@fuzdev/fuz_app 0.11.0 → 0.13.0

package/dist/auth/request_context.d.ts

@@ -23,6 +23,16 @@ export interface RequestContext {
 }
 /** Hono context variable name for the request context. */
 export declare const REQUEST_CONTEXT_KEY = "request_context";
+/**
+ * Hono context variable name for the authenticated session token hash.
+ *
+ * Set by `create_request_context_middleware` after a successful session lookup.
+ * `null` when the request is unauthenticated or authenticated via a non-session
+ * credential (bearer token, daemon token). Exposed so handlers can scope
+ * per-session resources (e.g., SSE stream identity for targeted disconnection
+ * on `session_revoke`) without re-hashing the token.
+ */
+export declare const AUTH_SESSION_TOKEN_HASH_KEY = "auth_session_token_hash";
 /**
  * Get the request context from a Hono context, or `null` if unauthenticated.
  *

package/dist/auth/request_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBAqCF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}
+{"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBAyCF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}

package/dist/auth/request_context.js

@@ -19,6 +19,16 @@ import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, } from '../http/error_schemas.js';
 /** Hono context variable name for the request context. */
 export const REQUEST_CONTEXT_KEY = 'request_context';
+/**
+ * Hono context variable name for the authenticated session token hash.
+ *
+ * Set by `create_request_context_middleware` after a successful session lookup.
+ * `null` when the request is unauthenticated or authenticated via a non-session
+ * credential (bearer token, daemon token). Exposed so handlers can scope
+ * per-session resources (e.g., SSE stream identity for targeted disconnection
+ * on `session_revoke`) without re-hashing the token.
+ */
+export const AUTH_SESSION_TOKEN_HASH_KEY = 'auth_session_token_hash';
 /**
  * Get the request context from a Hono context, or `null` if unauthenticated.
  *
@@ -78,6 +88,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!session_token) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
@@ -86,6 +97,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!session) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
@@ -93,11 +105,13 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!ctx) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
         c.set(REQUEST_CONTEXT_KEY, ctx);
         c.set(CREDENTIAL_TYPE_KEY, 'session');
+        c.set(AUTH_SESSION_TOKEN_HASH_KEY, token_hash);
         // Touch session (fire-and-forget, don't block the request)
         void session_touch_fire_and_forget(deps, token_hash, c.var.pending_effects, log);
         await next();

package/dist/hono_context.d.ts

@@ -37,6 +37,13 @@ declare module 'hono' {
         validated_query: unknown;
         /** How the request was authenticated (`'session'`, `'api_token'`, or `'daemon_token'`). */
         credential_type: CredentialType | null;
+        /**
+         * blake3 hash of the authenticated session token, or `null` for non-session
+         * credentials. Set by `create_request_context_middleware`. Used to scope
+         * per-session resources (e.g., SSE stream identity for `session_revoke`
+         * disconnection) without re-hashing the cookie in every handler.
+         */
+        auth_session_token_hash: string | null;
         /**
          * Pending fire-and-forget effects for this request (audit logs, usage tracking, etc.).
          * Initialized by `create_app_server`. In test mode (`await_pending_effects: true`),

package/dist/hono_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}
+{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}

package/dist/realtime/sse.d.ts

@@ -62,8 +62,6 @@ export interface EventSpec {
     description: string;
     channel?: string;
 }
-/** @deprecated Use `EventSpec` instead. */
-export type SseEventSpec = EventSpec;
 /**
  * Create a broadcaster that validates events in DEV mode.
  *

package/dist/realtime/sse.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAElC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC,GAAG,OAAO;IACrC,mDAAmD;IACnD,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC;IACxB,6CAA6C;IAC7C,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,wBAAwB;IACxB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,+FAA+F;IAC/F,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,IAAI,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC/B,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,MAAM,EAAE,OAAO,CAAC;CAChB;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,mBAAmB,GAAI,CAAC,GAAG,OAAO,EAC9C,GAAG,OAAO,EACV,KAAK,MAAM,KACT;IAAC,QAAQ,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAA;CAiD3C,CAAC;AAEF,kGAAkG;AAClG,eAAO,MAAM,qBAAqB,oBAAoB,CAAC;AAEvD,gFAAgF;AAChF,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,MAAM,YAAY,GAAG,SAAS,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GAAI,CAAC,SAAS,eAAe,EACrE,aAAa;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,IAAI,CAAA;CAAC,EAC5D,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,KAAK,MAAM,KACT;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,IAAI,CAAA;CAmBhD,CAAC"}
+{"version":3,"file":"sse.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAElC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD;;;;GAIG;AACH,MAAM,WAAW,SAAS,CAAC,CAAC,GAAG,OAAO;IACrC,mDAAmD;IACnD,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC;IACxB,6CAA6C;IAC7C,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,wBAAwB;IACxB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,+FAA+F;IAC/F,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,IAAI,KAAK,IAAI,CAAC;CACnC;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC/B,qEAAqE;IACrE,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,MAAM,EAAE,OAAO,CAAC;CAChB;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,mBAAmB,GAAI,CAAC,GAAG,OAAO,EAC9C,GAAG,OAAO,EACV,KAAK,MAAM,KACT;IAAC,QAAQ,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAA;CAiD3C,CAAC;AAEF,kGAAkG;AAClG,eAAO,MAAM,qBAAqB,oBAAoB,CAAC;AAEvD,gFAAgF;AAChF,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GAAI,CAAC,SAAS,eAAe,EACrE,aAAa;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,IAAI,CAAA;CAAC,EAC5D,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,KAAK,MAAM,KACT;IAAC,SAAS,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,IAAI,CAAA;CAmBhD,CAAC"}

package/dist/realtime/sse_auth_guard.d.ts

@@ -12,13 +12,16 @@
  */
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import { type AuditLogEvent } from '../auth/audit_log_schema.js';
-import { SubscriberRegistry } from './subscriber_registry.js';
+import { SubscriberRegistry, type SubscribeOptions } from './subscriber_registry.js';
 import type { SseStream, SseNotification, EventSpec } from './sse.js';
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
  * `permit_revoke` requires the revoked role to match the guard's `required_role`.
- * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ * `session_revoke_all` and `password_change` close every stream for the target account.
+ * `session_revoke` closes only the stream tied to the specific revoked session
+ * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
+ * all of a user's streams for a single-session revoke would be over-aggressive.
  */
 export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
 /**
@@ -46,7 +49,7 @@ export declare const create_sse_auth_guard: <T>(registry: SubscriberRegistry<T>,
  */
 export interface AuditLogSse {
     /** Subscribe function — pass as part of `stream` option to `create_audit_log_route_specs`. */
-    subscribe: (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void;
+    subscribe: (stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => void;
     /** Logger — pass as part of `stream` option to `create_audit_log_route_specs`. */
     log: Logger;
     /** Combined broadcast + guard callback. Pass as `on_audit_event` on `CreateAppBackendOptions`. */
@@ -85,9 +88,26 @@ export interface AuditLogSse {
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
 export declare const AUDIT_LOG_EVENT_SPECS: Array<EventSpec>;
+/**
+ * Default max concurrent SSE subscribers per session scope for the audit log.
+ *
+ * The audit log SSE subscribes with `scope = session_hash` and
+ * `groups = [account_id]`. Only `scope` is capped — so this limits tabs
+ * per session. An account's total streams across all sessions is bounded
+ * transitively by `max_sessions × AUDIT_LOG_SSE_MAX_PER_SCOPE`. 10 tabs
+ * per session is a comfortable ceiling for normal use; consumers raising
+ * it above ~50 should consider server-side connection limits.
+ */
+export declare const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
 export declare const create_audit_log_sse: (options: {
     /** Role required to access the SSE endpoint. Default `'admin'`. */
     role?: string;
     log: Logger;
+    /**
+     * Max concurrent SSE subscribers per session scope. On overflow, the oldest
+     * matching subscriber is closed. Default `AUDIT_LOG_SSE_MAX_PER_SCOPE`.
+     * Pass `null` to disable the cap.
+     */
+    max_per_scope?: number | null;
 }) => AuditLogSse;
 //# sourceMappingURL=sse_auth_guard.d.ts.map

package/dist/realtime/sse_auth_guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAC,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAIrD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAqBjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CACV,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAClC,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EACxB,QAAQ,CAAC,EAAE,MAAM,KACb,MAAM,IAAI,CAAC;IAChB,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACZ,KAAG,WAcH,CAAC"}
+{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAKrD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA2CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}

package/dist/realtime/sse_auth_guard.js

@@ -16,10 +16,14 @@ import { SubscriberRegistry } from './subscriber_registry.js';
  * Audit event types that trigger SSE stream disconnection.
  *
  * `permit_revoke` requires the revoked role to match the guard's `required_role`.
- * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ * `session_revoke_all` and `password_change` close every stream for the target account.
+ * `session_revoke` closes only the stream tied to the specific revoked session
+ * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
+ * all of a user's streams for a single-session revoke would be over-aggressive.
  */
 export const DISCONNECT_EVENT_TYPES = new Set([
     'permit_revoke', // role revoked — user lost access
+    'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
     'password_change', // password changed — all sessions revoked implicitly
 ]);
@@ -43,6 +47,26 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
     return (event) => {
         if (!DISCONNECT_EVENT_TYPES.has(event.event_type))
             return;
+        // Only act on successful revocations. Failed attempts carry
+        // attacker-controlled identifiers (e.g., session_revoke with outcome=failure
+        // carries the submitted session_id even when the DB rejected the cross-account
+        // mutation) — reacting to them lets any authenticated user close another
+        // user's SSE stream by guessing or leaking a session hash.
+        if (event.outcome === 'failure')
+            return;
+        // session_revoke is session-scoped, not account-scoped — close only the
+        // stream subscribed under the revoked session's hash. The hash is already
+        // in the event metadata (set by the /sessions/:id/revoke handler).
+        if (event.event_type === 'session_revoke') {
+            const session_id = event.metadata?.session_id;
+            if (typeof session_id !== 'string' || session_id.length === 0)
+                return;
+            const closed = registry.close_by_identity(session_id);
+            if (closed > 0) {
+                log.info(`SSE auth guard: closed ${closed} stream(s) for session ${session_id} (session_revoke)`);
+            }
+            return;
+        }
         // permit_revoke requires matching the specific role
         if (event.event_type === 'permit_revoke') {
             if (event.metadata?.role !== required_role)
@@ -95,9 +119,21 @@ export const AUDIT_LOG_EVENT_SPECS = AUDIT_EVENT_TYPES.map((event_type) => ({
     description: `Audit log: ${event_type.replaceAll('_', ' ')}`,
     channel: 'audit_log',
 }));
+/**
+ * Default max concurrent SSE subscribers per session scope for the audit log.
+ *
+ * The audit log SSE subscribes with `scope = session_hash` and
+ * `groups = [account_id]`. Only `scope` is capped — so this limits tabs
+ * per session. An account's total streams across all sessions is bounded
+ * transitively by `max_sessions × AUDIT_LOG_SSE_MAX_PER_SCOPE`. 10 tabs
+ * per session is a comfortable ceiling for normal use; consumers raising
+ * it above ~50 should consider server-side connection limits.
+ */
+export const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
 export const create_audit_log_sse = (options) => {
     const role = options.role ?? 'admin';
-    const registry = new SubscriberRegistry();
+    const max_per_scope = options.max_per_scope === undefined ? AUDIT_LOG_SSE_MAX_PER_SCOPE : options.max_per_scope;
+    const registry = new SubscriberRegistry({ max_per_scope });
     const guard = create_sse_auth_guard(registry, role, options.log);
     return {
         subscribe: registry.subscribe.bind(registry),

package/dist/realtime/subscriber_registry.d.ts

@@ -3,8 +3,19 @@
  *
  * Supports channel-based filtering — subscribers connect with optional
  * channel filters, and broadcasts reach only matching subscribers.
- * Optional identity keys enable force-closing subscribers by identity
- * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * Two identity slots enable both targeted disconnection and per-scope cap
+ * enforcement:
+ * - `scope` — a single capped identity (e.g., session hash). Subject to
+ *   the per-scope cap and matched by `close_by_identity`. Use for the
+ *   narrowest identity the subscriber belongs to.
+ * - `groups` — any number of uncapped identities (e.g., account id).
+ *   Matched by `close_by_identity` but not subject to any cap. Use for
+ *   coarser scopes a stream should be reachable by.
+ *
+ * The split keeps "tabs-per-session" cap semantics sane when a stream also
+ * carries a broader identity for coarse close — the broader identity
+ * doesn't cap across sessions.
  *
  * @module
  */
@@ -13,23 +24,50 @@ export interface Subscriber<T> {
     stream: SseStream<T>;
     /** Channels this subscriber listens to. `null` means all channels. */
     channels: Set<string> | null;
-    /** Optional identity key for targeted disconnection (e.g., account_id). */
-    identity: string | null;
+    /** Primary (capped) identity. `null` when none. */
+    scope: string | null;
+    /** Grouping identities for `close_by_identity`. `null` when none. */
+    groups: Set<string> | null;
+}
+/** Options for `SubscriberRegistry`. */
+export interface SubscriberRegistryOptions {
+    /**
+     * Max subscribers sharing a single `scope`. On subscribe, when the count
+     * of subscribers with the same `scope` reaches this limit, the oldest
+     * matching subscriber(s) are closed before the new one is added.
+     * `null` (default) disables the cap. `groups` identities are never capped.
+     */
+    max_per_scope?: number | null;
+}
+/** Options for `SubscriberRegistry.subscribe`. */
+export interface SubscribeOptions {
+    /** Channels to subscribe to. Empty/absent = all channels. */
+    channels?: ReadonlyArray<string>;
+    /**
+     * Primary (capped) identity — e.g., session hash. Subject to
+     * `max_per_scope` and matched by `close_by_identity`.
+     */
+    scope?: string;
+    /**
+     * Grouping identities — e.g., account id. Matched by `close_by_identity`
+     * but NOT subject to the cap. Use for coarse-targeted close.
+     */
+    groups?: ReadonlyArray<string>;
 }
 /**
  * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
  *
- * Subscribers connect with optional channel filters and an optional identity key.
- * Broadcasts go to a specific channel and reach only matching subscribers.
- * `close_by_identity` force-closes all subscribers with a given identity —
- * use for auth revocation (close streams when a user's permissions change).
+ * Subscribers connect with optional channel filters, a capped `scope`, and
+ * uncapped `groups`. Broadcasts go to a specific channel and reach only
+ * matching subscribers. `close_by_identity` force-closes all subscribers
+ * whose `scope` or `groups` contain the given key — use for auth revocation.
  *
  * @example
  * ```ts
  * const registry = new SubscriberRegistry<SseNotification>();
  *
  * // subscriber connects (from SSE endpoint)
- * const unsubscribe = registry.subscribe(stream, ['runs']);
+ * const unsubscribe = registry.subscribe(stream, {channels: ['runs']});
  *
  * // when a run changes
  * registry.broadcast('runs', {method: 'run_created', params: {run}});
@@ -40,26 +78,33 @@ export interface Subscriber<T> {
  *
  * @example
  * ```ts
- * // identity-keyed subscription for auth revocation
- * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ * // scope = session hash (capped), groups = [account id] (close-only)
+ * const unsubscribe = registry.subscribe(stream, {
+ *   channels: ['audit_log'],
+ *   scope: session_hash,
+ *   groups: [account_id],
+ * });
  *
- * // when admin revokes the user's role — close their streams
+ * // coarse — close all of a user's streams on role revocation
  * registry.close_by_identity(account_id);
+ *
+ * // fine — close just the stream(s) tied to a specific session
+ * registry.close_by_identity(session_hash);
  * ```
  */
 export declare class SubscriberRegistry<T> {
     #private;
+    constructor(options?: SubscriberRegistryOptions);
     /** Number of active subscribers. */
     get count(): number;
     /**
      * Add a subscriber.
      *
      * @param stream - SSE stream to send data to
-     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
-     * @param identity - optional identity key for targeted disconnection
+     * @param options - channel filter and identity slots (scope + groups)
      * @returns unsubscribe function
      */
-    subscribe(stream: SseStream<T>, channels?: Array<string>, identity?: string): () => void;
+    subscribe(stream: SseStream<T>, options?: SubscribeOptions): () => void;
     /**
      * Broadcast data to all subscribers on a channel.
      *
@@ -71,13 +116,13 @@ export declare class SubscriberRegistry<T> {
      */
     broadcast(channel: string, data: T): void;
     /**
-     * Force-close all subscribers with the given identity.
+     * Force-close all subscribers whose `scope` or `groups` match the given key.
      *
      * Closes each matching stream and removes the subscriber from the registry.
      * Use for auth revocation — when a user's permissions change, close their
      * SSE connections so they must reconnect and re-authenticate.
      *
-     * @param identity - the identity key to match
+     * @param identity - the identity key to match (checked against scope and groups)
      * @returns the number of subscribers closed
      */
     close_by_identity(identity: string): number;

package/dist/realtime/subscriber_registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"subscriber_registry.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/subscriber_registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,UAAU,CAAC;AAExC,MAAM,WAAW,UAAU,CAAC,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACrB,sEAAsE;IACtE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7B,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,kBAAkB,CAAC,CAAC;;IAGhC,oCAAoC;IACpC,IAAI,KAAK,IAAI,MAAM,CAElB;IAED;;;;;;;OAOG;IACH,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,IAAI;IAYxF;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAQzC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAe3C"}
+{"version":3,"file":"subscriber_registry.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/subscriber_registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,UAAU,CAAC;AAExC,MAAM,WAAW,UAAU,CAAC,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACrB,sEAAsE;IACtE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7B,mDAAmD;IACnD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,qEAAqE;IACrE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAC3B;AAED,wCAAwC;AACxC,MAAM,WAAW,yBAAyB;IACzC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,kDAAkD;AAClD,MAAM,WAAW,gBAAgB;IAChC,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjC;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBAAa,kBAAkB,CAAC,CAAC;;gBAIpB,OAAO,CAAC,EAAE,yBAAyB;IAI/C,oCAAoC;IACpC,IAAI,KAAK,IAAI,MAAM,CAElB;IAED;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,MAAM,IAAI;IAmBvE;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAQzC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAiC3C"}

package/dist/realtime/subscriber_registry.js

@@ -3,25 +3,36 @@
  *
  * Supports channel-based filtering — subscribers connect with optional
  * channel filters, and broadcasts reach only matching subscribers.
- * Optional identity keys enable force-closing subscribers by identity
- * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * Two identity slots enable both targeted disconnection and per-scope cap
+ * enforcement:
+ * - `scope` — a single capped identity (e.g., session hash). Subject to
+ *   the per-scope cap and matched by `close_by_identity`. Use for the
+ *   narrowest identity the subscriber belongs to.
+ * - `groups` — any number of uncapped identities (e.g., account id).
+ *   Matched by `close_by_identity` but not subject to any cap. Use for
+ *   coarser scopes a stream should be reachable by.
+ *
+ * The split keeps "tabs-per-session" cap semantics sane when a stream also
+ * carries a broader identity for coarse close — the broader identity
+ * doesn't cap across sessions.
  *
  * @module
  */
 /**
  * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
  *
- * Subscribers connect with optional channel filters and an optional identity key.
- * Broadcasts go to a specific channel and reach only matching subscribers.
- * `close_by_identity` force-closes all subscribers with a given identity —
- * use for auth revocation (close streams when a user's permissions change).
+ * Subscribers connect with optional channel filters, a capped `scope`, and
+ * uncapped `groups`. Broadcasts go to a specific channel and reach only
+ * matching subscribers. `close_by_identity` force-closes all subscribers
+ * whose `scope` or `groups` contain the given key — use for auth revocation.
  *
  * @example
  * ```ts
  * const registry = new SubscriberRegistry<SseNotification>();
  *
  * // subscriber connects (from SSE endpoint)
- * const unsubscribe = registry.subscribe(stream, ['runs']);
+ * const unsubscribe = registry.subscribe(stream, {channels: ['runs']});
  *
  * // when a run changes
  * registry.broadcast('runs', {method: 'run_created', params: {run}});
@@ -32,15 +43,26 @@
  *
  * @example
  * ```ts
- * // identity-keyed subscription for auth revocation
- * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ * // scope = session hash (capped), groups = [account id] (close-only)
+ * const unsubscribe = registry.subscribe(stream, {
+ *   channels: ['audit_log'],
+ *   scope: session_hash,
+ *   groups: [account_id],
+ * });
  *
- * // when admin revokes the user's role — close their streams
+ * // coarse — close all of a user's streams on role revocation
  * registry.close_by_identity(account_id);
+ *
+ * // fine — close just the stream(s) tied to a specific session
+ * registry.close_by_identity(session_hash);
  * ```
  */
 export class SubscriberRegistry {
     #subscribers = new Set();
+    #max_per_scope;
+    constructor(options) {
+        this.#max_per_scope = options?.max_per_scope ?? null;
+    }
     /** Number of active subscribers. */
     get count() {
         return this.#subscribers.size;
@@ -49,16 +71,19 @@ export class SubscriberRegistry {
      * Add a subscriber.
      *
      * @param stream - SSE stream to send data to
-     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
-     * @param identity - optional identity key for targeted disconnection
+     * @param options - channel filter and identity slots (scope + groups)
      * @returns unsubscribe function
      */
-    subscribe(stream, channels, identity) {
-        const subscriber = {
-            stream,
-            channels: channels && channels.length > 0 ? new Set(channels) : null,
-            identity: identity ?? null,
-        };
+    subscribe(stream, options) {
+        const channels = options?.channels && options.channels.length > 0 ? new Set(options.channels) : null;
+        const scope = options?.scope ?? null;
+        const groups = options?.groups && options.groups.length > 0 ? new Set(options.groups) : null;
+        // Per-scope cap — only `scope` is capped, `groups` are never capped.
+        // Insertion order of the backing Set preserves FIFO eviction semantics.
+        if (this.#max_per_scope != null && scope !== null) {
+            this.#enforce_scope_limit(scope, this.#max_per_scope);
+        }
+        const subscriber = { stream, channels, scope, groups };
         this.#subscribers.add(subscriber);
         return () => {
             this.#subscribers.delete(subscriber);
@@ -81,13 +106,13 @@ export class SubscriberRegistry {
         }
     }
     /**
-     * Force-close all subscribers with the given identity.
+     * Force-close all subscribers whose `scope` or `groups` match the given key.
      *
      * Closes each matching stream and removes the subscriber from the registry.
      * Use for auth revocation — when a user's permissions change, close their
      * SSE connections so they must reconnect and re-authenticate.
      *
-     * @param identity - the identity key to match
+     * @param identity - the identity key to match (checked against scope and groups)
      * @returns the number of subscribers closed
      */
     close_by_identity(identity) {
@@ -95,7 +120,7 @@ export class SubscriberRegistry {
         // (stream.close() fires on_close listeners which may call unsubscribe)
         const to_close = [];
         for (const subscriber of this.#subscribers) {
-            if (subscriber.identity === identity) {
+            if (subscriber.scope === identity || subscriber.groups?.has(identity)) {
                 to_close.push(subscriber);
             }
         }
@@ -105,4 +130,22 @@ export class SubscriberRegistry {
         }
         return to_close.length;
     }
+    #enforce_scope_limit(scope, max) {
+        // count existing subscribers with this scope (in insertion order)
+        const matching = [];
+        for (const subscriber of this.#subscribers) {
+            if (subscriber.scope === scope)
+                matching.push(subscriber);
+        }
+        // close oldest first, stopping once we've freed up room for one more
+        let overflow = matching.length - (max - 1);
+        let i = 0;
+        while (overflow > 0 && i < matching.length) {
+            const victim = matching[i];
+            victim.stream.close();
+            this.#subscribers.delete(victim);
+            overflow--;
+            i++;
+        }
+    }
 }

package/dist/server/validate_nginx.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate_nginx.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/validate_nginx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAgCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,MAAM,KAAG,qBA2FtD,CAAC"}
+{"version":3,"file":"validate_nginx.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/validate_nginx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAgGD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,MAAM,KAAG,qBA+FtD,CAAC"}

package/dist/server/validate_nginx.js

@@ -11,15 +11,17 @@
 /**
  * Extract location blocks from an nginx config string.
  *
- * Finds `location [= ] <path> {` directives and extracts the full block
- * content including nested braces. Returns the path and full block text.
+ * Finds `location [modifier] <path> {` directives (modifier may be `=`, `~`,
+ * `~*`, `^~`, or absent) and returns the full block content including nested
+ * braces.
  */
 const extract_location_blocks = (config) => {
     const blocks = [];
-    const location_regex = /location\s+(?:=\s+)?(\S+)\s*\{/g;
+    const location_regex = /location\s+(=|~\*?|\^~)?\s*(\S+)\s*\{/g;
     let match;
     while ((match = location_regex.exec(config)) !== null) {
-        const path = match[1];
+        const modifier = match[1] ?? '';
+        const path = match[2];
         const open_brace_index = match.index + match[0].length - 1;
         let depth = 1;
         let block_end = open_brace_index + 1;
@@ -34,10 +36,57 @@ const extract_location_blocks = (config) => {
                 }
             }
         }
-        blocks.push({ path, content: config.slice(match.index, block_end) });
+        blocks.push({ modifier, path, content: config.slice(match.index, block_end) });
     }
     return blocks;
 };
+/**
+ * Canonical `/api` URIs used to probe regex location patterns.
+ *
+ * Two probes cover the common regex shapes:
+ * - `/api` catches `^/api$`, `^/api(/|$)`, `^/(admin|api)`, etc.
+ * - `/api/` catches `^/api/` (which requires the trailing slash).
+ *
+ * Only consulted from the regex branch of `location_matches_api` — non-regex
+ * blocks compare `block.path` literally.
+ */
+const API_TEST_URIS = ['/api', '/api/'];
+/**
+ * Does a location block route `/api` traffic?
+ *
+ * The matching strategy is deliberately asymmetric across modifier types:
+ *
+ * - **Regex (`~`, `~*`)**: compiles `block.path` as a regex and tests it
+ *   against `API_TEST_URIS`. `~*` gets the `i` flag. Any match flags the
+ *   block as `/api`-handling. Invalid regex returns `false` (nginx would
+ *   reject it too). URI-probing is needed because regex patterns don't
+ *   admit a reliable substring check — `^/(admin|api)` has no `/api` prefix
+ *   textually but routes `/api` traffic.
+ * - **Prefix (no modifier, `^~`) and exact (`=`)**: literal check —
+ *   `block.path === '/api'` or `block.path.startsWith('/api/')`. We do NOT
+ *   probe with `API_TEST_URIS` here because that would produce false
+ *   positives on overly broad prefixes: a catch-all `location /` technically
+ *   routes `/api` requests, but nginx would prefer a more specific `/api`
+ *   block when one exists — and we want the separate "No /api block found"
+ *   error when one doesn't.
+ *
+ * Known blind spot: a regex matching only a sub-path that isn't in
+ * `API_TEST_URIS` (e.g. `^/api/v99$`, or `^/api/.+` which requires content
+ * after the slash) won't be flagged. Acceptable for fuz_app deploy configs,
+ * which route all `/api` traffic through a single broad block.
+ */
+const location_matches_api = (block) => {
+    if (block.modifier === '~' || block.modifier === '~*') {
+        try {
+            const re = new RegExp(block.path, block.modifier === '~*' ? 'i' : '');
+            return API_TEST_URIS.some((uri) => re.test(uri));
+        }
+        catch {
+            return false;
+        }
+    }
+    return block.path === '/api' || block.path.startsWith('/api/');
+};
 /**
  * Validate an nginx config template string for security properties.
  *
@@ -57,8 +106,13 @@ export const validate_nginx_config = (config) => {
     const warnings = [];
     const all_blocks = extract_location_blocks(config);
     // 1. proxy_set_header Authorization "" in /api location blocks
-    const api_blocks = all_blocks.filter((b) => b.path === '/api' || b.path.startsWith('/api/') || b.path.startsWith('/api{'));
-    if (api_blocks.length > 0) {
+    const api_blocks = all_blocks.filter(location_matches_api);
+    if (api_blocks.length === 0) {
+        errors.push('No /api location block found — config must have an /api location block ' +
+            'with Authorization header stripping. If you intentionally route /api ' +
+            'through a different structure, skip this validator.');
+    }
+    else {
         const has_auth_strip = api_blocks.some((block) => block.content.includes('proxy_set_header Authorization ""') ||
             block.content.includes("proxy_set_header Authorization ''"));
         if (!has_auth_strip) {