@fuzdev/fuz_app 0.1.0
- package/LICENSE +21 -0
- package/README.md +49 -0
- package/dist/actions/action_bridge.d.ts +65 -0
- package/dist/actions/action_bridge.d.ts.map +1 -0
- package/dist/actions/action_bridge.js +76 -0
- package/dist/actions/action_codegen.d.ts +97 -0
- package/dist/actions/action_codegen.d.ts.map +1 -0
- package/dist/actions/action_codegen.js +280 -0
- package/dist/actions/action_registry.d.ts +35 -0
- package/dist/actions/action_registry.d.ts.map +1 -0
- package/dist/actions/action_registry.js +83 -0
- package/dist/actions/action_spec.d.ts +169 -0
- package/dist/actions/action_spec.d.ts.map +1 -0
- package/dist/actions/action_spec.js +76 -0
- package/dist/auth/account_queries.d.ts +96 -0
- package/dist/auth/account_queries.d.ts.map +1 -0
- package/dist/auth/account_queries.js +172 -0
- package/dist/auth/account_routes.d.ts +86 -0
- package/dist/auth/account_routes.d.ts.map +1 -0
- package/dist/auth/account_routes.js +406 -0
- package/dist/auth/account_schema.d.ts +192 -0
- package/dist/auth/account_schema.d.ts.map +1 -0
- package/dist/auth/account_schema.js +105 -0
- package/dist/auth/admin_routes.d.ts +29 -0
- package/dist/auth/admin_routes.d.ts.map +1 -0
- package/dist/auth/admin_routes.js +193 -0
- package/dist/auth/api_token.d.ts +33 -0
- package/dist/auth/api_token.d.ts.map +1 -0
- package/dist/auth/api_token.js +36 -0
- package/dist/auth/api_token_queries.d.ts +80 -0
- package/dist/auth/api_token_queries.d.ts.map +1 -0
- package/dist/auth/api_token_queries.js +116 -0
- package/dist/auth/app_settings_queries.d.ts +33 -0
- package/dist/auth/app_settings_queries.d.ts.map +1 -0
- package/dist/auth/app_settings_queries.js +51 -0
- package/dist/auth/app_settings_routes.d.ts +27 -0
- package/dist/auth/app_settings_routes.d.ts.map +1 -0
- package/dist/auth/app_settings_routes.js +66 -0
- package/dist/auth/app_settings_schema.d.ts +35 -0
- package/dist/auth/app_settings_schema.d.ts.map +1 -0
- package/dist/auth/app_settings_schema.js +22 -0
- package/dist/auth/audit_log_queries.d.ts +90 -0
- package/dist/auth/audit_log_queries.d.ts.map +1 -0
- package/dist/auth/audit_log_queries.js +205 -0
- package/dist/auth/audit_log_routes.d.ts +33 -0
- package/dist/auth/audit_log_routes.d.ts.map +1 -0
- package/dist/auth/audit_log_routes.js +106 -0
- package/dist/auth/audit_log_schema.d.ts +259 -0
- package/dist/auth/audit_log_schema.d.ts.map +1 -0
- package/dist/auth/audit_log_schema.js +123 -0
- package/dist/auth/bearer_auth.d.ts +32 -0
- package/dist/auth/bearer_auth.d.ts.map +1 -0
- package/dist/auth/bearer_auth.js +90 -0
- package/dist/auth/bootstrap_account.d.ts +82 -0
- package/dist/auth/bootstrap_account.d.ts.map +1 -0
- package/dist/auth/bootstrap_account.js +97 -0
- package/dist/auth/bootstrap_routes.d.ts +74 -0
- package/dist/auth/bootstrap_routes.d.ts.map +1 -0
- package/dist/auth/bootstrap_routes.js +154 -0
- package/dist/auth/daemon_token.d.ts +49 -0
- package/dist/auth/daemon_token.d.ts.map +1 -0
- package/dist/auth/daemon_token.js +49 -0
- package/dist/auth/daemon_token_middleware.d.ts +93 -0
- package/dist/auth/daemon_token_middleware.d.ts.map +1 -0
- package/dist/auth/daemon_token_middleware.js +167 -0
- package/dist/auth/ddl.d.ts +27 -0
- package/dist/auth/ddl.d.ts.map +1 -0
- package/dist/auth/ddl.js +111 -0
- package/dist/auth/deps.d.ts +52 -0
- package/dist/auth/deps.d.ts.map +1 -0
- package/dist/auth/deps.js +10 -0
- package/dist/auth/invite_queries.d.ts +68 -0
- package/dist/auth/invite_queries.d.ts.map +1 -0
- package/dist/auth/invite_queries.js +105 -0
- package/dist/auth/invite_routes.d.ts +18 -0
- package/dist/auth/invite_routes.d.ts.map +1 -0
- package/dist/auth/invite_routes.js +129 -0
- package/dist/auth/invite_schema.d.ts +51 -0
- package/dist/auth/invite_schema.d.ts.map +1 -0
- package/dist/auth/invite_schema.js +25 -0
- package/dist/auth/keyring.d.ts +87 -0
- package/dist/auth/keyring.d.ts.map +1 -0
- package/dist/auth/keyring.js +142 -0
- package/dist/auth/middleware.d.ts +40 -0
- package/dist/auth/middleware.d.ts.map +1 -0
- package/dist/auth/middleware.js +64 -0
- package/dist/auth/migrations.d.ts +42 -0
- package/dist/auth/migrations.d.ts.map +1 -0
- package/dist/auth/migrations.js +79 -0
- package/dist/auth/password.d.ts +39 -0
- package/dist/auth/password.d.ts.map +1 -0
- package/dist/auth/password.js +25 -0
- package/dist/auth/password_argon2.d.ts +43 -0
- package/dist/auth/password_argon2.d.ts.map +1 -0
- package/dist/auth/password_argon2.js +76 -0
- package/dist/auth/permit_queries.d.ts +72 -0
- package/dist/auth/permit_queries.d.ts.map +1 -0
- package/dist/auth/permit_queries.js +116 -0
- package/dist/auth/request_context.d.ts +114 -0
- package/dist/auth/request_context.d.ts.map +1 -0
- package/dist/auth/request_context.js +176 -0
- package/dist/auth/require_keeper.d.ts +20 -0
- package/dist/auth/require_keeper.d.ts.map +1 -0
- package/dist/auth/require_keeper.js +35 -0
- package/dist/auth/role_schema.d.ts +69 -0
- package/dist/auth/role_schema.d.ts.map +1 -0
- package/dist/auth/role_schema.js +70 -0
- package/dist/auth/route_guards.d.ts +21 -0
- package/dist/auth/route_guards.d.ts.map +1 -0
- package/dist/auth/route_guards.js +32 -0
- package/dist/auth/session_cookie.d.ts +158 -0
- package/dist/auth/session_cookie.d.ts.map +1 -0
- package/dist/auth/session_cookie.js +135 -0
- package/dist/auth/session_lifecycle.d.ts +35 -0
- package/dist/auth/session_lifecycle.d.ts.map +1 -0
- package/dist/auth/session_lifecycle.js +27 -0
- package/dist/auth/session_middleware.d.ts +33 -0
- package/dist/auth/session_middleware.d.ts.map +1 -0
- package/dist/auth/session_middleware.js +62 -0
- package/dist/auth/session_queries.d.ts +135 -0
- package/dist/auth/session_queries.d.ts.map +1 -0
- package/dist/auth/session_queries.js +186 -0
- package/dist/auth/signup_routes.d.ts +32 -0
- package/dist/auth/signup_routes.d.ts.map +1 -0
- package/dist/auth/signup_routes.js +150 -0
- package/dist/cli/args.d.ts +48 -0
- package/dist/cli/args.d.ts.map +1 -0
- package/dist/cli/args.js +76 -0
- package/dist/cli/config.d.ts +48 -0
- package/dist/cli/config.d.ts.map +1 -0
- package/dist/cli/config.js +77 -0
- package/dist/cli/daemon.d.ts +82 -0
- package/dist/cli/daemon.d.ts.map +1 -0
- package/dist/cli/daemon.js +149 -0
- package/dist/cli/help.d.ts +85 -0
- package/dist/cli/help.d.ts.map +1 -0
- package/dist/cli/help.js +138 -0
- package/dist/cli/logger.d.ts +46 -0
- package/dist/cli/logger.d.ts.map +1 -0
- package/dist/cli/logger.js +48 -0
- package/dist/cli/util.d.ts +36 -0
- package/dist/cli/util.d.ts.map +1 -0
- package/dist/cli/util.js +50 -0
- package/dist/crypto.d.ts +13 -0
- package/dist/crypto.d.ts.map +1 -0
- package/dist/crypto.js +19 -0
- package/dist/db/assert_row.d.ts +18 -0
- package/dist/db/assert_row.d.ts.map +1 -0
- package/dist/db/assert_row.js +24 -0
- package/dist/db/create_db.d.ts +38 -0
- package/dist/db/create_db.d.ts.map +1 -0
- package/dist/db/create_db.js +57 -0
- package/dist/db/db.d.ts +97 -0
- package/dist/db/db.d.ts.map +1 -0
- package/dist/db/db.js +76 -0
- package/dist/db/db_pg.d.ts +21 -0
- package/dist/db/db_pg.d.ts.map +1 -0
- package/dist/db/db_pg.js +45 -0
- package/dist/db/db_pglite.d.ts +21 -0
- package/dist/db/db_pglite.d.ts.map +1 -0
- package/dist/db/db_pglite.js +28 -0
- package/dist/db/migrate.d.ts +67 -0
- package/dist/db/migrate.d.ts.map +1 -0
- package/dist/db/migrate.js +118 -0
- package/dist/db/pg_error.d.ts +16 -0
- package/dist/db/pg_error.d.ts.map +1 -0
- package/dist/db/pg_error.js +15 -0
- package/dist/db/query_deps.d.ts +14 -0
- package/dist/db/query_deps.d.ts.map +1 -0
- package/dist/db/query_deps.js +9 -0
- package/dist/db/sql_identifier.d.ts +27 -0
- package/dist/db/sql_identifier.d.ts.map +1 -0
- package/dist/db/sql_identifier.js +31 -0
- package/dist/db/status.d.ts +62 -0
- package/dist/db/status.d.ts.map +1 -0
- package/dist/db/status.js +116 -0
- package/dist/dev/setup.d.ts +159 -0
- package/dist/dev/setup.d.ts.map +1 -0
- package/dist/dev/setup.js +265 -0
- package/dist/env/dotenv.d.ts +25 -0
- package/dist/env/dotenv.d.ts.map +1 -0
- package/dist/env/dotenv.js +52 -0
- package/dist/env/load.d.ts +52 -0
- package/dist/env/load.d.ts.map +1 -0
- package/dist/env/load.js +79 -0
- package/dist/env/mask.d.ts +19 -0
- package/dist/env/mask.d.ts.map +1 -0
- package/dist/env/mask.js +26 -0
- package/dist/env/resolve.d.ts +126 -0
- package/dist/env/resolve.d.ts.map +1 -0
- package/dist/env/resolve.js +200 -0
- package/dist/hono_context.d.ts +48 -0
- package/dist/hono_context.d.ts.map +1 -0
- package/dist/hono_context.js +22 -0
- package/dist/http/common_routes.d.ts +52 -0
- package/dist/http/common_routes.d.ts.map +1 -0
- package/dist/http/common_routes.js +65 -0
- package/dist/http/db_routes.d.ts +57 -0
- package/dist/http/db_routes.d.ts.map +1 -0
- package/dist/http/db_routes.js +176 -0
- package/dist/http/error_schemas.d.ts +169 -0
- package/dist/http/error_schemas.d.ts.map +1 -0
- package/dist/http/error_schemas.js +178 -0
- package/dist/http/middleware_spec.d.ts +19 -0
- package/dist/http/middleware_spec.d.ts.map +1 -0
- package/dist/http/middleware_spec.js +9 -0
- package/dist/http/origin.d.ts +57 -0
- package/dist/http/origin.d.ts.map +1 -0
- package/dist/http/origin.js +207 -0
- package/dist/http/proxy.d.ts +112 -0
- package/dist/http/proxy.d.ts.map +1 -0
- package/dist/http/proxy.js +240 -0
- package/dist/http/route_spec.d.ts +197 -0
- package/dist/http/route_spec.d.ts.map +1 -0
- package/dist/http/route_spec.js +243 -0
- package/dist/http/schema_helpers.d.ts +64 -0
- package/dist/http/schema_helpers.d.ts.map +1 -0
- package/dist/http/schema_helpers.js +90 -0
- package/dist/http/surface.d.ts +132 -0
- package/dist/http/surface.d.ts.map +1 -0
- package/dist/http/surface.js +156 -0
- package/dist/http/surface_query.d.ts +77 -0
- package/dist/http/surface_query.d.ts.map +1 -0
- package/dist/http/surface_query.js +86 -0
- package/dist/rate_limiter.d.ts +94 -0
- package/dist/rate_limiter.d.ts.map +1 -0
- package/dist/rate_limiter.js +156 -0
- package/dist/realtime/sse.d.ts +80 -0
- package/dist/realtime/sse.d.ts.map +1 -0
- package/dist/realtime/sse.js +109 -0
- package/dist/realtime/sse_auth_guard.d.ts +93 -0
- package/dist/realtime/sse_auth_guard.d.ts.map +1 -0
- package/dist/realtime/sse_auth_guard.js +111 -0
- package/dist/realtime/subscriber_registry.d.ts +85 -0
- package/dist/realtime/subscriber_registry.d.ts.map +1 -0
- package/dist/realtime/subscriber_registry.js +108 -0
- package/dist/runtime/deno.d.ts +21 -0
- package/dist/runtime/deno.d.ts.map +1 -0
- package/dist/runtime/deno.js +83 -0
- package/dist/runtime/deps.d.ts +113 -0
- package/dist/runtime/deps.d.ts.map +1 -0
- package/dist/runtime/deps.js +10 -0
- package/dist/runtime/fs.d.ts +15 -0
- package/dist/runtime/fs.d.ts.map +1 -0
- package/dist/runtime/fs.js +17 -0
- package/dist/runtime/mock.d.ts +81 -0
- package/dist/runtime/mock.d.ts.map +1 -0
- package/dist/runtime/mock.js +195 -0
- package/dist/runtime/node.d.ts +17 -0
- package/dist/runtime/node.d.ts.map +1 -0
- package/dist/runtime/node.js +117 -0
- package/dist/schema_meta.d.ts +16 -0
- package/dist/schema_meta.d.ts.map +1 -0
- package/dist/schema_meta.js +9 -0
- package/dist/sensitivity.d.ts +15 -0
- package/dist/sensitivity.d.ts.map +1 -0
- package/dist/sensitivity.js +9 -0
- package/dist/server/app_backend.d.ts +74 -0
- package/dist/server/app_backend.d.ts.map +1 -0
- package/dist/server/app_backend.js +39 -0
- package/dist/server/app_server.d.ts +201 -0
- package/dist/server/app_server.d.ts.map +1 -0
- package/dist/server/app_server.js +266 -0
- package/dist/server/env.d.ts +68 -0
- package/dist/server/env.d.ts.map +1 -0
- package/dist/server/env.js +95 -0
- package/dist/server/startup.d.ts +22 -0
- package/dist/server/startup.d.ts.map +1 -0
- package/dist/server/startup.js +48 -0
- package/dist/server/static.d.ts +39 -0
- package/dist/server/static.d.ts.map +1 -0
- package/dist/server/static.js +38 -0
- package/dist/server/validate_nginx.d.ts +34 -0
- package/dist/server/validate_nginx.d.ts.map +1 -0
- package/dist/server/validate_nginx.js +118 -0
- package/dist/testing/CLAUDE.md +3 -0
- package/dist/testing/admin_integration.d.ts +45 -0
- package/dist/testing/admin_integration.d.ts.map +1 -0
- package/dist/testing/admin_integration.js +840 -0
- package/dist/testing/adversarial_404.d.ts +15 -0
- package/dist/testing/adversarial_404.d.ts.map +1 -0
- package/dist/testing/adversarial_404.js +118 -0
- package/dist/testing/adversarial_headers.d.ts +36 -0
- package/dist/testing/adversarial_headers.d.ts.map +1 -0
- package/dist/testing/adversarial_headers.js +128 -0
- package/dist/testing/adversarial_input.d.ts +56 -0
- package/dist/testing/adversarial_input.d.ts.map +1 -0
- package/dist/testing/adversarial_input.js +494 -0
- package/dist/testing/app_server.d.ts +169 -0
- package/dist/testing/app_server.d.ts.map +1 -0
- package/dist/testing/app_server.js +240 -0
- package/dist/testing/assert_dev_env.d.ts +10 -0
- package/dist/testing/assert_dev_env.d.ts.map +1 -0
- package/dist/testing/assert_dev_env.js +13 -0
- package/dist/testing/assertions.d.ts +61 -0
- package/dist/testing/assertions.d.ts.map +1 -0
- package/dist/testing/assertions.js +96 -0
- package/dist/testing/attack_surface.d.ts +63 -0
- package/dist/testing/attack_surface.d.ts.map +1 -0
- package/dist/testing/attack_surface.js +224 -0
- package/dist/testing/audit_completeness.d.ts +29 -0
- package/dist/testing/audit_completeness.d.ts.map +1 -0
- package/dist/testing/audit_completeness.js +410 -0
- package/dist/testing/auth_apps.d.ts +55 -0
- package/dist/testing/auth_apps.d.ts.map +1 -0
- package/dist/testing/auth_apps.js +122 -0
- package/dist/testing/data_exposure.d.ts +62 -0
- package/dist/testing/data_exposure.d.ts.map +1 -0
- package/dist/testing/data_exposure.js +297 -0
- package/dist/testing/db.d.ts +111 -0
- package/dist/testing/db.d.ts.map +1 -0
- package/dist/testing/db.js +258 -0
- package/dist/testing/entities.d.ts +21 -0
- package/dist/testing/entities.d.ts.map +1 -0
- package/dist/testing/entities.js +42 -0
- package/dist/testing/error_coverage.d.ts +78 -0
- package/dist/testing/error_coverage.d.ts.map +1 -0
- package/dist/testing/error_coverage.js +135 -0
- package/dist/testing/integration.d.ts +37 -0
- package/dist/testing/integration.d.ts.map +1 -0
- package/dist/testing/integration.js +1139 -0
- package/dist/testing/integration_helpers.d.ts +107 -0
- package/dist/testing/integration_helpers.d.ts.map +1 -0
- package/dist/testing/integration_helpers.js +246 -0
- package/dist/testing/middleware.d.ts +125 -0
- package/dist/testing/middleware.d.ts.map +1 -0
- package/dist/testing/middleware.js +210 -0
- package/dist/testing/rate_limiting.d.ts +43 -0
- package/dist/testing/rate_limiting.d.ts.map +1 -0
- package/dist/testing/rate_limiting.js +216 -0
- package/dist/testing/round_trip.d.ts +37 -0
- package/dist/testing/round_trip.d.ts.map +1 -0
- package/dist/testing/round_trip.js +128 -0
- package/dist/testing/schema_generators.d.ts +33 -0
- package/dist/testing/schema_generators.d.ts.map +1 -0
- package/dist/testing/schema_generators.js +137 -0
- package/dist/testing/standard.d.ts +49 -0
- package/dist/testing/standard.d.ts.map +1 -0
- package/dist/testing/standard.js +16 -0
- package/dist/testing/stubs.d.ts +96 -0
- package/dist/testing/stubs.d.ts.map +1 -0
- package/dist/testing/stubs.js +192 -0
- package/dist/testing/surface_invariants.d.ts +189 -0
- package/dist/testing/surface_invariants.d.ts.map +1 -0
- package/dist/testing/surface_invariants.js +450 -0
- package/dist/ui/AccountSessions.svelte +75 -0
- package/dist/ui/AccountSessions.svelte.d.ts +19 -0
- package/dist/ui/AccountSessions.svelte.d.ts.map +1 -0
- package/dist/ui/AdminAccounts.svelte +107 -0
- package/dist/ui/AdminAccounts.svelte.d.ts +19 -0
- package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -0
- package/dist/ui/AdminAuditLog.svelte +144 -0
- package/dist/ui/AdminAuditLog.svelte.d.ts +4 -0
- package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -0
- package/dist/ui/AdminInvites.svelte +142 -0
- package/dist/ui/AdminInvites.svelte.d.ts +4 -0
- package/dist/ui/AdminInvites.svelte.d.ts.map +1 -0
- package/dist/ui/AdminOverview.svelte +337 -0
- package/dist/ui/AdminOverview.svelte.d.ts +4 -0
- package/dist/ui/AdminOverview.svelte.d.ts.map +1 -0
- package/dist/ui/AdminPermitHistory.svelte +61 -0
- package/dist/ui/AdminPermitHistory.svelte.d.ts +19 -0
- package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -0
- package/dist/ui/AdminSessions.svelte +85 -0
- package/dist/ui/AdminSessions.svelte.d.ts +19 -0
- package/dist/ui/AdminSessions.svelte.d.ts.map +1 -0
- package/dist/ui/AdminSettings.svelte +32 -0
- package/dist/ui/AdminSettings.svelte.d.ts +19 -0
- package/dist/ui/AdminSettings.svelte.d.ts.map +1 -0
- package/dist/ui/AdminSurface.svelte +42 -0
- package/dist/ui/AdminSurface.svelte.d.ts +4 -0
- package/dist/ui/AdminSurface.svelte.d.ts.map +1 -0
- package/dist/ui/AppShell.svelte +93 -0
- package/dist/ui/AppShell.svelte.d.ts +20 -0
- package/dist/ui/AppShell.svelte.d.ts.map +1 -0
- package/dist/ui/BootstrapForm.svelte +105 -0
- package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
- package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -0
- package/dist/ui/ColumnLayout.svelte +46 -0
- package/dist/ui/ColumnLayout.svelte.d.ts +11 -0
- package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -0
- package/dist/ui/ConfirmButton.svelte +125 -0
- package/dist/ui/ConfirmButton.svelte.d.ts +54 -0
- package/dist/ui/ConfirmButton.svelte.d.ts.map +1 -0
- package/dist/ui/Datatable.svelte +185 -0
- package/dist/ui/Datatable.svelte.d.ts +35 -0
- package/dist/ui/Datatable.svelte.d.ts.map +1 -0
- package/dist/ui/LoginForm.svelte +82 -0
- package/dist/ui/LoginForm.svelte.d.ts +8 -0
- package/dist/ui/LoginForm.svelte.d.ts.map +1 -0
- package/dist/ui/LogoutButton.svelte +36 -0
- package/dist/ui/LogoutButton.svelte.d.ts +10 -0
- package/dist/ui/LogoutButton.svelte.d.ts.map +1 -0
- package/dist/ui/MenuLink.svelte +35 -0
- package/dist/ui/MenuLink.svelte.d.ts +12 -0
- package/dist/ui/MenuLink.svelte.d.ts.map +1 -0
- package/dist/ui/OpenSignupToggle.svelte +36 -0
- package/dist/ui/OpenSignupToggle.svelte.d.ts +19 -0
- package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -0
- package/dist/ui/PopoverButton.svelte +136 -0
- package/dist/ui/PopoverButton.svelte.d.ts +63 -0
- package/dist/ui/PopoverButton.svelte.d.ts.map +1 -0
- package/dist/ui/SignupForm.svelte +117 -0
- package/dist/ui/SignupForm.svelte.d.ts +7 -0
- package/dist/ui/SignupForm.svelte.d.ts.map +1 -0
- package/dist/ui/SurfaceExplorer.svelte +287 -0
- package/dist/ui/SurfaceExplorer.svelte.d.ts +8 -0
- package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -0
- package/dist/ui/account_sessions_state.svelte.d.ts +15 -0
- package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -0
- package/dist/ui/account_sessions_state.svelte.js +45 -0
- package/dist/ui/admin_accounts_state.svelte.d.ts +19 -0
- package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -0
- package/dist/ui/admin_accounts_state.svelte.js +65 -0
- package/dist/ui/admin_invites_state.svelte.d.ts +19 -0
- package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -0
- package/dist/ui/admin_invites_state.svelte.js +71 -0
- package/dist/ui/admin_sessions_state.svelte.d.ts +18 -0
- package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -0
- package/dist/ui/admin_sessions_state.svelte.js +62 -0
- package/dist/ui/app_settings_state.svelte.d.ts +14 -0
- package/dist/ui/app_settings_state.svelte.d.ts.map +1 -0
- package/dist/ui/app_settings_state.svelte.js +44 -0
- package/dist/ui/audit_log_state.svelte.d.ts +40 -0
- package/dist/ui/audit_log_state.svelte.d.ts.map +1 -0
- package/dist/ui/audit_log_state.svelte.js +153 -0
- package/dist/ui/auth_state.svelte.d.ts +85 -0
- package/dist/ui/auth_state.svelte.d.ts.map +1 -0
- package/dist/ui/auth_state.svelte.js +238 -0
- package/dist/ui/datatable.d.ts +25 -0
- package/dist/ui/datatable.d.ts.map +1 -0
- package/dist/ui/datatable.js +9 -0
- package/dist/ui/enter_advance.d.ts +13 -0
- package/dist/ui/enter_advance.d.ts.map +1 -0
- package/dist/ui/enter_advance.js +30 -0
- package/dist/ui/loadable.svelte.d.ts +55 -0
- package/dist/ui/loadable.svelte.d.ts.map +1 -0
- package/dist/ui/loadable.svelte.js +75 -0
- package/dist/ui/popover.svelte.d.ts +137 -0
- package/dist/ui/popover.svelte.d.ts.map +1 -0
- package/dist/ui/popover.svelte.js +288 -0
- package/dist/ui/position_helpers.d.ts +27 -0
- package/dist/ui/position_helpers.d.ts.map +1 -0
- package/dist/ui/position_helpers.js +81 -0
- package/dist/ui/sidebar_state.svelte.d.ts +30 -0
- package/dist/ui/sidebar_state.svelte.d.ts.map +1 -0
- package/dist/ui/sidebar_state.svelte.js +39 -0
- package/dist/ui/table_state.svelte.d.ts +63 -0
- package/dist/ui/table_state.svelte.d.ts.map +1 -0
- package/dist/ui/table_state.svelte.js +117 -0
- package/dist/ui/ui_fetch.d.ts +29 -0
- package/dist/ui/ui_fetch.d.ts.map +1 -0
- package/dist/ui/ui_fetch.js +37 -0
- package/dist/ui/ui_format.d.ts +63 -0
- package/dist/ui/ui_format.d.ts.map +1 -0
- package/dist/ui/ui_format.js +196 -0
- package/package.json +121 -0
|
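--- a/package/dist/auth/daemon_token.d.ts
+++ b/package/dist/auth/daemon_token.d.ts
@@ -0,0 +1,49 @@
+/**
+* Daemon token primitives — schema, generation, and validation.
+*
+* Pure auth operations with no I/O or state management.
+* The middleware, rotation, and persistence logic lives in
+* `daemon_token_middleware.ts`.
+*
+* @module
+*/
+import { z } from 'zod';
+/** Daemon token format: 43 base64url characters (256 bits). */
+export declare const DaemonToken: z.ZodString;
+export type DaemonToken = z.infer<typeof DaemonToken>;
+/** The `X-Daemon-Token` header name. */
+export declare const DAEMON_TOKEN_HEADER = "X-Daemon-Token";
+/**
+* Mutable runtime state for daemon token rotation.
+*
+* This is runtime state (not `AppDeps` or `*Options`) — it changes during
+* operation. Created at server startup, passed to the middleware factory.
+*/
+export interface DaemonTokenState {
+/** Current valid token. */
+current_token: string;
+/** Previous token, still valid during the race window. `null` before first rotation. */
+previous_token: string | null;
+/** When the last rotation occurred. */
+rotated_at: Date;
+/** The account ID of the keeper (resolved at startup, set by `on_bootstrap`). */
+keeper_account_id: string | null;
+}
+/**
+* Generate a new daemon token (256-bit random, base64url).
+*
+* @returns a 43-character base64url string
+*/
+export declare const generate_daemon_token: () => string;
+/**
+* Validate a daemon token against the current state.
+*
+* Accepts both the current and previous token (2-token race window).
+* Uses timing-safe comparison.
+*
+* @param provided - the token from the `X-Daemon-Token` header
+* @param state - the daemon token state
+* @returns `true` if the token is valid
+*/
+export declare const validate_daemon_token: (provided: string, state: DaemonTokenState) => boolean;
+//# sourceMappingURL=daemon_token.d.ts.map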
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"daemon_token.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAKtB,+DAA+D;AAC/D,eAAO,MAAM,WAAW,aAAyE,CAAC;AAClG,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wCAAwC;AACxC,eAAO,MAAM,mBAAmB,mBAAmB,CAAC;AAEpD;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2BAA2B;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,wFAAwF;IACxF,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,uCAAuC;IACvC,UAAU,EAAE,IAAI,CAAC;IACjB,iFAAiF;IACjF,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;CACjC;AAED;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,QAAO,MAExC,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GAAI,UAAU,MAAM,EAAE,OAAO,gBAAgB,KAAG,OAgBjF,CAAC"}
|
|
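--- a/package/dist/auth/daemon_token.js
+++ b/package/dist/auth/daemon_token.js
@@ -0,0 +1,49 @@
+/**
+* Daemon token primitives — schema, generation, and validation.
+*
+* Pure auth operations with no I/O or state management.
+* The middleware, rotation, and persistence logic lives in
+* `daemon_token_middleware.ts`.
+*
+* @module
+*/
+import { z } from 'zod';
+import { timingSafeEqual } from 'node:crypto';
+import { generate_random_base64url } from '../crypto.js';
+/** Daemon token format: 43 base64url characters (256 bits). */
+export const DaemonToken = z.string().regex(/^[A-Za-z0-9_-]{43}$/, 'Invalid daemon token format');
+/** The `X-Daemon-Token` header name. */
+export const DAEMON_TOKEN_HEADER = 'X-Daemon-Token';
+/**
+* Generate a new daemon token (256-bit random, base64url).
+*
+* @returns a 43-character base64url string
+*/
+export const generate_daemon_token = () => {
+return generate_random_base64url();
+};
+/**
+* Validate a daemon token against the current state.
+*
+* Accepts both the current and previous token (2-token race window).
+* Uses timing-safe comparison.
+*
+* @param provided - the token from the `X-Daemon-Token` header
+* @param state - the daemon token state
+* @returns `true` if the token is valid
+*/
+export const validate_daemon_token = (provided, state) => {
+const provided_buf = Buffer.from(provided);
+const current_buf = Buffer.from(state.current_token);
+if (provided_buf.length === current_buf.length && timingSafeEqual(provided_buf, current_buf)) {
+return true;
+}
+if (state.previous_token !== null) {
+const previous_buf = Buffer.from(state.previous_token);
+if (provided_buf.length === previous_buf.length &&
+timingSafeEqual(provided_buf, previous_buf)) {
+return true;
+}
+}
+return false;
+};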
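Review bot: `validate_daemon_token` accepts `state.previous_token` whenever it is non-null and never reads `state.rotated_at`, so the "race window" named in its docstring is bounded only by the next rotation, not by elapsed time; if rotation stalls or stops (that logic is not visible in this file), the superseded token would presumably keep authenticating as the keeper. Either state that contract in the docstring, e.g. `* The previous token stays valid until the next rotation replaces it; no age check is applied here.`, or have the rotation side clear `previous_token` after a short grace period. The function also does not enforce the `DaemonToken` format itself, so an empty `provided` compares equal to an empty `current_token`; a guard at the top such as `if (!DaemonToken.safeParse(provided).success) return false;` keeps the exported primitive safe regardless of what the caller has already checked.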
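--- a/package/dist/auth/daemon_token_middleware.d.ts
+++ b/package/dist/auth/daemon_token_middleware.d.ts
@@ -0,0 +1,93 @@
+/**
+* Daemon token rotation, persistence, and middleware.
+*
+* Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
+* rotation on an interval, and HTTP middleware for authentication.
+*
+* Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
+* See docs/identity.md for design rationale.
+*
+* @module
+*/
+import type { MiddlewareHandler } from 'hono';
+import type { Logger } from '@fuzdev/fuz_util/log.js';
+import { type FsWriteDeps, type FsRemoveDeps, type EnvDeps } from '../runtime/deps.js';
+import type { QueryDeps } from '../db/query_deps.js';
+import { type DaemonTokenState } from './daemon_token.js';
+/** Default rotation interval in milliseconds (30 seconds). */
+export declare const DEFAULT_ROTATION_INTERVAL_MS = 30000;
+/** Deps for writing the daemon token to disk. */
+export type DaemonTokenWriteDeps = Pick<EnvDeps, 'env_get'> & FsWriteDeps & {
+/** Set file permissions. Optional — consumers provide when available (e.g. `Deno.chmod`). */
+chmod?: (path: string, mode: number) => Promise<void>;
+};
+/**
+* Get the daemon token file path (`~/.{name}/run/daemon_token`).
+*
+* @param runtime - runtime with `env_get` capability
+* @param name - application name
+* @returns path to `daemon_token`, or `null` if `$HOME` is not set
+*/
+export declare const get_daemon_token_path: (runtime: Pick<EnvDeps, "env_get">, name: string) => string | null;
+/**
+* Write the current token to disk atomically.
+*
+* Uses `write_file_atomic` (temp file + rename) and optionally sets mode 0600.
+*
+* @param runtime - runtime with file write capabilities
+* @param token_path - path to write the token
+* @param token - the raw token string
+*/
+export declare const write_daemon_token: (runtime: DaemonTokenWriteDeps, token_path: string, token: string) => Promise<void>;
+/**
+* Resolve the keeper account ID by querying for the account with an active keeper permit.
+*
+* There is exactly one keeper account (the bootstrap account). Runs once at
+* server startup — the result is cached in `DaemonTokenState.keeper_account_id`.
+*
+* @param deps - query dependencies
+* @returns the keeper account ID, or `null` if no keeper exists yet (pre-bootstrap)
+*/
+export declare const resolve_keeper_account_id: (deps: QueryDeps) => Promise<string | null>;
+/** Options for daemon token rotation. */
+export interface DaemonTokenRotationOptions {
+/** Application name (for `~/.{name}/run/daemon_token`). */
+app_name: string;
+/** Rotation interval in ms. Default: `30000` (30s). */
+rotation_interval_ms?: number;
+}
+/** Result of starting daemon token rotation. */
+export interface DaemonTokenRotation {
+/** The mutable runtime state. Pass to `create_daemon_token_middleware`. */
+state: DaemonTokenState;
+/** Stop rotation, clean up the interval, and delete the token file. Call on graceful shutdown. */
+stop: () => Promise<void>;
+}
+/**
+* Start daemon token rotation.
+*
+* Generates an initial token, writes it to disk, resolves the keeper account,
+* and sets up periodic rotation. Returns the mutable state object and a stop function.
+*
+* @param runtime - runtime with file, env, and remove capabilities
+* @param deps - query dependencies for resolving keeper account
+* @param options - rotation configuration
+* @param log - the logger instance
+* @returns rotation state and stop function
+*/
+export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps & FsRemoveDeps, deps: QueryDeps, options: DaemonTokenRotationOptions, log: Logger) => Promise<DaemonTokenRotation>;
+/**
+* Create middleware that authenticates via daemon token.
+*
+* Checks the `X-Daemon-Token` header. Behavior:
+* - No header: pass through (don't touch existing context)
+* - Header present + valid: build `RequestContext` from keeper account,
+* set `credential_type: 'daemon_token'` (overrides any existing session/bearer context)
+* - Header present + invalid: return 401 (fail-closed, no downgrade)
+* - Header present + valid but `keeper_account_id` is null: return 503
+*
+* @param state - the daemon token runtime state
+* @param deps - query dependencies (pool-level db for middleware)
+*/
+export declare const create_daemon_token_middleware: (state: DaemonTokenState, deps: QueryDeps) => MiddlewareHandler;
+//# sourceMappingURL=daemon_token_middleware.d.ts.map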
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,WAAW,GAAG;IACb,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAoCF,CAAC"}
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Daemon token rotation, persistence, and middleware.
|
|
3
|
+
*
|
|
4
|
+
* Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
|
|
5
|
+
* rotation on an interval, and HTTP middleware for authentication.
|
|
6
|
+
*
|
|
7
|
+
* Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
|
|
8
|
+
* See docs/identity.md for design rationale.
|
|
9
|
+
*
|
|
10
|
+
* @module
|
|
11
|
+
*/
|
|
12
|
+
import {} from '../runtime/deps.js';
|
|
13
|
+
import { write_file_atomic } from '../runtime/fs.js';
|
|
14
|
+
import { get_app_dir } from '../cli/config.js';
|
|
15
|
+
import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
|
|
16
|
+
import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
|
|
17
|
+
import { ERROR_INVALID_DAEMON_TOKEN, ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED, ERROR_KEEPER_ACCOUNT_NOT_FOUND, } from '../http/error_schemas.js';
|
|
18
|
+
import { query_permit_find_account_id_for_role } from './permit_queries.js';
|
|
19
|
+
import { ROLE_KEEPER } from './role_schema.js';
|
|
20
|
+
import { DaemonToken, DAEMON_TOKEN_HEADER, generate_daemon_token, validate_daemon_token, } from './daemon_token.js';
|
|
21
|
+
/** Default rotation interval in milliseconds (30 seconds). */
|
|
22
|
+
export const DEFAULT_ROTATION_INTERVAL_MS = 30_000;
|
|
23
|
+
/**
|
|
24
|
+
* Get the daemon token file path (`~/.{name}/run/daemon_token`).
|
|
25
|
+
*
|
|
26
|
+
* @param runtime - runtime with `env_get` capability
|
|
27
|
+
* @param name - application name
|
|
28
|
+
* @returns path to `daemon_token`, or `null` if `$HOME` is not set
|
|
29
|
+
*/
|
|
30
|
+
export const get_daemon_token_path = (runtime, name) => {
|
|
31
|
+
const app_dir = get_app_dir(runtime, name);
|
|
32
|
+
return app_dir ? `${app_dir}/run/daemon_token` : null;
|
|
33
|
+
};
|
|
34
|
+
/**
|
|
35
|
+
* Write the current token to disk atomically.
|
|
36
|
+
*
|
|
37
|
+
* Uses `write_file_atomic` (temp file + rename) and optionally sets mode 0600.
|
|
38
|
+
*
|
|
39
|
+
* @param runtime - runtime with file write capabilities
|
|
40
|
+
* @param token_path - path to write the token
|
|
41
|
+
* @param token - the raw token string
|
|
42
|
+
*/
|
|
43
|
+
export const write_daemon_token = async (runtime, token_path, token) => {
|
|
44
|
+
await write_file_atomic(runtime, token_path, token + '\n');
|
|
45
|
+
if (runtime.chmod) {
|
|
46
|
+
await runtime.chmod(token_path, 0o600);
|
|
47
|
+
}
|
|
48
|
+
};
|
|
49
|
+
/**
|
|
50
|
+
* Resolve the keeper account ID by querying for the account with an active keeper permit.
|
|
51
|
+
*
|
|
52
|
+
* There is exactly one keeper account (the bootstrap account). Runs once at
|
|
53
|
+
* server startup — the result is cached in `DaemonTokenState.keeper_account_id`.
|
|
54
|
+
*
|
|
55
|
+
* @param deps - query dependencies
|
|
56
|
+
* @returns the keeper account ID, or `null` if no keeper exists yet (pre-bootstrap)
|
|
57
|
+
*/
|
|
58
|
+
export const resolve_keeper_account_id = async (deps) => {
|
|
59
|
+
return query_permit_find_account_id_for_role(deps, ROLE_KEEPER);
|
|
60
|
+
};
|
|
61
|
+
/**
|
|
62
|
+
* Start daemon token rotation.
|
|
63
|
+
*
|
|
64
|
+
* Generates an initial token, writes it to disk, resolves the keeper account,
|
|
65
|
+
* and sets up periodic rotation. Returns the mutable state object and a stop function.
|
|
66
|
+
*
|
|
67
|
+
* @param runtime - runtime with file, env, and remove capabilities
|
|
68
|
+
* @param deps - query dependencies for resolving keeper account
|
|
69
|
+
* @param options - rotation configuration
|
|
70
|
+
* @param log - the logger instance
|
|
71
|
+
* @returns rotation state and stop function
|
|
72
|
+
*/
|
|
73
|
+
export const start_daemon_token_rotation = async (runtime, deps, options, log) => {
|
|
74
|
+
const { app_name, rotation_interval_ms = DEFAULT_ROTATION_INTERVAL_MS } = options;
|
|
75
|
+
const token_path = get_daemon_token_path(runtime, app_name);
|
|
76
|
+
if (!token_path) {
|
|
77
|
+
throw new Error('$HOME not set — cannot determine daemon token path');
|
|
78
|
+
}
|
|
79
|
+
// ensure run directory exists
|
|
80
|
+
const app_dir = get_app_dir(runtime, app_name);
|
|
81
|
+
if (app_dir) {
|
|
82
|
+
await runtime.mkdir(`${app_dir}/run`, { recursive: true });
|
|
83
|
+
}
|
|
84
|
+
// resolve keeper account (may be null pre-bootstrap)
|
|
85
|
+
const keeper_account_id = await resolve_keeper_account_id(deps);
|
|
86
|
+
// generate initial token and write to disk
|
|
87
|
+
const initial_token = generate_daemon_token();
|
|
88
|
+
await write_daemon_token(runtime, token_path, initial_token);
|
|
89
|
+
const state = {
|
|
90
|
+
current_token: initial_token,
|
|
91
|
+
previous_token: null,
|
|
92
|
+
rotated_at: new Date(),
|
|
93
|
+
keeper_account_id,
|
|
94
|
+
};
|
|
95
|
+
let writing = false;
|
|
96
|
+
const interval_id = setInterval(async () => {
|
|
97
|
+
if (writing)
|
|
98
|
+
return; // skip if previous rotation write still in progress
|
|
99
|
+
writing = true;
|
|
100
|
+
try {
|
|
101
|
+
const new_token = generate_daemon_token();
|
|
102
|
+
state.previous_token = state.current_token;
|
|
103
|
+
state.current_token = new_token;
|
|
104
|
+
state.rotated_at = new Date();
|
|
105
|
+
await write_daemon_token(runtime, token_path, new_token);
|
|
106
|
+
}
|
|
107
|
+
catch (err) {
|
|
108
|
+
log.error('Failed to write rotated token:', err);
|
|
109
|
+
}
|
|
110
|
+
finally {
|
|
111
|
+
writing = false;
|
|
112
|
+
}
|
|
113
|
+
}, rotation_interval_ms);
|
|
114
|
+
const stop = async () => {
|
|
115
|
+
clearInterval(interval_id);
|
|
116
|
+
try {
|
|
117
|
+
await runtime.remove(token_path);
|
|
118
|
+
}
|
|
119
|
+
catch {
|
|
120
|
+
// already removed or never written
|
|
121
|
+
}
|
|
122
|
+
};
|
|
123
|
+
return { state, stop };
|
|
124
|
+
};
|
|
125
|
+
/**
|
|
126
|
+
* Create middleware that authenticates via daemon token.
|
|
127
|
+
*
|
|
128
|
+
* Checks the `X-Daemon-Token` header. Behavior:
|
|
129
|
+
* - No header: pass through (don't touch existing context)
|
|
130
|
+
* - Header present + valid: build `RequestContext` from keeper account,
|
|
131
|
+
* set `credential_type: 'daemon_token'` (overrides any existing session/bearer context)
|
|
132
|
+
* - Header present + invalid: return 401 (fail-closed, no downgrade)
|
|
133
|
+
* - Header present + valid but `keeper_account_id` is null: return 503
|
|
134
|
+
*
|
|
135
|
+
* @param state - the daemon token runtime state
|
|
136
|
+
* @param deps - query dependencies (pool-level db for middleware)
|
|
137
|
+
*/
|
|
138
|
+
export const create_daemon_token_middleware = (state, deps) => {
|
|
139
|
+
return async (c, next) => {
|
|
140
|
+
const token_header = c.req.header(DAEMON_TOKEN_HEADER);
|
|
141
|
+
if (!token_header) {
|
|
142
|
+
await next();
|
|
143
|
+
return;
|
|
144
|
+
}
|
|
145
|
+
// Zod-validate the token format at the I/O boundary
|
|
146
|
+
const parse_result = DaemonToken.safeParse(token_header);
|
|
147
|
+
if (!parse_result.success) {
|
|
148
|
+
return c.json({ error: ERROR_INVALID_DAEMON_TOKEN }, 401);
|
|
149
|
+
}
|
|
150
|
+
// fail-closed: header present but invalid token value
|
|
151
|
+
if (!validate_daemon_token(parse_result.data, state)) {
|
|
152
|
+
return c.json({ error: ERROR_INVALID_DAEMON_TOKEN }, 401);
|
|
153
|
+
}
|
|
154
|
+
// daemon token valid — resolve keeper account
|
|
155
|
+
if (!state.keeper_account_id) {
|
|
156
|
+
return c.json({ error: ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED }, 503);
|
|
157
|
+
}
|
|
158
|
+
// build request context from the keeper account (overrides any existing session/bearer context)
|
|
159
|
+
const ctx = await build_request_context(deps, state.keeper_account_id);
|
|
160
|
+
if (!ctx) {
|
|
161
|
+
return c.json({ error: ERROR_KEEPER_ACCOUNT_NOT_FOUND }, 500);
|
|
162
|
+
}
|
|
163
|
+
c.set(REQUEST_CONTEXT_KEY, ctx);
|
|
164
|
+
c.set(CREDENTIAL_TYPE_KEY, 'daemon_token');
|
|
165
|
+
await next();
|
|
166
|
+
};
|
|
167
|
+
};
|
|
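Review bot: `write_daemon_token` narrows the token file to 0o600 only after `write_file_atomic` has already put it in place, and it skips the `chmod` entirely when `runtime.chmod` is undefined. On each rotation the file that authenticates as the keeper account is therefore briefly, or without `chmod` permanently, readable under whatever mode the process umask gives. The `run` directory in `start_daemon_token_rotation` is also created with only `{ recursive: true }`. Creating that directory owner-only by adding `mode: 0o700` to the mkdir options would cover the window regardless of the file's own mode, assuming the runtime's `mkdir` forwards a mode, which is not visible here. A missing `runtime.chmod` should also be reported through `log` at startup rather than silently accepted.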
@@ -0,0 +1,27 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Auth table DDL — CREATE TABLE, index, and seed statements.
|
|
3
|
+
*
|
|
4
|
+
* Consumed by `migrations.ts`. Separated from `account_schema.ts`
|
|
5
|
+
* to isolate DDL concerns from runtime types.
|
|
6
|
+
*
|
|
7
|
+
* @module
|
|
8
|
+
*/
|
|
9
|
+
export declare const ACCOUNT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS account (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n username TEXT UNIQUE NOT NULL,\n email TEXT,\n email_verified BOOLEAN NOT NULL DEFAULT false,\n password_hash TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n created_by UUID,\n updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n updated_by UUID\n)";
|
|
10
|
+
export declare const ACTOR_SCHEMA = "\nCREATE TABLE IF NOT EXISTS actor (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n updated_at TIMESTAMPTZ,\n updated_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
|
|
11
|
+
export declare const ACTOR_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)";
|
|
12
|
+
export declare const PERMIT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n role TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n expires_at TIMESTAMPTZ,\n revoked_at TIMESTAMPTZ,\n revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n granted_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
|
|
13
|
+
export declare const PERMIT_INDEXES: string[];
|
|
14
|
+
export declare const AUTH_SESSION_SCHEMA = "\nCREATE TABLE IF NOT EXISTS auth_session (\n id TEXT PRIMARY KEY,\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n expires_at TIMESTAMPTZ NOT NULL,\n last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)";
|
|
15
|
+
export declare const AUTH_SESSION_INDEXES: string[];
|
|
16
|
+
export declare const API_TOKEN_SCHEMA = "\nCREATE TABLE IF NOT EXISTS api_token (\n id TEXT PRIMARY KEY,\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n token_hash TEXT NOT NULL,\n expires_at TIMESTAMPTZ,\n last_used_at TIMESTAMPTZ,\n last_used_ip TEXT,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)";
|
|
17
|
+
export declare const ACCOUNT_EMAIL_INDEX = "\nCREATE UNIQUE INDEX IF NOT EXISTS idx_account_email ON account (LOWER(email)) WHERE email IS NOT NULL";
|
|
18
|
+
export declare const ACCOUNT_USERNAME_CI_INDEX = "\nCREATE UNIQUE INDEX IF NOT EXISTS idx_account_username_ci ON account (LOWER(username))";
|
|
19
|
+
export declare const API_TOKEN_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_api_token_account ON api_token(account_id)";
|
|
20
|
+
export declare const BOOTSTRAP_LOCK_SCHEMA = "\nCREATE TABLE IF NOT EXISTS bootstrap_lock (\n id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),\n bootstrapped BOOLEAN NOT NULL DEFAULT false\n)";
|
|
21
|
+
/** Seed the bootstrap_lock table, setting `bootstrapped` based on whether accounts exist. */
|
|
22
|
+
export declare const BOOTSTRAP_LOCK_SEED = "\nINSERT INTO bootstrap_lock (id, bootstrapped)\n SELECT 1, EXISTS(SELECT 1 FROM account)\n ON CONFLICT DO NOTHING";
|
|
23
|
+
export declare const INVITE_SCHEMA = "\nCREATE TABLE IF NOT EXISTS invite (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n email TEXT,\n username TEXT,\n claimed_by UUID REFERENCES account(id) ON DELETE SET NULL,\n claimed_at TIMESTAMPTZ,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n created_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n CONSTRAINT invite_has_identifier CHECK (email IS NOT NULL OR username IS NOT NULL)\n)";
|
|
24
|
+
export declare const INVITE_INDEXES: string[];
|
|
25
|
+
export declare const APP_SETTINGS_SCHEMA = "\nCREATE TABLE IF NOT EXISTS app_settings (\n id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),\n open_signup BOOLEAN NOT NULL DEFAULT false,\n updated_at TIMESTAMPTZ,\n updated_by UUID\n)";
|
|
26
|
+
export declare const APP_SETTINGS_SEED = "\nINSERT INTO app_settings (id) VALUES (1) ON CONFLICT DO NOTHING";
|
|
27
|
+
//# sourceMappingURL=ddl.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE,eAAO,MAAM,aAAa,uZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}
|
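--- a/package/dist/auth/ddl.js
+++ b/package/dist/auth/ddl.js
@@ -0,0 +1,111 @@
+/**
+* Auth table DDL — CREATE TABLE, index, and seed statements.
+*
+* Consumed by `migrations.ts`. Separated from `account_schema.ts`
+* to isolate DDL concerns from runtime types.
+*
+* @module
+*/
+export const ACCOUNT_SCHEMA = `
+CREATE TABLE IF NOT EXISTS account (
+id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+username TEXT UNIQUE NOT NULL,
+email TEXT,
+email_verified BOOLEAN NOT NULL DEFAULT false,
+password_hash TEXT NOT NULL,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+created_by UUID,
+updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+updated_by UUID
+)`;
+export const ACTOR_SCHEMA = `
+CREATE TABLE IF NOT EXISTS actor (
+id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,
+name TEXT NOT NULL,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+updated_at TIMESTAMPTZ,
+updated_by UUID REFERENCES actor(id) ON DELETE SET NULL
+)`;
+export const ACTOR_INDEX = `
+CREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)`;
+export const PERMIT_SCHEMA = `
+CREATE TABLE IF NOT EXISTS permit (
+id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,
+role TEXT NOT NULL,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+expires_at TIMESTAMPTZ,
+revoked_at TIMESTAMPTZ,
+revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,
+granted_by UUID REFERENCES actor(id) ON DELETE SET NULL
+)`;
+export const PERMIT_INDEXES = [
+`CREATE INDEX IF NOT EXISTS idx_permit_actor ON permit(actor_id)`,
+`CREATE UNIQUE INDEX IF NOT EXISTS permit_actor_role_active_unique
+ON permit (actor_id, role) WHERE revoked_at IS NULL`,
+];
+export const AUTH_SESSION_SCHEMA = `
+CREATE TABLE IF NOT EXISTS auth_session (
+id TEXT PRIMARY KEY,
+account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+expires_at TIMESTAMPTZ NOT NULL,
+last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+)`;
+export const AUTH_SESSION_INDEXES = [
+`CREATE INDEX IF NOT EXISTS idx_auth_session_account ON auth_session(account_id)`,
+`CREATE INDEX IF NOT EXISTS idx_auth_session_expires ON auth_session(expires_at)`,
+];
+export const API_TOKEN_SCHEMA = `
+CREATE TABLE IF NOT EXISTS api_token (
+id TEXT PRIMARY KEY,
+account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,
+name TEXT NOT NULL,
+token_hash TEXT NOT NULL,
+expires_at TIMESTAMPTZ,
+last_used_at TIMESTAMPTZ,
+last_used_ip TEXT,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+)`;
+export const ACCOUNT_EMAIL_INDEX = `
+CREATE UNIQUE INDEX IF NOT EXISTS idx_account_email ON account (LOWER(email)) WHERE email IS NOT NULL`;
+export const ACCOUNT_USERNAME_CI_INDEX = `
+CREATE UNIQUE INDEX IF NOT EXISTS idx_account_username_ci ON account (LOWER(username))`;
+export const API_TOKEN_INDEX = `
+CREATE INDEX IF NOT EXISTS idx_api_token_account ON api_token(account_id)`;
+export const BOOTSTRAP_LOCK_SCHEMA = `
+CREATE TABLE IF NOT EXISTS bootstrap_lock (
+id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),
+bootstrapped BOOLEAN NOT NULL DEFAULT false
+)`;
+/** Seed the bootstrap_lock table, setting `bootstrapped` based on whether accounts exist. */
+export const BOOTSTRAP_LOCK_SEED = `
+INSERT INTO bootstrap_lock (id, bootstrapped)
+SELECT 1, EXISTS(SELECT 1 FROM account)
+ON CONFLICT DO NOTHING`;
+export const INVITE_SCHEMA = `
+CREATE TABLE IF NOT EXISTS invite (
+id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+email TEXT,
+username TEXT,
+claimed_by UUID REFERENCES account(id) ON DELETE SET NULL,
+claimed_at TIMESTAMPTZ,
+created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+created_by UUID REFERENCES actor(id) ON DELETE SET NULL,
+CONSTRAINT invite_has_identifier CHECK (email IS NOT NULL OR username IS NOT NULL)
+)`;
+export const INVITE_INDEXES = [
+`CREATE UNIQUE INDEX IF NOT EXISTS idx_invite_email_unclaimed ON invite (LOWER(email)) WHERE email IS NOT NULL AND claimed_at IS NULL`,
+`CREATE UNIQUE INDEX IF NOT EXISTS idx_invite_username_unclaimed ON invite (LOWER(username)) WHERE username IS NOT NULL AND claimed_at IS NULL`,
+`CREATE INDEX IF NOT EXISTS idx_invite_claimed ON invite (claimed_at)`,
+];
+export const APP_SETTINGS_SCHEMA = `
+CREATE TABLE IF NOT EXISTS app_settings (
+id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),
+open_signup BOOLEAN NOT NULL DEFAULT false,
+updated_at TIMESTAMPTZ,
+updated_by UUID
+)`;
+export const APP_SETTINGS_SEED = `
+INSERT INTO app_settings (id) VALUES (1) ON CONFLICT DO NOTHING`;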
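Review bot: `permit_actor_role_active_unique` in `PERMIT_INDEXES` treats a permit as active whenever `revoked_at IS NULL`, but `PERMIT_SCHEMA` also carries `expires_at`, which the index predicate does not take into account (a partial-index predicate cannot reference `NOW()`, since it is not immutable). An expired but never-revoked permit therefore still occupies the (actor_id, role) slot, and every authorization query has to filter on `expires_at` itself. The permit queries are not in this file, so whether they do is not visible here. A comment above the index would make that contract explicit: `// "active" = not revoked; expiry is NOT covered by this index, so queries must also check expires_at`.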
@@ -0,0 +1,52 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Stateless capabilities bundle for fuz_app backends.
|
|
3
|
+
*
|
|
4
|
+
* `AppDeps` is the central dependency injection type — injectable and swappable
|
|
5
|
+
* per environment (production vs test). Does not contain config (static values)
|
|
6
|
+
* or runtime state (mutable refs).
|
|
7
|
+
*
|
|
8
|
+
* @module
|
|
9
|
+
*/
|
|
10
|
+
import type { Logger } from '@fuzdev/fuz_util/log.js';
|
|
11
|
+
import type { Keyring } from './keyring.js';
|
|
12
|
+
import type { PasswordHashDeps } from './password.js';
|
|
13
|
+
import type { Db } from '../db/db.js';
|
|
14
|
+
import type { StatResult } from '../runtime/deps.js';
|
|
15
|
+
import type { AuditLogEvent } from './audit_log_schema.js';
|
|
16
|
+
/**
|
|
17
|
+
* Stateless capabilities bundle for fuz_app backends.
|
|
18
|
+
*
|
|
19
|
+
* Injectable and swappable per environment (production vs test).
|
|
20
|
+
* Does not contain config (static values) or runtime state (mutable refs).
|
|
21
|
+
*/
|
|
22
|
+
export interface AppDeps {
|
|
23
|
+
/** Get file/directory stats, or null if path doesn't exist. */
|
|
24
|
+
stat: (path: string) => Promise<StatResult | null>;
|
|
25
|
+
/** Read a file as text. */
|
|
26
|
+
read_file: (path: string) => Promise<string>;
|
|
27
|
+
/** Delete a file. */
|
|
28
|
+
delete_file: (path: string) => Promise<void>;
|
|
29
|
+
/** HMAC-SHA256 cookie signing keyring. */
|
|
30
|
+
keyring: Keyring;
|
|
31
|
+
/** Password hashing operations. Use `argon2_password_deps` in production. */
|
|
32
|
+
password: PasswordHashDeps;
|
|
33
|
+
/** Database instance. */
|
|
34
|
+
db: Db;
|
|
35
|
+
/** Structured logger instance. */
|
|
36
|
+
log: Logger;
|
|
37
|
+
/**
|
|
38
|
+
* Called after each audit log INSERT succeeds.
|
|
39
|
+
* Use to broadcast audit events via SSE. Flows automatically to all
|
|
40
|
+
* route factories that receive `deps` or `RouteFactoryDeps`.
|
|
41
|
+
* Defaults to a noop when not wired to SSE.
|
|
42
|
+
*/
|
|
43
|
+
on_audit_event: (event: AuditLogEvent) => void;
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Capabilities for route spec factories.
|
|
47
|
+
*
|
|
48
|
+
* `AppDeps` without `db` — route handlers receive database connections
|
|
49
|
+
* via `RouteContext`, so factories don't capture a pool-level `Db`.
|
|
50
|
+
*/
|
|
51
|
+
export type RouteFactoryDeps = Omit<AppDeps, 'db'>;
|
|
52
|
+
//# sourceMappingURL=deps.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"deps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACvB,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yBAAyB;IACzB,EAAE,EAAE,EAAE,CAAC;IACP,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;OAKG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAC/C;AAED;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Stateless capabilities bundle for fuz_app backends.
|
|
3
|
+
*
|
|
4
|
+
* `AppDeps` is the central dependency injection type — injectable and swappable
|
|
5
|
+
* per environment (production vs test). Does not contain config (static values)
|
|
6
|
+
* or runtime state (mutable refs).
|
|
7
|
+
*
|
|
8
|
+
* @module
|
|
9
|
+
*/
|
|
10
|
+
export {};
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Invite database queries.
|
|
3
|
+
*
|
|
4
|
+
* CRUD operations for the invite table — creating invites,
|
|
5
|
+
* finding unclaimed matches, claiming, and cleanup.
|
|
6
|
+
*
|
|
7
|
+
* @module
|
|
8
|
+
*/
|
|
9
|
+
import type { QueryDeps } from '../db/query_deps.js';
|
|
10
|
+
import type { Invite, CreateInviteInput, InviteWithUsernamesJson } from './invite_schema.js';
|
|
11
|
+
/**
|
|
12
|
+
* Create a new invite.
|
|
13
|
+
*
|
|
14
|
+
* @param deps - query dependencies
|
|
15
|
+
* @param input - the invite fields
|
|
16
|
+
* @returns the created invite
|
|
17
|
+
*/
|
|
18
|
+
export declare const query_create_invite: (deps: QueryDeps, input: CreateInviteInput) => Promise<Invite>;
|
|
19
|
+
/**
|
|
20
|
+
* Find an unclaimed invite by email (case-insensitive).
|
|
21
|
+
*/
|
|
22
|
+
export declare const query_invite_find_unclaimed_by_email: (deps: QueryDeps, email: string) => Promise<Invite | undefined>;
|
|
23
|
+
/**
|
|
24
|
+
* Find an unclaimed invite by username (case-insensitive).
|
|
25
|
+
*/
|
|
26
|
+
export declare const query_invite_find_unclaimed_by_username: (deps: QueryDeps, username: string) => Promise<Invite | undefined>;
|
|
27
|
+
/**
|
|
28
|
+
* Find an unclaimed invite matching email and/or username using three scoping modes:
|
|
29
|
+
*
|
|
30
|
+
* - **Email-only invite** (email set, username NULL) → matches only if signup provides matching email.
|
|
31
|
+
* - **Username-only invite** (username set, email NULL) → matches only if signup provides matching username.
|
|
32
|
+
* - **Both-field invite** (both set) → requires BOTH email and username to match.
|
|
33
|
+
*
|
|
34
|
+
* @param deps - query dependencies
|
|
35
|
+
* @param email - email to match (or null if signup provides none)
|
|
36
|
+
* @param username - username to match
|
|
37
|
+
* @returns the matching invite, or `undefined`
|
|
38
|
+
*/
|
|
39
|
+
export declare const query_invite_find_unclaimed_match: (deps: QueryDeps, email: string | null, username: string) => Promise<Invite | undefined>;
|
|
40
|
+
/**
|
|
41
|
+
* Claim an invite by setting the claimed_by and claimed_at fields.
|
|
42
|
+
*
|
|
43
|
+
* @param deps - query dependencies
|
|
44
|
+
* @param invite_id - the invite to claim
|
|
45
|
+
* @param account_id - the account claiming the invite
|
|
46
|
+
* @returns true if the invite was claimed, false if already claimed or not found
|
|
47
|
+
*/
|
|
48
|
+
export declare const query_invite_claim: (deps: QueryDeps, invite_id: string, account_id: string) => Promise<boolean>;
|
|
49
|
+
/**
|
|
50
|
+
* List all invites, newest first.
|
|
51
|
+
*/
|
|
52
|
+
export declare const query_invite_list_all: (deps: QueryDeps) => Promise<Array<Invite>>;
|
|
53
|
+
/**
|
|
54
|
+
* List all invites with resolved creator/claimer usernames, newest first.
|
|
55
|
+
*
|
|
56
|
+
* @param deps - query dependencies
|
|
57
|
+
* @returns invites with `created_by_username` and `claimed_by_username`
|
|
58
|
+
*/
|
|
59
|
+
export declare const query_invite_list_all_with_usernames: (deps: QueryDeps) => Promise<Array<InviteWithUsernamesJson>>;
|
|
60
|
+
/**
|
|
61
|
+
* Delete an unclaimed invite.
|
|
62
|
+
*
|
|
63
|
+
* @param deps - query dependencies
|
|
64
|
+
* @param id - the invite id
|
|
65
|
+
* @returns true if deleted, false if not found or already claimed
|
|
66
|
+
*/
|
|
67
|
+
export declare const query_invite_delete_unclaimed: (deps: QueryDeps, id: string) => Promise<boolean>;
|
|
68
|
+
//# sourceMappingURL=invite_queries.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"invite_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAE,iBAAiB,EAAE,uBAAuB,EAAC,MAAM,oBAAoB,CAAC;AAE3F;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,OAAO,iBAAiB,KACtB,OAAO,CAAC,MAAM,CAQhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,OAAO,MAAM,GAAG,IAAI,EACpB,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAElF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAUxC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,CAMjB,CAAC"}
|