@fuzdev/fuz_app 0.12.0 → 0.13.1

package/dist/realtime/sse_auth_guard.js

@@ -16,10 +16,14 @@ import { SubscriberRegistry } from './subscriber_registry.js';
  * Audit event types that trigger SSE stream disconnection.
  *
  * `permit_revoke` requires the revoked role to match the guard's `required_role`.
- * `session_revoke_all` and `password_change` close unconditionally for the target account.
+ * `session_revoke_all` and `password_change` close every stream for the target account.
+ * `session_revoke` closes only the stream tied to the specific revoked session
+ * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
+ * all of a user's streams for a single-session revoke would be over-aggressive.
  */
 export const DISCONNECT_EVENT_TYPES = new Set([
     'permit_revoke', // role revoked — user lost access
+    'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
     'password_change', // password changed — all sessions revoked implicitly
 ]);
@@ -43,6 +47,26 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
     return (event) => {
         if (!DISCONNECT_EVENT_TYPES.has(event.event_type))
             return;
+        // Only act on successful revocations. Failed attempts carry
+        // attacker-controlled identifiers (e.g., session_revoke with outcome=failure
+        // carries the submitted session_id even when the DB rejected the cross-account
+        // mutation) — reacting to them lets any authenticated user close another
+        // user's SSE stream by guessing or leaking a session hash.
+        if (event.outcome === 'failure')
+            return;
+        // session_revoke is session-scoped, not account-scoped — close only the
+        // stream subscribed under the revoked session's hash. The hash is already
+        // in the event metadata (set by the /sessions/:id/revoke handler).
+        if (event.event_type === 'session_revoke') {
+            const session_id = event.metadata?.session_id;
+            if (typeof session_id !== 'string' || session_id.length === 0)
+                return;
+            const closed = registry.close_by_identity(session_id);
+            if (closed > 0) {
+                log.info(`SSE auth guard: closed ${closed} stream(s) for session ${session_id} (session_revoke)`);
+            }
+            return;
+        }
         // permit_revoke requires matching the specific role
         if (event.event_type === 'permit_revoke') {
             if (event.metadata?.role !== required_role)
@@ -95,9 +119,21 @@ export const AUDIT_LOG_EVENT_SPECS = AUDIT_EVENT_TYPES.map((event_type) => ({
     description: `Audit log: ${event_type.replaceAll('_', ' ')}`,
     channel: 'audit_log',
 }));
+/**
+ * Default max concurrent SSE subscribers per session scope for the audit log.
+ *
+ * The audit log SSE subscribes with `scope = session_hash` and
+ * `groups = [account_id]`. Only `scope` is capped — so this limits tabs
+ * per session. An account's total streams across all sessions is bounded
+ * transitively by `max_sessions × AUDIT_LOG_SSE_MAX_PER_SCOPE`. 10 tabs
+ * per session is a comfortable ceiling for normal use; consumers raising
+ * it above ~50 should consider server-side connection limits.
+ */
+export const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
 export const create_audit_log_sse = (options) => {
     const role = options.role ?? 'admin';
-    const registry = new SubscriberRegistry();
+    const max_per_scope = options.max_per_scope === undefined ? AUDIT_LOG_SSE_MAX_PER_SCOPE : options.max_per_scope;
+    const registry = new SubscriberRegistry({ max_per_scope });
     const guard = create_sse_auth_guard(registry, role, options.log);
     return {
         subscribe: registry.subscribe.bind(registry),

package/dist/realtime/subscriber_registry.d.ts

@@ -3,8 +3,19 @@
  *
  * Supports channel-based filtering — subscribers connect with optional
  * channel filters, and broadcasts reach only matching subscribers.
- * Optional identity keys enable force-closing subscribers by identity
- * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * Two identity slots enable both targeted disconnection and per-scope cap
+ * enforcement:
+ * - `scope` — a single capped identity (e.g., session hash). Subject to
+ *   the per-scope cap and matched by `close_by_identity`. Use for the
+ *   narrowest identity the subscriber belongs to.
+ * - `groups` — any number of uncapped identities (e.g., account id).
+ *   Matched by `close_by_identity` but not subject to any cap. Use for
+ *   coarser scopes a stream should be reachable by.
+ *
+ * The split keeps "tabs-per-session" cap semantics sane when a stream also
+ * carries a broader identity for coarse close — the broader identity
+ * doesn't cap across sessions.
  *
  * @module
  */
@@ -13,23 +24,50 @@ export interface Subscriber<T> {
     stream: SseStream<T>;
     /** Channels this subscriber listens to. `null` means all channels. */
     channels: Set<string> | null;
-    /** Optional identity key for targeted disconnection (e.g., account_id). */
-    identity: string | null;
+    /** Primary (capped) identity. `null` when none. */
+    scope: string | null;
+    /** Grouping identities for `close_by_identity`. `null` when none. */
+    groups: Set<string> | null;
+}
+/** Options for `SubscriberRegistry`. */
+export interface SubscriberRegistryOptions {
+    /**
+     * Max subscribers sharing a single `scope`. On subscribe, when the count
+     * of subscribers with the same `scope` reaches this limit, the oldest
+     * matching subscriber(s) are closed before the new one is added.
+     * `null` (default) disables the cap. `groups` identities are never capped.
+     */
+    max_per_scope?: number | null;
+}
+/** Options for `SubscriberRegistry.subscribe`. */
+export interface SubscribeOptions {
+    /** Channels to subscribe to. Empty/absent = all channels. */
+    channels?: ReadonlyArray<string>;
+    /**
+     * Primary (capped) identity — e.g., session hash. Subject to
+     * `max_per_scope` and matched by `close_by_identity`.
+     */
+    scope?: string;
+    /**
+     * Grouping identities — e.g., account id. Matched by `close_by_identity`
+     * but NOT subject to the cap. Use for coarse-targeted close.
+     */
+    groups?: ReadonlyArray<string>;
 }
 /**
  * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
  *
- * Subscribers connect with optional channel filters and an optional identity key.
- * Broadcasts go to a specific channel and reach only matching subscribers.
- * `close_by_identity` force-closes all subscribers with a given identity —
- * use for auth revocation (close streams when a user's permissions change).
+ * Subscribers connect with optional channel filters, a capped `scope`, and
+ * uncapped `groups`. Broadcasts go to a specific channel and reach only
+ * matching subscribers. `close_by_identity` force-closes all subscribers
+ * whose `scope` or `groups` contain the given key — use for auth revocation.
  *
  * @example
  * ```ts
  * const registry = new SubscriberRegistry<SseNotification>();
  *
  * // subscriber connects (from SSE endpoint)
- * const unsubscribe = registry.subscribe(stream, ['runs']);
+ * const unsubscribe = registry.subscribe(stream, {channels: ['runs']});
  *
  * // when a run changes
  * registry.broadcast('runs', {method: 'run_created', params: {run}});
@@ -40,26 +78,33 @@ export interface Subscriber<T> {
  *
  * @example
  * ```ts
- * // identity-keyed subscription for auth revocation
- * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ * // scope = session hash (capped), groups = [account id] (close-only)
+ * const unsubscribe = registry.subscribe(stream, {
+ *   channels: ['audit_log'],
+ *   scope: session_hash,
+ *   groups: [account_id],
+ * });
  *
- * // when admin revokes the user's role — close their streams
+ * // coarse — close all of a user's streams on role revocation
  * registry.close_by_identity(account_id);
+ *
+ * // fine — close just the stream(s) tied to a specific session
+ * registry.close_by_identity(session_hash);
  * ```
  */
 export declare class SubscriberRegistry<T> {
     #private;
+    constructor(options?: SubscriberRegistryOptions);
     /** Number of active subscribers. */
     get count(): number;
     /**
      * Add a subscriber.
      *
      * @param stream - SSE stream to send data to
-     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
-     * @param identity - optional identity key for targeted disconnection
+     * @param options - channel filter and identity slots (scope + groups)
      * @returns unsubscribe function
      */
-    subscribe(stream: SseStream<T>, channels?: Array<string>, identity?: string): () => void;
+    subscribe(stream: SseStream<T>, options?: SubscribeOptions): () => void;
     /**
      * Broadcast data to all subscribers on a channel.
      *
@@ -71,13 +116,13 @@ export declare class SubscriberRegistry<T> {
      */
     broadcast(channel: string, data: T): void;
     /**
-     * Force-close all subscribers with the given identity.
+     * Force-close all subscribers whose `scope` or `groups` match the given key.
      *
      * Closes each matching stream and removes the subscriber from the registry.
      * Use for auth revocation — when a user's permissions change, close their
      * SSE connections so they must reconnect and re-authenticate.
      *
-     * @param identity - the identity key to match
+     * @param identity - the identity key to match (checked against scope and groups)
      * @returns the number of subscribers closed
      */
     close_by_identity(identity: string): number;

package/dist/realtime/subscriber_registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"subscriber_registry.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/subscriber_registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,UAAU,CAAC;AAExC,MAAM,WAAW,UAAU,CAAC,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACrB,sEAAsE;IACtE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7B,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,kBAAkB,CAAC,CAAC;;IAGhC,oCAAoC;IACpC,IAAI,KAAK,IAAI,MAAM,CAElB;IAED;;;;;;;OAOG;IACH,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,IAAI;IAYxF;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAQzC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAe3C"}
+{"version":3,"file":"subscriber_registry.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/subscriber_registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,UAAU,CAAC;AAExC,MAAM,WAAW,UAAU,CAAC,CAAC;IAC5B,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACrB,sEAAsE;IACtE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;IAC7B,mDAAmD;IACnD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,qEAAqE;IACrE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;CAC3B;AAED,wCAAwC;AACxC,MAAM,WAAW,yBAAyB;IACzC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,kDAAkD;AAClD,MAAM,WAAW,gBAAgB;IAChC,6DAA6D;IAC7D,QAAQ,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjC;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,MAAM,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,qBAAa,kBAAkB,CAAC,CAAC;;gBAIpB,OAAO,CAAC,EAAE,yBAAyB;IAI/C,oCAAoC;IACpC,IAAI,KAAK,IAAI,MAAM,CAElB;IAED;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,MAAM,IAAI;IAmBvE;;;;;;;;OAQG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI;IAQzC;;;;;;;;;OASG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;CAiC3C"}

package/dist/realtime/subscriber_registry.js

@@ -3,25 +3,36 @@
  *
  * Supports channel-based filtering — subscribers connect with optional
  * channel filters, and broadcasts reach only matching subscribers.
- * Optional identity keys enable force-closing subscribers by identity
- * (e.g., close all streams for a specific account when their permissions change).
+ *
+ * Two identity slots enable both targeted disconnection and per-scope cap
+ * enforcement:
+ * - `scope` — a single capped identity (e.g., session hash). Subject to
+ *   the per-scope cap and matched by `close_by_identity`. Use for the
+ *   narrowest identity the subscriber belongs to.
+ * - `groups` — any number of uncapped identities (e.g., account id).
+ *   Matched by `close_by_identity` but not subject to any cap. Use for
+ *   coarser scopes a stream should be reachable by.
+ *
+ * The split keeps "tabs-per-session" cap semantics sane when a stream also
+ * carries a broader identity for coarse close — the broader identity
+ * doesn't cap across sessions.
  *
  * @module
  */
 /**
  * Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
  *
- * Subscribers connect with optional channel filters and an optional identity key.
- * Broadcasts go to a specific channel and reach only matching subscribers.
- * `close_by_identity` force-closes all subscribers with a given identity —
- * use for auth revocation (close streams when a user's permissions change).
+ * Subscribers connect with optional channel filters, a capped `scope`, and
+ * uncapped `groups`. Broadcasts go to a specific channel and reach only
+ * matching subscribers. `close_by_identity` force-closes all subscribers
+ * whose `scope` or `groups` contain the given key — use for auth revocation.
  *
  * @example
  * ```ts
  * const registry = new SubscriberRegistry<SseNotification>();
  *
  * // subscriber connects (from SSE endpoint)
- * const unsubscribe = registry.subscribe(stream, ['runs']);
+ * const unsubscribe = registry.subscribe(stream, {channels: ['runs']});
  *
  * // when a run changes
  * registry.broadcast('runs', {method: 'run_created', params: {run}});
@@ -32,15 +43,26 @@
  *
  * @example
  * ```ts
- * // identity-keyed subscription for auth revocation
- * const unsubscribe = registry.subscribe(stream, ['audit_log'], account_id);
+ * // scope = session hash (capped), groups = [account id] (close-only)
+ * const unsubscribe = registry.subscribe(stream, {
+ *   channels: ['audit_log'],
+ *   scope: session_hash,
+ *   groups: [account_id],
+ * });
  *
- * // when admin revokes the user's role — close their streams
+ * // coarse — close all of a user's streams on role revocation
  * registry.close_by_identity(account_id);
+ *
+ * // fine — close just the stream(s) tied to a specific session
+ * registry.close_by_identity(session_hash);
  * ```
  */
 export class SubscriberRegistry {
     #subscribers = new Set();
+    #max_per_scope;
+    constructor(options) {
+        this.#max_per_scope = options?.max_per_scope ?? null;
+    }
     /** Number of active subscribers. */
     get count() {
         return this.#subscribers.size;
@@ -49,16 +71,19 @@ export class SubscriberRegistry {
      * Add a subscriber.
      *
      * @param stream - SSE stream to send data to
-     * @param channels - channels to subscribe to (`undefined` or empty = all channels)
-     * @param identity - optional identity key for targeted disconnection
+     * @param options - channel filter and identity slots (scope + groups)
      * @returns unsubscribe function
      */
-    subscribe(stream, channels, identity) {
-        const subscriber = {
-            stream,
-            channels: channels && channels.length > 0 ? new Set(channels) : null,
-            identity: identity ?? null,
-        };
+    subscribe(stream, options) {
+        const channels = options?.channels && options.channels.length > 0 ? new Set(options.channels) : null;
+        const scope = options?.scope ?? null;
+        const groups = options?.groups && options.groups.length > 0 ? new Set(options.groups) : null;
+        // Per-scope cap — only `scope` is capped, `groups` are never capped.
+        // Insertion order of the backing Set preserves FIFO eviction semantics.
+        if (this.#max_per_scope != null && scope !== null) {
+            this.#enforce_scope_limit(scope, this.#max_per_scope);
+        }
+        const subscriber = { stream, channels, scope, groups };
         this.#subscribers.add(subscriber);
         return () => {
             this.#subscribers.delete(subscriber);
@@ -81,13 +106,13 @@ export class SubscriberRegistry {
         }
     }
     /**
-     * Force-close all subscribers with the given identity.
+     * Force-close all subscribers whose `scope` or `groups` match the given key.
      *
      * Closes each matching stream and removes the subscriber from the registry.
      * Use for auth revocation — when a user's permissions change, close their
      * SSE connections so they must reconnect and re-authenticate.
      *
-     * @param identity - the identity key to match
+     * @param identity - the identity key to match (checked against scope and groups)
      * @returns the number of subscribers closed
      */
     close_by_identity(identity) {
@@ -95,7 +120,7 @@ export class SubscriberRegistry {
         // (stream.close() fires on_close listeners which may call unsubscribe)
         const to_close = [];
         for (const subscriber of this.#subscribers) {
-            if (subscriber.identity === identity) {
+            if (subscriber.scope === identity || subscriber.groups?.has(identity)) {
                 to_close.push(subscriber);
             }
         }
@@ -105,4 +130,22 @@ export class SubscriberRegistry {
         }
         return to_close.length;
     }
+    #enforce_scope_limit(scope, max) {
+        // count existing subscribers with this scope (in insertion order)
+        const matching = [];
+        for (const subscriber of this.#subscribers) {
+            if (subscriber.scope === scope)
+                matching.push(subscriber);
+        }
+        // close oldest first, stopping once we've freed up room for one more
+        let overflow = matching.length - (max - 1);
+        let i = 0;
+        while (overflow > 0 && i < matching.length) {
+            const victim = matching[i];
+            victim.stream.close();
+            this.#subscribers.delete(victim);
+            overflow--;
+            i++;
+        }
+    }
 }

package/dist/server/validate_nginx.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validate_nginx.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/validate_nginx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAgCD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,MAAM,KAAG,qBA2FtD,CAAC"}
+{"version":3,"file":"validate_nginx.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/validate_nginx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAgGD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,MAAM,KAAG,qBA+FtD,CAAC"}

package/dist/server/validate_nginx.js

@@ -11,15 +11,17 @@
 /**
  * Extract location blocks from an nginx config string.
  *
- * Finds `location [= ] <path> {` directives and extracts the full block
- * content including nested braces. Returns the path and full block text.
+ * Finds `location [modifier] <path> {` directives (modifier may be `=`, `~`,
+ * `~*`, `^~`, or absent) and returns the full block content including nested
+ * braces.
  */
 const extract_location_blocks = (config) => {
     const blocks = [];
-    const location_regex = /location\s+(?:=\s+)?(\S+)\s*\{/g;
+    const location_regex = /location\s+(=|~\*?|\^~)?\s*(\S+)\s*\{/g;
     let match;
     while ((match = location_regex.exec(config)) !== null) {
-        const path = match[1];
+        const modifier = match[1] ?? '';
+        const path = match[2];
         const open_brace_index = match.index + match[0].length - 1;
         let depth = 1;
         let block_end = open_brace_index + 1;
@@ -34,10 +36,57 @@ const extract_location_blocks = (config) => {
                 }
             }
         }
-        blocks.push({ path, content: config.slice(match.index, block_end) });
+        blocks.push({ modifier, path, content: config.slice(match.index, block_end) });
     }
     return blocks;
 };
+/**
+ * Canonical `/api` URIs used to probe regex location patterns.
+ *
+ * Two probes cover the common regex shapes:
+ * - `/api` catches `^/api$`, `^/api(/|$)`, `^/(admin|api)`, etc.
+ * - `/api/` catches `^/api/` (which requires the trailing slash).
+ *
+ * Only consulted from the regex branch of `location_matches_api` — non-regex
+ * blocks compare `block.path` literally.
+ */
+const API_TEST_URIS = ['/api', '/api/'];
+/**
+ * Does a location block route `/api` traffic?
+ *
+ * The matching strategy is deliberately asymmetric across modifier types:
+ *
+ * - **Regex (`~`, `~*`)**: compiles `block.path` as a regex and tests it
+ *   against `API_TEST_URIS`. `~*` gets the `i` flag. Any match flags the
+ *   block as `/api`-handling. Invalid regex returns `false` (nginx would
+ *   reject it too). URI-probing is needed because regex patterns don't
+ *   admit a reliable substring check — `^/(admin|api)` has no `/api` prefix
+ *   textually but routes `/api` traffic.
+ * - **Prefix (no modifier, `^~`) and exact (`=`)**: literal check —
+ *   `block.path === '/api'` or `block.path.startsWith('/api/')`. We do NOT
+ *   probe with `API_TEST_URIS` here because that would produce false
+ *   positives on overly broad prefixes: a catch-all `location /` technically
+ *   routes `/api` requests, but nginx would prefer a more specific `/api`
+ *   block when one exists — and we want the separate "No /api block found"
+ *   error when one doesn't.
+ *
+ * Known blind spot: a regex matching only a sub-path that isn't in
+ * `API_TEST_URIS` (e.g. `^/api/v99$`, or `^/api/.+` which requires content
+ * after the slash) won't be flagged. Acceptable for fuz_app deploy configs,
+ * which route all `/api` traffic through a single broad block.
+ */
+const location_matches_api = (block) => {
+    if (block.modifier === '~' || block.modifier === '~*') {
+        try {
+            const re = new RegExp(block.path, block.modifier === '~*' ? 'i' : '');
+            return API_TEST_URIS.some((uri) => re.test(uri));
+        }
+        catch {
+            return false;
+        }
+    }
+    return block.path === '/api' || block.path.startsWith('/api/');
+};
 /**
  * Validate an nginx config template string for security properties.
  *
@@ -57,8 +106,13 @@ export const validate_nginx_config = (config) => {
     const warnings = [];
     const all_blocks = extract_location_blocks(config);
     // 1. proxy_set_header Authorization "" in /api location blocks
-    const api_blocks = all_blocks.filter((b) => b.path === '/api' || b.path.startsWith('/api/') || b.path.startsWith('/api{'));
-    if (api_blocks.length > 0) {
+    const api_blocks = all_blocks.filter(location_matches_api);
+    if (api_blocks.length === 0) {
+        errors.push('No /api location block found — config must have an /api location block ' +
+            'with Authorization header stripping. If you intentionally route /api ' +
+            'through a different structure, skip this validator.');
+    }
+    else {
         const has_auth_strip = api_blocks.some((block) => block.content.includes('proxy_set_header Authorization ""') ||
             block.content.includes("proxy_set_header Authorization ''"));
         if (!has_auth_strip) {

package/dist/testing/admin_integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAGtF,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAUjB;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAomCF,CAAC"}
+{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAGtF,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAUjB;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAwnCF,CAAC"}

package/dist/testing/admin_integration.js

@@ -130,9 +130,9 @@ export const describe_standard_admin_integration_tests = (options) => {
                     headers: test_app.create_session_headers(),
                 });
                 assert.strictEqual(res.status, 403);
-                error_collector.record(test_app.route_specs, 'GET', accounts_route.path, 403);
-                const body = await res.json();
+                const body = await res.clone().json();
                 assert.strictEqual(body.error, 'insufficient_permissions');
+                await error_collector.assert_and_record(test_app.route_specs, 'GET', accounts_route.path, res);
             });
         });
         // --- 2. Permit grant lifecycle ---
@@ -167,9 +167,9 @@ export const describe_standard_admin_integration_tests = (options) => {
                     body: JSON.stringify({ role: ROLE_KEEPER }),
                 });
                 assert.strictEqual(res.status, 403);
-                error_collector.record(test_app.route_specs, 'POST', grant_route.path, 403);
-                const body = await res.json();
+                const body = await res.clone().json();
                 assert.strictEqual(body.error, 'role_not_web_grantable');
+                await error_collector.assert_and_record(test_app.route_specs, 'POST', grant_route.path, res);
             });
             test('granting same role twice is idempotent (returns same permit)', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
@@ -227,9 +227,9 @@ export const describe_standard_admin_integration_tests = (options) => {
                     body: JSON.stringify({ role: grantable_role }),
                 });
                 assert.strictEqual(res.status, 404);
-                error_collector.record(test_app.route_specs, 'POST', grant_route.path, 404);
-                const body = await res.json();
+                const body = await res.clone().json();
                 assert.strictEqual(body.error, 'account_not_found');
+                await error_collector.assert_and_record(test_app.route_specs, 'POST', grant_route.path, res);
             });
             test('admin can revoke a permit', async () => {
                 const test_app = await create_test_app(build_admin_test_app_options(options, get_db()));
@@ -309,9 +309,9 @@ export const describe_standard_admin_integration_tests = (options) => {
                     headers: test_app.create_session_headers(),
                 });
                 assert.strictEqual(second.status, 404);
-                error_collector.record(test_app.route_specs, 'POST', revoke_route.path, 404);
-                const body = await second.json();
+                const body = await second.clone().json();
                 assert.strictEqual(body.error, 'permit_not_found');
+                await error_collector.assert_and_record(test_app.route_specs, 'POST', revoke_route.path, second);
             });
         });
         // --- 3. Admin session management ---

package/dist/testing/app_server.d.ts

@@ -17,6 +17,7 @@ import { type Keyring } from '../auth/keyring.js';
 import type { Db, DbType } from '../db/db.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import { type SessionOptions } from '../auth/session_cookie.js';
+import type { AuditLogEvent } from '../auth/audit_log_schema.js';
 import type { AppBackend } from '../server/app_backend.js';
 import { type AppServerOptions, type AppServerContext } from '../server/app_server.js';
 import type { AppSurface, AppSurfaceSpec } from '../http/surface.js';
@@ -100,6 +101,14 @@ export interface TestAppServerOptions {
     password_value?: string;
     /** Roles to grant. Default: `[ROLE_KEEPER]`. */
     roles?: Array<string>;
+    /**
+     * Backend audit event callback — wired into `backend.deps.on_audit_event`.
+     * When `audit_log_sse: true` is passed to `create_app_server`, this runs
+     * after the audit SSE broadcast (composed downstream by app_server).
+     * Use to wire consumer SSE auth guards in tests.
+     * Default: no-op.
+     */
+    on_audit_event?: (event: AuditLogEvent) => void;
 }
 export declare const create_test_app_server: (options: TestAppServerOptions) => Promise<TestAppServer>;
 /**

package/dist/testing/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAK/B,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAUrD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAqBD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAsFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAkGpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/app_server.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAK/B,OAAO,EAA2B,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAE1E,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAU1D,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG3F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAEN,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAUrD;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,gBAIhC,CAAC;AAEF,gFAAgF;AAChF,eAAO,MAAM,kBAAkB,QAAiB,CAAC;AASjD;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC3C,EAAE,EAAE,EAAE,CAAC;IACP,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACtB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,SAAS,2BAA2B,KAClC,OAAO,CAAC;IACV,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACvB,CAyCA,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAc,SAAQ,UAAU;IAChD,gCAAgC;IAChC,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,uCAAuC;IACvC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,+FAA+F;IAC/F,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,mDAAmD;IACnD,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kGAAkG;IAClG,EAAE,CAAC,EAAE,EAAE,CAAC;IACR,0FAA0F;IAC1F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yHAAyH;IACzH,QAAQ,CAAC,EAAE,gBAAgB,CAAC;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtB;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAChD;AAqBD,eAAO,MAAM,sBAAsB,GAClC,SAAS,oBAAoB,KAC3B,OAAO,CAAC,aAAa,CAuFvB,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,oBAAoB;IACjE,yEAAyE;IACzE,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IACpE,gHAAgH;IAChH,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,OAAO,EAAE;QAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAC,CAAC;IACxC,KAAK,EAAE;QAAC,EAAE,EAAE,MAAM,CAAA;KAAC,CAAC;IACpB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,8DAA8D;IAC9D,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClF;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACvB,GAAG,EAAE,IAAI,CAAC;IACV,OAAO,EAAE,aAAa,CAAC;IACvB,YAAY,EAAE,cAAc,CAAC;IAC7B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,kEAAkE;IAClE,sBAAsB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,gEAAgE;IAChE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClF,iEAAiE;IACjE,2BAA2B,EAAE,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxF,qDAAqD;IACrD,cAAc,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACtB,KAAK,OAAO,CAAC,WAAW,CAAC,CAAC;IAC3B,8DAA8D;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,GAAU,SAAS,oBAAoB,KAAG,OAAO,CAAC,OAAO,CAkGpF,CAAC"}

package/dist/testing/app_server.js

@@ -88,7 +88,8 @@ export const bootstrap_test_account = async (options) => {
 /** Silent logger for tests — suppresses all output. */
 const test_log = new Logger('test', { level: 'off' });
 export const create_test_app_server = async (options) => {
-    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], } = options;
+    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], on_audit_event = () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+     } = options;
     // Keyring from test secret
     const keyring_result = create_validated_keyring(TEST_COOKIE_SECRET);
     if (!keyring_result.ok) {
@@ -117,7 +118,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db: existing_db,
                 log: test_log,
-                on_audit_event: () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+                on_audit_event,
                 ...fs_stubs,
             },
         };
@@ -137,7 +138,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db,
                 log: test_log,
-                on_audit_event: () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+                on_audit_event,
                 ...fs_stubs,
             },
         };

package/dist/testing/data_exposure.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAc9D;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;;;;GAKG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}
+{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAe9D;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;;;;GAKG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}

package/dist/testing/data_exposure.js

@@ -18,7 +18,7 @@ import { resolve_valid_path, generate_valid_body } from './schema_generators.js'
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
 import { is_null_schema, is_strict_object_schema } from '../http/schema_helpers.js';
-import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, } from './integration_helpers.js';
+import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
 // --- Schema introspection ---
 /**
  * Recursively collect all property names from a JSON Schema.
@@ -275,22 +275,3 @@ const describe_data_exposure_runtime_tests = (options) => {
         });
     }
 };
-/**
- * Pick auth headers matching a route spec's auth requirement.
- */
-const pick_auth_headers = (spec, test_app, authed_account, admin_account) => {
-    switch (spec.auth.type) {
-        case 'none':
-            return { host: 'localhost', origin: 'http://localhost:5173' };
-        case 'authenticated':
-            return authed_account.create_session_headers();
-        case 'role':
-            if (spec.auth.role === ROLE_ADMIN) {
-                return admin_account.create_session_headers();
-            }
-            // keeper role uses the bootstrapped account
-            return test_app.create_session_headers();
-        case 'keeper':
-            return test_app.create_daemon_token_headers();
-    }
-};