@fuzdev/fuz_app 0.1.0

package/dist/actions/action_registry.js

@@ -0,0 +1,83 @@
+/**
+ * `ActionRegistry` — query and filter utility over `ActionSpecUnion[]`.
+ *
+ * @module
+ */
+// TODO @action-system-review Many getters below are stub API surface — only `spec_by_method`,
+// `request_response_specs`, `remote_notification_specs`, `local_call_specs`,
+// `frontend_methods`, `backend_methods`, and `methods` are used by consumers (codegen).
+// The rest are pre-built for future use. Revisit which getters to keep when the action
+// system matures (saes-rpc quest). Also consider lazy memoization (`??=` or derived).
+/**
+ * Utility class to manage and query action specifications.
+ * Provides helper methods to get actions by various criteria.
+ */
+export class ActionRegistry {
+    specs;
+    constructor(specs) {
+        this.specs = specs;
+    }
+    get spec_by_method() {
+        return new Map(this.specs.map((spec) => [spec.method, spec]));
+    }
+    get request_response_specs() {
+        return this.specs.filter((spec) => spec.kind === 'request_response');
+    }
+    get remote_notification_specs() {
+        return this.specs.filter((spec) => spec.kind === 'remote_notification');
+    }
+    get local_call_specs() {
+        return this.specs.filter((spec) => spec.kind === 'local_call');
+    }
+    // TODO @action-system-review `backend_specs` filters out local_call (can't run on backend);
+    // `frontend_specs` returns all specs (all action kinds are relevant to the frontend).
+    // Revisit whether these filters are correct as the action system matures.
+    get backend_specs() {
+        return this.specs.filter((spec) => spec.kind !== 'local_call');
+    }
+    get frontend_specs() {
+        return this.specs;
+    }
+    get backend_to_frontend_specs() {
+        return this.specs.filter((spec) => spec.initiator === 'backend' || spec.initiator === 'both');
+    }
+    get frontend_to_backend_specs() {
+        return this.specs.filter((spec) => spec.initiator === 'frontend' || spec.initiator === 'both');
+    }
+    get public_specs() {
+        return this.specs.filter((spec) => spec.auth === 'public');
+    }
+    get authenticated_specs() {
+        return this.specs.filter((spec) => spec.auth === 'authenticated');
+    }
+    get methods() {
+        return this.specs.map((spec) => spec.method);
+    }
+    get request_response_methods() {
+        return this.request_response_specs.map((spec) => spec.method);
+    }
+    get remote_notification_methods() {
+        return this.remote_notification_specs.map((spec) => spec.method);
+    }
+    get local_call_methods() {
+        return this.local_call_specs.map((spec) => spec.method);
+    }
+    get backend_methods() {
+        return this.backend_specs.map((spec) => spec.method);
+    }
+    get frontend_methods() {
+        return this.frontend_specs.map((spec) => spec.method);
+    }
+    get frontend_to_backend_methods() {
+        return this.frontend_to_backend_specs.map((spec) => spec.method);
+    }
+    get backend_to_frontend_methods() {
+        return this.backend_to_frontend_specs.map((spec) => spec.method);
+    }
+    get public_methods() {
+        return this.public_specs.map((spec) => spec.method);
+    }
+    get authenticated_methods() {
+        return this.authenticated_specs.map((spec) => spec.method);
+    }
+}

package/dist/actions/action_spec.d.ts

@@ -0,0 +1,169 @@
+/**
+ * Action spec types — the canonical source of truth for action contracts.
+ *
+ * Extracted from zzz's action system. Action specs define method, kind,
+ * auth, side effects, and input/output schemas. Bridge functions in
+ * `action_bridge.ts` derive `RouteSpec` and `SseEventSpec` from them.
+ *
+ * TODO @action-system-review The action system (action_spec, action_registry,
+ * action_codegen, action_bridge) will evolve significantly with the saes-rpc quest.
+ * Current state: bridge is stable, registry and codegen are partially stub API.
+ * Search for `@action-system-review` across the actions/ and routes/ modules.
+ *
+ * @module
+ */
+import { z } from 'zod';
+export declare const ActionKind: z.ZodEnum<{
+    request_response: "request_response";
+    remote_notification: "remote_notification";
+    local_call: "local_call";
+}>;
+export type ActionKind = z.infer<typeof ActionKind>;
+export declare const ActionInitiator: z.ZodEnum<{
+    both: "both";
+    frontend: "frontend";
+    backend: "backend";
+}>;
+export type ActionInitiator = z.infer<typeof ActionInitiator>;
+export declare const ActionAuth: z.ZodUnion<readonly [z.ZodLiteral<"public">, z.ZodLiteral<"authenticated">, z.ZodLiteral<"keeper">, z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>]>;
+export type ActionAuth = z.infer<typeof ActionAuth>;
+export declare const ActionSideEffects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+export type ActionSideEffects = z.infer<typeof ActionSideEffects>;
+export declare const ActionSpec: z.ZodObject<{
+    method: z.ZodString;
+    kind: z.ZodEnum<{
+        request_response: "request_response";
+        remote_notification: "remote_notification";
+        local_call: "local_call";
+    }>;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    auth: z.ZodNullable<z.ZodUnion<readonly [z.ZodLiteral<"public">, z.ZodLiteral<"authenticated">, z.ZodLiteral<"keeper">, z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>]>>;
+    side_effects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    output: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    async: z.ZodBoolean;
+    description: z.ZodString;
+}, z.core.$strict>;
+export type ActionSpec = z.infer<typeof ActionSpec>;
+export declare const RequestResponseActionSpec: z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    side_effects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    output: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"request_response">>;
+    auth: z.ZodUnion<readonly [z.ZodLiteral<"public">, z.ZodLiteral<"authenticated">, z.ZodLiteral<"keeper">, z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>]>;
+    async: z.ZodDefault<z.ZodLiteral<true>>;
+}, z.core.$strict>;
+export type RequestResponseActionSpec = z.infer<typeof RequestResponseActionSpec>;
+export declare const RemoteNotificationActionSpec: z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"remote_notification">>;
+    auth: z.ZodDefault<z.ZodNull>;
+    side_effects: z.ZodDefault<z.ZodNullable<z.ZodLiteral<true>>>;
+    output: z.ZodCustom<z.ZodVoid, z.ZodVoid>;
+    async: z.ZodDefault<z.ZodLiteral<true>>;
+}, z.core.$strict>;
+export type RemoteNotificationActionSpec = z.infer<typeof RemoteNotificationActionSpec>;
+/**
+ * Local calls can wrap synchronous or asynchronous actions,
+ * and are the escape hatch for remote APIs that do not support SAES.
+ */
+export declare const LocalCallActionSpec: z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    side_effects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    output: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    async: z.ZodBoolean;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"local_call">>;
+    auth: z.ZodDefault<z.ZodNull>;
+}, z.core.$strict>;
+export type LocalCallActionSpec = z.infer<typeof LocalCallActionSpec>;
+export declare const ActionSpecUnion: z.ZodUnion<readonly [z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    side_effects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    output: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"request_response">>;
+    auth: z.ZodUnion<readonly [z.ZodLiteral<"public">, z.ZodLiteral<"authenticated">, z.ZodLiteral<"keeper">, z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>]>;
+    async: z.ZodDefault<z.ZodLiteral<true>>;
+}, z.core.$strict>, z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"remote_notification">>;
+    auth: z.ZodDefault<z.ZodNull>;
+    side_effects: z.ZodDefault<z.ZodNullable<z.ZodLiteral<true>>>;
+    output: z.ZodCustom<z.ZodVoid, z.ZodVoid>;
+    async: z.ZodDefault<z.ZodLiteral<true>>;
+}, z.core.$strict>, z.ZodObject<{
+    method: z.ZodString;
+    initiator: z.ZodEnum<{
+        both: "both";
+        frontend: "frontend";
+        backend: "backend";
+    }>;
+    side_effects: z.ZodUnion<readonly [z.ZodLiteral<true>, z.ZodNull]>;
+    input: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    output: z.ZodCustom<z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+    async: z.ZodBoolean;
+    description: z.ZodString;
+    kind: z.ZodDefault<z.ZodLiteral<"local_call">>;
+    auth: z.ZodDefault<z.ZodNull>;
+}, z.core.$strict>]>;
+export type ActionSpecUnion = z.infer<typeof ActionSpecUnion>;
+export declare const is_action_spec: (value: unknown) => value is ActionSpecUnion;
+export declare const ActionEventPhase: z.ZodEnum<{
+    send_request: "send_request";
+    receive_request: "receive_request";
+    send_response: "send_response";
+    receive_response: "receive_response";
+    send_error: "send_error";
+    receive_error: "receive_error";
+    send: "send";
+    receive: "receive";
+    execute: "execute";
+}>;
+export type ActionEventPhase = z.infer<typeof ActionEventPhase>;
+//# sourceMappingURL=action_spec.d.ts.map

package/dist/actions/action_spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,eAAO,MAAM,UAAU;;;;EAAoE,CAAC;AAC5F,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,eAAO,MAAM,eAAe;;;;EAA0C,CAAC;AACvE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,eAAO,MAAM,UAAU;;oBAKrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,eAAO,MAAM,iBAAiB,sDAAuC,CAAC;AACtE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;kBAUrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;kBAIpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;kBAMvC,CAAC;AACH,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAExF;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,eAAO,MAAM,cAAc,GAAI,OAAO,OAAO,KAAG,KAAK,IAAI,eAKoB,CAAC;AAE9E,eAAO,MAAM,gBAAgB;;;;;;;;;;EAU3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/actions/action_spec.js

@@ -0,0 +1,76 @@
+/**
+ * Action spec types — the canonical source of truth for action contracts.
+ *
+ * Extracted from zzz's action system. Action specs define method, kind,
+ * auth, side effects, and input/output schemas. Bridge functions in
+ * `action_bridge.ts` derive `RouteSpec` and `SseEventSpec` from them.
+ *
+ * TODO @action-system-review The action system (action_spec, action_registry,
+ * action_codegen, action_bridge) will evolve significantly with the saes-rpc quest.
+ * Current state: bridge is stable, registry and codegen are partially stub API.
+ * Search for `@action-system-review` across the actions/ and routes/ modules.
+ *
+ * @module
+ */
+import { z } from 'zod';
+export const ActionKind = z.enum(['request_response', 'remote_notification', 'local_call']);
+export const ActionInitiator = z.enum(['frontend', 'backend', 'both']);
+export const ActionAuth = z.union([
+    z.literal('public'),
+    z.literal('authenticated'),
+    z.literal('keeper'),
+    z.strictObject({ role: z.string() }),
+]);
+export const ActionSideEffects = z.union([z.literal(true), z.null()]);
+export const ActionSpec = z.strictObject({
+    method: z.string(),
+    kind: ActionKind,
+    initiator: ActionInitiator,
+    auth: ActionAuth.nullable(),
+    side_effects: ActionSideEffects,
+    input: z.custom((v) => v instanceof z.ZodType),
+    output: z.custom((v) => v instanceof z.ZodType),
+    async: z.boolean(),
+    description: z.string(),
+});
+export const RequestResponseActionSpec = ActionSpec.extend({
+    kind: z.literal('request_response').default('request_response'),
+    auth: ActionAuth,
+    async: z.literal(true).default(true),
+});
+export const RemoteNotificationActionSpec = ActionSpec.extend({
+    kind: z.literal('remote_notification').default('remote_notification'),
+    auth: z.null().default(null),
+    side_effects: z.literal(true).nullable().default(true),
+    output: z.custom((v) => v instanceof z.ZodVoid),
+    async: z.literal(true).default(true),
+});
+/**
+ * Local calls can wrap synchronous or asynchronous actions,
+ * and are the escape hatch for remote APIs that do not support SAES.
+ */
+export const LocalCallActionSpec = ActionSpec.extend({
+    kind: z.literal('local_call').default('local_call'),
+    auth: z.null().default(null),
+});
+export const ActionSpecUnion = z.union([
+    RequestResponseActionSpec,
+    RemoteNotificationActionSpec,
+    LocalCallActionSpec,
+]);
+export const is_action_spec = (value) => value !== null &&
+    typeof value === 'object' &&
+    'method' in value &&
+    'kind' in value &&
+    ActionKind.options.includes(value.kind);
+export const ActionEventPhase = z.enum([
+    'send_request',
+    'receive_request',
+    'send_response',
+    'receive_response',
+    'send_error',
+    'receive_error',
+    'send',
+    'receive',
+    'execute',
+]);

package/dist/auth/account_queries.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Account and actor database queries.
+ *
+ * Provides CRUD operations for the account and actor tables.
+ * For v1, every account has exactly one actor (1:1).
+ *
+ * @module
+ */
+import type { QueryDeps } from '../db/query_deps.js';
+import { type Account, type Actor, type CreateAccountInput, type AdminAccountEntryJson } from './account_schema.js';
+/**
+ * Create a new account.
+ *
+ * @param deps - query dependencies
+ * @param input - the account fields
+ * @returns the created account
+ */
+export declare const query_create_account: (deps: QueryDeps, input: CreateAccountInput) => Promise<Account>;
+/**
+ * Find an account by id.
+ */
+export declare const query_account_by_id: (deps: QueryDeps, id: string) => Promise<Account | undefined>;
+/**
+ * Find an account by username (case-insensitive).
+ */
+export declare const query_account_by_username: (deps: QueryDeps, username: string) => Promise<Account | undefined>;
+/**
+ * Find an account by email (case-insensitive).
+ */
+export declare const query_account_by_email: (deps: QueryDeps, email: string) => Promise<Account | undefined>;
+/**
+ * Find an account by username or email.
+ *
+ * If the input contains `@`, tries email lookup first then username.
+ * Otherwise tries username first then email. This supports a single
+ * login field that accepts either format.
+ *
+ * @param deps - query dependencies
+ * @param input - username or email address
+ * @returns the matching account, or `undefined`
+ */
+export declare const query_account_by_username_or_email: (deps: QueryDeps, input: string) => Promise<Account | undefined>;
+/**
+ * Update the password hash for an account.
+ */
+export declare const query_update_account_password: (deps: QueryDeps, id: string, password_hash: string, updated_by: string | null) => Promise<void>;
+/**
+ * Delete an account. Cascades to actors, permits, sessions, and tokens.
+ */
+export declare const query_delete_account: (deps: QueryDeps, id: string) => Promise<boolean>;
+/**
+ * Check if any account exists.
+ */
+export declare const query_account_has_any: (deps: QueryDeps) => Promise<boolean>;
+/**
+ * Create a new actor for an account.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the owning account
+ * @param name - display name (defaults to account username)
+ * @returns the created actor
+ */
+export declare const query_create_actor: (deps: QueryDeps, account_id: string, name: string) => Promise<Actor>;
+/**
+ * Find the actor for an account.
+ *
+ * For v1, each account has exactly one actor.
+ */
+export declare const query_actor_by_account: (deps: QueryDeps, account_id: string) => Promise<Actor | undefined>;
+/**
+ * Find an actor by id.
+ */
+export declare const query_actor_by_id: (deps: QueryDeps, id: string) => Promise<Actor | undefined>;
+/**
+ * Create an account and its actor in a single operation.
+ *
+ * For v1, every account gets exactly one actor with the same name as the username.
+ *
+ * @param deps - query dependencies
+ * @param input - the account fields
+ * @returns the created account and actor
+ */
+export declare const query_create_account_with_actor: (deps: QueryDeps, input: CreateAccountInput) => Promise<{
+    account: Account;
+    actor: Actor;
+}>;
+/**
+ * List all accounts with their actors and active permits for admin display.
+ *
+ * Uses 3 flat queries instead of N+1 per-account loops.
+ *
+ * @param deps - query dependencies
+ * @returns admin account entries sorted by creation date
+ */
+export declare const query_admin_account_list: (deps: QueryDeps) => Promise<Array<AdminAccountEntryJson>>;
+//# sourceMappingURL=account_queries.d.ts.map

package/dist/auth/account_queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAEN,KAAK,OAAO,EACZ,KAAK,KAAK,EACV,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,GAAG,SAAS,CAE7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAS7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,EACV,eAAe,MAAM,EACrB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM,SAAS,EAAE,IAAI,MAAM,KAAG,OAAO,CAAC,OAAO,CAKvF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,OAAO,CAK5E,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,KAAK,CAMf,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAC,CAI1C,CAAC;AAYF;;;;;;;GAOG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CA4CtC,CAAC"}

package/dist/auth/account_queries.js

@@ -0,0 +1,172 @@
+/**
+ * Account and actor database queries.
+ *
+ * Provides CRUD operations for the account and actor tables.
+ * For v1, every account has exactly one actor (1:1).
+ *
+ * @module
+ */
+import { assert_row } from '../db/assert_row.js';
+import { to_admin_account, } from './account_schema.js';
+/**
+ * Create a new account.
+ *
+ * @param deps - query dependencies
+ * @param input - the account fields
+ * @returns the created account
+ */
+export const query_create_account = async (deps, input) => {
+    const row = await deps.db.query_one(`INSERT INTO account (username, password_hash, email)
+		 VALUES ($1, $2, $3)
+		 RETURNING *`, [input.username, input.password_hash, input.email ?? null]);
+    return assert_row(row, 'INSERT INTO account');
+};
+/**
+ * Find an account by id.
+ */
+export const query_account_by_id = async (deps, id) => {
+    return deps.db.query_one(`SELECT * FROM account WHERE id = $1`, [id]);
+};
+/**
+ * Find an account by username (case-insensitive).
+ */
+export const query_account_by_username = async (deps, username) => {
+    return deps.db.query_one(`SELECT * FROM account WHERE LOWER(username) = LOWER($1)`, [
+        username,
+    ]);
+};
+/**
+ * Find an account by email (case-insensitive).
+ */
+export const query_account_by_email = async (deps, email) => {
+    return deps.db.query_one(`SELECT * FROM account WHERE LOWER(email) = LOWER($1)`, [
+        email,
+    ]);
+};
+/**
+ * Find an account by username or email.
+ *
+ * If the input contains `@`, tries email lookup first then username.
+ * Otherwise tries username first then email. This supports a single
+ * login field that accepts either format.
+ *
+ * @param deps - query dependencies
+ * @param input - username or email address
+ * @returns the matching account, or `undefined`
+ */
+export const query_account_by_username_or_email = async (deps, input) => {
+    if (input.includes('@')) {
+        return ((await query_account_by_email(deps, input)) ?? (await query_account_by_username(deps, input)));
+    }
+    return ((await query_account_by_username(deps, input)) ?? (await query_account_by_email(deps, input)));
+};
+/**
+ * Update the password hash for an account.
+ */
+export const query_update_account_password = async (deps, id, password_hash, updated_by) => {
+    await deps.db.query(`UPDATE account SET password_hash = $1, updated_at = NOW(), updated_by = $2 WHERE id = $3`, [password_hash, updated_by ?? null, id]);
+};
+/**
+ * Delete an account. Cascades to actors, permits, sessions, and tokens.
+ */
+export const query_delete_account = async (deps, id) => {
+    const rows = await deps.db.query(`DELETE FROM account WHERE id = $1 RETURNING id`, [
+        id,
+    ]);
+    return rows.length > 0;
+};
+/**
+ * Check if any account exists.
+ */
+export const query_account_has_any = async (deps) => {
+    const row = await deps.db.query_one(`SELECT EXISTS(SELECT 1 FROM account) AS exists`);
+    return row?.exists ?? false;
+};
+/**
+ * Create a new actor for an account.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the owning account
+ * @param name - display name (defaults to account username)
+ * @returns the created actor
+ */
+export const query_create_actor = async (deps, account_id, name) => {
+    const row = await deps.db.query_one(`INSERT INTO actor (account_id, name) VALUES ($1, $2) RETURNING *`, [account_id, name]);
+    return assert_row(row, 'INSERT INTO actor');
+};
+/**
+ * Find the actor for an account.
+ *
+ * For v1, each account has exactly one actor.
+ */
+export const query_actor_by_account = async (deps, account_id) => {
+    return deps.db.query_one(`SELECT * FROM actor WHERE account_id = $1`, [account_id]);
+};
+/**
+ * Find an actor by id.
+ */
+export const query_actor_by_id = async (deps, id) => {
+    return deps.db.query_one(`SELECT * FROM actor WHERE id = $1`, [id]);
+};
+/**
+ * Create an account and its actor in a single operation.
+ *
+ * For v1, every account gets exactly one actor with the same name as the username.
+ *
+ * @param deps - query dependencies
+ * @param input - the account fields
+ * @returns the created account and actor
+ */
+export const query_create_account_with_actor = async (deps, input) => {
+    const account = await query_create_account(deps, input);
+    const actor = await query_create_actor(deps, account.id, input.username);
+    return { account, actor };
+};
+/**
+ * List all accounts with their actors and active permits for admin display.
+ *
+ * Uses 3 flat queries instead of N+1 per-account loops.
+ *
+ * @param deps - query dependencies
+ * @returns admin account entries sorted by creation date
+ */
+export const query_admin_account_list = async (deps) => {
+    const [accounts, actors, permits] = await Promise.all([
+        deps.db.query(`SELECT * FROM account ORDER BY created_at`),
+        deps.db.query(`SELECT * FROM actor`),
+        deps.db.query(`SELECT id, actor_id, role, created_at, expires_at, granted_by
+			 FROM permit
+			 WHERE revoked_at IS NULL
+			   AND (expires_at IS NULL OR expires_at > NOW())`),
+    ]);
+    // Index actors by account_id (1:1 in v1)
+    const actor_by_account = new Map();
+    for (const actor of actors) {
+        actor_by_account.set(actor.account_id, actor);
+    }
+    // Group permits by actor_id
+    const permits_by_actor = new Map();
+    for (const permit of permits) {
+        let list = permits_by_actor.get(permit.actor_id);
+        if (!list) {
+            list = [];
+            permits_by_actor.set(permit.actor_id, list);
+        }
+        list.push(permit);
+    }
+    return accounts.map((account) => {
+        const actor = actor_by_account.get(account.id);
+        const actor_permits = actor ? (permits_by_actor.get(actor.id) ?? []) : [];
+        return {
+            account: to_admin_account(account),
+            actor: actor ? { id: actor.id, name: actor.name } : null,
+            permits: actor_permits.map((p) => ({
+                id: p.id,
+                role: p.role,
+                created_at: p.created_at,
+                expires_at: p.expires_at,
+                granted_by: p.granted_by,
+            })),
+        };
+    });
+};