npm - @fuzdev/fuz_app - Versions diffs - 0.1.0 - Mend

@fuzdev/fuz_app 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (457) hide show

package/LICENSE +21 -0
package/README.md +49 -0
package/dist/actions/action_bridge.d.ts +65 -0
package/dist/actions/action_bridge.d.ts.map +1 -0
package/dist/actions/action_bridge.js +76 -0
package/dist/actions/action_codegen.d.ts +97 -0
package/dist/actions/action_codegen.d.ts.map +1 -0
package/dist/actions/action_codegen.js +280 -0
package/dist/actions/action_registry.d.ts +35 -0
package/dist/actions/action_registry.d.ts.map +1 -0
package/dist/actions/action_registry.js +83 -0
package/dist/actions/action_spec.d.ts +169 -0
package/dist/actions/action_spec.d.ts.map +1 -0
package/dist/actions/action_spec.js +76 -0
package/dist/auth/account_queries.d.ts +96 -0
package/dist/auth/account_queries.d.ts.map +1 -0
package/dist/auth/account_queries.js +172 -0
package/dist/auth/account_routes.d.ts +86 -0
package/dist/auth/account_routes.d.ts.map +1 -0
package/dist/auth/account_routes.js +406 -0
package/dist/auth/account_schema.d.ts +192 -0
package/dist/auth/account_schema.d.ts.map +1 -0
package/dist/auth/account_schema.js +105 -0
package/dist/auth/admin_routes.d.ts +29 -0
package/dist/auth/admin_routes.d.ts.map +1 -0
package/dist/auth/admin_routes.js +193 -0
package/dist/auth/api_token.d.ts +33 -0
package/dist/auth/api_token.d.ts.map +1 -0
package/dist/auth/api_token.js +36 -0
package/dist/auth/api_token_queries.d.ts +80 -0
package/dist/auth/api_token_queries.d.ts.map +1 -0
package/dist/auth/api_token_queries.js +116 -0
package/dist/auth/app_settings_queries.d.ts +33 -0
package/dist/auth/app_settings_queries.d.ts.map +1 -0
package/dist/auth/app_settings_queries.js +51 -0
package/dist/auth/app_settings_routes.d.ts +27 -0
package/dist/auth/app_settings_routes.d.ts.map +1 -0
package/dist/auth/app_settings_routes.js +66 -0
package/dist/auth/app_settings_schema.d.ts +35 -0
package/dist/auth/app_settings_schema.d.ts.map +1 -0
package/dist/auth/app_settings_schema.js +22 -0
package/dist/auth/audit_log_queries.d.ts +90 -0
package/dist/auth/audit_log_queries.d.ts.map +1 -0
package/dist/auth/audit_log_queries.js +205 -0
package/dist/auth/audit_log_routes.d.ts +33 -0
package/dist/auth/audit_log_routes.d.ts.map +1 -0
package/dist/auth/audit_log_routes.js +106 -0
package/dist/auth/audit_log_schema.d.ts +259 -0
package/dist/auth/audit_log_schema.d.ts.map +1 -0
package/dist/auth/audit_log_schema.js +123 -0
package/dist/auth/bearer_auth.d.ts +32 -0
package/dist/auth/bearer_auth.d.ts.map +1 -0
package/dist/auth/bearer_auth.js +90 -0
package/dist/auth/bootstrap_account.d.ts +82 -0
package/dist/auth/bootstrap_account.d.ts.map +1 -0
package/dist/auth/bootstrap_account.js +97 -0
package/dist/auth/bootstrap_routes.d.ts +74 -0
package/dist/auth/bootstrap_routes.d.ts.map +1 -0
package/dist/auth/bootstrap_routes.js +154 -0
package/dist/auth/daemon_token.d.ts +49 -0
package/dist/auth/daemon_token.d.ts.map +1 -0
package/dist/auth/daemon_token.js +49 -0
package/dist/auth/daemon_token_middleware.d.ts +93 -0
package/dist/auth/daemon_token_middleware.d.ts.map +1 -0
package/dist/auth/daemon_token_middleware.js +167 -0
package/dist/auth/ddl.d.ts +27 -0
package/dist/auth/ddl.d.ts.map +1 -0
package/dist/auth/ddl.js +111 -0
package/dist/auth/deps.d.ts +52 -0
package/dist/auth/deps.d.ts.map +1 -0
package/dist/auth/deps.js +10 -0
package/dist/auth/invite_queries.d.ts +68 -0
package/dist/auth/invite_queries.d.ts.map +1 -0
package/dist/auth/invite_queries.js +105 -0
package/dist/auth/invite_routes.d.ts +18 -0
package/dist/auth/invite_routes.d.ts.map +1 -0
package/dist/auth/invite_routes.js +129 -0
package/dist/auth/invite_schema.d.ts +51 -0
package/dist/auth/invite_schema.d.ts.map +1 -0
package/dist/auth/invite_schema.js +25 -0
package/dist/auth/keyring.d.ts +87 -0
package/dist/auth/keyring.d.ts.map +1 -0
package/dist/auth/keyring.js +142 -0
package/dist/auth/middleware.d.ts +40 -0
package/dist/auth/middleware.d.ts.map +1 -0
package/dist/auth/middleware.js +64 -0
package/dist/auth/migrations.d.ts +42 -0
package/dist/auth/migrations.d.ts.map +1 -0
package/dist/auth/migrations.js +79 -0
package/dist/auth/password.d.ts +39 -0
package/dist/auth/password.d.ts.map +1 -0
package/dist/auth/password.js +25 -0
package/dist/auth/password_argon2.d.ts +43 -0
package/dist/auth/password_argon2.d.ts.map +1 -0
package/dist/auth/password_argon2.js +76 -0
package/dist/auth/permit_queries.d.ts +72 -0
package/dist/auth/permit_queries.d.ts.map +1 -0
package/dist/auth/permit_queries.js +116 -0
package/dist/auth/request_context.d.ts +114 -0
package/dist/auth/request_context.d.ts.map +1 -0
package/dist/auth/request_context.js +176 -0
package/dist/auth/require_keeper.d.ts +20 -0
package/dist/auth/require_keeper.d.ts.map +1 -0
package/dist/auth/require_keeper.js +35 -0
package/dist/auth/role_schema.d.ts +69 -0
package/dist/auth/role_schema.d.ts.map +1 -0
package/dist/auth/role_schema.js +70 -0
package/dist/auth/route_guards.d.ts +21 -0
package/dist/auth/route_guards.d.ts.map +1 -0
package/dist/auth/route_guards.js +32 -0
package/dist/auth/session_cookie.d.ts +158 -0
package/dist/auth/session_cookie.d.ts.map +1 -0
package/dist/auth/session_cookie.js +135 -0
package/dist/auth/session_lifecycle.d.ts +35 -0
package/dist/auth/session_lifecycle.d.ts.map +1 -0
package/dist/auth/session_lifecycle.js +27 -0
package/dist/auth/session_middleware.d.ts +33 -0
package/dist/auth/session_middleware.d.ts.map +1 -0
package/dist/auth/session_middleware.js +62 -0
package/dist/auth/session_queries.d.ts +135 -0
package/dist/auth/session_queries.d.ts.map +1 -0
package/dist/auth/session_queries.js +186 -0
package/dist/auth/signup_routes.d.ts +32 -0
package/dist/auth/signup_routes.d.ts.map +1 -0
package/dist/auth/signup_routes.js +150 -0
package/dist/cli/args.d.ts +48 -0
package/dist/cli/args.d.ts.map +1 -0
package/dist/cli/args.js +76 -0
package/dist/cli/config.d.ts +48 -0
package/dist/cli/config.d.ts.map +1 -0
package/dist/cli/config.js +77 -0
package/dist/cli/daemon.d.ts +82 -0
package/dist/cli/daemon.d.ts.map +1 -0
package/dist/cli/daemon.js +149 -0
package/dist/cli/help.d.ts +85 -0
package/dist/cli/help.d.ts.map +1 -0
package/dist/cli/help.js +138 -0
package/dist/cli/logger.d.ts +46 -0
package/dist/cli/logger.d.ts.map +1 -0
package/dist/cli/logger.js +48 -0
package/dist/cli/util.d.ts +36 -0
package/dist/cli/util.d.ts.map +1 -0
package/dist/cli/util.js +50 -0
package/dist/crypto.d.ts +13 -0
package/dist/crypto.d.ts.map +1 -0
package/dist/crypto.js +19 -0
package/dist/db/assert_row.d.ts +18 -0
package/dist/db/assert_row.d.ts.map +1 -0
package/dist/db/assert_row.js +24 -0
package/dist/db/create_db.d.ts +38 -0
package/dist/db/create_db.d.ts.map +1 -0
package/dist/db/create_db.js +57 -0
package/dist/db/db.d.ts +97 -0
package/dist/db/db.d.ts.map +1 -0
package/dist/db/db.js +76 -0
package/dist/db/db_pg.d.ts +21 -0
package/dist/db/db_pg.d.ts.map +1 -0
package/dist/db/db_pg.js +45 -0
package/dist/db/db_pglite.d.ts +21 -0
package/dist/db/db_pglite.d.ts.map +1 -0
package/dist/db/db_pglite.js +28 -0
package/dist/db/migrate.d.ts +67 -0
package/dist/db/migrate.d.ts.map +1 -0
package/dist/db/migrate.js +118 -0
package/dist/db/pg_error.d.ts +16 -0
package/dist/db/pg_error.d.ts.map +1 -0
package/dist/db/pg_error.js +15 -0
package/dist/db/query_deps.d.ts +14 -0
package/dist/db/query_deps.d.ts.map +1 -0
package/dist/db/query_deps.js +9 -0
package/dist/db/sql_identifier.d.ts +27 -0
package/dist/db/sql_identifier.d.ts.map +1 -0
package/dist/db/sql_identifier.js +31 -0
package/dist/db/status.d.ts +62 -0
package/dist/db/status.d.ts.map +1 -0
package/dist/db/status.js +116 -0
package/dist/dev/setup.d.ts +159 -0
package/dist/dev/setup.d.ts.map +1 -0
package/dist/dev/setup.js +265 -0
package/dist/env/dotenv.d.ts +25 -0
package/dist/env/dotenv.d.ts.map +1 -0
package/dist/env/dotenv.js +52 -0
package/dist/env/load.d.ts +52 -0
package/dist/env/load.d.ts.map +1 -0
package/dist/env/load.js +79 -0
package/dist/env/mask.d.ts +19 -0
package/dist/env/mask.d.ts.map +1 -0
package/dist/env/mask.js +26 -0
package/dist/env/resolve.d.ts +126 -0
package/dist/env/resolve.d.ts.map +1 -0
package/dist/env/resolve.js +200 -0
package/dist/hono_context.d.ts +48 -0
package/dist/hono_context.d.ts.map +1 -0
package/dist/hono_context.js +22 -0
package/dist/http/common_routes.d.ts +52 -0
package/dist/http/common_routes.d.ts.map +1 -0
package/dist/http/common_routes.js +65 -0
package/dist/http/db_routes.d.ts +57 -0
package/dist/http/db_routes.d.ts.map +1 -0
package/dist/http/db_routes.js +176 -0
package/dist/http/error_schemas.d.ts +169 -0
package/dist/http/error_schemas.d.ts.map +1 -0
package/dist/http/error_schemas.js +178 -0
package/dist/http/middleware_spec.d.ts +19 -0
package/dist/http/middleware_spec.d.ts.map +1 -0
package/dist/http/middleware_spec.js +9 -0
package/dist/http/origin.d.ts +57 -0
package/dist/http/origin.d.ts.map +1 -0
package/dist/http/origin.js +207 -0
package/dist/http/proxy.d.ts +112 -0
package/dist/http/proxy.d.ts.map +1 -0
package/dist/http/proxy.js +240 -0
package/dist/http/route_spec.d.ts +197 -0
package/dist/http/route_spec.d.ts.map +1 -0
package/dist/http/route_spec.js +243 -0
package/dist/http/schema_helpers.d.ts +64 -0
package/dist/http/schema_helpers.d.ts.map +1 -0
package/dist/http/schema_helpers.js +90 -0
package/dist/http/surface.d.ts +132 -0
package/dist/http/surface.d.ts.map +1 -0
package/dist/http/surface.js +156 -0
package/dist/http/surface_query.d.ts +77 -0
package/dist/http/surface_query.d.ts.map +1 -0
package/dist/http/surface_query.js +86 -0
package/dist/rate_limiter.d.ts +94 -0
package/dist/rate_limiter.d.ts.map +1 -0
package/dist/rate_limiter.js +156 -0
package/dist/realtime/sse.d.ts +80 -0
package/dist/realtime/sse.d.ts.map +1 -0
package/dist/realtime/sse.js +109 -0
package/dist/realtime/sse_auth_guard.d.ts +93 -0
package/dist/realtime/sse_auth_guard.d.ts.map +1 -0
package/dist/realtime/sse_auth_guard.js +111 -0
package/dist/realtime/subscriber_registry.d.ts +85 -0
package/dist/realtime/subscriber_registry.d.ts.map +1 -0
package/dist/realtime/subscriber_registry.js +108 -0
package/dist/runtime/deno.d.ts +21 -0
package/dist/runtime/deno.d.ts.map +1 -0
package/dist/runtime/deno.js +83 -0
package/dist/runtime/deps.d.ts +113 -0
package/dist/runtime/deps.d.ts.map +1 -0
package/dist/runtime/deps.js +10 -0
package/dist/runtime/fs.d.ts +15 -0
package/dist/runtime/fs.d.ts.map +1 -0
package/dist/runtime/fs.js +17 -0
package/dist/runtime/mock.d.ts +81 -0
package/dist/runtime/mock.d.ts.map +1 -0
package/dist/runtime/mock.js +195 -0
package/dist/runtime/node.d.ts +17 -0
package/dist/runtime/node.d.ts.map +1 -0
package/dist/runtime/node.js +117 -0
package/dist/schema_meta.d.ts +16 -0
package/dist/schema_meta.d.ts.map +1 -0
package/dist/schema_meta.js +9 -0
package/dist/sensitivity.d.ts +15 -0
package/dist/sensitivity.d.ts.map +1 -0
package/dist/sensitivity.js +9 -0
package/dist/server/app_backend.d.ts +74 -0
package/dist/server/app_backend.d.ts.map +1 -0
package/dist/server/app_backend.js +39 -0
package/dist/server/app_server.d.ts +201 -0
package/dist/server/app_server.d.ts.map +1 -0
package/dist/server/app_server.js +266 -0
package/dist/server/env.d.ts +68 -0
package/dist/server/env.d.ts.map +1 -0
package/dist/server/env.js +95 -0
package/dist/server/startup.d.ts +22 -0
package/dist/server/startup.d.ts.map +1 -0
package/dist/server/startup.js +48 -0
package/dist/server/static.d.ts +39 -0
package/dist/server/static.d.ts.map +1 -0
package/dist/server/static.js +38 -0
package/dist/server/validate_nginx.d.ts +34 -0
package/dist/server/validate_nginx.d.ts.map +1 -0
package/dist/server/validate_nginx.js +118 -0
package/dist/testing/CLAUDE.md +3 -0
package/dist/testing/admin_integration.d.ts +45 -0
package/dist/testing/admin_integration.d.ts.map +1 -0
package/dist/testing/admin_integration.js +840 -0
package/dist/testing/adversarial_404.d.ts +15 -0
package/dist/testing/adversarial_404.d.ts.map +1 -0
package/dist/testing/adversarial_404.js +118 -0
package/dist/testing/adversarial_headers.d.ts +36 -0
package/dist/testing/adversarial_headers.d.ts.map +1 -0
package/dist/testing/adversarial_headers.js +128 -0
package/dist/testing/adversarial_input.d.ts +56 -0
package/dist/testing/adversarial_input.d.ts.map +1 -0
package/dist/testing/adversarial_input.js +494 -0
package/dist/testing/app_server.d.ts +169 -0
package/dist/testing/app_server.d.ts.map +1 -0
package/dist/testing/app_server.js +240 -0
package/dist/testing/assert_dev_env.d.ts +10 -0
package/dist/testing/assert_dev_env.d.ts.map +1 -0
package/dist/testing/assert_dev_env.js +13 -0
package/dist/testing/assertions.d.ts +61 -0
package/dist/testing/assertions.d.ts.map +1 -0
package/dist/testing/assertions.js +96 -0
package/dist/testing/attack_surface.d.ts +63 -0
package/dist/testing/attack_surface.d.ts.map +1 -0
package/dist/testing/attack_surface.js +224 -0
package/dist/testing/audit_completeness.d.ts +29 -0
package/dist/testing/audit_completeness.d.ts.map +1 -0
package/dist/testing/audit_completeness.js +410 -0
package/dist/testing/auth_apps.d.ts +55 -0
package/dist/testing/auth_apps.d.ts.map +1 -0
package/dist/testing/auth_apps.js +122 -0
package/dist/testing/data_exposure.d.ts +62 -0
package/dist/testing/data_exposure.d.ts.map +1 -0
package/dist/testing/data_exposure.js +297 -0
package/dist/testing/db.d.ts +111 -0
package/dist/testing/db.d.ts.map +1 -0
package/dist/testing/db.js +258 -0
package/dist/testing/entities.d.ts +21 -0
package/dist/testing/entities.d.ts.map +1 -0
package/dist/testing/entities.js +42 -0
package/dist/testing/error_coverage.d.ts +78 -0
package/dist/testing/error_coverage.d.ts.map +1 -0
package/dist/testing/error_coverage.js +135 -0
package/dist/testing/integration.d.ts +37 -0
package/dist/testing/integration.d.ts.map +1 -0
package/dist/testing/integration.js +1139 -0
package/dist/testing/integration_helpers.d.ts +107 -0
package/dist/testing/integration_helpers.d.ts.map +1 -0
package/dist/testing/integration_helpers.js +246 -0
package/dist/testing/middleware.d.ts +125 -0
package/dist/testing/middleware.d.ts.map +1 -0
package/dist/testing/middleware.js +210 -0
package/dist/testing/rate_limiting.d.ts +43 -0
package/dist/testing/rate_limiting.d.ts.map +1 -0
package/dist/testing/rate_limiting.js +216 -0
package/dist/testing/round_trip.d.ts +37 -0
package/dist/testing/round_trip.d.ts.map +1 -0
package/dist/testing/round_trip.js +128 -0
package/dist/testing/schema_generators.d.ts +33 -0
package/dist/testing/schema_generators.d.ts.map +1 -0
package/dist/testing/schema_generators.js +137 -0
package/dist/testing/standard.d.ts +49 -0
package/dist/testing/standard.d.ts.map +1 -0
package/dist/testing/standard.js +16 -0
package/dist/testing/stubs.d.ts +96 -0
package/dist/testing/stubs.d.ts.map +1 -0
package/dist/testing/stubs.js +192 -0
package/dist/testing/surface_invariants.d.ts +189 -0
package/dist/testing/surface_invariants.d.ts.map +1 -0
package/dist/testing/surface_invariants.js +450 -0
package/dist/ui/AccountSessions.svelte +75 -0
package/dist/ui/AccountSessions.svelte.d.ts +19 -0
package/dist/ui/AccountSessions.svelte.d.ts.map +1 -0
package/dist/ui/AdminAccounts.svelte +107 -0
package/dist/ui/AdminAccounts.svelte.d.ts +19 -0
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -0
package/dist/ui/AdminAuditLog.svelte +144 -0
package/dist/ui/AdminAuditLog.svelte.d.ts +4 -0
package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -0
package/dist/ui/AdminInvites.svelte +142 -0
package/dist/ui/AdminInvites.svelte.d.ts +4 -0
package/dist/ui/AdminInvites.svelte.d.ts.map +1 -0
package/dist/ui/AdminOverview.svelte +337 -0
package/dist/ui/AdminOverview.svelte.d.ts +4 -0
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -0
package/dist/ui/AdminPermitHistory.svelte +61 -0
package/dist/ui/AdminPermitHistory.svelte.d.ts +19 -0
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -0
package/dist/ui/AdminSessions.svelte +85 -0
package/dist/ui/AdminSessions.svelte.d.ts +19 -0
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -0
package/dist/ui/AdminSettings.svelte +32 -0
package/dist/ui/AdminSettings.svelte.d.ts +19 -0
package/dist/ui/AdminSettings.svelte.d.ts.map +1 -0
package/dist/ui/AdminSurface.svelte +42 -0
package/dist/ui/AdminSurface.svelte.d.ts +4 -0
package/dist/ui/AdminSurface.svelte.d.ts.map +1 -0
package/dist/ui/AppShell.svelte +93 -0
package/dist/ui/AppShell.svelte.d.ts +20 -0
package/dist/ui/AppShell.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +105 -0
package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -0
package/dist/ui/ColumnLayout.svelte +46 -0
package/dist/ui/ColumnLayout.svelte.d.ts +11 -0
package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -0
package/dist/ui/ConfirmButton.svelte +125 -0
package/dist/ui/ConfirmButton.svelte.d.ts +54 -0
package/dist/ui/ConfirmButton.svelte.d.ts.map +1 -0
package/dist/ui/Datatable.svelte +185 -0
package/dist/ui/Datatable.svelte.d.ts +35 -0
package/dist/ui/Datatable.svelte.d.ts.map +1 -0
package/dist/ui/LoginForm.svelte +82 -0
package/dist/ui/LoginForm.svelte.d.ts +8 -0
package/dist/ui/LoginForm.svelte.d.ts.map +1 -0
package/dist/ui/LogoutButton.svelte +36 -0
package/dist/ui/LogoutButton.svelte.d.ts +10 -0
package/dist/ui/LogoutButton.svelte.d.ts.map +1 -0
package/dist/ui/MenuLink.svelte +35 -0
package/dist/ui/MenuLink.svelte.d.ts +12 -0
package/dist/ui/MenuLink.svelte.d.ts.map +1 -0
package/dist/ui/OpenSignupToggle.svelte +36 -0
package/dist/ui/OpenSignupToggle.svelte.d.ts +19 -0
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -0
package/dist/ui/PopoverButton.svelte +136 -0
package/dist/ui/PopoverButton.svelte.d.ts +63 -0
package/dist/ui/PopoverButton.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +117 -0
package/dist/ui/SignupForm.svelte.d.ts +7 -0
package/dist/ui/SignupForm.svelte.d.ts.map +1 -0
package/dist/ui/SurfaceExplorer.svelte +287 -0
package/dist/ui/SurfaceExplorer.svelte.d.ts +8 -0
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.d.ts +15 -0
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.js +45 -0
package/dist/ui/admin_accounts_state.svelte.d.ts +19 -0
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_accounts_state.svelte.js +65 -0
package/dist/ui/admin_invites_state.svelte.d.ts +19 -0
package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_invites_state.svelte.js +71 -0
package/dist/ui/admin_sessions_state.svelte.d.ts +18 -0
package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -0
package/dist/ui/admin_sessions_state.svelte.js +62 -0
package/dist/ui/app_settings_state.svelte.d.ts +14 -0
package/dist/ui/app_settings_state.svelte.d.ts.map +1 -0
package/dist/ui/app_settings_state.svelte.js +44 -0
package/dist/ui/audit_log_state.svelte.d.ts +40 -0
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -0
package/dist/ui/audit_log_state.svelte.js +153 -0
package/dist/ui/auth_state.svelte.d.ts +85 -0
package/dist/ui/auth_state.svelte.d.ts.map +1 -0
package/dist/ui/auth_state.svelte.js +238 -0
package/dist/ui/datatable.d.ts +25 -0
package/dist/ui/datatable.d.ts.map +1 -0
package/dist/ui/datatable.js +9 -0
package/dist/ui/enter_advance.d.ts +13 -0
package/dist/ui/enter_advance.d.ts.map +1 -0
package/dist/ui/enter_advance.js +30 -0
package/dist/ui/loadable.svelte.d.ts +55 -0
package/dist/ui/loadable.svelte.d.ts.map +1 -0
package/dist/ui/loadable.svelte.js +75 -0
package/dist/ui/popover.svelte.d.ts +137 -0
package/dist/ui/popover.svelte.d.ts.map +1 -0
package/dist/ui/popover.svelte.js +288 -0
package/dist/ui/position_helpers.d.ts +27 -0
package/dist/ui/position_helpers.d.ts.map +1 -0
package/dist/ui/position_helpers.js +81 -0
package/dist/ui/sidebar_state.svelte.d.ts +30 -0
package/dist/ui/sidebar_state.svelte.d.ts.map +1 -0
package/dist/ui/sidebar_state.svelte.js +39 -0
package/dist/ui/table_state.svelte.d.ts +63 -0
package/dist/ui/table_state.svelte.d.ts.map +1 -0
package/dist/ui/table_state.svelte.js +117 -0
package/dist/ui/ui_fetch.d.ts +29 -0
package/dist/ui/ui_fetch.d.ts.map +1 -0
package/dist/ui/ui_fetch.js +37 -0
package/dist/ui/ui_format.d.ts +63 -0
package/dist/ui/ui_format.d.ts.map +1 -0
package/dist/ui/ui_format.js +196 -0
package/package.json +121 -0

package/dist/auth/invite_queries.js ADDED Viewed

@@ -0,0 +1,105 @@
+/**
+ * Invite database queries.
+ *
+ * CRUD operations for the invite table — creating invites,
+ * finding unclaimed matches, claiming, and cleanup.
+ *
+ * @module
+ */
+import { assert_row } from '../db/assert_row.js';
+/**
+ * Create a new invite.
+ *
+ * @param deps - query dependencies
+ * @param input - the invite fields
+ * @returns the created invite
+ */
+export const query_create_invite = async (deps, input) => {
+    const row = await deps.db.query_one(`INSERT INTO invite (email, username, created_by)
+		 VALUES ($1, $2, $3)
+		 RETURNING *`, [input.email ?? null, input.username ?? null, input.created_by]);
+    return assert_row(row, 'INSERT INTO invite');
+};
+/**
+ * Find an unclaimed invite by email (case-insensitive).
+ */
+export const query_invite_find_unclaimed_by_email = async (deps, email) => {
+    return deps.db.query_one(`SELECT * FROM invite WHERE LOWER(email) = LOWER($1) AND claimed_at IS NULL`, [email]);
+};
+/**
+ * Find an unclaimed invite by username (case-insensitive).
+ */
+export const query_invite_find_unclaimed_by_username = async (deps, username) => {
+    return deps.db.query_one(`SELECT * FROM invite WHERE LOWER(username) = LOWER($1) AND claimed_at IS NULL`, [username]);
+};
+/**
+ * Find an unclaimed invite matching email and/or username using three scoping modes:
+ *
+ * - **Email-only invite** (email set, username NULL) → matches only if signup provides matching email.
+ * - **Username-only invite** (username set, email NULL) → matches only if signup provides matching username.
+ * - **Both-field invite** (both set) → requires BOTH email and username to match.
+ *
+ * @param deps - query dependencies
+ * @param email - email to match (or null if signup provides none)
+ * @param username - username to match
+ * @returns the matching invite, or `undefined`
+ */
+export const query_invite_find_unclaimed_match = async (deps, email, username) => {
+    return deps.db.query_one(`SELECT * FROM invite WHERE claimed_at IS NULL AND (
+			(email IS NOT NULL AND username IS NULL
+			 AND $1::text IS NOT NULL AND LOWER(email) = LOWER($1::text))
+			OR
+			(username IS NOT NULL AND email IS NULL
+			 AND LOWER(username) = LOWER($2))
+			OR
+			(email IS NOT NULL AND username IS NOT NULL
+			 AND $1::text IS NOT NULL AND LOWER(email) = LOWER($1::text)
+			 AND LOWER(username) = LOWER($2))
+		) ORDER BY created_at ASC, id ASC LIMIT 1`, [email, username]);
+};
+/**
+ * Claim an invite by setting the claimed_by and claimed_at fields.
+ *
+ * @param deps - query dependencies
+ * @param invite_id - the invite to claim
+ * @param account_id - the account claiming the invite
+ * @returns true if the invite was claimed, false if already claimed or not found
+ */
+export const query_invite_claim = async (deps, invite_id, account_id) => {
+    const rows = await deps.db.query(`UPDATE invite SET claimed_by = $1, claimed_at = NOW()
+		 WHERE id = $2 AND claimed_at IS NULL
+		 RETURNING id`, [account_id, invite_id]);
+    return rows.length > 0;
+};
+/**
+ * List all invites, newest first.
+ */
+export const query_invite_list_all = async (deps) => {
+    return deps.db.query(`SELECT * FROM invite ORDER BY created_at DESC`);
+};
+/**
+ * List all invites with resolved creator/claimer usernames, newest first.
+ *
+ * @param deps - query dependencies
+ * @returns invites with `created_by_username` and `claimed_by_username`
+ */
+export const query_invite_list_all_with_usernames = async (deps) => {
+    return deps.db.query(`SELECT i.*,
+			act.name AS created_by_username,
+			a.username AS claimed_by_username
+		 FROM invite i
+		 LEFT JOIN actor act ON act.id = i.created_by
+		 LEFT JOIN account a ON a.id = i.claimed_by
+		 ORDER BY i.created_at DESC`);
+};
+/**
+ * Delete an unclaimed invite.
+ *
+ * @param deps - query dependencies
+ * @param id - the invite id
+ * @returns true if deleted, false if not found or already claimed
+ */
+export const query_invite_delete_unclaimed = async (deps, id) => {
+    const rows = await deps.db.query(`DELETE FROM invite WHERE id = $1 AND claimed_at IS NULL RETURNING id`, [id]);
+    return rows.length > 0;
+};

package/dist/auth/invite_routes.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Admin invite route specs for invite-based signup.
+ *
+ * All routes require the `admin` role. Provides CRUD for invites
+ * that gate who can sign up.
+ *
+ * @module
+ */
+import { type RouteSpec } from '../http/route_spec.js';
+import type { RouteFactoryDeps } from './deps.js';
+/**
+ * Create admin invite route specs.
+ *
+ * @param deps - stateless capabilities (log)
+ * @returns route specs for invite management
+ */
+export declare const create_invite_route_specs: (deps: Pick<RouteFactoryDeps, "log" | "on_audit_event">) => Array<RouteSpec>;
+//# sourceMappingURL=invite_routes.d.ts.map

package/dist/auth/invite_routes.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"invite_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAYxF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAUhD;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,KACpD,KAAK,CAAC,SAAS,CAwHjB,CAAC"}

package/dist/auth/invite_routes.js ADDED Viewed

@@ -0,0 +1,129 @@
+/**
+ * Admin invite route specs for invite-based signup.
+ *
+ * All routes require the `admin` role. Provides CRUD for invites
+ * that gate who can sign up.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { get_route_input, get_route_params } from '../http/route_spec.js';
+import { require_request_context } from './request_context.js';
+import { get_client_ip } from '../http/proxy.js';
+import { audit_log_fire_and_forget } from './audit_log_queries.js';
+import { query_account_by_username, query_account_by_email } from './account_queries.js';
+import { query_create_invite, query_invite_list_all_with_usernames, query_invite_delete_unclaimed, } from './invite_queries.js';
+import { InviteJson, InviteWithUsernamesJson } from './invite_schema.js';
+import { Username, Email } from './account_schema.js';
+import { is_pg_unique_violation } from '../db/pg_error.js';
+import { ERROR_INVITE_NOT_FOUND, ERROR_INVITE_MISSING_IDENTIFIER, ERROR_INVITE_DUPLICATE, ERROR_INVITE_ACCOUNT_EXISTS_USERNAME, ERROR_INVITE_ACCOUNT_EXISTS_EMAIL, } from '../http/error_schemas.js';
+/**
+ * Create admin invite route specs.
+ *
+ * @param deps - stateless capabilities (log)
+ * @returns route specs for invite management
+ */
+export const create_invite_route_specs = (deps) => {
+    return [
+        {
+            method: 'POST',
+            path: '/invites',
+            auth: { type: 'role', role: 'admin' },
+            description: 'Create an invite',
+            input: z.strictObject({
+                email: Email.nullish(),
+                username: Username.nullish(),
+            }),
+            output: z.strictObject({ ok: z.literal(true), invite: InviteJson }),
+            errors: {
+                400: z.looseObject({ error: z.literal(ERROR_INVITE_MISSING_IDENTIFIER) }),
+                409: z.looseObject({
+                    error: z.enum([
+                        ERROR_INVITE_DUPLICATE,
+                        ERROR_INVITE_ACCOUNT_EXISTS_USERNAME,
+                        ERROR_INVITE_ACCOUNT_EXISTS_EMAIL,
+                    ]),
+                }),
+            },
+            handler: async (c, route) => {
+                const ctx = require_request_context(c);
+                const { email, username } = get_route_input(c);
+                if (!email && !username) {
+                    return c.json({ error: ERROR_INVITE_MISSING_IDENTIFIER }, 400);
+                }
+                if (username) {
+                    const existing = await query_account_by_username(route, username);
+                    if (existing) {
+                        return c.json({ error: ERROR_INVITE_ACCOUNT_EXISTS_USERNAME }, 409);
+                    }
+                }
+                if (email) {
+                    const existing = await query_account_by_email(route, email);
+                    if (existing) {
+                        return c.json({ error: ERROR_INVITE_ACCOUNT_EXISTS_EMAIL }, 409);
+                    }
+                }
+                let invite;
+                try {
+                    invite = await query_create_invite(route, {
+                        email: email ?? null,
+                        username: username ?? null,
+                        created_by: ctx.actor.id,
+                    });
+                }
+                catch (e) {
+                    if (is_pg_unique_violation(e)) {
+                        return c.json({ error: ERROR_INVITE_DUPLICATE }, 409);
+                    }
+                    throw e;
+                }
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'invite_create',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { invite_id: invite.id, email: email ?? null, username: username ?? null },
+                }, deps.log, deps.on_audit_event);
+                return c.json({ ok: true, invite });
+            },
+        },
+        {
+            method: 'GET',
+            path: '/invites',
+            auth: { type: 'role', role: 'admin' },
+            description: 'List all invites',
+            input: z.null(),
+            output: z.strictObject({ invites: z.array(InviteWithUsernamesJson) }),
+            handler: async (c, route) => {
+                const invites = await query_invite_list_all_with_usernames(route);
+                return c.json({ invites });
+            },
+        },
+        {
+            method: 'DELETE',
+            path: '/invites/:id',
+            auth: { type: 'role', role: 'admin' },
+            description: 'Delete an unclaimed invite',
+            params: z.strictObject({ id: z.uuid() }),
+            input: z.null(),
+            output: z.strictObject({ ok: z.literal(true) }),
+            errors: { 404: z.looseObject({ error: z.literal(ERROR_INVITE_NOT_FOUND) }) },
+            handler: async (c, route) => {
+                const { id } = get_route_params(c);
+                const deleted = await query_invite_delete_unclaimed(route, id);
+                if (!deleted) {
+                    return c.json({ error: ERROR_INVITE_NOT_FOUND }, 404);
+                }
+                const ctx = require_request_context(c);
+                void audit_log_fire_and_forget(route, {
+                    event_type: 'invite_delete',
+                    actor_id: ctx.actor.id,
+                    account_id: ctx.account.id,
+                    ip: get_client_ip(c),
+                    metadata: { invite_id: id },
+                }, deps.log, deps.on_audit_event);
+                return c.json({ ok: true });
+            },
+        },
+    ];
+};

package/dist/auth/invite_schema.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+/**
+ * Invite types and client-safe schemas.
+ *
+ * Defines the runtime types for the invite system: invite creation,
+ * matching, and claiming.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Username, Email } from './account_schema.js';
+/** Invite row from the database. */
+export interface Invite {
+    id: string;
+    email: Email | null;
+    username: Username | null;
+    claimed_by: string | null;
+    claimed_at: string | null;
+    created_at: string;
+    created_by: string | null;
+}
+/** Zod schema for client-safe invite data. */
+export declare const InviteJson: z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodNullable<z.ZodEmail>;
+    username: z.ZodNullable<z.ZodString>;
+    claimed_by: z.ZodNullable<z.ZodString>;
+    claimed_at: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    created_by: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+export type InviteJson = z.infer<typeof InviteJson>;
+/** Zod schema for invite data with resolved creator/claimer usernames. */
+export declare const InviteWithUsernamesJson: z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodNullable<z.ZodEmail>;
+    username: z.ZodNullable<z.ZodString>;
+    claimed_by: z.ZodNullable<z.ZodString>;
+    claimed_at: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    created_by: z.ZodNullable<z.ZodString>;
+    created_by_username: z.ZodNullable<z.ZodString>;
+    claimed_by_username: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+export type InviteWithUsernamesJson = z.infer<typeof InviteWithUsernamesJson>;
+/** Input for creating an invite. */
+export interface CreateInviteInput {
+    email?: Email | null;
+    username?: Username | null;
+    created_by: string | null;
+}
+//# sourceMappingURL=invite_schema.d.ts.map

package/dist/auth/invite_schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"invite_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAC,QAAQ,EAAE,KAAK,EAAC,MAAM,qBAAqB,CAAC;AAEpD,oCAAoC;AACpC,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,8CAA8C;AAC9C,eAAO,MAAM,UAAU;;;;;;;;kBAQrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,0EAA0E;AAC1E,eAAO,MAAM,uBAAuB;;;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;IACrB,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B"}

package/dist/auth/invite_schema.js ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Invite types and client-safe schemas.
+ *
+ * Defines the runtime types for the invite system: invite creation,
+ * matching, and claiming.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Username, Email } from './account_schema.js';
+/** Zod schema for client-safe invite data. */
+export const InviteJson = z.strictObject({
+    id: z.string(),
+    email: Email.nullable(),
+    username: Username.nullable(),
+    claimed_by: z.string().nullable(),
+    claimed_at: z.string().nullable(),
+    created_at: z.string(),
+    created_by: z.string().nullable(),
+});
+/** Zod schema for invite data with resolved creator/claimer usernames. */
+export const InviteWithUsernamesJson = InviteJson.extend({
+    created_by_username: z.string().nullable(),
+    claimed_by_username: z.string().nullable(),
+});

package/dist/auth/keyring.d.ts ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * Key ring for cookie signing.
+ *
+ * Encapsulates secret keys and crypto operations. Keys are never exposed -
+ * only sign/verify operations are available. This prevents accidental
+ * logging or leakage of secrets.
+ *
+ * @example
+ * ```ts
+ * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * if (!keyring) throw new Error('No keys configured');
+ *
+ * const signed = await keyring.sign('user:123:1700000000');
+ * const result = await keyring.verify(signed);
+ * // result = { value: 'user:123:1700000000', key_index: 0 }
+ * ```
+ *
+ * @module
+ */
+/**
+ * Opaque keyring that encapsulates secret keys.
+ * Only exposes sign/verify operations, never the raw keys.
+ */
+export interface Keyring {
+    /**
+     * Sign a value with HMAC SHA-256.
+     * @returns signed value in format: `value.signature`
+     */
+    sign: (value: string) => Promise<string>;
+    /**
+     * Verify a signed value and extract the original.
+     * Tries all keys in order to support key rotation.
+     * @returns object with value and key_index, or null if invalid
+     */
+    verify: (signed_value: string) => Promise<{
+        value: string;
+        key_index: number;
+    } | null>;
+}
+/**
+ * Create a keyring from environment variable.
+ *
+ * Keys are separated by `__` for rotation support. First key is used
+ * for signing, all keys are tried for verification.
+ *
+ * CryptoKeys are cached on first use for performance.
+ *
+ * **Security: key rotation is an operational concern.** Old keys remain valid
+ * for verification indefinitely — a leaked old key can forge session cookies
+ * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * signing key, remove the old key within a grace period (e.g. 24–48 hours,
+ * long enough for active sessions to re-sign with the new key via cookie
+ * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns keyring or null if no keys configured
+ */
+export declare const create_keyring: (env_value: string | undefined) => Keyring | null;
+/**
+ * Validate key ring configuration.
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns array of validation errors (empty if valid)
+ */
+export declare const validate_keyring: (env_value: string | undefined) => Array<string>;
+/**
+ * Result of `create_validated_keyring`.
+ * Discriminated union — callers handle the error case their own way.
+ */
+export type ValidatedKeyringResult = {
+    ok: true;
+    keyring: Keyring;
+} | {
+    ok: false;
+    errors: Array<string>;
+};
+/**
+ * Validate and create a keyring in one step.
+ *
+ * Returns a discriminated union so callers handle exit/logging their own way
+ * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns `{ok: true, keyring}` or `{ok: false, errors}`
+ */
+export declare const create_validated_keyring: (env_value: string | undefined) => ValidatedKeyringResult;
+//# sourceMappingURL=keyring.d.ts.map

package/dist/auth/keyring.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"keyring.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH;;;GAGG;AACH,MAAM,WAAW,OAAO;IACvB;;;OAGG;IACH,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC;;;;OAIG;IACH,MAAM,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC,GAAG,IAAI,CAAC,CAAC;CACrF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,cAAc,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,OAAO,GAAG,IAkCxE,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,KAAK,CAAC,MAAM,CAW5E,CAAC;AA6CF;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAC/B;IAAC,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,GAC5B;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;CAAC,CAAC;AAEtC;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,sBAUxE,CAAC"}

package/dist/auth/keyring.js ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * Key ring for cookie signing.
+ *
+ * Encapsulates secret keys and crypto operations. Keys are never exposed -
+ * only sign/verify operations are available. This prevents accidental
+ * logging or leakage of secrets.
+ *
+ * @example
+ * ```ts
+ * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * if (!keyring) throw new Error('No keys configured');
+ *
+ * const signed = await keyring.sign('user:123:1700000000');
+ * const result = await keyring.verify(signed);
+ * // result = { value: 'user:123:1700000000', key_index: 0 }
+ * ```
+ *
+ * @module
+ */
+const KEY_SEPARATOR = '__';
+const MIN_KEY_LENGTH = 32;
+const encoder = new TextEncoder();
+/**
+ * Create a keyring from environment variable.
+ *
+ * Keys are separated by `__` for rotation support. First key is used
+ * for signing, all keys are tried for verification.
+ *
+ * CryptoKeys are cached on first use for performance.
+ *
+ * **Security: key rotation is an operational concern.** Old keys remain valid
+ * for verification indefinitely — a leaked old key can forge session cookies
+ * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * signing key, remove the old key within a grace period (e.g. 24–48 hours,
+ * long enough for active sessions to re-sign with the new key via cookie
+ * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns keyring or null if no keys configured
+ */
+export const create_keyring = (env_value) => {
+    const secrets = parse_keys(env_value);
+    if (secrets.length === 0)
+        return null;
+    // Cache CryptoKey promises - imported once on first use
+    const key_cache = [];
+    const get_key = (index) => {
+        if (!key_cache[index]) {
+            key_cache[index] = create_hmac_key(secrets[index]);
+        }
+        return key_cache[index];
+    };
+    // Create the opaque key ring - secrets captured in closure, never exposed
+    return {
+        async sign(value) {
+            const key = await get_key(0);
+            return sign_with_crypto_key(value, key);
+        },
+        async verify(signed_value) {
+            for (let i = 0; i < secrets.length; i++) {
+                // eslint-disable-next-line no-await-in-loop
+                const key = await get_key(i);
+                // eslint-disable-next-line no-await-in-loop
+                const result = await verify_with_crypto_key(signed_value, key);
+                if (result !== false) {
+                    return { value: result, key_index: i };
+                }
+            }
+            return null;
+        },
+    };
+};
+/**
+ * Validate key ring configuration.
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns array of validation errors (empty if valid)
+ */
+export const validate_keyring = (env_value) => {
+    const keys = parse_keys(env_value);
+    const errors = [];
+    for (const [i, key] of keys.entries()) {
+        if (key.length < MIN_KEY_LENGTH) {
+            errors.push(`Key ${i + 1} is too short (${key.length} chars, min ${MIN_KEY_LENGTH})`);
+        }
+    }
+    return errors;
+};
+const create_hmac_key = (secret) => {
+    return crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
+};
+const sign_with_crypto_key = async (value, key) => {
+    const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(value));
+    const signature_base64 = btoa(String.fromCharCode(...new Uint8Array(signature)));
+    return `${value}.${signature_base64}`;
+};
+const verify_with_crypto_key = async (signed_value, key) => {
+    const dot_index = signed_value.lastIndexOf('.');
+    if (dot_index === -1)
+        return false;
+    const value = signed_value.slice(0, dot_index);
+    const signature_base64 = signed_value.slice(dot_index + 1);
+    let signature;
+    try {
+        const decoded = atob(signature_base64);
+        const bytes = new Uint8Array(decoded.length);
+        for (let i = 0; i < decoded.length; i++) {
+            bytes[i] = decoded.charCodeAt(i);
+        }
+        signature = bytes.buffer;
+    }
+    catch {
+        return false;
+    }
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(value));
+    return valid ? value : false;
+};
+/**
+ * Validate and create a keyring in one step.
+ *
+ * Returns a discriminated union so callers handle exit/logging their own way
+ * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
+ *
+ * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @returns `{ok: true, keyring}` or `{ok: false, errors}`
+ */
+export const create_validated_keyring = (env_value) => {
+    const errors = validate_keyring(env_value);
+    if (errors.length > 0) {
+        return { ok: false, errors };
+    }
+    const keyring = create_keyring(env_value);
+    if (!keyring) {
+        return { ok: false, errors: ['SECRET_COOKIE_KEYS is required'] };
+    }
+    return { ok: true, keyring };
+};
+const parse_keys = (env_value) => {
+    if (!env_value)
+        return [];
+    return env_value.split(KEY_SEPARATOR).filter((k) => k.length > 0);
+};

package/dist/auth/middleware.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Auth middleware stack factory.
+ *
+ * Creates the standard middleware layers (origin, session, request_context,
+ * bearer_auth, optional daemon_token) from configuration.
+ *
+ * @module
+ */
+import type { SessionOptions } from './session_cookie.js';
+import type { AppDeps } from './deps.js';
+import type { DaemonTokenState } from './daemon_token.js';
+import type { RateLimiter } from '../rate_limiter.js';
+import type { MiddlewareSpec } from '../http/middleware_spec.js';
+/**
+ * Per-factory configuration for the standard auth middleware stack.
+ */
+export interface AuthMiddlewareOptions {
+    allowed_origins: Array<RegExp>;
+    session_options: SessionOptions<string>;
+    /** Path pattern for middleware (default: `'/api/*'`). */
+    path?: string;
+    /** Daemon token state for keeper auth. Omit to disable daemon token middleware. */
+    daemon_token_state?: DaemonTokenState;
+    /** Rate limiter for bearer token auth attempts (per-IP). Pass `null` to disable. */
+    bearer_ip_rate_limiter: RateLimiter | null;
+}
+/**
+ * Create the auth middleware stack.
+ *
+ * Returns `[origin, session, request_context, bearer_auth]` middleware specs
+ * for the given path pattern. When `daemon_token_state` is provided, appends
+ * a 5th `daemon_token` layer. Apps can append extra entries for non-standard
+ * paths (e.g., tx's `/tx` binary endpoint).
+ *
+ * @param deps - stateless capabilities (keyring, db)
+ * @param options - middleware configuration (allowed_origins, session_options, path, daemon_token_state)
+ * @returns the middleware spec array
+ */
+export declare const create_auth_middleware_specs: (deps: AppDeps, options: AuthMiddlewareOptions) => Promise<Array<MiddlewareSpec>>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AACxD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,WAAW,CAAC;AACvC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AACpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAG/D;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/B,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mFAAmF;IACnF,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IACtC,oFAAoF;IACpF,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;CAC3C;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,OAAO,EACb,SAAS,qBAAqB,KAC5B,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CA+D/B,CAAC"}