npm - @fuzdev/fuz_app - Versions diffs - 0.12.0 → 0.13.0 - Mend

@fuzdev/fuz_app 0.12.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/auth/account_routes.d.ts +30 -0
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +44 -9
package/dist/auth/admin_routes.d.ts.map +1 -1
package/dist/auth/admin_routes.js +33 -2
package/dist/auth/audit_log_routes.d.ts +2 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +11 -2
package/dist/auth/audit_log_schema.d.ts +1 -1
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +3 -1
package/dist/auth/permit_queries.d.ts +19 -0
package/dist/auth/permit_queries.d.ts.map +1 -1
package/dist/auth/permit_queries.js +21 -0
package/dist/auth/request_context.d.ts +10 -0
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +14 -0
package/dist/hono_context.d.ts +7 -0
package/dist/hono_context.d.ts.map +1 -1
package/dist/realtime/sse_auth_guard.d.ts +23 -3
package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
package/dist/realtime/sse_auth_guard.js +38 -2
package/dist/realtime/subscriber_registry.d.ts +62 -17
package/dist/realtime/subscriber_registry.d.ts.map +1 -1
package/dist/realtime/subscriber_registry.js +64 -21
package/dist/server/validate_nginx.d.ts.map +1 -1
package/dist/server/validate_nginx.js +61 -7
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +8 -8
package/dist/testing/app_server.d.ts +9 -0
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +4 -3
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +1 -20
package/dist/testing/error_coverage.d.ts +93 -27
package/dist/testing/error_coverage.d.ts.map +1 -1
package/dist/testing/error_coverage.js +160 -67
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +6 -6
package/dist/testing/integration_helpers.d.ts +17 -0
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +31 -0
package/dist/testing/round_trip.d.ts.map +1 -1
package/dist/testing/round_trip.js +41 -55
package/dist/testing/sse_round_trip.d.ts +64 -0
package/dist/testing/sse_round_trip.d.ts.map +1 -0
package/dist/testing/sse_round_trip.js +241 -0
package/package.json +1 -1

package/dist/actions/action_codegen.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"action_codegen.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_codegen.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,eAAe,EAAE,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;~~AAKxE~~;;GAEG;AACH,UAAU,UAAU;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,WAAW,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,aAAa;;IACzB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAa;IAE1D;;;;OAIG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAQrC;;;;OAIG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAI1C;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI;IAOrD;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI;IAgCtD;;;OAGG;IACH,KAAK,IAAI,MAAM;IAIf;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED;;;OAGG;IACH,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC;IAIxB;;OAEG;IACH,KAAK,IAAI,IAAI;CAqDb;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,eAAe,EACrB,UAAU,UAAU,GAAG,SAAS,KAC9B,KAAK,CAAC,gBAAgB,CA4DxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,eAAe,EACrB,OAAO,gBAAgB,EACvB,SAAS,aAAa,EACtB,aAAa,MAAM,KACjB,MAkBF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,eAAe,EACrB,UAAU,UAAU,GAAG,SAAS,EAChC,SAAS,aAAa,EACtB,UAAU;IAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAAC,KACpC,MA4BF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,GAAI,aAAa,MAAM,KAAG,MACU,CAAC;AAG/D,eAAO,MAAM,yBAAyB,GAAI,QAAQ,MAAM,KAAG,MAAiC,CAAC;AAC7F,eAAO,MAAM,+BAA+B,GAAI,QAAQ,MAAM,KAAG,MACpB,CAAC;AAC9C,eAAO,MAAM,gCAAgC,GAAI,QAAQ,MAAM,KAAG,MACpB,CAAC;AAE/C;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,CAAC,CAAC,OAwBxD,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,MAI3D,CAAC"}
1	+ {"version":3,"file":"action_codegen.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_codegen.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,eAAe,EAAE,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAOxE;;GAEG;AACH,UAAU,UAAU;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,WAAW,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,aAAa;;IACzB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAa;IAE1D;;;;OAIG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAQrC;;;;OAIG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI;IAI1C;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI;IAOrD;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI;IAgCtD;;;OAGG;IACH,KAAK,IAAI,MAAM;IAIf;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED;;;OAGG;IACH,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC;IAIxB;;OAEG;IACH,KAAK,IAAI,IAAI;CAqDb;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,eAAe,EACrB,UAAU,UAAU,GAAG,SAAS,KAC9B,KAAK,CAAC,gBAAgB,CA4DxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,eAAe,EACrB,OAAO,gBAAgB,EACvB,SAAS,aAAa,EACtB,aAAa,MAAM,KACjB,MAkBF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,eAAe,EACrB,UAAU,UAAU,GAAG,SAAS,EAChC,SAAS,aAAa,EACtB,UAAU;IAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAAC,KACpC,MA4BF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,GAAI,aAAa,MAAM,KAAG,MACU,CAAC;AAG/D,eAAO,MAAM,yBAAyB,GAAI,QAAQ,MAAM,KAAG,MAAiC,CAAC;AAC7F,eAAO,MAAM,+BAA+B,GAAI,QAAQ,MAAM,KAAG,MACpB,CAAC;AAC9C,eAAO,MAAM,gCAAgC,GAAI,QAAQ,MAAM,KAAG,MACpB,CAAC;AAE/C;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,CAAC,CAAC,OAwBxD,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,MAI3D,CAAC"}

package/dist/auth/account_routes.d.ts CHANGED Viewed

@@ -51,6 +51,25 @@ export interface AccountStatusOptions {
 export declare const DEFAULT_MAX_SESSIONS = 5;
 /** Default maximum API tokens per account. */
 export declare const DEFAULT_MAX_TOKENS = 10;
+/**
+ * Default minimum wall-clock time (ms) for a login failure (401) response.
+ *
+ * Picked to exceed the p99 of every 401 code path (Argon2id dominates at
+ * ~100ms, plus DB + overhead). The handler races failure work against
+ * `sleep(floor + jitter)` via `await`, so observed response time = max(work,
+ * delay). Found-vs-not-found and rate-limit-skipped-vs-not paths converge.
+ * Only 401 is padded — 429 stays fast by design to keep rate-limit DoS
+ * handling cheap.
+ */
+export declare const DEFAULT_LOGIN_FAIL_FLOOR_MS = 250;
+/**
+ * Default uniform jitter window (±ms) layered on the floor.
+ *
+ * Random jitter prevents a stable clamp point from leaking whenever a path
+ * occasionally exceeds the floor. `Math.random` is sufficient — we only need
+ * unpredictability of the exact delay, not cryptographic guarantees.
+ */
+export declare const DEFAULT_LOGIN_FAIL_JITTER_MS = 25;
 /**
  * Shared options for route factories that create sessions and rate-limit by IP.
  *
@@ -72,6 +91,17 @@ export interface AccountRouteOptions extends AuthSessionRouteOptions {
     max_sessions?: number | null;
     /** Max API tokens per account. Evicts oldest on creation. Default 10, `null` disables. */
     max_tokens?: number | null;
+    /**
+     * Minimum wall-clock time (ms) for login 401 responses. Set to `0` or a
+     * negative number to disable (e.g., in tests). Default
+     * `DEFAULT_LOGIN_FAIL_FLOOR_MS`.
+     */
+    login_fail_floor_ms?: number;
+    /**
+     * Uniform jitter window (±ms) layered on the floor. Set to `0` to disable
+     * jitter while keeping the floor. Default `DEFAULT_LOGIN_FAIL_JITTER_MS`.
+     */
+    login_fail_jitter_ms?: number;
 }
 /**
  * Create account route specs for session-based auth.

package/dist/auth/account_routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA+BxD,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExF,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAGhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SA0BhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,0FAA0F;IAC1F,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;~~CAC3B~~;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,~~CAkYjB~~,CAAC"}
1	+ {"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA+BxD,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExF,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAGhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SA0BhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,0FAA0F;IAC1F,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAgZjB,CAAC"}

package/dist/auth/account_routes.js CHANGED Viewed

@@ -77,6 +77,31 @@ export const create_account_status_route_spec = (options) => ({
 export const DEFAULT_MAX_SESSIONS = 5;
 /** Default maximum API tokens per account. */
 export const DEFAULT_MAX_TOKENS = 10;
+/**
+ * Default minimum wall-clock time (ms) for a login failure (401) response.
+ *
+ * Picked to exceed the p99 of every 401 code path (Argon2id dominates at
+ * ~100ms, plus DB + overhead). The handler races failure work against
+ * `sleep(floor + jitter)` via `await`, so observed response time = max(work,
+ * delay). Found-vs-not-found and rate-limit-skipped-vs-not paths converge.
+ * Only 401 is padded — 429 stays fast by design to keep rate-limit DoS
+ * handling cheap.
+ */
+export const DEFAULT_LOGIN_FAIL_FLOOR_MS = 250;
+/**
+ * Default uniform jitter window (±ms) layered on the floor.
+ *
+ * Random jitter prevents a stable clamp point from leaking whenever a path
+ * occasionally exceeds the floor. `Math.random` is sufficient — we only need
+ * unpredictability of the exact delay, not cryptographic guarantees.
+ */
+export const DEFAULT_LOGIN_FAIL_JITTER_MS = 25;
+const login_fail_delay = (floor_ms, jitter_ms) => {
+    if (floor_ms <= 0)
+        return Promise.resolve();
+    const jitter = jitter_ms > 0 ? Math.floor(Math.random() * (jitter_ms * 2 + 1)) - jitter_ms : 0;
+    return new Promise((resolve) => setTimeout(resolve, floor_ms + jitter));
+};
 /**
  * Create account route specs for session-based auth.
  *
@@ -88,7 +113,7 @@ export const DEFAULT_MAX_TOKENS = 10;
  */
 export const create_account_route_specs = (deps, options) => {
     const { keyring, password, on_audit_event } = deps;
-    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, max_tokens = DEFAULT_MAX_TOKENS, } = options;
+    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, max_tokens = DEFAULT_MAX_TOKENS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, } = options;
     return [
         {
             method: 'POST',
@@ -113,28 +138,37 @@ export const create_account_route_specs = (deps, options) => {
                 }
                 const { username: raw_username, password: pw } = get_route_input(c);
                 const username = raw_username.trim().toLowerCase();
-                // Per-account rate limit check (after input parsing, before DB work)
+                // DB lookup first so we can key the per-account rate limit by a canonical value
+                // (account.id) rather than the submitted identifier. Otherwise an attacker could
+                // alternate between username and email to double the per-account bucket.
+                const account = await query_account_by_username_or_email(route, username);
+                const account_rate_key = account ? account.id : username;
+                // Per-account rate limit check (after DB lookup so the key is canonical)
                 if (login_account_rate_limiter) {
-                    const check = login_account_rate_limiter.check(username);
+                    const check = login_account_rate_limiter.check(account_rate_key);
                     if (!check.allowed) {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
-                const account = await query_account_by_username_or_email(route, username);
+                // Start the minimum-delay timer concurrently with failure work.
+                // Observed response time is max(work, delay) so all 401 paths
+                // (found-wrong-pw, not-found) return in similar time.
+                const delay = login_fail_delay(login_fail_floor_ms, login_fail_jitter_ms);
                 if (!account) {
-                    // enumeration prevention: verify_dummy equalizes timing, and both failure
-                    // paths return identical errors with identical rate limiting behavior
+                    // enumeration prevention: verify_dummy equalizes Argon2id timing;
+                    // login_fail_delay equalizes every other path difference.
                     await password.verify_dummy(pw);
                     if (ip_rate_limiter && ip)
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
-                        login_account_rate_limiter.record(username);
+                        login_account_rate_limiter.record(account_rate_key);
                     void audit_log_fire_and_forget(route, {
                         event_type: 'login',
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { username },
                     }, deps.log, on_audit_event);
+                    await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
                 const valid = await password.verify_password(pw, account.password_hash);
@@ -142,7 +176,7 @@ export const create_account_route_specs = (deps, options) => {
                     if (ip_rate_limiter && ip)
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
-                        login_account_rate_limiter.record(username);
+                        login_account_rate_limiter.record(account_rate_key);
                     void audit_log_fire_and_forget(route, {
                         event_type: 'login',
                         outcome: 'failure',
@@ -150,13 +184,14 @@ export const create_account_route_specs = (deps, options) => {
                         ip: get_client_ip(c),
                         metadata: { username },
                     }, deps.log, on_audit_event);
+                    await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
                 // Successful login — reset rate limits
                 if (ip_rate_limiter && ip)
                     ip_rate_limiter.reset(ip);
                 if (login_account_rate_limiter)
-                    login_account_rate_limiter.reset(username);
+                    login_account_rate_limiter.reset(account_rate_key);
                 await create_session_and_set_cookie({
                     keyring,
                     deps: route,

package/dist/auth/admin_routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"admin_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAA8C,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAGpG,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;~~AAUxF~~,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAShD,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IACjC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,EACtD,UAAU,iBAAiB,KACzB,KAAK,CAAC,SAAS,~~CAoMjB~~,CAAC"}
1	+ {"version":3,"file":"admin_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAA8C,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAGpG,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAcxF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAShD,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IACjC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,EACtD,UAAU,iBAAiB,KACzB,KAAK,CAAC,SAAS,CAkPjB,CAAC"}

package/dist/auth/admin_routes.js CHANGED Viewed

@@ -11,7 +11,7 @@ import { AdminAccountEntryJson } from './account_schema.js';
 import { require_request_context } from './request_context.js';
 import { get_route_input, get_route_params } from '../http/route_spec.js';
 import { query_account_by_id, query_actor_by_account, query_admin_account_list, } from './account_queries.js';
-import { query_grant_permit, query_revoke_permit } from './permit_queries.js';
+import { query_grant_permit, query_permit_find_active_role_for_actor, query_revoke_permit, } from './permit_queries.js';
 import { query_session_revoke_all_for_account } from './session_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { audit_log_fire_and_forget } from './audit_log_queries.js';
@@ -70,17 +70,26 @@ export const create_admin_account_route_specs = (deps, options) => {
             handler: async (c, route) => {
                 const { account_id } = get_route_params(c);
                 const { role: role_name } = get_route_input(c);
+                const ctx = require_request_context(c);
                 // Enforce web_grantable — direct API calls must respect the same
                 // restrictions as the UI. Keeper role can only be granted via daemon token.
                 const rc = role_options.get(role_name);
                 if (!rc?.web_grantable) {
+                    void audit_log_fire_and_forget(route, {
+                        event_type: 'permit_grant',
+                        outcome: 'failure',
+                        actor_id: ctx.actor.id,
+                        account_id: ctx.account.id,
+                        target_account_id: account_id,
+                        ip: get_client_ip(c),
+                        metadata: { role: role_name },
+                    }, deps.log, on_audit_event);
                     return c.json({ error: ERROR_ROLE_NOT_WEB_GRANTABLE }, 403);
                 }
                 const actor = await query_actor_by_account(route, account_id);
                 if (!actor) {
                     return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
                 }
-                const ctx = require_request_context(c);
                 const permit = await query_grant_permit(route, {
                     actor_id: actor.id,
                     role: role_name,
@@ -162,6 +171,7 @@ export const create_admin_account_route_specs = (deps, options) => {
             input: z.null(),
             output: z.strictObject({ ok: z.literal(true), revoked: z.literal(true) }),
             errors: {
+                403: z.looseObject({ error: z.literal(ERROR_ROLE_NOT_WEB_GRANTABLE) }),
                 404: z.looseObject({
                     error: z.enum([ERROR_ACCOUNT_NOT_FOUND, ERROR_PERMIT_NOT_FOUND]),
                 }),
@@ -174,6 +184,27 @@ export const create_admin_account_route_specs = (deps, options) => {
                 if (!target_actor) {
                     return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
                 }
+                // Look up the permit's role so we can enforce web_grantable symmetrically
+                // with the grant route. Without this, an admin could revoke the keeper
+                // permit via the web, breaking the "only daemon token manages keeper" invariant.
+                // Route wraps POST handlers in a transaction, so SELECT-then-UPDATE is atomic.
+                const permit_row = await query_permit_find_active_role_for_actor(route, permit_id, target_actor.id);
+                if (!permit_row) {
+                    return c.json({ error: ERROR_PERMIT_NOT_FOUND }, 404);
+                }
+                const rc = role_options.get(permit_row.role);
+                if (!rc?.web_grantable) {
+                    void audit_log_fire_and_forget(route, {
+                        event_type: 'permit_revoke',
+                        outcome: 'failure',
+                        actor_id: ctx.actor.id,
+                        account_id: ctx.account.id,
+                        target_account_id: account_id,
+                        ip: get_client_ip(c),
+                        metadata: { role: permit_row.role, permit_id },
+                    }, deps.log, on_audit_event);
+                    return c.json({ error: ERROR_ROLE_NOT_WEB_GRANTABLE }, 403);
+                }
                 const result = await query_revoke_permit(route, permit_id, target_actor.id, ctx.actor.id);
                 if (!result) {
                     return c.json({ error: ERROR_PERMIT_NOT_FOUND }, 404);

package/dist/auth/audit_log_routes.d.ts CHANGED Viewed

@@ -9,6 +9,7 @@
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { RouteSpec } from '../http/route_spec.js';
 import { type SseStream, type SseNotification } from '../realtime/sse.js';
+import type { SubscribeOptions } from '../realtime/subscriber_registry.js';
 /** Options for audit log route specs. */
 export interface AuditLogRouteOptions {
     /** Role required to access audit routes. Default `'admin'`. */
@@ -19,7 +20,7 @@ export interface AuditLogRouteOptions {
      * as an identity key — enabling `close_by_identity()` for auth revocation.
      */
     stream?: {
-        subscribe: (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void;
+        subscribe: (stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => void;
         log: Logger;
     };
 }

package/dist/auth/audit_log_routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAQpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;~~AAU7F~~,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,~~CACV~~,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,~~EAClC,QAAQ,CAAC,~~EAAE,~~KAAK~~,CAAC,~~MAAM,CAAC,EACxB,QAAQ,CAAC,~~EAAE,~~MAAM~~,~~KACb~~,MAAM,IAAI,CAAC;~~QAChB~~,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,~~CAuF5F~~,CAAC"}
1	+ {"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAQpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAUzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;GAKG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAgG5F,CAAC"}

package/dist/auth/audit_log_routes.js CHANGED Viewed

@@ -12,7 +12,7 @@ import { AUDIT_LOG_DEFAULT_LIMIT, query_audit_log_list_with_usernames, query_aud
 import { query_session_list_all_active } from './session_queries.js';
 import { ERROR_INVALID_EVENT_TYPE } from '../http/error_schemas.js';
 import { create_sse_response } from '../realtime/sse.js';
-import { require_request_context } from './request_context.js';
+import { AUTH_SESSION_TOKEN_HASH_KEY, require_request_context } from './request_context.js';
 // TODO upstream to fuz_util
 /** Parse a string to an integer, returning `undefined` for non-numeric input (including `NaN`). */
 const parse_int_or_undefined = (value) => {
@@ -95,8 +95,17 @@ export const create_audit_log_route_specs = (options) => {
             output: z.null(), // SSE — no JSON response
             handler: (c) => {
                 const ctx = require_request_context(c);
+                // scope = session hash (capped → tabs-per-session limit and
+                // session-specific `session_revoke` close). groups = [account_id]
+                // (uncapped → coarse close on permit_revoke / session_revoke_all
+                // / password_change).
+                const token_hash = c.get(AUTH_SESSION_TOKEN_HASH_KEY) ?? null;
                 const { response, stream } = create_sse_response(c, log);
-                const unsubscribe = subscribe(stream, ['audit_log'], ctx.account.id);
+                const unsubscribe = subscribe(stream, {
+                    channels: ['audit_log'],
+                    scope: token_hash ?? undefined,
+                    groups: [ctx.account.id],
+                });
                 stream.on_close(unsubscribe);
                 return response;
             },

package/dist/auth/audit_log_schema.d.ts CHANGED Viewed

@@ -75,7 +75,7 @@ export declare const AUDIT_METADATA_SCHEMAS: {
     }, z.core.$loose>;
     permit_grant: z.ZodObject<{
         role: z.ZodString;
-        permit_id: z.ZodString;
+        permit_id: z.ZodOptional<z.ZodString>;
     }, z.core.$loose>;
     permit_revoke: z.ZodObject<{
         role: z.ZodString;

package/dist/auth/audit_log_schema.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,oCAAoC;AACpC,eAAO,MAAM,iBAAiB,8PAgBpB,CAAC;AAEX,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~CA4BU~~,CAAC;AAE9C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAClE;AAED,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}
1	+ {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,oCAAoC;AACpC,eAAO,MAAM,iBAAiB,8PAgBpB,CAAC;AAEX,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8BU,CAAC;AAE9C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAClE;AAED,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}

package/dist/auth/audit_log_schema.js CHANGED Viewed

@@ -52,7 +52,9 @@ export const AUDIT_METADATA_SCHEMAS = {
     token_create: z.looseObject({ token_id: z.string(), name: z.string() }),
     token_revoke: z.looseObject({ token_id: z.string() }),
     token_revoke_all: z.looseObject({ count: z.number() }),
-    permit_grant: z.looseObject({ role: z.string(), permit_id: z.string() }),
+    // `permit_id` is optional on `permit_grant` because failed grants
+    // (e.g. `web_grantable` denied) never produce a permit row.
+    permit_grant: z.looseObject({ role: z.string(), permit_id: z.string().optional() }),
     permit_revoke: z.looseObject({ role: z.string(), permit_id: z.string() }),
     invite_create: z.looseObject({
         invite_id: z.string(),

package/dist/auth/permit_queries.d.ts CHANGED Viewed

@@ -18,6 +18,25 @@ import type { Permit, GrantPermitInput } from './account_schema.js';
  * @returns the created or existing active permit
  */
 export declare const query_grant_permit: (deps: QueryDeps, input: GrantPermitInput) => Promise<Permit>;
+/**
+ * Look up the role of an active permit, constrained to a specific actor.
+ *
+ * Used by admin routes to inspect the permit's role before acting
+ * (e.g., enforcing `web_grantable` on revoke). The actor constraint
+ * mirrors `query_revoke_permit` so IDOR protection is consistent:
+ * a caller can only see permits belonging to the target actor.
+ *
+ * Returns `null` if the permit is not found, already revoked, or
+ * belongs to a different actor.
+ *
+ * @param deps - query dependencies
+ * @param permit_id - the permit id to look up
+ * @param actor_id - the actor that must own the permit
+ * @returns `{role}` on a match, or `null`
+ */
+export declare const query_permit_find_active_role_for_actor: (deps: QueryDeps, permit_id: string, actor_id: string) => Promise<{
+    role: string;
+} | null>;
 /**
  * Revoke a permit by id, constrained to a specific actor.
  *

package/dist/auth/permit_queries.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAGlE;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CAiBhB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,EAChB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAQ3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAYjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC"}
1	+ {"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAGlE;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CAiBhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,EAChB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAQ3C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAYjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC"}

package/dist/auth/permit_queries.js CHANGED Viewed

@@ -29,6 +29,27 @@ export const query_grant_permit = async (deps, input) => {
 		 WHERE actor_id = $1 AND role = $2 AND revoked_at IS NULL`, [input.actor_id, input.role]);
     return assert_row(existing, 'idempotent permit grant');
 };
+/**
+ * Look up the role of an active permit, constrained to a specific actor.
+ *
+ * Used by admin routes to inspect the permit's role before acting
+ * (e.g., enforcing `web_grantable` on revoke). The actor constraint
+ * mirrors `query_revoke_permit` so IDOR protection is consistent:
+ * a caller can only see permits belonging to the target actor.
+ *
+ * Returns `null` if the permit is not found, already revoked, or
+ * belongs to a different actor.
+ *
+ * @param deps - query dependencies
+ * @param permit_id - the permit id to look up
+ * @param actor_id - the actor that must own the permit
+ * @returns `{role}` on a match, or `null`
+ */
+export const query_permit_find_active_role_for_actor = async (deps, permit_id, actor_id) => {
+    const row = await deps.db.query_one(`SELECT role FROM permit
+		 WHERE id = $1 AND actor_id = $2 AND revoked_at IS NULL`, [permit_id, actor_id]);
+    return row ?? null;
+};
 /**
  * Revoke a permit by id, constrained to a specific actor.
  *

package/dist/auth/request_context.d.ts CHANGED Viewed

@@ -23,6 +23,16 @@ export interface RequestContext {
 }
 /** Hono context variable name for the request context. */
 export declare const REQUEST_CONTEXT_KEY = "request_context";
+/**
+ * Hono context variable name for the authenticated session token hash.
+ *
+ * Set by `create_request_context_middleware` after a successful session lookup.
+ * `null` when the request is unauthenticated or authenticated via a non-session
+ * credential (bearer token, daemon token). Exposed so handlers can scope
+ * per-session resources (e.g., SSE stream identity for targeted disconnection
+ * on `session_revoke`) without re-hashing the token.
+ */
+export declare const AUTH_SESSION_TOKEN_HASH_KEY = "auth_session_token_hash";
 /**
  * Get the request context from a Hono context, or `null` if unauthenticated.
  *

package/dist/auth/request_context.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,~~iBAqCF~~,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}
1	+ {"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBAyCF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}

package/dist/auth/request_context.js CHANGED Viewed

@@ -19,6 +19,16 @@ import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, } from '../http/error_schemas.js';
 /** Hono context variable name for the request context. */
 export const REQUEST_CONTEXT_KEY = 'request_context';
+/**
+ * Hono context variable name for the authenticated session token hash.
+ *
+ * Set by `create_request_context_middleware` after a successful session lookup.
+ * `null` when the request is unauthenticated or authenticated via a non-session
+ * credential (bearer token, daemon token). Exposed so handlers can scope
+ * per-session resources (e.g., SSE stream identity for targeted disconnection
+ * on `session_revoke`) without re-hashing the token.
+ */
+export const AUTH_SESSION_TOKEN_HASH_KEY = 'auth_session_token_hash';
 /**
  * Get the request context from a Hono context, or `null` if unauthenticated.
  *
@@ -78,6 +88,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!session_token) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
@@ -86,6 +97,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!session) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
@@ -93,11 +105,13 @@ export const create_request_context_middleware = (deps, log, session_context_key
         if (!ctx) {
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
+            c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
             await next();
             return;
         }
         c.set(REQUEST_CONTEXT_KEY, ctx);
         c.set(CREDENTIAL_TYPE_KEY, 'session');
+        c.set(AUTH_SESSION_TOKEN_HASH_KEY, token_hash);
         // Touch session (fire-and-forget, don't block the request)
         void session_touch_fire_and_forget(deps, token_hash, c.var.pending_effects, log);
         await next();

package/dist/hono_context.d.ts CHANGED Viewed

@@ -37,6 +37,13 @@ declare module 'hono' {
         validated_query: unknown;
         /** How the request was authenticated (`'session'`, `'api_token'`, or `'daemon_token'`). */
         credential_type: CredentialType | null;
+        /**
+         * blake3 hash of the authenticated session token, or `null` for non-session
+         * credentials. Set by `create_request_context_middleware`. Used to scope
+         * per-session resources (e.g., SSE stream identity for `session_revoke`
+         * disconnection) without re-hashing the cookie in every handler.
+         */
+        auth_session_token_hash: string | null;
         /**
          * Pending fire-and-forget effects for this request (audit logs, usage tracking, etc.).
          * Initialized by `create_app_server`. In test mode (`await_pending_effects: true`),

package/dist/hono_context.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}
1	+ {"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}

package/dist/realtime/sse_auth_guard.d.ts CHANGED Viewed

@@ -12,13 +12,16 @@
  */
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import { type AuditLogEvent } from '../auth/audit_log_schema.js';
-import { SubscriberRegistry } from './subscriber_registry.js';
+import { SubscriberRegistry, type SubscribeOptions } from './subscriber_registry.js';
 import type { SseStream, SseNotification, EventSpec } from './sse.js';
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
  * `permit_revoke` requires the revoked role to match the guard's `required_role`.
- * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ * `session_revoke_all` and `password_change` close every stream for the target account.
+ * `session_revoke` closes only the stream tied to the specific revoked session
+ * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
+ * all of a user's streams for a single-session revoke would be over-aggressive.
  */
 export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
 /**
@@ -46,7 +49,7 @@ export declare const create_sse_auth_guard: <T>(registry: SubscriberRegistry<T>,
  */
 export interface AuditLogSse {
     /** Subscribe function — pass as part of `stream` option to `create_audit_log_route_specs`. */
-    subscribe: (stream: SseStream<SseNotification>, channels?: Array<string>, identity?: string) => () => void;
+    subscribe: (stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => void;
     /** Logger — pass as part of `stream` option to `create_audit_log_route_specs`. */
     log: Logger;
     /** Combined broadcast + guard callback. Pass as `on_audit_event` on `CreateAppBackendOptions`. */
@@ -85,9 +88,26 @@ export interface AuditLogSse {
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
 export declare const AUDIT_LOG_EVENT_SPECS: Array<EventSpec>;
+/**
+ * Default max concurrent SSE subscribers per session scope for the audit log.
+ *
+ * The audit log SSE subscribes with `scope = session_hash` and
+ * `groups = [account_id]`. Only `scope` is capped — so this limits tabs
+ * per session. An account's total streams across all sessions is bounded
+ * transitively by `max_sessions × AUDIT_LOG_SSE_MAX_PER_SCOPE`. 10 tabs
+ * per session is a comfortable ceiling for normal use; consumers raising
+ * it above ~50 should consider server-side connection limits.
+ */
+export declare const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
 export declare const create_audit_log_sse: (options: {
     /** Role required to access the SSE endpoint. Default `'admin'`. */
     role?: string;
     log: Logger;
+    /**
+     * Max concurrent SSE subscribers per session scope. On overflow, the oldest
+     * matching subscriber is closed. Default `AUDIT_LOG_SSE_MAX_PER_SCOPE`.
+     * Pass `null` to disable the cap.
+     */
+    max_per_scope?: number | null;
 }) => AuditLogSse;
 //# sourceMappingURL=sse_auth_guard.d.ts.map

package/dist/realtime/sse_auth_guard.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAC,MAAM,0BAA0B,CAAC;~~AAC5D~~,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE~~;;;;;GAKG~~;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,~~CAIrD~~,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,~~CAqBjC~~,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,~~CACV~~,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,~~EAClC,QAAQ,CAAC,~~EAAE,~~KAAK~~,CAAC,~~MAAM,CAAC,EACxB,QAAQ,CAAC,~~EAAE,~~MAAM~~,~~KACb~~,MAAM,IAAI,CAAC;~~IAChB~~,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;~~CACZ~~,KAAG,~~WAcH~~,CAAC"}
1	+ {"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAKrD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA2CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}