@fuzdev/fuz_app 0.14.0 → 0.16.0

package/dist/actions/register_action_ws.d.ts

@@ -0,0 +1,108 @@
+/**
+ * WebSocket JSON-RPC dispatch — the canonical WS transport binding.
+ *
+ * Symmetric to `create_rpc_endpoint` (from `actions/action_rpc.ts`):
+ * consumer supplies action specs + a handler map, the dispatcher parses the
+ * envelope, checks per-action auth, validates input, invokes the handler with
+ * a per-request context, and writes the response.
+ *
+ * Extracted from zzz's `register_websocket_actions` to converge pattern drift
+ * across consumers (zzz, tx, undying). Broadcast-style notifications remain
+ * domain-shaped today — this module only covers per-request dispatch + the
+ * socket-scoped `ctx.notify` + per-socket `ctx.signal`. See
+ * `BackendWebsocketTransport.send` for broadcast.
+ *
+ * ## Auth expectations
+ *
+ * The consumer is responsible for rejecting unauthenticated upgrades *before*
+ * routing to this handler (fuz_app's `require_auth` middleware). Inside the
+ * dispatcher, `get_request_context(c)` is treated as guaranteed non-null and
+ * per-action auth is enforced on each message.
+ *
+ * @module
+ */
+import type { Context, Hono } from 'hono';
+import type { UpgradeWebSocket } from 'hono/ws';
+import { type Logger as LoggerType } from '@fuzdev/fuz_util/log.js';
+import { type JsonrpcRequestId } from '../http/jsonrpc.js';
+import type { ActionSpecUnion } from './action_spec.js';
+import { BackendWebsocketTransport } from './transports_ws_backend.js';
+/**
+ * Minimum per-request context every handler receives.
+ *
+ * Consumers extend this with domain-specific fields via
+ * `RegisterActionWsOptions.extend_context` (e.g., a `backend` singleton
+ * or the authenticated `RequestContext`). Keeping the base minimal matches
+ * the HTTP-side `ActionContext` (from `actions/action_rpc.ts`) and mirrors
+ * Rust's `Ctx<'a>` shape (`request_id` + `NotifyFn` + `CancellationToken`).
+ */
+export interface BaseHandlerContext {
+    /** JSON-RPC envelope request id — echoed back on the response. */
+    request_id: JsonrpcRequestId;
+    /**
+     * Send a request-scoped JSON-RPC notification to the originating socket.
+     * Not a broadcast — the message only reaches the client whose request
+     * triggered this handler. Streaming handlers (e.g. `completion_progress`)
+     * route chunks through this.
+     */
+    notify: (method: string, params: unknown) => void;
+    /** Fires on socket close; streaming handlers poll for early termination. */
+    signal: AbortSignal;
+}
+/** Handler signature — receives validated input and per-request context. */
+export type WsActionHandler<TCtx extends BaseHandlerContext> = (input: unknown, ctx: TCtx) => unknown;
+/** Options for `register_action_ws`. */
+export interface RegisterActionWsOptions<TCtx extends BaseHandlerContext> {
+    /** Mount path (e.g., `/api/ws`). */
+    path: string;
+    /** The Hono app to mount on. */
+    app: Hono;
+    /** Hono's `upgradeWebSocket` helper from the runtime adapter. */
+    upgradeWebSocket: UpgradeWebSocket;
+    /** Action specs — drives method lookup, per-action auth, and input/output validation. */
+    specs: ReadonlyArray<ActionSpecUnion>;
+    /** Handler map keyed by `spec.method`. */
+    handlers: Record<string, WsActionHandler<TCtx>>;
+    /**
+     * Build the per-request context from the base and the upgrade-time Hono
+     * context. Called once per incoming message. Consumers use this to attach
+     * domain singletons (`backend`) or per-socket auth (`auth`,
+     * `credential_type`) without re-reading them from `c` inside every handler.
+     */
+    extend_context: (base: BaseHandlerContext, c: Context) => TCtx;
+    /**
+     * Existing transport to register connections with. When omitted, a fresh
+     * one is created and returned in the result. Pass your own to keep a
+     * handle for `create_ws_auth_guard` and `send_to`/`broadcast`.
+     */
+    transport?: BackendWebsocketTransport;
+    /** Optional per-message delay for testing loading states. Ignored when `0`. */
+    artificial_delay?: number;
+    /** Optional logger; defaults to `[ws]` namespace. */
+    log?: LoggerType;
+}
+/** Result of `register_action_ws`. */
+export interface RegisterActionWsResult {
+    /** The transport bound to the endpoint — supplied or freshly created. */
+    transport: BackendWebsocketTransport;
+}
+/**
+ * Mount a JSON-RPC WebSocket endpoint that dispatches to the supplied handler
+ * map. Per-request context is built from the base + consumer-provided
+ * `RegisterActionWsOptions.extend_context`.
+ *
+ * Wire behavior:
+ * - Batch JSON-RPC is rejected (single-message only).
+ * - Notifications (method + no id) are silently dropped per JSON-RPC spec.
+ * - Per-action auth: `public` / `authenticated` pass through (upgrade auth
+ *   already verified identity); `keeper` requires `daemon_token` credential
+ *   type *and* the keeper role; role-based `{role}` is currently rejected as
+ *   not-yet-supported.
+ * - DEV mode validates handler output against the spec's `output` schema and
+ *   warns on mismatches.
+ *
+ * @returns the transport (supplied or freshly created) — retain it to wire
+ *   `create_ws_auth_guard` or broadcast on audit events.
+ */
+export declare const register_action_ws: <TCtx extends BaseHandlerContext>(options: RegisterActionWsOptions<TCtx>) => RegisterActionWsResult;
+//# sourceMappingURL=register_action_ws.d.ts.map

package/dist/actions/register_action_ws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAK1E,OAAO,EAAkB,KAAK,gBAAgB,EAAC,MAAM,oBAAoB,CAAC;AAY1E,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,EAAC,yBAAyB,EAAC,MAAM,4BAA4B,CAAC;AAErE;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,UAAU,EAAE,gBAAgB,CAAC;IAC7B;;;;;OAKG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,4EAA4E;IAC5E,MAAM,EAAE,WAAW,CAAC;CACpB;AAED,4EAA4E;AAC5E,MAAM,MAAM,eAAe,CAAC,IAAI,SAAS,kBAAkB,IAAI,CAC9D,KAAK,EAAE,OAAO,EACd,GAAG,EAAE,IAAI,KACL,OAAO,CAAC;AAEb,wCAAwC;AACxC,MAAM,WAAW,uBAAuB,CAAC,IAAI,SAAS,kBAAkB;IACvE,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,yFAAyF;IACzF,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IACtC,0CAA0C;IAC1C,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;IAChD;;;;;OAKG;IACH,cAAc,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/D;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;CACjB;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB,GAAI,IAAI,SAAS,kBAAkB,EACjE,SAAS,uBAAuB,CAAC,IAAI,CAAC,KACpC,sBA0NF,CAAC"}

package/dist/actions/register_action_ws.js

@@ -0,0 +1,187 @@
+/**
+ * WebSocket JSON-RPC dispatch — the canonical WS transport binding.
+ *
+ * Symmetric to `create_rpc_endpoint` (from `actions/action_rpc.ts`):
+ * consumer supplies action specs + a handler map, the dispatcher parses the
+ * envelope, checks per-action auth, validates input, invokes the handler with
+ * a per-request context, and writes the response.
+ *
+ * Extracted from zzz's `register_websocket_actions` to converge pattern drift
+ * across consumers (zzz, tx, undying). Broadcast-style notifications remain
+ * domain-shaped today — this module only covers per-request dispatch + the
+ * socket-scoped `ctx.notify` + per-socket `ctx.signal`. See
+ * `BackendWebsocketTransport.send` for broadcast.
+ *
+ * ## Auth expectations
+ *
+ * The consumer is responsible for rejecting unauthenticated upgrades *before*
+ * routing to this handler (fuz_app's `require_auth` middleware). Inside the
+ * dispatcher, `get_request_context(c)` is treated as guaranteed non-null and
+ * per-action auth is enforced on each message.
+ *
+ * @module
+ */
+import { DEV } from 'esm-env';
+import { wait } from '@fuzdev/fuz_util/async.js';
+import { Logger } from '@fuzdev/fuz_util/log.js';
+import { get_request_context, has_role } from '../auth/request_context.js';
+import { hash_session_token } from '../auth/session_queries.js';
+import { ROLE_KEEPER } from '../auth/role_schema.js';
+import { JSONRPC_VERSION } from '../http/jsonrpc.js';
+import { jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
+import { create_jsonrpc_error_response, create_jsonrpc_error_response_from_thrown, create_jsonrpc_notification, to_jsonrpc_message_id, to_jsonrpc_params, is_jsonrpc_request, } from '../http/jsonrpc_helpers.js';
+import { CREDENTIAL_TYPE_KEY, AUTH_API_TOKEN_ID_KEY } from '../hono_context.js';
+import { BackendWebsocketTransport } from './transports_ws_backend.js';
+/**
+ * Mount a JSON-RPC WebSocket endpoint that dispatches to the supplied handler
+ * map. Per-request context is built from the base + consumer-provided
+ * `RegisterActionWsOptions.extend_context`.
+ *
+ * Wire behavior:
+ * - Batch JSON-RPC is rejected (single-message only).
+ * - Notifications (method + no id) are silently dropped per JSON-RPC spec.
+ * - Per-action auth: `public` / `authenticated` pass through (upgrade auth
+ *   already verified identity); `keeper` requires `daemon_token` credential
+ *   type *and* the keeper role; role-based `{role}` is currently rejected as
+ *   not-yet-supported.
+ * - DEV mode validates handler output against the spec's `output` schema and
+ *   warns on mismatches.
+ *
+ * @returns the transport (supplied or freshly created) — retain it to wire
+ *   `create_ws_auth_guard` or broadcast on audit events.
+ */
+export const register_action_ws = (options) => {
+    const { path, app, upgradeWebSocket, specs, handlers, extend_context, transport = new BackendWebsocketTransport(), artificial_delay = 0, log = new Logger('[ws]'), } = options;
+    // Build spec lookup for per-action auth and input validation.
+    const spec_by_method = new Map(specs.map((spec) => [spec.method, spec]));
+    app.get(path, upgradeWebSocket((c) => {
+        // Upgrade-time auth extraction — `require_auth` middleware has already
+        // rejected unauthenticated requests, so request_context is guaranteed
+        // non-null by the time we get here.
+        const request_context = get_request_context(c);
+        const account_id = request_context.account.id;
+        const credential_type = c.get(CREDENTIAL_TYPE_KEY);
+        // Session-based connections have a token hash for targeted revocation.
+        // Bearer/daemon connections pass null — still reachable via
+        // `close_sockets_for_account` / `close_sockets_for_token`.
+        const token_hash = credential_type === 'session' ? hash_session_token(c.get('auth_session_id')) : null;
+        // `api_token.id` — set only for bearer connections; enables
+        // `close_sockets_for_token` to tear down just this socket on
+        // `token_revoke` without affecting the account's other sockets.
+        const api_token_id = c.get(AUTH_API_TOKEN_ID_KEY);
+        // Per-socket abort controller — fires on socket close, threaded into
+        // every in-flight handler's ctx.signal on this connection. A
+        // dedicated per-request controller linked to this is future work;
+        // a single socket-scoped signal is sufficient today since cancel
+        // granularity tracks connection lifetime, not individual requests.
+        const socket_abort_controller = new AbortController();
+        return {
+            onOpen: (event, ws) => {
+                const connection_id = transport.add_connection(ws, token_hash, account_id, api_token_id);
+                log.debug('ws opened', connection_id, event);
+            },
+            onMessage: async (event, ws) => {
+                let json;
+                try {
+                    json = JSON.parse(String(event.data)); // eslint-disable-line @typescript-eslint/no-base-to-string
+                }
+                catch (error) {
+                    log.error('JSON parse error:', error);
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(null, jsonrpc_error_messages.parse_error())));
+                    return;
+                }
+                // Batch JSON-RPC is not supported on the WebSocket path.
+                if (Array.isArray(json)) {
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(null, jsonrpc_error_messages.invalid_request('batch JSON-RPC requests are not supported on WebSocket'))));
+                    return;
+                }
+                // Only handle requests (method + id). Notifications (no id) are silenced per JSON-RPC spec.
+                if (!is_jsonrpc_request(json)) {
+                    if (typeof json === 'object' && json !== null && 'method' in json && !('id' in json)) {
+                        return;
+                    }
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(to_jsonrpc_message_id(json), jsonrpc_error_messages.invalid_request())));
+                    return;
+                }
+                const { method, id, params } = json;
+                // Per-action auth check — enforce auth level from spec.
+                const spec = spec_by_method.get(method);
+                if (!spec) {
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(id, jsonrpc_error_messages.method_not_found(method))));
+                    return;
+                }
+                const { auth } = spec;
+                if (auth === 'keeper') {
+                    if (credential_type !== 'daemon_token' || !has_role(request_context, ROLE_KEEPER)) {
+                        ws.send(JSON.stringify(create_jsonrpc_error_response(id, jsonrpc_error_messages.forbidden('keeper actions require daemon_token credential with keeper role'))));
+                        return;
+                    }
+                }
+                else if (typeof auth === 'object' && auth !== null) {
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(id, jsonrpc_error_messages.internal_error('role-based action auth is not yet supported on WebSocket'))));
+                    return;
+                }
+                // Look up handler — method is validated against spec_by_method above.
+                const handler = handlers[method];
+                if (!handler) {
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(id, jsonrpc_error_messages.method_not_found(method))));
+                    return;
+                }
+                // Validate input against spec schema.
+                const parsed = spec.input.safeParse(params);
+                if (!parsed.success) {
+                    ws.send(JSON.stringify(create_jsonrpc_error_response(id, jsonrpc_error_messages.invalid_params(`invalid params for ${method}`, {
+                        issues: parsed.error.issues,
+                    }))));
+                    return;
+                }
+                const validated_input = parsed.data;
+                if (artificial_delay > 0) {
+                    log.debug(`throttling ${artificial_delay}ms`);
+                    await wait(artificial_delay);
+                }
+                // Socket-scoped notification — routes to originator only, not
+                // broadcast. Future work (websockets quest Phase 3/4): other
+                // audiences — account-scoped, ACL-filtered, broadcast —
+                // likely via a transport-level policy hook.
+                const notify = (notify_method, notify_params) => {
+                    try {
+                        const notification = create_jsonrpc_notification(notify_method, to_jsonrpc_params(notify_params));
+                        ws.send(JSON.stringify(notification));
+                    }
+                    catch (error) {
+                        log.error('notify send failed:', notify_method, error);
+                    }
+                };
+                const base = {
+                    request_id: id,
+                    notify,
+                    signal: socket_abort_controller.signal,
+                };
+                const ctx = extend_context(base, c);
+                try {
+                    const output = await handler(validated_input, ctx);
+                    // DEV-only output validation — catches handler bugs during development.
+                    if (DEV) {
+                        const output_parsed = spec.output.safeParse(output);
+                        if (!output_parsed.success) {
+                            log.error(`output validation failed for ${method}:`, output_parsed.error.issues);
+                        }
+                    }
+                    // Send result directly — null stays null, matching the HTTP RPC path.
+                    ws.send(JSON.stringify({ jsonrpc: JSONRPC_VERSION, id, result: output }));
+                }
+                catch (error) {
+                    log.error('handler error:', method, error);
+                    ws.send(JSON.stringify(create_jsonrpc_error_response_from_thrown(id, error)));
+                }
+            },
+            onClose: (event, ws) => {
+                socket_abort_controller.abort();
+                transport.remove_connection(ws);
+                log.debug('ws closed', event);
+            },
+        };
+    }));
+    return { transport };
+};

package/dist/actions/transports_ws_auth_guard.d.ts

@@ -0,0 +1,43 @@
+/**
+ * WebSocket auth guard — bridges audit events to `BackendWebsocketTransport`.
+ *
+ * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket transport.
+ * Dispatches audit events to the right `close_sockets_for_*` method so
+ * consumers do not re-implement the switch themselves.
+ *
+ * Consumers wire it as `on_audit_event` on their `AppBackend` (or compose
+ * it with other callbacks via `create_app_server`'s `audit_log_sse` path).
+ *
+ * @module
+ */
+import type { Logger } from '@fuzdev/fuz_util/log.js';
+import type { AuditLogEvent } from '../auth/audit_log_schema.js';
+import type { BackendWebsocketTransport } from './transports_ws_backend.js';
+/**
+ * Audit event types that trigger WebSocket socket closure.
+ *
+ * - `session_revoke` — close only the socket tied to the revoked session hash.
+ * - `token_revoke` — close only the socket(s) authenticated with the revoked `api_token.id`.
+ * - `session_revoke_all` / `token_revoke_all` / `password_change` — close every socket
+ *   for the affected account (all credentials invalidated).
+ *
+ * `permit_revoke` is intentionally omitted: the WS transport does not track
+ * per-connection role requirements, so role-scoped disconnection would
+ * require either closing all sockets (too aggressive) or new tracking
+ * (out of scope). Consumers that need it compose their own callback.
+ */
+export declare const WS_DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
+/**
+ * Create an audit event handler that closes WebSocket connections on auth changes.
+ *
+ * Ignores `outcome === 'failure'` events — they carry attacker-controlled
+ * identifiers (e.g. a `session_revoke` that the DB rejected still records
+ * the submitted session_id), so reacting to them would let any authenticated
+ * user close another user's socket by guessing a session hash or token id.
+ *
+ * @param transport - the backend WebSocket transport to guard
+ * @param log - logger for disconnect events (info level on non-zero closures)
+ * @returns an `on_audit_event` callback suitable for `CreateAppBackendOptions`
+ */
+export declare const create_ws_auth_guard: (transport: BackendWebsocketTransport, log: Logger) => ((event: AuditLogEvent) => void);
+//# sourceMappingURL=transports_ws_auth_guard.d.ts.map

package/dist/actions/transports_ws_auth_guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transports_ws_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAE/D,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,4BAA4B,CAAC;AAE1E;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,EAAE,WAAW,CAAC,MAAM,CAMxD,CAAC;AAEH;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,oBAAoB,GAChC,WAAW,yBAAyB,EACpC,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA6CjC,CAAC"}

package/dist/actions/transports_ws_auth_guard.js

@@ -0,0 +1,86 @@
+/**
+ * WebSocket auth guard — bridges audit events to `BackendWebsocketTransport`.
+ *
+ * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket transport.
+ * Dispatches audit events to the right `close_sockets_for_*` method so
+ * consumers do not re-implement the switch themselves.
+ *
+ * Consumers wire it as `on_audit_event` on their `AppBackend` (or compose
+ * it with other callbacks via `create_app_server`'s `audit_log_sse` path).
+ *
+ * @module
+ */
+/**
+ * Audit event types that trigger WebSocket socket closure.
+ *
+ * - `session_revoke` — close only the socket tied to the revoked session hash.
+ * - `token_revoke` — close only the socket(s) authenticated with the revoked `api_token.id`.
+ * - `session_revoke_all` / `token_revoke_all` / `password_change` — close every socket
+ *   for the affected account (all credentials invalidated).
+ *
+ * `permit_revoke` is intentionally omitted: the WS transport does not track
+ * per-connection role requirements, so role-scoped disconnection would
+ * require either closing all sockets (too aggressive) or new tracking
+ * (out of scope). Consumers that need it compose their own callback.
+ */
+export const WS_DISCONNECT_EVENT_TYPES = new Set([
+    'session_revoke',
+    'token_revoke',
+    'session_revoke_all',
+    'token_revoke_all',
+    'password_change',
+]);
+/**
+ * Create an audit event handler that closes WebSocket connections on auth changes.
+ *
+ * Ignores `outcome === 'failure'` events — they carry attacker-controlled
+ * identifiers (e.g. a `session_revoke` that the DB rejected still records
+ * the submitted session_id), so reacting to them would let any authenticated
+ * user close another user's socket by guessing a session hash or token id.
+ *
+ * @param transport - the backend WebSocket transport to guard
+ * @param log - logger for disconnect events (info level on non-zero closures)
+ * @returns an `on_audit_event` callback suitable for `CreateAppBackendOptions`
+ */
+export const create_ws_auth_guard = (transport, log) => {
+    return (event) => {
+        if (!WS_DISCONNECT_EVENT_TYPES.has(event.event_type))
+            return;
+        // Failed mutations carry attacker-controlled metadata — never act on them.
+        if (event.outcome === 'failure')
+            return;
+        if (event.event_type === 'session_revoke') {
+            const session_id = event.metadata?.session_id;
+            if (typeof session_id !== 'string' || session_id.length === 0)
+                return;
+            const closed = transport.close_sockets_for_session(session_id);
+            if (closed > 0) {
+                log.info(`WS auth guard: closed ${closed} socket(s) for session ${session_id} (session_revoke)`);
+            }
+            return;
+        }
+        if (event.event_type === 'token_revoke') {
+            const token_id = event.metadata?.token_id;
+            if (typeof token_id !== 'string' || token_id.length === 0)
+                return;
+            const closed = transport.close_sockets_for_token(token_id);
+            if (closed > 0) {
+                log.info(`WS auth guard: closed ${closed} socket(s) for token ${token_id} (token_revoke)`);
+            }
+            return;
+        }
+        // session_revoke_all / token_revoke_all / password_change — all of the
+        // account's credentials are invalidated; close every socket on the account.
+        // Admin actions set `target_account_id`; self-service actions only set `account_id`.
+        const target = event.target_account_id ?? event.account_id;
+        if (!target)
+            return;
+        // `target` is a DB account id (string); the transport's account map is
+        // keyed by the branded `Uuid` used elsewhere in fuz_app. Same value,
+        // differing type disciplines across the audit-log and transport layers.
+        const closed = transport.close_sockets_for_account(target);
+        if (closed > 0) {
+            log.info(`WS auth guard: closed ${closed} socket(s) for account ${target} (${event.event_type})`);
+        }
+    };
+};

package/dist/actions/transports_ws_backend.d.ts

@@ -8,16 +8,35 @@ import type { WSContext } from 'hono/ws';
 import type { JsonrpcNotification, JsonrpcRequest, JsonrpcResponseOrError, JsonrpcErrorResponse } from '../http/jsonrpc.js';
 import { type Uuid } from '../uuid.js';
 import { type Transport } from './transports.js';
+/**
+ * Auth identity attached to a single WebSocket connection.
+ *
+ * One record per connection. `token_hash` is set for cookie-session
+ * connections, `api_token_id` for bearer (`api_token`) connections, and
+ * both are null for daemon-token connections (reachable only via
+ * `BackendWebsocketTransport.close_sockets_for_account`).
+ */
+export interface ConnectionIdentity {
+    /** Blake3 session token hash, or null for non-session credentials. */
+    token_hash: string | null;
+    /** Authenticated account id. Always set. */
+    account_id: Uuid;
+    /** `api_token.id` for bearer-authenticated connections, else null. */
+    api_token_id: string | null;
+}
 export declare class BackendWebsocketTransport implements Transport {
     #private;
     readonly transport_name: "backend_websocket_rpc";
     /**
      * Add a new WebSocket connection with auth info.
      * Session connections pass a token hash for targeted revocation.
-     * Bearer token connections (api_token, daemon_token) pass null —
-     * they're still reachable via {@link close_sockets_for_account}.
+     * Bearer token connections (api_token) pass the `api_token.id` so the
+     * socket can be closed when that specific token is revoked without
+     * tearing down the account's other sockets. Daemon-token connections
+     * pass `null` for both — they're only reachable via
+     * `close_sockets_for_account`.
      */
-    add_connection(ws: WSContext, token_hash: string | null, account_id: Uuid): Uuid;
+    add_connection(ws: WSContext, token_hash: string | null, account_id: Uuid, api_token_id?: string | null): Uuid;
     /**
      * Remove a WebSocket connection and its auth tracking data.
      * Idempotent — safe to call after revocation has already cleaned up.
@@ -35,6 +54,16 @@ export declare class BackendWebsocketTransport implements Transport {
      * @returns the number of sockets closed
      */
     close_sockets_for_account(account_id: Uuid): number;
+    /**
+     * Close all sockets associated with a specific API token.
+     *
+     * Used on `token_revoke` audit events so revoking one token doesn't
+     * tear down the account's session-authenticated sockets or other
+     * tokens' sockets.
+     *
+     * @returns the number of sockets closed
+     */
+    close_sockets_for_token(api_token_id: string): number;
     send(message: JsonrpcRequest): Promise<JsonrpcResponseOrError>;
     send(message: JsonrpcNotification): Promise<JsonrpcErrorResponse | null>;
     is_ready(): boolean;

package/dist/actions/transports_ws_backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transports_ws_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_backend.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,SAAS,CAAC;AAEvC,OAAO,KAAK,EAGX,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,YAAY,CAAC;AAClD,OAAO,EAA2B,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAIzE,qBAAa,yBAA0B,YAAW,SAAS;;IAC1D,QAAQ,CAAC,cAAc,EAAG,uBAAuB,CAAU;IAY3D;;;;;OAKG;IACH,cAAc,CAAC,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,EAAE,UAAU,EAAE,IAAI,GAAG,IAAI;IAWhF;;;OAGG;IACH,iBAAiB,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IAOtC;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAcrD;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,IAAI,GAAG,MAAM;IAiC7C,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IA4C9E,QAAQ,IAAI,OAAO;CAGnB"}
+{"version":3,"file":"transports_ws_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_backend.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,SAAS,CAAC;AAEvC,OAAO,KAAK,EAGX,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,YAAY,CAAC;AAClD,OAAO,EAA2B,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAIzE;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,sEAAsE;IACtE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,4CAA4C;IAC5C,UAAU,EAAE,IAAI,CAAC;IACjB,sEAAsE;IACtE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,qBAAa,yBAA0B,YAAW,SAAS;;IAC1D,QAAQ,CAAC,cAAc,EAAG,uBAAuB,CAAU;IAY3D;;;;;;;;OAQG;IACH,cAAc,CACb,EAAE,EAAE,SAAS,EACb,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,IAAI,EAChB,YAAY,GAAE,MAAM,GAAG,IAAW,GAChC,IAAI;IAQP;;;OAGG;IACH,iBAAiB,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IA0BtC;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAIrD;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,IAAI,GAAG,MAAM;IAInD;;;;;;;;OAQG;IACH,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM;IAsB/C,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IA4C9E,QAAQ,IAAI,OAAO;CAGnB"}

package/dist/actions/transports_ws_backend.js

@@ -8,30 +8,29 @@ import { jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
 import { create_jsonrpc_error_response, to_jsonrpc_message_id, is_jsonrpc_request, } from '../http/jsonrpc_helpers.js';
 import { create_uuid } from '../uuid.js';
 import { WS_CLOSE_SESSION_REVOKED } from './transports.js';
-// TODO support a SSE backend transport
 export class BackendWebsocketTransport {
     transport_name = 'backend_websocket_rpc';
     // Map connection IDs to WebSocket contexts
     #connections = new Map();
     // Reverse map to find connection ID by socket
     #connection_ids = new WeakMap();
-    // Session auth tracking — parallel maps keyed by connection ID
-    #connection_token_hashes = new Map();
-    #connection_account_ids = new Map();
+    // Auth identity per connection. Adding a new identity scope (e.g.
+    // `device_id`) means adding a field here, not a new parallel map.
+    #connection_identities = new Map();
     /**
      * Add a new WebSocket connection with auth info.
      * Session connections pass a token hash for targeted revocation.
-     * Bearer token connections (api_token, daemon_token) pass null —
-     * they're still reachable via {@link close_sockets_for_account}.
+     * Bearer token connections (api_token) pass the `api_token.id` so the
+     * socket can be closed when that specific token is revoked without
+     * tearing down the account's other sockets. Daemon-token connections
+     * pass `null` for both — they're only reachable via
+     * `close_sockets_for_account`.
      */
-    add_connection(ws, token_hash, account_id) {
+    add_connection(ws, token_hash, account_id, api_token_id = null) {
         const connection_id = create_uuid();
         this.#connections.set(connection_id, ws);
         this.#connection_ids.set(ws, connection_id);
-        if (token_hash !== null) {
-            this.#connection_token_hashes.set(connection_id, token_hash);
-        }
-        this.#connection_account_ids.set(connection_id, account_id);
+        this.#connection_identities.set(connection_id, { token_hash, account_id, api_token_id });
         return connection_id;
     }
     /**
@@ -45,14 +44,14 @@ export class BackendWebsocketTransport {
         }
     }
     /**
-     * Close all sockets associated with a specific session token hash.
+     * Close every connection whose identity matches the predicate.
      *
      * @returns the number of sockets closed
      */
-    close_sockets_for_session(token_hash) {
+    #close_where(predicate) {
         let count = 0;
-        for (const [connection_id, hash] of this.#connection_token_hashes) {
-            if (hash === token_hash) {
+        for (const [connection_id, identity] of this.#connection_identities) {
+            if (predicate(identity)) {
                 const ws = this.#connections.get(connection_id);
                 if (ws) {
                     this.#revoke_connection(connection_id, ws);
@@ -62,23 +61,33 @@ export class BackendWebsocketTransport {
         }
         return count;
     }
+    /**
+     * Close all sockets associated with a specific session token hash.
+     *
+     * @returns the number of sockets closed
+     */
+    close_sockets_for_session(token_hash) {
+        return this.#close_where((id) => id.token_hash === token_hash);
+    }
     /**
      * Close all sockets associated with a specific account.
      *
      * @returns the number of sockets closed
      */
     close_sockets_for_account(account_id) {
-        let count = 0;
-        for (const [connection_id, id] of this.#connection_account_ids) {
-            if (id === account_id) {
-                const ws = this.#connections.get(connection_id);
-                if (ws) {
-                    this.#revoke_connection(connection_id, ws);
-                    count++;
-                }
-            }
-        }
-        return count;
+        return this.#close_where((id) => id.account_id === account_id);
+    }
+    /**
+     * Close all sockets associated with a specific API token.
+     *
+     * Used on `token_revoke` audit events so revoking one token doesn't
+     * tear down the account's session-authenticated sockets or other
+     * tokens' sockets.
+     *
+     * @returns the number of sockets closed
+     */
+    close_sockets_for_token(api_token_id) {
+        return this.#close_where((id) => id.api_token_id === api_token_id);
     }
     /**
      * Remove all tracking state for a connection.
@@ -86,8 +95,7 @@ export class BackendWebsocketTransport {
     #cleanup_connection(connection_id, ws) {
         this.#connections.delete(connection_id);
         this.#connection_ids.delete(ws);
-        this.#connection_token_hashes.delete(connection_id);
-        this.#connection_account_ids.delete(connection_id);
+        this.#connection_identities.delete(connection_id);
     }
     /**
      * Clean up a connection and close its socket with a revocation code.

package/dist/auth/bearer_auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAqFF,CAAC"}
+{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}

package/dist/auth/bearer_auth.js

@@ -11,7 +11,7 @@
  * @module
  */
 import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
-import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { query_validate_api_token } from './api_token_queries.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -107,6 +107,7 @@ export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
         }
         c.set(REQUEST_CONTEXT_KEY, ctx);
         c.set(CREDENTIAL_TYPE_KEY, 'api_token');
+        c.set(AUTH_API_TOKEN_ID_KEY, api_token.id);
         await next();
     };
 };

package/dist/auth/daemon_token_middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAoCF,CAAC"}
+{"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAqCF,CAAC"}

package/dist/auth/daemon_token_middleware.js

@@ -13,7 +13,7 @@ import {} from '../runtime/deps.js';
 import { write_file_atomic } from '../runtime/fs.js';
 import { get_app_dir } from '../cli/config.js';
 import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
-import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { ERROR_INVALID_DAEMON_TOKEN, ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED, ERROR_KEEPER_ACCOUNT_NOT_FOUND, } from '../http/error_schemas.js';
 import { query_permit_find_account_id_for_role } from './permit_queries.js';
 import { ROLE_KEEPER } from './role_schema.js';
@@ -162,6 +162,7 @@ export const create_daemon_token_middleware = (state, deps) => {
         }
         c.set(REQUEST_CONTEXT_KEY, ctx);
         c.set(CREDENTIAL_TYPE_KEY, 'daemon_token');
+        c.set(AUTH_API_TOKEN_ID_KEY, null);
         await next();
     };
 };

package/dist/auth/keyring.d.ts

@@ -61,7 +61,7 @@ export declare const create_keyring: (env_value: string | undefined) => Keyring
  *
  * Returns an error when no keys are configured (undefined, empty string,
  * or all-separator input like `'____'`), and for each key shorter than
- * {@link MIN_KEY_LENGTH} characters.
+ * `MIN_KEY_LENGTH` characters.
  *
  * @param env_value - the SECRET_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)

package/dist/auth/keyring.js

@@ -75,7 +75,7 @@ export const create_keyring = (env_value) => {
  *
  * Returns an error when no keys are configured (undefined, empty string,
  * or all-separator input like `'____'`), and for each key shorter than
- * {@link MIN_KEY_LENGTH} characters.
+ * `MIN_KEY_LENGTH` characters.
  *
  * @param env_value - the SECRET_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)

package/dist/auth/request_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBAyCF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}
+{"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBA6CF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}

package/dist/auth/request_context.js

@@ -15,7 +15,7 @@ import { is_permit_active } from './account_schema.js';
 import { hash_session_token, session_touch_fire_and_forget, query_session_get_valid, } from './session_queries.js';
 import { query_actor_by_account, query_account_by_id } from './account_queries.js';
 import { query_permit_find_active_for_actor } from './permit_queries.js';
-import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, } from '../http/error_schemas.js';
 /** Hono context variable name for the request context. */
 export const REQUEST_CONTEXT_KEY = 'request_context';
@@ -89,6 +89,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
             c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
+            c.set(AUTH_API_TOKEN_ID_KEY, null);
             await next();
             return;
         }
@@ -98,6 +99,7 @@ export const create_request_context_middleware = (deps, log, session_context_key
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
             c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
+            c.set(AUTH_API_TOKEN_ID_KEY, null);
             await next();
             return;
         }
@@ -106,12 +108,14 @@ export const create_request_context_middleware = (deps, log, session_context_key
             c.set(REQUEST_CONTEXT_KEY, null);
             c.set(CREDENTIAL_TYPE_KEY, null);
             c.set(AUTH_SESSION_TOKEN_HASH_KEY, null);
+            c.set(AUTH_API_TOKEN_ID_KEY, null);
             await next();
             return;
         }
         c.set(REQUEST_CONTEXT_KEY, ctx);
         c.set(CREDENTIAL_TYPE_KEY, 'session');
         c.set(AUTH_SESSION_TOKEN_HASH_KEY, token_hash);
+        c.set(AUTH_API_TOKEN_ID_KEY, null);
         // Touch session (fire-and-forget, don't block the request)
         void session_touch_fire_and_forget(deps, token_hash, c.var.pending_effects, log);
         await next();

package/dist/hono_context.d.ts

@@ -26,6 +26,8 @@ export declare const CredentialType: z.ZodEnum<{
 export type CredentialType = z.infer<typeof CredentialType>;
 /** Hono context variable name for the credential type. */
 export declare const CREDENTIAL_TYPE_KEY = "credential_type";
+/** Hono context variable name for the authenticated API token id. */
+export declare const AUTH_API_TOKEN_ID_KEY = "auth_api_token_id";
 declare module 'hono' {
     interface ContextVariableMap {
         /** Resolved client IP, set by the trusted proxy middleware. */
@@ -44,6 +46,14 @@ declare module 'hono' {
          * disconnection) without re-hashing the cookie in every handler.
          */
         auth_session_token_hash: string | null;
+        /**
+         * `api_token.id` when the request authenticated via `Authorization: Bearer`,
+         * or `null` for session/daemon-token/unauthenticated requests. Set by
+         * `create_bearer_auth_middleware`. Used to scope per-token resources
+         * (e.g., WS connection revocation on `token_revoke`) without re-looking
+         * up the token.
+         */
+        auth_api_token_id: string | null;
         /**
          * Pending fire-and-forget effects for this request (audit logs, usage tracking, etc.).
          * Initialized by `create_app_server`. In test mode (`await_pending_effects: true`),

package/dist/hono_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}
+{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}

package/dist/hono_context.js

@@ -20,3 +20,5 @@ export const CREDENTIAL_TYPES = ['session', 'api_token', 'daemon_token'];
 export const CredentialType = z.enum(CREDENTIAL_TYPES);
 /** Hono context variable name for the credential type. */
 export const CREDENTIAL_TYPE_KEY = 'credential_type';
+/** Hono context variable name for the authenticated API token id. */
+export const AUTH_API_TOKEN_ID_KEY = 'auth_api_token_id';

package/dist/realtime/sse_auth_guard.d.ts

@@ -17,7 +17,9 @@ import type { SseStream, SseNotification, EventSpec } from './sse.js';
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
- * `permit_revoke` requires the revoked role to match the guard's `required_role`.
+ * `permit_revoke` requires the revoked role to match the guard's `required_role`
+ * (or is skipped entirely when `required_role` is `null` — useful for streams
+ * not gated by any specific permit).
  * `session_revoke_all` and `password_change` close every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
@@ -36,11 +38,13 @@ export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
  * (passed as the third argument to `registry.subscribe()`).
  *
  * @param registry - the subscriber registry to guard
- * @param required_role - the role that grants access to the SSE endpoint
+ * @param required_role - the role that grants access to the SSE endpoint,
+ *   or `null` to skip `permit_revoke` handling entirely (for streams not gated
+ *   by a specific permit)
  * @param log - logger for disconnect events
  * @returns an `on_audit_event` callback
  */
-export declare const create_sse_auth_guard: <T>(registry: SubscriberRegistry<T>, required_role: string, log: Logger) => ((event: AuditLogEvent) => void);
+export declare const create_sse_auth_guard: <T>(registry: SubscriberRegistry<T>, required_role: string | null, log: Logger) => ((event: AuditLogEvent) => void);
 /**
  * Convenience factory result for audit log SSE.
  *

package/dist/realtime/sse_auth_guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAKrD,CAAC;AAEH;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,EACrB,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA2CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}
+{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAKrD,CAAC;AAEH;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,GAAG,IAAI,EAC5B,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA6CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,kGAAkG;IAClG,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}

package/dist/realtime/sse_auth_guard.js

@@ -15,7 +15,9 @@ import { SubscriberRegistry } from './subscriber_registry.js';
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
- * `permit_revoke` requires the revoked role to match the guard's `required_role`.
+ * `permit_revoke` requires the revoked role to match the guard's `required_role`
+ * (or is skipped entirely when `required_role` is `null` — useful for streams
+ * not gated by any specific permit).
  * `session_revoke_all` and `password_change` close every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
@@ -39,7 +41,9 @@ export const DISCONNECT_EVENT_TYPES = new Set([
  * (passed as the third argument to `registry.subscribe()`).
  *
  * @param registry - the subscriber registry to guard
- * @param required_role - the role that grants access to the SSE endpoint
+ * @param required_role - the role that grants access to the SSE endpoint,
+ *   or `null` to skip `permit_revoke` handling entirely (for streams not gated
+ *   by a specific permit)
  * @param log - logger for disconnect events
  * @returns an `on_audit_event` callback
  */
@@ -67,8 +71,11 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
             }
             return;
         }
-        // permit_revoke requires matching the specific role
+        // permit_revoke requires matching the specific role. `null` means the
+        // stream isn't gated by a specific permit, so permit_revoke is a no-op.
         if (event.event_type === 'permit_revoke') {
+            if (required_role === null)
+                return;
             if (event.metadata?.role !== required_role)
                 return;
         }

package/dist/testing/middleware.d.ts

@@ -42,6 +42,8 @@ export interface BearerAuthTestCase extends BearerAuthTestOptions {
     validate_expectation: 'called' | 'not_called';
     /** If true, assert `REQUEST_CONTEXT_KEY` and `CREDENTIAL_TYPE_KEY` were set to api_token values. */
     assert_context_set?: boolean;
+    /** If set, assert `AUTH_API_TOKEN_ID_KEY` was set to this value after a successful bearer auth. */
+    expected_api_token_id?: string;
     /** If true, assert the pre-existing session context and credential type are preserved. */
     assert_context_preserved?: boolean;
     /** Optional callback for custom spy assertions on the mocks bundle. */

package/dist/testing/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,EAAE,EAAyB,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC1B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAU3B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAqBpF,gEAAgE;AAChE,MAAM,WAAW,qBAAqB;IACrC,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,oEAAoE;IACpE,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4CAA4C;IAC5C,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,+CAA+C;IAC/C,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,2DAA2D;IAC3D,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;CAClC;AAED,gEAAgE;AAChE,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAChE,+EAA+E;IAC/E,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;IAC9C,oGAAoG;IACpG,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,0FAA0F;IAC1F,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,uEAAuE;IACvE,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;CAChD;AAID,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,oBAAoB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC/C,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAKD;;;;;;;;;GASG;AACH,eAAO,MAAM,wBAAwB,GAAI,IAAI,qBAAqB,KAAG,eAoBpE,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,cAAc,cAAc,CAAC;AAE1C;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,GACvC,IAAI,qBAAqB,EACzB,kBAAiB,WAAW,GAAG,IAAW,KACxC;IAAC,GAAG,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CA2CpC,CAAC;AAIF;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,YAAY,MAAM,EAClB,OAAO,KAAK,CAAC,kBAAkB,CAAC,EAChC,kBAAiB,WAAW,GAAG,IAAW,KACxC,IA0DF,CAAC;AAIF,yEAAyE;AACzE,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAEhD,sDAAsD;AACtD,MAAM,WAAW,0BAA0B;IAC1C,iDAAiD;IACjD,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC;IACpD,oDAAoD;IACpD,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACrC;AAED,yDAAyD;AACzD,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,IAAI,CAAC;IACV,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,oBAAoB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC/C,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gCAAgC,GAC5C,UAAU,0BAA0B,KAClC,sBAiDF,CAAC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,EAAE,EAAyB,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC1B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAU3B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAqBpF,gEAAgE;AAChE,MAAM,WAAW,qBAAqB;IACrC,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,oEAAoE;IACpE,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4CAA4C;IAC5C,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,+CAA+C;IAC/C,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,2DAA2D;IAC3D,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;CAClC;AAED,gEAAgE;AAChE,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAChE,+EAA+E;IAC/E,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;IAC9C,oGAAoG;IACpG,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mGAAmG;IACnG,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,0FAA0F;IAC1F,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,uEAAuE;IACvE,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;CAChD;AAID,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,oBAAoB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC/C,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAKD;;;;;;;;;GASG;AACH,eAAO,MAAM,wBAAwB,GAAI,IAAI,qBAAqB,KAAG,eAoBpE,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,cAAc,cAAc,CAAC;AAE1C;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,GACvC,IAAI,qBAAqB,EACzB,kBAAiB,WAAW,GAAG,IAAW,KACxC;IAAC,GAAG,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CA6CpC,CAAC;AAIF;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,YAAY,MAAM,EAClB,OAAO,KAAK,CAAC,kBAAkB,CAAC,EAChC,kBAAiB,WAAW,GAAG,IAAW,KACxC,IAkEF,CAAC;AAIF,yEAAyE;AACzE,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAEhD,sDAAsD;AACtD,MAAM,WAAW,0BAA0B;IAC1C,iDAAiD;IACjD,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC;IACpD,oDAAoD;IACpD,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACrC;AAED,yDAAyD;AACzD,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,IAAI,CAAC;IACV,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,oBAAoB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC/C,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,gCAAgC,GAC5C,UAAU,0BAA0B,KAClC,sBAiDF,CAAC"}

package/dist/testing/middleware.js

@@ -18,7 +18,7 @@ import { query_permit_find_active_for_actor } from '../auth/permit_queries.js';
 import { create_proxy_middleware, get_client_ip } from '../http/proxy.js';
 import { verify_request_source, parse_allowed_origins } from '../http/origin.js';
 import { REQUEST_CONTEXT_KEY } from '../auth/request_context.js';
-import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { ApiError } from '../http/error_schemas.js';
 // Mock the query modules so test cases can control return values.
 // vi.mock() is hoisted by vitest, so these run before any imports resolve.
@@ -97,6 +97,7 @@ export const create_bearer_auth_test_app = (tc, ip_rate_limiter = null) => {
     app.get('/api/test', (c) => {
         const ctx = c.get(REQUEST_CONTEXT_KEY);
         const cred = c.get(CREDENTIAL_TYPE_KEY);
+        const api_token_id = c.get(AUTH_API_TOKEN_ID_KEY);
         return c.json({
             ok: true,
             has_context: ctx != null,
@@ -104,6 +105,7 @@ export const create_bearer_auth_test_app = (tc, ip_rate_limiter = null) => {
             account_id: ctx?.account.id ?? null,
             actor_id: ctx?.actor.id ?? null,
             permit_count: ctx?.permits.length ?? 0,
+            api_token_id: api_token_id ?? null,
         });
     });
     return { app, mocks };
@@ -149,6 +151,9 @@ export const describe_bearer_auth_cases = (suite_name, cases, ip_rate_limiter =
                     assert.strictEqual(body.has_context, true, 'REQUEST_CONTEXT_KEY should be set');
                     assert.strictEqual(body.credential_type, 'api_token', 'CREDENTIAL_TYPE_KEY should be api_token');
                 }
+                if (tc.expected_api_token_id !== undefined) {
+                    assert.strictEqual(body.api_token_id, tc.expected_api_token_id, 'AUTH_API_TOKEN_ID_KEY should match the validated api_token.id');
+                }
                 if (tc.assert_context_preserved) {
                     assert.strictEqual(body.has_context, true, 'original context should be preserved');
                     assert.strictEqual(body.credential_type, 'session', 'credential type should remain session');

package/dist/ui/form_state.svelte.d.ts

@@ -5,7 +5,7 @@
  * `attempted` state (set on submit attempt). Errors show after a field is blurred or
  * after a submit attempt, avoiding premature validation while the user is still typing.
  *
- * The {@link FormState.form | form} attachment also handles Enter key advancing
+ * The `FormState.form` attachment also handles Enter key advancing
  * between focusable elements.
  *
  * All trackable inputs must have a `name` attribute — an error is thrown in dev

package/dist/ui/form_state.svelte.js

@@ -5,7 +5,7 @@
  * `attempted` state (set on submit attempt). Errors show after a field is blurred or
  * after a submit attempt, avoiding premature validation while the user is still typing.
  *
- * The {@link FormState.form | form} attachment also handles Enter key advancing
+ * The `FormState.form` attachment also handles Enter key advancing
  * between focusable elements.
  *
  * All trackable inputs must have a `name` attribute — an error is thrown in dev

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.14.0",
+  "version": "0.16.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",