTs
-        // carry the snapshot from issue time. This is the standard JWT
-        // staleness tradeoff; if you need immediate revocation, force a
-        // logout from the admin UI.
-        const token = auth.signToken({
-          userId: user.id,
-          username: user.username,
-          isAdmin: user.isAdmin,
-          allowedProviders: user.allowedProviders ?? '*',
-          allowedDevices: user.allowedDevices ?? {},
-          scopes: user.scopes ?? [],
-        })
-        return {
-          token,
-          user: { id: user.id, username: user.username, isAdmin: user.isAdmin },
-          requiresTotp: false,
-        }
-      }),
-
-    /**
-     * Second leg of the 2FA login. Accepts the challenge token minted
-     * by `login` (when `requiresTotp: true`) plus the operator-entered
-     * 6-digit code. Re-validates both, then mints the real session.
-     *
-     * Failure modes:
-     *   • Invalid/expired challenge token → 401 (session timed out,
-     *     restart login).
-     *   • Code doesn't match → 401 (try again with a fresh code from
-     *     the authenticator app).
-     *   • User vanished between leg 1 and leg 2 → 401 (operator was
-     *     deleted concurrently — rare).
-     */
-    loginVerifyTotp: publicProcedure
-      .input(z.object({ challengeToken: z.string(), code: z.string() }))
-      .output(LoginResultSchema)
-      .mutation(async ({ input }) => {
-        const claims = auth.verifyTotpChallengeToken(input.challengeToken)
-        if (!claims) {
-          throw new Error('Invalid or expired TOTP challenge — please re-enter your password')
-        }
-        const userMgmt = registry?.getSingleton('user-management')
-        if (!userMgmt) {
-          throw new Error('Login unavailable — `user-management` capability not registered')
-        }
-        const verify =
-          typeof userMgmt.verifyTotp === 'function'
-            ? await userMgmt.verifyTotp({ userId: claims.userId, code: input.code.trim() })
-            : { valid: false }
-        if (!verify.valid) {
-          throw new Error('Invalid TOTP code')
-        }
-        // Re-fetch the user record so scopes / allowedDevices reflect
-        // any admin change made between the two legs. Without this we
-        // could mint a stale-scope session.
-        const fresh =
-          typeof userMgmt.listUsers === 'function'
-            ? (await userMgmt.listUsers()).find((u) => u.id === claims.userId)
-            : null
-        if (!fresh) {
-          throw new Error('User no longer exists')
-        }
-        const sessionToken = auth.signToken({
-          userId: fresh.id,
-          username: fresh.username,
-          isAdmin: fresh.isAdmin,
-          allowedProviders: fresh.allowedProviders ?? '*',
-          allowedDevices: fresh.allowedDevices ?? {},
-          scopes: fresh.scopes ?? [],
-        })
-        return {
-          token: sessionToken,
-          user: { id: fresh.id, username: fresh.username, isAdmin: fresh.isAdmin },
-          requiresTotp: false,
-        }
-      }),
-
-    me: protectedProcedure
-      .input(z.void())
-      .output(MeSchema)
-      .query(({ ctx }) => ctx.user),
-
-    // ── Self-service profile operations ───────────────────────────────
-    //
-    // These route through the `user-management` capability provider but
-    // bind `userId` to the CALLER's session identity (`ctx.user.id`)
-    // — i.e. every authenticated user can manage THEIR OWN password and
-    // TOTP enrollment, without the admin gate that the corresponding
-    // cap methods enforce on the trpc layer.
-    //
-    // Provider methods themselves don't check admin status, so calling
-    // them directly here is fine. The trpc admin-gate on the cap router
-    // exists only to block third-party tampering — operators acting on
-    // themselves bypass it intentionally.
-    changeOwnPassword: protectedProcedure
-      .input(
-        z.object({
-          currentPassword: z.string().min(1),
-          newPassword: z.string().min(8),
-        }),
-      )
-      .output(z.object({ success: z.literal(true) }))
-      .mutation(async ({ input, ctx }) => {
-        const userMgmt = registry?.getSingleton('user-management') as
-          | {
-              validateCredentials: (i: {
-                username: string
-                password: string
-              }) => Promise<{ id: string } | null>
-              resetPassword: (i: { id: string; newPassword: string }) => Promise<{ success: true }>
-            }
-          | null
-          | undefined
-        if (!userMgmt) throw new Error('user-management capability not available')
-        if (!ctx.user) throw new Error('Not authenticated')
-        // Re-validate the current password against the live store to
-        // confirm session identity → password ownership match. Stops a
-        // stolen session-token from rotating credentials silently.
-        const ok = await userMgmt.validateCredentials({
-          username: ctx.user.username,
-          password: input.currentPassword,
-        })
-        if (!ok) throw new Error('Current password is incorrect')
-        await userMgmt.resetPassword({ id: ctx.user.id, newPassword: input.newPassword })
-        return { success: true as const }
-      }),
-
-    setupOwnTotp: protectedProcedure
-      .input(z.void())
-      .output(z.object({ secret: z.string(), otpauthUrl: z.string() }))
-      .mutation(async ({ ctx }) => {
-        const userMgmt = registry?.getSingleton('user-management') as
-          | {
-              setupTotp: (i: { userId: string }) => Promise<{ secret: string; otpauthUrl: string }>
-            }
-          | null
-          | undefined
-        if (!userMgmt) throw new Error('user-management capability not available')
-        if (!ctx.user) throw new Error('Not authenticated')
-        return userMgmt.setupTotp({ userId: ctx.user.id })
-      }),
-
-    confirmOwnTotp: protectedProcedure
-      .input(z.object({ code: z.string().min(1) }))
-      .output(z.object({ success: z.literal(true) }))
-      .mutation(async ({ input, ctx }) => {
-        const userMgmt = registry?.getSingleton('user-management') as
-          | { confirmTotp: (i: { userId: string; code: string }) => Promise<{ success: true }> }
-          | null
-          | undefined
-        if (!userMgmt) throw new Error('user-management capability not available')
-        if (!ctx.user) throw new Error('Not authenticated')
-        return userMgmt.confirmTotp({ userId: ctx.user.id, code: input.code })
-      }),
-
-    disableOwnTotp: protectedProcedure
-      .input(z.void())
-      .output(z.object({ success: z.literal(true) }))
-      .mutation(async ({ ctx }) => {
-        const userMgmt = registry?.getSingleton('user-management') as
-          | { disableTotp: (i: { userId: string }) => Promise<{ success: true }> }
-          | null
-          | undefined
-        if (!userMgmt) throw new Error('user-management capability not available')
-        if (!ctx.user) throw new Error('Not authenticated')
-        return userMgmt.disableTotp({ userId: ctx.user.id })
-      }),
-
-    getOwnTotpStatus: protectedProcedure
-      .input(z.void())
-      .output(z.object({ enabled: z.boolean(), confirmedAt: z.number().nullable() }))
-      .query(async ({ ctx }) => {
-        const userMgmt = registry?.getSingleton('user-management') as
-          | {
-              getTotpStatus: (i: {
-                userId: string
-              }) => Promise<{ enabled: boolean; confirmedAt: number | null }>
-            }
-          | null
-          | undefined
-        if (!userMgmt || !ctx.user) return { enabled: false, confirmedAt: null }
-        return userMgmt.getTotpStatus({ userId: ctx.user.id })
-      }),
-
-    logout: protectedProcedure
-      .input(z.void())
-      .output(z.object({ success: z.literal(true) }))
-      .mutation(() => ({ success: true as const })),
-
-    listProviders: publicProcedure
-      .input(z.void())
-      .output(z.array(AuthProviderSummarySchema).readonly())
-      .query(() => {
-        if (!registry) return []
-        // Validate each auth-provider entry independently. A single
-        // malformed entry (e.g. an auth addon that registers without an
-        // `icon`) must NOT sink the whole array through the tRPC output
-        // validator — that would 500 the query and lock every login
-        // method out of the UI. Drop the bad entry, keep the rest.
-        const out: z.infer<typeof AuthProviderSummarySchema>[] = []
-        for (const entry of registry.getCollection('auth-provider')) {
-          const parsed = AuthProviderSummarySchema.safeParse(entry)
-          if (parsed.success) out.push(parsed.data)
-        }
-        return out
-      }),
-  })
-}

package/src/api/core/bulk-update-coordinator.ts

@@ -1,305 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-argument -- The server installs @camstack/types@0.1.38 (last published) in server/backend/node_modules, while the workspace has 0.1.39 with the new BulkUpdate* types. ESLint's type-checker resolves against 0.1.38 and treats the new imports as `any`. Runtime is correct because Node module resolution walks up to root node_modules → workspace symlink. This disable mirrors the pattern in cap-providers.ts (same root cause). Will resolve when 0.1.39 is published and the local dist is synced. */
-import { randomUUID } from 'node:crypto'
-import {
-  EventCategory,
-  type BulkUpdateItem,
-  type BulkUpdateState,
-  type BulkUpdatePhase,
-  type BulkUpdateItemStatus,
-} from '@camstack/types'
-
-/**
- * Narrow event-bus interface required by BulkUpdateCoordinator.
- * Intentionally narrower than IEventBus: the coordinator only emits a single
- * topic, so we avoid importing the full IEventBus (which lives in @camstack/types
- * and would pull in all event-catalog types). The full IEventBus satisfies this
- * interface structurally, so wiring in cap-providers.ts is cast-free.
- */
-export interface IBulkUpdateEventBus {
-  emit(category: EventCategory.AddonsBulkUpdateProgress, payload: BulkUpdateState): void
-}
-
-export interface IBulkUpdateLogger {
-  info(message: string, ...args: unknown[]): void
-  warn(message: string, ...args: unknown[]): void
-  error(message: string, ...args: unknown[]): void
-  debug(message: string, ...args: unknown[]): void
-}
-
-export interface BulkUpdateCoordinatorDeps {
-  readonly eventBus: IBulkUpdateEventBus
-  readonly updateAddon: (input: { name: string; version: string }) => Promise<void>
-  readonly updateFrameworkPackage: (input: {
-    packageName: string
-    version: string
-    deferRestart: boolean
-  }) => Promise<void>
-  readonly restartServer: (input: { confirm: true }) => Promise<void>
-  readonly logger: IBulkUpdateLogger
-  /** Injectable clock for tests. Default: `() => Date.now()`. */
-  readonly clock?: () => number
-  /** How long to keep completed state before purging. Default: 5 minutes. */
-  readonly cleanupAfterMs?: number
-}
-
-export interface StartBulkUpdateInput {
-  readonly nodeId: string
-  readonly items: readonly { name: string; version: string; isSystem: boolean }[]
-}
-
-const DEFAULT_CLEANUP_AFTER_MS = 5 * 60 * 1_000
-
-export class BulkUpdateCoordinator {
-  private readonly states = new Map<string, BulkUpdateState>()
-  private readonly cancelFlags = new Map<string, { cancelled: boolean }>()
-  /**
-   * Tracks wall-clock time (ms) when each bulk completed. Used for lazy
-   * cleanup in `get()` — avoids scheduling a fake-timer `setTimeout` that
-   * would be eagerly fired by `vi.runAllTimersAsync()` in tests.
-   */
-  private readonly completedWallMs = new Map<string, number>()
-  /** Tracks which nodeIds currently have an active (non-completed) bulk update. */
-  private readonly activeNodeIds = new Set<string>()
-
-  private readonly now: () => number
-  private readonly cleanupAfterMs: number
-  /** Wall-clock source. Fake timers intercept `Date.now`, so tests can advance via `advanceTimersByTimeAsync`. */
-  private readonly wallNow: () => number
-
-  constructor(private readonly deps: BulkUpdateCoordinatorDeps) {
-    this.now = deps.clock ?? (() => Date.now())
-    this.cleanupAfterMs = deps.cleanupAfterMs ?? DEFAULT_CLEANUP_AFTER_MS
-    this.wallNow = () => Date.now()
-  }
-
-  // ── Public API ────────────────────────────────────────────────────
-
-  start(input: StartBulkUpdateInput): { id: string } {
-    if (this.activeNodeIds.has(input.nodeId)) {
-      throw new Error(`Bulk update already in progress for node ${input.nodeId}`)
-    }
-
-    const id = randomUUID()
-
-    const items: BulkUpdateItem[] = input.items.map((i) => ({
-      name: i.name,
-      isSystem: i.isSystem,
-      // fromVersion: the cap interface receives name+version+isSystem only;
-      // the caller (cap-providers.ts) may enrich this with the current version
-      // if available. Empty string is acceptable per plan spec.
-      fromVersion: '',
-      toVersion: i.version,
-      status: 'queued' as BulkUpdateItemStatus,
-    }))
-
-    const state: BulkUpdateState = {
-      id,
-      nodeId: input.nodeId,
-      startedAtMs: this.now(),
-      total: items.length,
-      completed: 0,
-      failed: 0,
-      current: null,
-      phase: 'regular',
-      cancelled: false,
-      items,
-    }
-
-    this.states.set(id, state)
-    this.activeNodeIds.add(input.nodeId)
-
-    const cancelFlag = { cancelled: false }
-    this.cancelFlags.set(id, cancelFlag)
-
-    // Emit initial state so clients see the bulk as started immediately
-    this.emit(state)
-
-    void this.runLoop(id, cancelFlag).catch((err) => {
-      this.deps.logger.error('BulkUpdateCoordinator: loop crashed unexpectedly', err)
-    })
-
-    return { id }
-  }
-
-  get(id: string): BulkUpdateState | null {
-    const state = this.states.get(id)
-    if (state === undefined) return null
-    // Lazy cleanup: purge if the wall-clock elapsed since completion exceeds threshold.
-    // This avoids scheduling a long-lived setTimeout that would be eagerly fired
-    // by vi.runAllTimersAsync() in tests.
-    const completedWall = this.completedWallMs.get(id)
-    if (completedWall !== undefined && this.wallNow() - completedWall >= this.cleanupAfterMs) {
-      this.purge(id)
-      return null
-    }
-    return state
-  }
-
-  list(nodeId?: string): readonly BulkUpdateState[] {
-    const all = [...this.states.keys()]
-      .map((id) => this.get(id)) // get() applies lazy-cleanup
-      .filter((s): s is BulkUpdateState => s !== null)
-    return nodeId === undefined ? all : all.filter((s) => s.nodeId === nodeId)
-  }
-
-  cancel(id: string): { cancelled: boolean } {
-    const state = this.states.get(id)
-    const flag = this.cancelFlags.get(id)
-    if (state === undefined || flag === undefined) return { cancelled: false }
-    // Once restarting, the hub restart is committed — cancel has no effect.
-    if (state.phase === 'restarting') return { cancelled: false }
-    // Already completed.
-    if (state.completedAtMs !== undefined) return { cancelled: false }
-
-    flag.cancelled = true
-    this.mutate(id, (s) => ({ ...s, cancelled: true }))
-    return { cancelled: true }
-  }
-
-  // ── Internal loop ─────────────────────────────────────────────────
-
-  private async runLoop(id: string, cancelFlag: { cancelled: boolean }): Promise<void> {
-    const initial = this.states.get(id)!
-
-    // ── Phase 1: regular addons ──────────────────────────────────────
-    this.transitionPhase(id, 'regular')
-
-    for (const item of initial.items.filter((i) => !i.isSystem)) {
-      if (cancelFlag.cancelled) break
-      await this.processItem(id, item, false)
-    }
-
-    // ── Phase 2: system packages (deferRestart: true) ────────────────
-    if (!cancelFlag.cancelled && initial.items.some((i) => i.isSystem)) {
-      this.transitionPhase(id, 'system')
-
-      for (const item of initial.items.filter((i) => i.isSystem)) {
-        if (cancelFlag.cancelled) break
-        await this.processItem(id, item, true)
-      }
-
-      // ── Phase 3: single restart ──────────────────────────────────
-      const anySystemPendingRestart = this.states
-        .get(id)!
-        .items.some((i) => i.isSystem && i.status === 'done-pending-restart')
-
-      if (anySystemPendingRestart && !cancelFlag.cancelled) {
-        this.transitionPhase(id, 'restarting')
-        try {
-          await this.deps.restartServer({ confirm: true })
-          // NOTE: In production, restartServer kills+respawns the hub process.
-          // Code below this point will not execute in that scenario.
-          // If the mock/stub returns (e.g. in tests), we fall through to finalizing.
-        } catch (err) {
-          // Restart failed but the npm installs already completed. Promote all
-          // done-pending-restart items to done with a caveat error so the UI
-          // can inform the user that a manual restart is needed.
-          this.deps.logger.error('BulkUpdateCoordinator: restart failed', err)
-          const errMsg = err instanceof Error ? err.message : String(err)
-          for (const it of this.states.get(id)!.items) {
-            if (it.status === 'done-pending-restart') {
-              this.setItemStatus(id, it.name, 'done', {
-                error: `Restart failed; manual restart required (${errMsg})`,
-              })
-            }
-          }
-        }
-      }
-    }
-
-    // ── Phase 4: finalize ────────────────────────────────────────────
-    // Reached when:
-    //  a) no system packages at all, OR
-    //  b) restart failed (process continued), OR
-    //  c) cancelled before the restart phase.
-    this.transitionPhase(id, 'finalizing')
-    this.completeBulk(id)
-  }
-
-  private async processItem(id: string, item: BulkUpdateItem, isSystem: boolean): Promise<void> {
-    this.setItemStatus(id, item.name, 'updating', { startedAtMs: this.now() })
-    this.mutate(id, (s) => ({ ...s, current: item.name }))
-    this.emit(this.states.get(id)!)
-
-    try {
-      if (isSystem) {
-        await this.deps.updateFrameworkPackage({
-          packageName: item.name,
-          version: item.toVersion,
-          deferRestart: true,
-        })
-        this.setItemStatus(id, item.name, 'done-pending-restart', { completedAtMs: this.now() })
-      } else {
-        await this.deps.updateAddon({ name: item.name, version: item.toVersion })
-        this.setItemStatus(id, item.name, 'done', { completedAtMs: this.now() })
-      }
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err)
-      this.setItemStatus(id, item.name, 'failed', { error: msg, completedAtMs: this.now() })
-    }
-
-    this.mutate(id, (s) => ({ ...s, current: null }))
-    this.emit(this.states.get(id)!)
-  }
-
-  // ── State mutation helpers ────────────────────────────────────────
-
-  private setItemStatus(
-    id: string,
-    name: string,
-    status: BulkUpdateItemStatus,
-    fields: { error?: string; startedAtMs?: number; completedAtMs?: number } = {},
-  ): void {
-    this.mutate(id, (s) => {
-      const items = s.items.map((it) => (it.name === name ? { ...it, status, ...fields } : it))
-      // completed = all terminal states: done | done-pending-restart | failed
-      const completed = items.filter(
-        (it) =>
-          it.status === 'done' || it.status === 'done-pending-restart' || it.status === 'failed',
-      ).length
-      const failed = items.filter((it) => it.status === 'failed').length
-      return { ...s, items, completed, failed }
-    })
-  }
-
-  private transitionPhase(id: string, phase: BulkUpdatePhase): void {
-    this.mutate(id, (s) => ({ ...s, phase }))
-    this.emit(this.states.get(id)!)
-  }
-
-  private completeBulk(id: string): void {
-    this.mutate(id, (s) => ({ ...s, completedAtMs: this.now(), current: null }))
-    this.emit(this.states.get(id)!)
-
-    // Free the nodeId slot so a new bulk for the same node can be started
-    const nodeId = this.states.get(id)!.nodeId
-    this.activeNodeIds.delete(nodeId)
-
-    // Record wall-clock completion time for lazy cleanup in `get()`.
-    // We intentionally avoid scheduling a setTimeout here: a long-lived
-    // setTimeout (5 min) would be eagerly fired by vi.runAllTimersAsync()
-    // in tests, causing `get()` to return null immediately after the run.
-    // Instead, `get()` lazily checks whether the cleanup threshold has
-    // elapsed using Date.now() — which fake timers DO advance via
-    // advanceTimersByTimeAsync(), making the cleanup testable without
-    // a long-running timer.
-    this.completedWallMs.set(id, this.wallNow())
-  }
-
-  private purge(id: string): void {
-    this.states.delete(id)
-    this.cancelFlags.delete(id)
-    this.completedWallMs.delete(id)
-  }
-
-  /** Immutably update the state for the given id. No-op if id is unknown. */
-  private mutate(id: string, update: (s: BulkUpdateState) => BulkUpdateState): void {
-    const current = this.states.get(id)
-    if (current === undefined) return
-    this.states.set(id, update(current))
-  }
-
-  private emit(state: BulkUpdateState): void {
-    this.deps.eventBus.emit(EventCategory.AddonsBulkUpdateProgress, state)
-  }
-}