@fuzdev/fuz_app 0.1.0

package/dist/realtime/sse.js

@@ -0,0 +1,109 @@
+/**
+ * SSE (Server-Sent Events) streaming utilities for Hono.
+ *
+ * Provides generic helpers for creating SSE response streams
+ * and a notification type aligned with JSON-RPC 2.0.
+ *
+ * @module
+ */
+import { streamSSE } from 'hono/streaming';
+import { z } from 'zod';
+import { DEV } from 'esm-env';
+/**
+ * Create an SSE response for a Hono context.
+ *
+ * Wraps Hono's `streamSSE` to provide a `{response, stream}` API
+ * compatible with `SubscriberRegistry` push-based broadcasting.
+ * The callback suspends via a promise that resolves on client disconnect
+ * or explicit `close()`, keeping the stream alive for external sends.
+ *
+ * Uses `hono_stream.write()` directly (not `writeSSE`) to avoid
+ * Hono's HTML callback resolution — keeps the same `data: JSON\n\n` format.
+ *
+ * @param c - Hono context
+ * @returns object with response and stream controller
+ */
+export const create_sse_response = (c, log) => {
+    const { promise, resolve } = Promise.withResolvers();
+    const close_listeners = [];
+    let resolved = false;
+    const do_close = () => {
+        if (resolved)
+            return;
+        resolved = true;
+        resolve();
+        for (const fn of close_listeners) {
+            try {
+                fn();
+            }
+            catch (e) {
+                log.error('on_close listener threw:', e);
+            }
+        }
+    };
+    let sse_stream;
+    const response = streamSSE(c, async (hono_stream) => {
+        sse_stream = {
+            send(data) {
+                if (resolved || hono_stream.aborted)
+                    return;
+                try {
+                    // JSON.stringify (no space arg) never produces literal newlines,
+                    // so single-line `data:` framing is safe per the SSE spec.
+                    void hono_stream.write(`data: ${JSON.stringify(data)}\n\n`);
+                }
+                catch (e) {
+                    log.error('send failed to serialize data:', e);
+                }
+            },
+            comment(text) {
+                if (resolved || hono_stream.aborted)
+                    return;
+                void hono_stream.write(`: ${text}\n`);
+            },
+            close: do_close,
+            on_close(fn) {
+                close_listeners.push(fn);
+            },
+        };
+        hono_stream.onAbort(do_close);
+        // flush an SSE comment to push headers through proxies (Vite, nginx),
+        // ensuring EventSource fires onopen without waiting for the first data event
+        void hono_stream.write(SSE_CONNECTED_COMMENT);
+        await promise;
+    });
+    return { response, stream: sse_stream };
+};
+/** SSE comment sent on connect to flush headers through proxies. Exported for test assertions. */
+export const SSE_CONNECTED_COMMENT = `: connected\n\n`;
+/**
+ * Create a broadcaster that validates events in DEV mode.
+ *
+ * In DEV: warns on unknown methods and invalid params.
+ * In production: passes through with zero overhead.
+ *
+ * @param broadcaster - duck-typed broadcaster (e.g. `SubscriberRegistry`)
+ * @param event_specs - event specs to validate against
+ * @returns validated broadcaster wrapper (passthrough in production)
+ */
+export const create_validated_broadcaster = (broadcaster, event_specs, log) => {
+    if (!DEV) {
+        return broadcaster;
+    }
+    const spec_map = new Map(event_specs.map((s) => [s.method, s]));
+    return {
+        broadcast: (channel, data) => {
+            const spec = spec_map.get(data.method);
+            if (!spec) {
+                log.warn(`Unknown event method: '${data.method}'`);
+            }
+            else {
+                const result = spec.params.safeParse(data.params);
+                if (!result.success) {
+                    log.warn(`Params mismatch for '${data.method}':`, result.error.issues);
+                }
+            }
+            broadcaster.broadcast(channel, data);
+        },
+    };
+};

package/dist/realtime/sse_auth_guard.d.ts

@@ -0,0 +1,93 @@
+/**
+ * SSE auth guard and convenience factory for audit log SSE.
+ *
+ * `create_sse_auth_guard` bridges audit events to `SubscriberRegistry.close_by_identity()`,
+ * closing SSE streams when a subscriber's access is revoked (role revocation or
+ * session invalidation).
+ *
+ * `create_audit_log_sse` is a convenience factory that combines the registry,
+ * guard, and broadcaster — making the secure path the easy path for consumers.
+ *
+ * @module
+ */
+import type { Logger } from '@fuzdev/fuz_util/log.js';
+import { type AuditLogEvent } from '../auth/audit_log_schema.js';
+import { SubscriberRegistry } from './subscriber_registry.js';
+import type { SseStream, SseNotification, SseEventSpec } from './sse.js';
+/**
+ * Audit event types that trigger SSE stream disconnection.
+ *
+ * `permit_revoke` requires the revoked role to match the guard's `required_role`.
+ * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ */
+export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
+/**
+ * Create an audit event handler that closes SSE streams on auth changes.
+ *
+ * Closes streams when:
+ * - `permit_revoke` fires for the `required_role` targeting a connected subscriber
+ * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
+ * - `password_change` targets a connected subscriber (sessions revoked implicitly)
+ *
+ * The registry must use `account_id` as the identity key when subscribing
+ * (passed as the third argument to `registry.subscribe()`).
+ *
+ * @param registry - the subscriber registry to guard
+ * @param required_role - the role that grants access to the SSE endpoint
+ * @param log - logger for disconnect events
+ * @returns an `on_audit_event` callback
+ */
+export declare const create_sse_auth_guard: <T>(registry: SubscriberRegistry<T>, required_role: string, log: Logger) => ((event: AuditLogEvent) => void);
+/**
+ * Convenience factory result for audit log SSE.
+ *
+ * Satisfies `AuditLogRouteOptions['stream']` and provides the combined
+ * `on_audit_event` callback (broadcast + guard).
+ */
+export interface AuditLogSse {
+    /** Subscribe function — pass as part of `stream` option to `create_audit_log_route_specs`. */
+    subscribe: (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void;
+    /** Logger — pass as part of `stream` option to `create_audit_log_route_specs`. */
+    log: Logger;
+    /** Combined broadcast + guard callback. Pass as `on_audit_event` on `CreateAppBackendOptions`. */
+    on_audit_event: (event: AuditLogEvent) => void;
+    /** The underlying registry — exposed for subscriber count monitoring. */
+    registry: SubscriberRegistry<SseNotification>;
+}
+/**
+ * Create a complete audit log SSE setup with broadcasting and auth guard.
+ *
+ * Combines `SubscriberRegistry`, `create_sse_auth_guard`, and the broadcast
+ * call into a single object. The result satisfies `AuditLogRouteOptions['stream']`
+ * and provides the `on_audit_event` callback for `CreateAppBackendOptions`.
+ *
+ * @example
+ * ```ts
+ * const audit_sse = create_audit_log_sse({log});
+ *
+ * // In create_app_backend options:
+ * on_audit_event: audit_sse.on_audit_event,
+ *
+ * // In create_route_specs:
+ * create_audit_log_route_specs({stream: audit_sse});
+ *
+ * // In create_app_server options:
+ * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * ```
+ *
+ * @param options - factory options
+ * @returns audit log SSE setup (stream options + on_audit_event + registry)
+ */
+/**
+ * SSE event specs for audit log events.
+ *
+ * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
+ * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
+ */
+export declare const AUDIT_LOG_EVENT_SPECS: Array<SseEventSpec>;
+export declare const create_audit_log_sse: (options: {
+    /** Role required to access the SSE endpoint. Default `'admin'`. */
+    role?: string;
+    log: Logger;
+}) => AuditLogSse;
+//# sourceMappingURL=sse_auth_guard.d.ts.map

package/dist/realtime/sse_auth_guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAC,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,YAAY,EAAC,MAAM,UAAU,CAAC;AAEvE;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAIrD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAqBjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CACV,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAClC,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EACxB,QAAQ,CAAC,EAAE,MAAM,KACb,MAAM,IAAI,CAAC;IAChB,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,YAAY,CAOrD,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACZ,KAAG,WAcH,CAAC"}

package/dist/realtime/sse_auth_guard.js

@@ -0,0 +1,111 @@
+/**
+ * SSE auth guard and convenience factory for audit log SSE.
+ *
+ * `create_sse_auth_guard` bridges audit events to `SubscriberRegistry.close_by_identity()`,
+ * closing SSE streams when a subscriber's access is revoked (role revocation or
+ * session invalidation).
+ *
+ * `create_audit_log_sse` is a convenience factory that combines the registry,
+ * guard, and broadcaster — making the secure path the easy path for consumers.
+ *
+ * @module
+ */
+import { AUDIT_EVENT_TYPES, AuditLogEventJson, } from '../auth/audit_log_schema.js';
+import { SubscriberRegistry } from './subscriber_registry.js';
+/**
+ * Audit event types that trigger SSE stream disconnection.
+ *
+ * `permit_revoke` requires the revoked role to match the guard's `required_role`.
+ * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ */
+export const DISCONNECT_EVENT_TYPES = new Set([
+    'permit_revoke', // role revoked — user lost access
+    'session_revoke_all', // all sessions invalidated — user should be kicked
+    'password_change', // password changed — all sessions revoked implicitly
+]);
+/**
+ * Create an audit event handler that closes SSE streams on auth changes.
+ *
+ * Closes streams when:
+ * - `permit_revoke` fires for the `required_role` targeting a connected subscriber
+ * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
+ * - `password_change` targets a connected subscriber (sessions revoked implicitly)
+ *
+ * The registry must use `account_id` as the identity key when subscribing
+ * (passed as the third argument to `registry.subscribe()`).
+ *
+ * @param registry - the subscriber registry to guard
+ * @param required_role - the role that grants access to the SSE endpoint
+ * @param log - logger for disconnect events
+ * @returns an `on_audit_event` callback
+ */
+export const create_sse_auth_guard = (registry, required_role, log) => {
+    return (event) => {
+        if (!DISCONNECT_EVENT_TYPES.has(event.event_type))
+            return;
+        // permit_revoke requires matching the specific role
+        if (event.event_type === 'permit_revoke') {
+            if (event.metadata?.role !== required_role)
+                return;
+        }
+        // resolve the affected account — admin actions set target_account_id,
+        // self-service actions (password_change, own session_revoke_all) only set account_id
+        const target = event.target_account_id ?? event.account_id;
+        if (!target)
+            return;
+        const closed = registry.close_by_identity(target);
+        if (closed > 0) {
+            log.info(`SSE auth guard: closed ${closed} stream(s) for account ${target} (${event.event_type})`);
+        }
+    };
+};
+/**
+ * Create a complete audit log SSE setup with broadcasting and auth guard.
+ *
+ * Combines `SubscriberRegistry`, `create_sse_auth_guard`, and the broadcast
+ * call into a single object. The result satisfies `AuditLogRouteOptions['stream']`
+ * and provides the `on_audit_event` callback for `CreateAppBackendOptions`.
+ *
+ * @example
+ * ```ts
+ * const audit_sse = create_audit_log_sse({log});
+ *
+ * // In create_app_backend options:
+ * on_audit_event: audit_sse.on_audit_event,
+ *
+ * // In create_route_specs:
+ * create_audit_log_route_specs({stream: audit_sse});
+ *
+ * // In create_app_server options:
+ * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * ```
+ *
+ * @param options - factory options
+ * @returns audit log SSE setup (stream options + on_audit_event + registry)
+ */
+/**
+ * SSE event specs for audit log events.
+ *
+ * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
+ * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
+ */
+export const AUDIT_LOG_EVENT_SPECS = AUDIT_EVENT_TYPES.map((event_type) => ({
+    method: event_type,
+    params: AuditLogEventJson,
+    description: `Audit log: ${event_type.replaceAll('_', ' ')}`,
+    channel: 'audit_log',
+}));
+export const create_audit_log_sse = (options) => {
+    const role = options.role ?? 'admin';
+    const registry = new SubscriberRegistry();
+    const guard = create_sse_auth_guard(registry, role, options.log);
+    return {
+        subscribe: registry.subscribe.bind(registry),
+        log: options.log,
+        on_audit_event: (event) => {
+            registry.broadcast('audit_log', { method: event.event_type, params: event });
+            guard(event);
+        },
+        registry,
+    };
+};

package/dist/realtime/subscriber_registry.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Generic subscriber registry for broadcasting to SSE clients.
+ *
+ * Supports channel-based filtering — subscribers connect with optional
+ * channel filters, and broadcasts reach only matching subscribers.
+ * Optional identity keys enable force-closing subscribers by identity
+ * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * @module
+ */
+import type { SseStream } from './sse.js';
+export interface Subscriber<T> {
+    stream: SseStream<T>;
+    /** Channels this subscriber listens to. `null` means all channels. */
+    channels: Set<string> | null;
+    /** Optional identity key for targeted disconnection (e.g., account_id). */
+    identity: string | null;
+}
+/**
+ * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
+ *
+ * Subscribers connect with optional channel filters and an optional identity key.
+ * Broadcasts go to a specific channel and reach only matching subscribers.
+ * `close_by_identity` force-closes all subscribers with a given identity —
+ * use for auth revocation (close streams when a user's permissions change).
+ *
+ * @example
+ * ```ts
+ * const registry = new SubscriberRegistry<SseNotification>();
+ *
+ * // subscriber connects (from SSE endpoint)
+ * const unsubscribe = registry.subscribe(stream, ['runs']);
+ *
+ * // when a run changes
+ * registry.broadcast('runs', {method: 'run_created', params: {run}});
+ *
+ * // subscriber disconnects
+ * unsubscribe();
+ * ```
+ *
+ * @example
+ * ```ts
+ * // identity-keyed subscription for auth revocation
+ * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ *
+ * // when admin revokes the user's role — close their streams
+ * registry.close_by_identity(account_id);
+ * ```
+ */
+export declare class SubscriberRegistry<T> {
+    #private;
+    /** Number of active subscribers. */
+    get count(): number;
+    /**
+     * Add a subscriber.
+     *
+     * @param stream - SSE stream to send data to
+     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
+     * @param identity - optional identity key for targeted disconnection
+     * @returns unsubscribe function
+     */
+    subscribe(stream: SseStream<T>, channels?: Array<string>, identity?: string): () => void;
+    /**
+     * Broadcast data to all subscribers on a channel.
+     *
+     * Subscribers with no channel filter receive all broadcasts.
+     * Subscribers with a channel filter only receive matching broadcasts.
+     *
+     * @param channel - the channel to broadcast on
+     * @param data - the data to send
+     */
+    broadcast(channel: string, data: T): void;
+    /**
+     * Force-close all subscribers with the given identity.
+     *
+     * Closes each matching stream and removes the subscriber from the registry.
+     * Use for auth revocation — when a user's permissions change, close their
+     * SSE connections so they must reconnect and re-authenticate.
+     *
+     * @param identity - the identity key to match
+     * @returns the number of subscribers closed
+     */
+    close_by_identity(identity: string): number;
+}
+//# sourceMappingURL=subscriber_registry.d.ts.map

package/dist/realtime/subscriber_registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"subscriber_registry.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/subscriber_registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,UAAU,CAAC;AAExC,MAAM,WAAW,UAAU,CAAC,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACrB,sEAAsE;IACtE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7B,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,kBAAkB,CAAC,CAAC;;IAGhC,oCAAoC;IACpC,IAAI,KAAK,IAAI,MAAM,CAElB;IAED;;;;;;;OAOG;IACH,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,IAAI;IAYxF;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAQzC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAe3C"}

package/dist/realtime/subscriber_registry.js

@@ -0,0 +1,108 @@
+/**
+ * Generic subscriber registry for broadcasting to SSE clients.
+ *
+ * Supports channel-based filtering — subscribers connect with optional
+ * channel filters, and broadcasts reach only matching subscribers.
+ * Optional identity keys enable force-closing subscribers by identity
+ * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * @module
+ */
+/**
+ * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
+ *
+ * Subscribers connect with optional channel filters and an optional identity key.
+ * Broadcasts go to a specific channel and reach only matching subscribers.
+ * `close_by_identity` force-closes all subscribers with a given identity —
+ * use for auth revocation (close streams when a user's permissions change).
+ *
+ * @example
+ * ```ts
+ * const registry = new SubscriberRegistry<SseNotification>();
+ *
+ * // subscriber connects (from SSE endpoint)
+ * const unsubscribe = registry.subscribe(stream, ['runs']);
+ *
+ * // when a run changes
+ * registry.broadcast('runs', {method: 'run_created', params: {run}});
+ *
+ * // subscriber disconnects
+ * unsubscribe();
+ * ```
+ *
+ * @example
+ * ```ts
+ * // identity-keyed subscription for auth revocation
+ * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ *
+ * // when admin revokes the user's role — close their streams
+ * registry.close_by_identity(account_id);
+ * ```
+ */
+export class SubscriberRegistry {
+    #subscribers = new Set();
+    /** Number of active subscribers. */
+    get count() {
+        return this.#subscribers.size;
+    }
+    /**
+     * Add a subscriber.
+     *
+     * @param stream - SSE stream to send data to
+     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
+     * @param identity - optional identity key for targeted disconnection
+     * @returns unsubscribe function
+     */
+    subscribe(stream, channels, identity) {
+        const subscriber = {
+            stream,
+            channels: channels && channels.length > 0 ? new Set(channels) : null,
+            identity: identity ?? null,
+        };
+        this.#subscribers.add(subscriber);
+        return () => {
+            this.#subscribers.delete(subscriber);
+        };
+    }
+    /**
+     * Broadcast data to all subscribers on a channel.
+     *
+     * Subscribers with no channel filter receive all broadcasts.
+     * Subscribers with a channel filter only receive matching broadcasts.
+     *
+     * @param channel - the channel to broadcast on
+     * @param data - the data to send
+     */
+    broadcast(channel, data) {
+        for (const subscriber of this.#subscribers) {
+            if (subscriber.channels === null || subscriber.channels.has(channel)) {
+                subscriber.stream.send(data);
+            }
+        }
+    }
+    /**
+     * Force-close all subscribers with the given identity.
+     *
+     * Closes each matching stream and removes the subscriber from the registry.
+     * Use for auth revocation — when a user's permissions change, close their
+     * SSE connections so they must reconnect and re-authenticate.
+     *
+     * @param identity - the identity key to match
+     * @returns the number of subscribers closed
+     */
+    close_by_identity(identity) {
+        // collect first, then close — avoids mutating the Set during iteration
+        // (stream.close() fires on_close listeners which may call unsubscribe)
+        const to_close = [];
+        for (const subscriber of this.#subscribers) {
+            if (subscriber.identity === identity) {
+                to_close.push(subscriber);
+            }
+        }
+        for (const subscriber of to_close) {
+            subscriber.stream.close();
+            this.#subscribers.delete(subscriber);
+        }
+        return to_close.length;
+    }
+}

package/dist/runtime/deno.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Deno implementation of `RuntimeDeps`.
+ *
+ * Provides `create_deno_runtime(args)` — a factory returning a `RuntimeDeps`
+ * backed by Deno APIs. Only imported by Deno entry points (compiled binaries
+ * for tx, zzz, etc.).
+ *
+ * @module
+ */
+import type { RuntimeDeps } from './deps.js';
+/**
+ * Create a runtime backed by Deno APIs.
+ *
+ * Returns an object satisfying all `*Deps` interfaces from `deps.ts`.
+ * Pass to shared functions that accept `EnvDeps`, `FsReadDeps`, etc.
+ *
+ * @param args - CLI arguments (typically `Deno.args`)
+ * @returns runtime implementation using Deno APIs
+ */
+export declare const create_deno_runtime: (args: ReadonlyArray<string>) => RuntimeDeps;
+//# sourceMappingURL=deno.d.ts.map

package/dist/runtime/deno.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deno.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/runtime/deno.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,WAAW,EAA4B,MAAM,WAAW,CAAC;AAoCtE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAAI,MAAM,aAAa,CAAC,MAAM,CAAC,KAAG,WAmEhE,CAAC"}

package/dist/runtime/deno.js

@@ -0,0 +1,83 @@
+/**
+ * Deno implementation of `RuntimeDeps`.
+ *
+ * Provides `create_deno_runtime(args)` — a factory returning a `RuntimeDeps`
+ * backed by Deno APIs. Only imported by Deno entry points (compiled binaries
+ * for tx, zzz, etc.).
+ *
+ * @module
+ */
+/**
+ * Create a runtime backed by Deno APIs.
+ *
+ * Returns an object satisfying all `*Deps` interfaces from `deps.ts`.
+ * Pass to shared functions that accept `EnvDeps`, `FsReadDeps`, etc.
+ *
+ * @param args - CLI arguments (typically `Deno.args`)
+ * @returns runtime implementation using Deno APIs
+ */
+export const create_deno_runtime = (args) => ({
+    // === Environment ===
+    env_get: (name) => Deno.env.get(name),
+    env_set: (name, value) => Deno.env.set(name, value),
+    env_all: () => Deno.env.toObject(),
+    // === Process ===
+    args,
+    cwd: () => Deno.cwd(),
+    exit: (code) => Deno.exit(code),
+    // === Local File System ===
+    stat: async (path) => {
+        try {
+            const s = await Deno.stat(path);
+            return { is_file: s.isFile, is_directory: s.isDirectory };
+        }
+        catch {
+            return null;
+        }
+    },
+    mkdir: (path, options) => Deno.mkdir(path, options),
+    read_file: (path) => Deno.readTextFile(path),
+    write_file: (path, content) => Deno.writeTextFile(path, content),
+    rename: (old_path, new_path) => Deno.rename(old_path, new_path),
+    remove: (path, options) => Deno.remove(path, options),
+    // === Local Commands ===
+    run_command: async (cmd, args) => {
+        try {
+            const proc = new Deno.Command(cmd, {
+                args,
+                stdout: 'piped',
+                stderr: 'piped',
+            });
+            const result = await proc.output();
+            return {
+                success: result.code === 0,
+                code: result.code,
+                stdout: new TextDecoder().decode(result.stdout),
+                stderr: new TextDecoder().decode(result.stderr),
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                success: false,
+                code: 1,
+                stdout: '',
+                stderr: `Failed to execute command: ${message}`,
+            };
+        }
+    },
+    run_command_inherit: async (cmd, args) => {
+        const proc = new Deno.Command(cmd, {
+            args,
+            stdout: 'inherit',
+            stderr: 'inherit',
+        });
+        const result = await proc.output();
+        return result.code;
+    },
+    // === Terminal I/O ===
+    stdout_write: (data) => Deno.stdout.write(data),
+    stdin_read: (buffer) => Deno.stdin.read(buffer),
+    // === Logging ===
+    warn: (...args) => console.warn(...args),
+});