npm - @fuzdev/fuz_app - Versions diffs - 0.1.0 - Mend

@fuzdev/fuz_app 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (457) hide show

package/LICENSE +21 -0
package/README.md +49 -0
package/dist/actions/action_bridge.d.ts +65 -0
package/dist/actions/action_bridge.d.ts.map +1 -0
package/dist/actions/action_bridge.js +76 -0
package/dist/actions/action_codegen.d.ts +97 -0
package/dist/actions/action_codegen.d.ts.map +1 -0
package/dist/actions/action_codegen.js +280 -0
package/dist/actions/action_registry.d.ts +35 -0
package/dist/actions/action_registry.d.ts.map +1 -0
package/dist/actions/action_registry.js +83 -0
package/dist/actions/action_spec.d.ts +169 -0
package/dist/actions/action_spec.d.ts.map +1 -0
package/dist/actions/action_spec.js +76 -0
package/dist/auth/account_queries.d.ts +96 -0
package/dist/auth/account_queries.d.ts.map +1 -0
package/dist/auth/account_queries.js +172 -0
package/dist/auth/account_routes.d.ts +86 -0
package/dist/auth/account_routes.d.ts.map +1 -0
package/dist/auth/account_routes.js +406 -0
package/dist/auth/account_schema.d.ts +192 -0
package/dist/auth/account_schema.d.ts.map +1 -0
package/dist/auth/account_schema.js +105 -0
package/dist/auth/admin_routes.d.ts +29 -0
package/dist/auth/admin_routes.d.ts.map +1 -0
package/dist/auth/admin_routes.js +193 -0
package/dist/auth/api_token.d.ts +33 -0
package/dist/auth/api_token.d.ts.map +1 -0
package/dist/auth/api_token.js +36 -0
package/dist/auth/api_token_queries.d.ts +80 -0
package/dist/auth/api_token_queries.d.ts.map +1 -0
package/dist/auth/api_token_queries.js +116 -0
package/dist/auth/app_settings_queries.d.ts +33 -0
package/dist/auth/app_settings_queries.d.ts.map +1 -0
package/dist/auth/app_settings_queries.js +51 -0
package/dist/auth/app_settings_routes.d.ts +27 -0
package/dist/auth/app_settings_routes.d.ts.map +1 -0
package/dist/auth/app_settings_routes.js +66 -0
package/dist/auth/app_settings_schema.d.ts +35 -0
package/dist/auth/app_settings_schema.d.ts.map +1 -0
package/dist/auth/app_settings_schema.js +22 -0
package/dist/auth/audit_log_queries.d.ts +90 -0
package/dist/auth/audit_log_queries.d.ts.map +1 -0
package/dist/auth/audit_log_queries.js +205 -0
package/dist/auth/audit_log_routes.d.ts +33 -0
package/dist/auth/audit_log_routes.d.ts.map +1 -0
package/dist/auth/audit_log_routes.js +106 -0
package/dist/auth/audit_log_schema.d.ts +259 -0
package/dist/auth/audit_log_schema.d.ts.map +1 -0
package/dist/auth/audit_log_schema.js +123 -0
package/dist/auth/bearer_auth.d.ts +32 -0
package/dist/auth/bearer_auth.d.ts.map +1 -0
package/dist/auth/bearer_auth.js +90 -0
package/dist/auth/bootstrap_account.d.ts +82 -0
package/dist/auth/bootstrap_account.d.ts.map +1 -0
package/dist/auth/bootstrap_account.js +97 -0
package/dist/auth/bootstrap_routes.d.ts +74 -0
package/dist/auth/bootstrap_routes.d.ts.map +1 -0
package/dist/auth/bootstrap_routes.js +154 -0
package/dist/auth/daemon_token.d.ts +49 -0
package/dist/auth/daemon_token.d.ts.map +1 -0
package/dist/auth/daemon_token.js +49 -0
package/dist/auth/daemon_token_middleware.d.ts +93 -0
package/dist/auth/daemon_token_middleware.d.ts.map +1 -0
package/dist/auth/daemon_token_middleware.js +167 -0
package/dist/auth/ddl.d.ts +27 -0
package/dist/auth/ddl.d.ts.map +1 -0
package/dist/auth/ddl.js +111 -0
package/dist/auth/deps.d.ts +52 -0
package/dist/auth/deps.d.ts.map +1 -0
package/dist/auth/deps.js +10 -0
package/dist/auth/invite_queries.d.ts +68 -0
package/dist/auth/invite_queries.d.ts.map +1 -0
package/dist/auth/invite_queries.js +105 -0
package/dist/auth/invite_routes.d.ts +18 -0
package/dist/auth/invite_routes.d.ts.map +1 -0
package/dist/auth/invite_routes.js +129 -0
package/dist/auth/invite_schema.d.ts +51 -0
package/dist/auth/invite_schema.d.ts.map +1 -0
package/dist/auth/invite_schema.js +25 -0
package/dist/auth/keyring.d.ts +87 -0
package/dist/auth/keyring.d.ts.map +1 -0
package/dist/auth/keyring.js +142 -0
package/dist/auth/middleware.d.ts +40 -0
package/dist/auth/middleware.d.ts.map +1 -0
package/dist/auth/middleware.js +64 -0
package/dist/auth/migrations.d.ts +42 -0
package/dist/auth/migrations.d.ts.map +1 -0
package/dist/auth/migrations.js +79 -0
package/dist/auth/password.d.ts +39 -0
package/dist/auth/password.d.ts.map +1 -0
package/dist/auth/password.js +25 -0
package/dist/auth/password_argon2.d.ts +43 -0
package/dist/auth/password_argon2.d.ts.map +1 -0
package/dist/auth/password_argon2.js +76 -0
package/dist/auth/permit_queries.d.ts +72 -0
package/dist/auth/permit_queries.d.ts.map +1 -0
package/dist/auth/permit_queries.js +116 -0
package/dist/auth/request_context.d.ts +114 -0
package/dist/auth/request_context.d.ts.map +1 -0
package/dist/auth/request_context.js +176 -0
package/dist/auth/require_keeper.d.ts +20 -0
package/dist/auth/require_keeper.d.ts.map +1 -0
package/dist/auth/require_keeper.js +35 -0
package/dist/auth/role_schema.d.ts +69 -0
package/dist/auth/role_schema.d.ts.map +1 -0
package/dist/auth/role_schema.js +70 -0
package/dist/auth/route_guards.d.ts +21 -0
package/dist/auth/route_guards.d.ts.map +1 -0
package/dist/auth/route_guards.js +32 -0
package/dist/auth/session_cookie.d.ts +158 -0
package/dist/auth/session_cookie.d.ts.map +1 -0
package/dist/auth/session_cookie.js +135 -0
package/dist/auth/session_lifecycle.d.ts +35 -0
package/dist/auth/session_lifecycle.d.ts.map +1 -0
package/dist/auth/session_lifecycle.js +27 -0
package/dist/auth/session_middleware.d.ts +33 -0
package/dist/auth/session_middleware.d.ts.map +1 -0
package/dist/auth/session_middleware.js +62 -0
package/dist/auth/session_queries.d.ts +135 -0
package/dist/auth/session_queries.d.ts.map +1 -0
package/dist/auth/session_queries.js +186 -0
package/dist/auth/signup_routes.d.ts +32 -0
package/dist/auth/signup_routes.d.ts.map +1 -0
package/dist/auth/signup_routes.js +150 -0
package/dist/cli/args.d.ts +48 -0
package/dist/cli/args.d.ts.map +1 -0
package/dist/cli/args.js +76 -0
package/dist/cli/config.d.ts +48 -0
package/dist/cli/config.d.ts.map +1 -0
package/dist/cli/config.js +77 -0
package/dist/cli/daemon.d.ts +82 -0
package/dist/cli/daemon.d.ts.map +1 -0
package/dist/cli/daemon.js +149 -0
package/dist/cli/help.d.ts +85 -0
package/dist/cli/help.d.ts.map +1 -0
package/dist/cli/help.js +138 -0
package/dist/cli/logger.d.ts +46 -0
package/dist/cli/logger.d.ts.map +1 -0
package/dist/cli/logger.js +48 -0
package/dist/cli/util.d.ts +36 -0
package/dist/cli/util.d.ts.map +1 -0
package/dist/cli/util.js +50 -0
package/dist/crypto.d.ts +13 -0
package/dist/crypto.d.ts.map +1 -0
package/dist/crypto.js +19 -0
package/dist/db/assert_row.d.ts +18 -0
package/dist/db/assert_row.d.ts.map +1 -0
package/dist/db/assert_row.js +24 -0
package/dist/db/create_db.d.ts +38 -0
package/dist/db/create_db.d.ts.map +1 -0
package/dist/db/create_db.js +57 -0
package/dist/db/db.d.ts +97 -0
package/dist/db/db.d.ts.map +1 -0
package/dist/db/db.js +76 -0
package/dist/db/db_pg.d.ts +21 -0
package/dist/db/db_pg.d.ts.map +1 -0
package/dist/db/db_pg.js +45 -0
package/dist/db/db_pglite.d.ts +21 -0
package/dist/db/db_pglite.d.ts.map +1 -0
package/dist/db/db_pglite.js +28 -0
package/dist/db/migrate.d.ts +67 -0
package/dist/db/migrate.d.ts.map +1 -0
package/dist/db/migrate.js +118 -0
package/dist/db/pg_error.d.ts +16 -0
package/dist/db/pg_error.d.ts.map +1 -0
package/dist/db/pg_error.js +15 -0
package/dist/db/query_deps.d.ts +14 -0
package/dist/db/query_deps.d.ts.map +1 -0
package/dist/db/query_deps.js +9 -0
package/dist/db/sql_identifier.d.ts +27 -0
package/dist/db/sql_identifier.d.ts.map +1 -0
package/dist/db/sql_identifier.js +31 -0
package/dist/db/status.d.ts +62 -0
package/dist/db/status.d.ts.map +1 -0
package/dist/db/status.js +116 -0
package/dist/dev/setup.d.ts +159 -0
package/dist/dev/setup.d.ts.map +1 -0
package/dist/dev/setup.js +265 -0
package/dist/env/dotenv.d.ts +25 -0
package/dist/env/dotenv.d.ts.map +1 -0
package/dist/env/dotenv.js +52 -0
package/dist/env/load.d.ts +52 -0
package/dist/env/load.d.ts.map +1 -0
package/dist/env/load.js +79 -0
package/dist/env/mask.d.ts +19 -0
package/dist/env/mask.d.ts.map +1 -0
package/dist/env/mask.js +26 -0
package/dist/env/resolve.d.ts +126 -0
package/dist/env/resolve.d.ts.map +1 -0
package/dist/env/resolve.js +200 -0
package/dist/hono_context.d.ts +48 -0
package/dist/hono_context.d.ts.map +1 -0
package/dist/hono_context.js +22 -0
package/dist/http/common_routes.d.ts +52 -0
package/dist/http/common_routes.d.ts.map +1 -0
package/dist/http/common_routes.js +65 -0
package/dist/http/db_routes.d.ts +57 -0
package/dist/http/db_routes.d.ts.map +1 -0
package/dist/http/db_routes.js +176 -0
package/dist/http/error_schemas.d.ts +169 -0
package/dist/http/error_schemas.d.ts.map +1 -0
package/dist/http/error_schemas.js +178 -0
package/dist/http/middleware_spec.d.ts +19 -0
package/dist/http/middleware_spec.d.ts.map +1 -0
package/dist/http/middleware_spec.js +9 -0
package/dist/http/origin.d.ts +57 -0
package/dist/http/origin.d.ts.map +1 -0
package/dist/http/origin.js +207 -0
package/dist/http/proxy.d.ts +112 -0
package/dist/http/proxy.d.ts.map +1 -0
package/dist/http/proxy.js +240 -0
package/dist/http/route_spec.d.ts +197 -0
package/dist/http/route_spec.d.ts.map +1 -0
package/dist/http/route_spec.js +243 -0
package/dist/http/schema_helpers.d.ts +64 -0
package/dist/http/schema_helpers.d.ts.map +1 -0
package/dist/http/schema_helpers.js +90 -0
package/dist/http/surface.d.ts +132 -0
package/dist/http/surface.d.ts.map +1 -0
package/dist/http/surface.js +156 -0
package/dist/http/surface_query.d.ts +77 -0
package/dist/http/surface_query.d.ts.map +1 -0
package/dist/http/surface_query.js +86 -0
package/dist/rate_limiter.d.ts +94 -0
package/dist/rate_limiter.d.ts.map +1 -0
package/dist/rate_limiter.js +156 -0
package/dist/realtime/sse.d.ts +80 -0
package/dist/realtime/sse.d.ts.map +1 -0
package/dist/realtime/sse.js +109 -0
package/dist/realtime/sse_auth_guard.d.ts +93 -0
package/dist/realtime/sse_auth_guard.d.ts.map +1 -0
package/dist/realtime/sse_auth_guard.js +111 -0
package/dist/realtime/subscriber_registry.d.ts +85 -0
package/dist/realtime/subscriber_registry.d.ts.map +1 -0
package/dist/realtime/subscriber_registry.js +108 -0
package/dist/runtime/deno.d.ts +21 -0
package/dist/runtime/deno.d.ts.map +1 -0
package/dist/runtime/deno.js +83 -0
package/dist/runtime/deps.d.ts +113 -0
package/dist/runtime/deps.d.ts.map +1 -0
package/dist/runtime/deps.js +10 -0
package/dist/runtime/fs.d.ts +15 -0
package/dist/runtime/fs.d.ts.map +1 -0
package/dist/runtime/fs.js +17 -0
package/dist/runtime/mock.d.ts +81 -0
package/dist/runtime/mock.d.ts.map +1 -0
package/dist/runtime/mock.js +195 -0
package/dist/runtime/node.d.ts +17 -0
package/dist/runtime/node.d.ts.map +1 -0
package/dist/runtime/node.js +117 -0
package/dist/schema_meta.d.ts +16 -0
package/dist/schema_meta.d.ts.map +1 -0
package/dist/schema_meta.js +9 -0
package/dist/sensitivity.d.ts +15 -0
package/dist/sensitivity.d.ts.map +1 -0
package/dist/sensitivity.js +9 -0
package/dist/server/app_backend.d.ts +74 -0
package/dist/server/app_backend.d.ts.map +1 -0
package/dist/server/app_backend.js +39 -0
package/dist/server/app_server.d.ts +201 -0
package/dist/server/app_server.d.ts.map +1 -0
package/dist/server/app_server.js +266 -0
package/dist/server/env.d.ts +68 -0
package/dist/server/env.d.ts.map +1 -0
package/dist/server/env.js +95 -0
package/dist/server/startup.d.ts +22 -0
package/dist/server/startup.d.ts.map +1 -0
package/dist/server/startup.js +48 -0
package/dist/server/static.d.ts +39 -0
package/dist/server/static.d.ts.map +1 -0
package/dist/server/static.js +38 -0
package/dist/server/validate_nginx.d.ts +34 -0
package/dist/server/validate_nginx.d.ts.map +1 -0
package/dist/server/validate_nginx.js +118 -0
package/dist/testing/CLAUDE.md +3 -0
package/dist/testing/admin_integration.d.ts +45 -0
package/dist/testing/admin_integration.d.ts.map +1 -0
package/dist/testing/admin_integration.js +840 -0
package/dist/testing/adversarial_404.d.ts +15 -0
package/dist/testing/adversarial_404.d.ts.map +1 -0
package/dist/testing/adversarial_404.js +118 -0
package/dist/testing/adversarial_headers.d.ts +36 -0
package/dist/testing/adversarial_headers.d.ts.map +1 -0
package/dist/testing/adversarial_headers.js +128 -0
package/dist/testing/adversarial_input.d.ts +56 -0
package/dist/testing/adversarial_input.d.ts.map +1 -0
package/dist/testing/adversarial_input.js +494 -0
package/dist/testing/app_server.d.ts +169 -0
package/dist/testing/app_server.d.ts.map +1 -0
package/dist/testing/app_server.js +240 -0
package/dist/testing/assert_dev_env.d.ts +10 -0
package/dist/testing/assert_dev_env.d.ts.map +1 -0
package/dist/testing/assert_dev_env.js +13 -0
package/dist/testing/assertions.d.ts +61 -0
package/dist/testing/assertions.d.ts.map +1 -0
package/dist/testing/assertions.js +96 -0
package/dist/testing/attack_surface.d.ts +63 -0
package/dist/testing/attack_surface.d.ts.map +1 -0
package/dist/testing/attack_surface.js +224 -0
package/dist/testing/audit_completeness.d.ts +29 -0
package/dist/testing/audit_completeness.d.ts.map +1 -0
package/dist/testing/audit_completeness.js +410 -0
package/dist/testing/auth_apps.d.ts +55 -0
package/dist/testing/auth_apps.d.ts.map +1 -0
package/dist/testing/auth_apps.js +122 -0
package/dist/testing/data_exposure.d.ts +62 -0
package/dist/testing/data_exposure.d.ts.map +1 -0
package/dist/testing/data_exposure.js +297 -0
package/dist/testing/db.d.ts +111 -0
package/dist/testing/db.d.ts.map +1 -0
package/dist/testing/db.js +258 -0
package/dist/testing/entities.d.ts +21 -0
package/dist/testing/entities.d.ts.map +1 -0
package/dist/testing/entities.js +42 -0
package/dist/testing/error_coverage.d.ts +78 -0
package/dist/testing/error_coverage.d.ts.map +1 -0
package/dist/testing/error_coverage.js +135 -0
package/dist/testing/integration.d.ts +37 -0
package/dist/testing/integration.d.ts.map +1 -0
package/dist/testing/integration.js +1139 -0
package/dist/testing/integration_helpers.d.ts +107 -0
package/dist/testing/integration_helpers.d.ts.map +1 -0
package/dist/testing/integration_helpers.js +246 -0
package/dist/testing/middleware.d.ts +125 -0
package/dist/testing/middleware.d.ts.map +1 -0
package/dist/testing/middleware.js +210 -0
package/dist/testing/rate_limiting.d.ts +43 -0
package/dist/testing/rate_limiting.d.ts.map +1 -0
package/dist/testing/rate_limiting.js +216 -0
package/dist/testing/round_trip.d.ts +37 -0
package/dist/testing/round_trip.d.ts.map +1 -0
package/dist/testing/round_trip.js +128 -0
package/dist/testing/schema_generators.d.ts +33 -0
package/dist/testing/schema_generators.d.ts.map +1 -0
package/dist/testing/schema_generators.js +137 -0
package/dist/testing/standard.d.ts +49 -0
package/dist/testing/standard.d.ts.map +1 -0
package/dist/testing/standard.js +16 -0
package/dist/testing/stubs.d.ts +96 -0
package/dist/testing/stubs.d.ts.map +1 -0
package/dist/testing/stubs.js +192 -0
package/dist/testing/surface_invariants.d.ts +189 -0
package/dist/testing/surface_invariants.d.ts.map +1 -0
package/dist/testing/surface_invariants.js +450 -0
package/dist/ui/AccountSessions.svelte +75 -0
package/dist/ui/AccountSessions.svelte.d.ts +19 -0
package/dist/ui/AccountSessions.svelte.d.ts.map +1 -0
package/dist/ui/AdminAccounts.svelte +107 -0
package/dist/ui/AdminAccounts.svelte.d.ts +19 -0
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -0
package/dist/ui/AdminAuditLog.svelte +144 -0
package/dist/ui/AdminAuditLog.svelte.d.ts +4 -0
package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -0
package/dist/ui/AdminInvites.svelte +142 -0
package/dist/ui/AdminInvites.svelte.d.ts +4 -0
package/dist/ui/AdminInvites.svelte.d.ts.map +1 -0
package/dist/ui/AdminOverview.svelte +337 -0
package/dist/ui/AdminOverview.svelte.d.ts +4 -0
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -0
package/dist/ui/AdminPermitHistory.svelte +61 -0
package/dist/ui/AdminPermitHistory.svelte.d.ts +19 -0
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -0
package/dist/ui/AdminSessions.svelte +85 -0
package/dist/ui/AdminSessions.svelte.d.ts +19 -0
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -0
package/dist/ui/AdminSettings.svelte +32 -0
package/dist/ui/AdminSettings.svelte.d.ts +19 -0
package/dist/ui/AdminSettings.svelte.d.ts.map +1 -0
package/dist/ui/AdminSurface.svelte +42 -0
package/dist/ui/AdminSurface.svelte.d.ts +4 -0
package/dist/ui/AdminSurface.svelte.d.ts.map +1 -0
package/dist/ui/AppShell.svelte +93 -0
package/dist/ui/AppShell.svelte.d.ts +20 -0
package/dist/ui/AppShell.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +105 -0
package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -0
package/dist/ui/ColumnLayout.svelte +46 -0
package/dist/ui/ColumnLayout.svelte.d.ts +11 -0
package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -0
package/dist/ui/ConfirmButton.svelte +125 -0
package/dist/ui/ConfirmButton.svelte.d.ts +54 -0
package/dist/ui/ConfirmButton.svelte.d.ts.map +1 -0
package/dist/ui/Datatable.svelte +185 -0
package/dist/ui/Datatable.svelte.d.ts +35 -0
package/dist/ui/Datatable.svelte.d.ts.map +1 -0
package/dist/ui/LoginForm.svelte +82 -0
package/dist/ui/LoginForm.svelte.d.ts +8 -0
package/dist/ui/LoginForm.svelte.d.ts.map +1 -0
package/dist/ui/LogoutButton.svelte +36 -0
package/dist/ui/LogoutButton.svelte.d.ts +10 -0
package/dist/ui/LogoutButton.svelte.d.ts.map +1 -0
package/dist/ui/MenuLink.svelte +35 -0
package/dist/ui/MenuLink.svelte.d.ts +12 -0
package/dist/ui/MenuLink.svelte.d.ts.map +1 -0
package/dist/ui/OpenSignupToggle.svelte +36 -0
package/dist/ui/OpenSignupToggle.svelte.d.ts +19 -0
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -0
package/dist/ui/PopoverButton.svelte +136 -0
package/dist/ui/PopoverButton.svelte.d.ts +63 -0
package/dist/ui/PopoverButton.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +117 -0
package/dist/ui/SignupForm.svelte.d.ts +7 -0
package/dist/ui/SignupForm.svelte.d.ts.map +1 -0
package/dist/ui/SurfaceExplorer.svelte +287 -0
package/dist/ui/SurfaceExplorer.svelte.d.ts +8 -0
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.d.ts +15 -0
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.js +45 -0
package/dist/ui/admin_accounts_state.svelte.d.ts +19 -0
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_accounts_state.svelte.js +65 -0
package/dist/ui/admin_invites_state.svelte.d.ts +19 -0
package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_invites_state.svelte.js +71 -0
package/dist/ui/admin_sessions_state.svelte.d.ts +18 -0
package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_sessions_state.svelte.js +62 -0
package/dist/ui/app_settings_state.svelte.d.ts +14 -0
package/dist/ui/app_settings_state.svelte.d.ts.map +1 -0
package/dist/ui/app_settings_state.svelte.js +44 -0
package/dist/ui/audit_log_state.svelte.d.ts +40 -0
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -0
package/dist/ui/audit_log_state.svelte.js +153 -0
package/dist/ui/auth_state.svelte.d.ts +85 -0
package/dist/ui/auth_state.svelte.d.ts.map +1 -0
package/dist/ui/auth_state.svelte.js +238 -0
package/dist/ui/datatable.d.ts +25 -0
package/dist/ui/datatable.d.ts.map +1 -0
package/dist/ui/datatable.js +9 -0
package/dist/ui/enter_advance.d.ts +13 -0
package/dist/ui/enter_advance.d.ts.map +1 -0
package/dist/ui/enter_advance.js +30 -0
package/dist/ui/loadable.svelte.d.ts +55 -0
package/dist/ui/loadable.svelte.d.ts.map +1 -0
package/dist/ui/loadable.svelte.js +75 -0
package/dist/ui/popover.svelte.d.ts +137 -0
package/dist/ui/popover.svelte.d.ts.map +1 -0
package/dist/ui/popover.svelte.js +288 -0
package/dist/ui/position_helpers.d.ts +27 -0
package/dist/ui/position_helpers.d.ts.map +1 -0
package/dist/ui/position_helpers.js +81 -0
package/dist/ui/sidebar_state.svelte.d.ts +30 -0
package/dist/ui/sidebar_state.svelte.d.ts.map +1 -0
package/dist/ui/sidebar_state.svelte.js +39 -0
package/dist/ui/table_state.svelte.d.ts +63 -0
package/dist/ui/table_state.svelte.d.ts.map +1 -0
package/dist/ui/table_state.svelte.js +117 -0
package/dist/ui/ui_fetch.d.ts +29 -0
package/dist/ui/ui_fetch.d.ts.map +1 -0
package/dist/ui/ui_fetch.js +37 -0
package/dist/ui/ui_format.d.ts +63 -0
package/dist/ui/ui_format.d.ts.map +1 -0
package/dist/ui/ui_format.js +196 -0
package/package.json +121 -0

package/dist/auth/account_routes.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * Account route specs for cookie-based session management.
+ *
+ * Returns `RouteSpec[]` — caller applies them to Hono via `apply_route_specs`.
+ *
+ * Provides:
+ * - `POST /login` — Exchange username + password for signed session cookie
+ * - `POST /logout` — Clear session cookie and revoke auth session
+ * - `GET /verify` — Check if current session is valid
+ * - `GET /sessions` — List auth sessions for current account
+ * - `POST /sessions/:id/revoke` — Revoke a single auth session (account-scoped)
+ * - `POST /sessions/revoke-all` — Revoke all auth sessions for current account
+ * - `POST /tokens/create` — Create an API token
+ * - `GET /tokens` — List API tokens for current account
+ * - `POST /tokens/:id/revoke` — Revoke an API token (account-scoped)
+ * - `POST /password` — Change password (revokes all sessions and API tokens)
+ *
+ * Signup is separate — see `signup_routes.ts` for invite-gated account creation.
+ * Defaults are closed/safe: accounts are created through bootstrap, admin action, or invite.
+ *
+ * @module
+ */
+import type { SessionOptions } from './session_cookie.js';
+import { type RouteSpec } from '../http/route_spec.js';
+import { type RateLimiter } from '../rate_limiter.js';
+import type { RouteFactoryDeps } from './deps.js';
+/**
+ * Create the account status route spec.
+ *
+ * Handles both authenticated and unauthenticated requests:
+ * - Authenticated: returns `{account}` with 200
+ * - Unauthenticated: returns 401 with optional `bootstrap_available` flag
+ *
+ * This eliminates the need for a separate `/health` fetch on page load —
+ * the frontend gets both session state and bootstrap availability in one request.
+ *
+ * @param options - optional configuration (bootstrap_status for bootstrap detection)
+ * @returns a single account status route spec
+ */
+export declare const create_account_status_route_spec: (options?: AccountStatusOptions) => RouteSpec;
+/** Options for the account status route spec. */
+export interface AccountStatusOptions {
+    /** Override the default path (`/api/account/status`). */
+    path?: string;
+    /** Runtime bootstrap status — when available, 401 responses include `bootstrap_available`. */
+    bootstrap_status?: {
+        available: boolean;
+    };
+}
+/** Default maximum sessions per account. */
+export declare const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export declare const DEFAULT_MAX_TOKENS = 10;
+/**
+ * Shared options for route factories that create sessions and rate-limit by IP.
+ *
+ * Extended by `AccountRouteOptions` and `SignupRouteOptions`.
+ * Consumers can destructure these from `AppServerContext` once and spread into multiple factories.
+ */
+export interface AuthSessionRouteOptions {
+    session_options: SessionOptions<string>;
+    /** Rate limiter for auth attempts, keyed by client IP. Pass `null` to disable. */
+    ip_rate_limiter: RateLimiter | null;
+}
+/**
+ * Per-factory configuration for account route specs.
+ */
+export interface AccountRouteOptions extends AuthSessionRouteOptions {
+    /** Rate limiter for login attempts, keyed by submitted username. Pass `null` to disable. */
+    login_account_rate_limiter: RateLimiter | null;
+    /** Max active sessions per account. Evicts oldest on login. Default 5, `null` disables. */
+    max_sessions?: number | null;
+    /** Max API tokens per account. Evicts oldest on creation. Default 10, `null` disables. */
+    max_tokens?: number | null;
+}
+/**
+ * Create account route specs for session-based auth.
+ *
+ * All session/token revocation is account-scoped to prevent cross-account attacks.
+ *
+ * @param deps - stateless capabilities (keyring, password, log)
+ * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)
+ * @returns route specs (not yet applied to Hono)
+ */
+export declare const create_account_route_specs: (deps: RouteFactoryDeps, options: AccountRouteOptions) => Array<RouteSpec>;
+//# sourceMappingURL=account_routes.d.ts.map

package/dist/auth/account_routes.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA+BxD,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExF,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAGhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SA0BhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,0FAA0F;IAC1F,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAkYjB,CAAC"}

package/dist/auth/account_routes.js ADDED Viewed

@@ -0,0 +1,406 @@
+/**
+ * Account route specs for cookie-based session management.
+ *
+ * Returns `RouteSpec[]` — caller applies them to Hono via `apply_route_specs`.
+ *
+ * Provides:
+ * - `POST /login` — Exchange username + password for signed session cookie
+ * - `POST /logout` — Clear session cookie and revoke auth session
+ * - `GET /verify` — Check if current session is valid
+ * - `GET /sessions` — List auth sessions for current account
+ * - `POST /sessions/:id/revoke` — Revoke a single auth session (account-scoped)
+ * - `POST /sessions/revoke-all` — Revoke all auth sessions for current account
+ * - `POST /tokens/create` — Create an API token
+ * - `GET /tokens` — List API tokens for current account
+ * - `POST /tokens/:id/revoke` — Revoke an API token (account-scoped)
+ * - `POST /password` — Change password (revokes all sessions and API tokens)
+ *
+ * Signup is separate — see `signup_routes.ts` for invite-gated account creation.
+ * Defaults are closed/safe: accounts are created through bootstrap, admin action, or invite.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
+import { clear_session_cookie } from './session_middleware.js';
+import { create_session_and_set_cookie } from './session_lifecycle.js';
+import { to_session_account, SessionAccountJson, AuthSessionJson, ClientApiTokenJson, UsernameProvided, } from './account_schema.js';
+import { hash_session_token, query_session_revoke_by_hash, query_session_revoke_for_account, query_session_revoke_all_for_account, query_session_list_for_account, } from './session_queries.js';
+import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
+import { query_create_api_token, query_api_token_enforce_limit, query_api_token_list_for_account, query_revoke_api_token_for_account, query_revoke_all_api_tokens_for_account, } from './api_token_queries.js';
+import { audit_log_fire_and_forget } from './audit_log_queries.js';
+import { generate_api_token } from './api_token.js';
+import { get_request_context, require_request_context } from './request_context.js';
+import { get_route_input, get_route_params } from '../http/route_spec.js';
+import { get_client_ip } from '../http/proxy.js';
+import { rate_limit_exceeded_response } from '../rate_limiter.js';
+import { Password, PasswordProvided } from './password.js';
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS } from '../http/error_schemas.js';
+/**
+ * Create the account status route spec.
+ *
+ * Handles both authenticated and unauthenticated requests:
+ * - Authenticated: returns `{account}` with 200
+ * - Unauthenticated: returns 401 with optional `bootstrap_available` flag
+ *
+ * This eliminates the need for a separate `/health` fetch on page load —
+ * the frontend gets both session state and bootstrap availability in one request.
+ *
+ * @param options - optional configuration (bootstrap_status for bootstrap detection)
+ * @returns a single account status route spec
+ */
+export const create_account_status_route_spec = (options) => ({
+    method: 'GET',
+    path: options?.path ?? '/api/account/status',
+    auth: { type: 'none' },
+    description: 'Current account info (unauthenticated: 401 with bootstrap status)',
+    input: z.null(),
+    output: z.looseObject({ account: z.looseObject({}) }),
+    errors: {
+        401: z.looseObject({
+            error: z.literal(ERROR_AUTHENTICATION_REQUIRED),
+            bootstrap_available: z.boolean().optional(),
+        }),
+    },
+    handler: (c) => {
+        const ctx = get_request_context(c);
+        if (ctx) {
+            return c.json({ account: to_session_account(ctx.account), permits: ctx.permits });
+        }
+        return c.json({
+            error: ERROR_AUTHENTICATION_REQUIRED,
+            ...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
+        }, 401);
+    },
+});
+/** Default maximum sessions per account. */
+export const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export const DEFAULT_MAX_TOKENS = 10;
+/**
+ * Create account route specs for session-based auth.
+ *
+ * All session/token revocation is account-scoped to prevent cross-account attacks.
+ *
+ * @param deps - stateless capabilities (keyring, password, log)
+ * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)
+ * @returns route specs (not yet applied to Hono)
+ */
+export const create_account_route_specs = (deps, options) => {
+    const { keyring, password, on_audit_event } = deps;
+    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, max_tokens = DEFAULT_MAX_TOKENS, } = options;
+    return [
+        {
+            method: 'POST',
+            path: '/login',
+            auth: { type: 'none' },
+            description: 'Exchange credentials for session',
+            input: z.strictObject({
+                username: UsernameProvided,
+                password: PasswordProvided,
+            }),
+            output: z.strictObject({ ok: z.literal(true) }),
+            rate_limit: 'both',
+            errors: { 401: z.looseObject({ error: z.literal(ERROR_INVALID_CREDENTIALS) }) },
+            handler: async (c, route) => {
+                // Per-IP rate limit check (before any DB/password work)
+                const ip = ip_rate_limiter ? get_client_ip(c) : null;
+                if (ip_rate_limiter && ip) {
+                    const check = ip_rate_limiter.check(ip);
+                    if (!check.allowed) {
+                        return rate_limit_exceeded_response(c, check.retry_after);
+                    }
+                }
+                const { username: raw_username, password: pw } = get_route_input(c);
+                const username = raw_username.trim().toLowerCase();
+                // Per-account rate limit check (after input parsing, before DB work)
+                if (login_account_rate_limiter) {
+                    const check = login_account_rate_limiter.check(username);
+                    if (!check.allowed) {
+                        return rate_limit_exceeded_response(c, check.retry_after);
+                    }
+                }
+                const account = await query_account_by_username_or_email(route, username);
+                if (!account) {
+                    // enumeration prevention: verify_dummy equalizes timing, and both failure
+                    // paths return identical errors with identical rate limiting behavior
+                    await password.verify_dummy(pw);
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (login_account_rate_limiter)
+                        login_account_rate_limiter.record(username);
+                    void audit_log_fire_and_forget(route, {
+                        event_type: 'login',
+                        outcome: 'failure',
+                        ip: get_client_ip(c),
+                        metadata: { username },
+                    }, deps.log, on_audit_event);
+                    return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
+                }
+                const valid = await password.verify_password(pw, account.password_hash);
+                if (!valid) {
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (login_account_rate_limiter)
+                        login_account_rate_limiter.record(username);
+                    void audit_log_fire_and_forget(route, {
+                        event_type: 'login',
+                        outcome: 'failure',
+                        account_id: account.id,
+                        ip: get_client_ip(c),
+                        metadata: { username },
+                    }, deps.log, on_audit_event);
+                    return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
+                }
+                // Successful login — reset rate limits
+                if (ip_rate_limiter && ip)
+                    ip_rate_limiter.reset(ip);
+                if (login_account_rate_limiter)
+                    login_account_rate_limiter.reset(username);
+                await create_session_and_set_cookie({
+                    keyring,
+                    deps: route,
+                    c,
+                    account_id: account.id,
+                    session_options,
+                    max_sessions,
+                });
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'login',
+                    account_id: account.id,
+                    ip: get_client_ip(c),
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/logout',
+            auth: { type: 'authenticated' },
+            description: 'Revoke current session and clear cookie',
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true), username: z.string() }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const session_token = c.get(session_options.context_key) ?? null;
+                if (session_token) {
+                    const token_hash = hash_session_token(session_token);
+                    await query_session_revoke_by_hash(route, token_hash);
+                }
+                clear_session_cookie(c, session_options);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'logout',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, username: ctx.account.username });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/verify',
+            auth: { type: 'authenticated' },
+            description: 'Check session validity',
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true), account: SessionAccountJson }),
+            handler: (c) => {
+                const ctx = require_request_context(c);
+                return c.json({ ok: true, account: to_session_account(ctx.account) });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/sessions',
+            auth: { type: 'authenticated' },
+            description: 'List auth sessions for current account',
+            input: z.null(),
+            output: z.strictObject({ sessions: z.array(AuthSessionJson) }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const sessions = await query_session_list_for_account(route, ctx.account.id);
+                return c.json({ sessions });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/sessions/:id/revoke',
+            auth: { type: 'authenticated' },
+            description: 'Revoke a single auth session (account-scoped)',
+            params: z.strictObject({ id: Blake3Hash }),
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true), revoked: z.boolean() }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const { id } = get_route_params(c);
+                const revoked = await query_session_revoke_for_account(route, id, ctx.account.id);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'session_revoke',
+                    outcome: revoked ? 'success' : 'failure',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { session_id: id },
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, revoked });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/sessions/revoke-all',
+            auth: { type: 'authenticated' },
+            description: 'Revoke all auth sessions for current account',
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true), count: z.number() }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const count = await query_session_revoke_all_for_account(route, ctx.account.id);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'session_revoke_all',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { count },
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, count });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/tokens/create',
+            auth: { type: 'authenticated' },
+            description: 'Create API token (shown once)',
+            input: z.strictObject({
+                name: z.string().default('CLI token'),
+            }),
+            output: z.strictObject({
+                ok: z.literal(true),
+                token: z.string(),
+                id: z.string(),
+                name: z.string(),
+            }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const { name } = get_route_input(c);
+                const { token, id, token_hash } = generate_api_token();
+                await query_create_api_token(route, id, ctx.account.id, name, token_hash);
+                if (max_tokens != null) {
+                    await query_api_token_enforce_limit(route, ctx.account.id, max_tokens);
+                }
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'token_create',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { token_id: id, name },
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, token, id, name });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/tokens',
+            auth: { type: 'authenticated' },
+            description: 'List API tokens for current account',
+            input: z.null(),
+            output: z.strictObject({ tokens: z.array(ClientApiTokenJson) }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const tokens = await query_api_token_list_for_account(route, ctx.account.id);
+                return c.json({ tokens });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/tokens/:id/revoke',
+            auth: { type: 'authenticated' },
+            description: 'Revoke an API token (account-scoped)',
+            params: z.strictObject({ id: z.string().regex(/^tok_[A-Za-z0-9_-]{12}$/) }),
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true), revoked: z.boolean() }),
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const { id } = get_route_params(c);
+                const revoked = await query_revoke_api_token_for_account(route, id, ctx.account.id);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'token_revoke',
+                    outcome: revoked ? 'success' : 'failure',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { token_id: id },
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, revoked });
+            },
+        },
+        {
+            method: 'POST',
+            path: '/password',
+            auth: { type: 'authenticated' },
+            description: 'Change password (revokes all sessions and API tokens)',
+            input: z.strictObject({
+                current_password: PasswordProvided,
+                new_password: Password,
+            }),
+            output: z.strictObject({
+                ok: z.literal(true),
+                sessions_revoked: z.number(),
+                tokens_revoked: z.number(),
+            }),
+            rate_limit: login_account_rate_limiter ? 'both' : 'ip',
+            handler: async (c, route) => {
+                // per-IP rate limit check (before argon2 work)
+                const ip = ip_rate_limiter ? get_client_ip(c) : null;
+                if (ip_rate_limiter && ip) {
+                    const check = ip_rate_limiter.check(ip);
+                    if (!check.allowed) {
+                        return rate_limit_exceeded_response(c, check.retry_after);
+                    }
+                }
+                const ctx = require_request_context(c);
+                const { current_password, new_password } = get_route_input(c);
+                // per-account rate limit check (after context resolution, before argon2 work)
+                if (login_account_rate_limiter) {
+                    const check = login_account_rate_limiter.check(ctx.account.id);
+                    if (!check.allowed) {
+                        return rate_limit_exceeded_response(c, check.retry_after);
+                    }
+                }
+                const valid = await password.verify_password(current_password, ctx.account.password_hash);
+                if (!valid) {
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (login_account_rate_limiter)
+                        login_account_rate_limiter.record(ctx.account.id);
+                    void audit_log_fire_and_forget(route, {
+                        event_type: 'password_change',
+                        outcome: 'failure',
+                        actor_id: ctx.actor.id,
+                        account_id: ctx.account.id,
+                        ip: get_client_ip(c),
+                    }, deps.log, on_audit_event);
+                    return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
+                }
+                // successful verification — reset rate limiters
+                if (ip_rate_limiter && ip)
+                    ip_rate_limiter.reset(ip);
+                if (login_account_rate_limiter)
+                    login_account_rate_limiter.reset(ctx.account.id);
+                const new_hash = await password.hash_password(new_password);
+                await query_update_account_password(route, ctx.account.id, new_hash, ctx.actor.id);
+                // revoke all sessions and API tokens (force re-auth everywhere)
+                const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
+                const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
+                clear_session_cookie(c, session_options);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'password_change',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { sessions_revoked, tokens_revoked },
+                }, deps.log, on_audit_event);
+                return c.json({ ok: true, sessions_revoked, tokens_revoked });
+            },
+        },
+    ];
+};