@fuzdev/fuz_app 0.23.0 → 0.25.0

package/dist/actions/transports_ws.js

@@ -1,82 +1,79 @@
 /**
- * WebSocket transport — sends JSON-RPC messages via WebSocket with request tracking.
+ * Frontend WebSocket transport — thin adapter over `WebsocketRpcConnection`.
+ *
+ * Delegates request/response correlation, the durable queue, the heartbeat,
+ * and `AbortSignal`-driven cancel to the underlying connection (the
+ * canonical implementation is `FrontendWebsocketClient`). The transport's
+ * own job is the `Transport` contract: route inbound server-pushed
+ * messages into `peer.receive` and translate the connection's
+ * `Promise<R>`/`ThrownJsonrpcError` shape into `JsonrpcResponseOrError`
+ * envelopes. No parallel pending-request map.
  *
  * @module
  */
-import { ThrownJsonrpcError, jsonrpc_error_messages, UNKNOWN_ERROR_MESSAGE, } from '../http/jsonrpc_errors.js';
-import { is_jsonrpc_notification, is_jsonrpc_request, is_jsonrpc_response, is_jsonrpc_error_response, to_jsonrpc_message_id, create_jsonrpc_error_response, } from '../http/jsonrpc_helpers.js';
-import { RequestTracker } from './request_tracker.svelte.js';
+import { ThrownJsonrpcError, jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
+import { is_jsonrpc_notification, is_jsonrpc_request, to_jsonrpc_message_id, to_jsonrpc_result, create_jsonrpc_response, create_jsonrpc_error_response, } from '../http/jsonrpc_helpers.js';
 export class FrontendWebsocketTransport {
     transport_name = 'frontend_websocket_rpc';
     #connection;
     #receive;
-    #request_tracker;
     #remove_message_handler;
     #remove_error_handler;
-    constructor(connection, receive, request_timeout_ms) {
+    constructor(connection, receive) {
         this.#connection = connection;
         this.#receive = receive;
-        this.#request_tracker = new RequestTracker(request_timeout_ms);
-        // TODO maybe we want to do this setup elsewhere, not hardcoded like this
+        // Inbound dispatch — only server-pushed requests/notifications need
+        // routing here. Responses to requests we sent are correlated by the
+        // connection's own `request()` pending map.
         this.#remove_message_handler = connection.add_message_handler(async (event) => {
             try {
                 const data = JSON.parse(event.data);
-                // TODO the `data.id !== null` check should be refactored, maybe we want the "Error Message Response" concept for non-null ids
-                // Check if this is a response to one of our requests
-                if (is_jsonrpc_response(data) || (is_jsonrpc_error_response(data) && data.id !== null)) {
-                    // This is a response to a request we sent
-                    this.#request_tracker.handle_message(data);
-                }
-                else if (is_jsonrpc_request(data) || is_jsonrpc_notification(data)) {
-                    // This is a new request/notification from the server
+                if (is_jsonrpc_request(data) || is_jsonrpc_notification(data)) {
                     await this.#receive(data);
                 }
-                else {
-                    console.warn('[ws_transport] received unknown message type:', data);
-                }
+                // Responses are owned by `connection.request()` — ignore here.
             }
             catch (error) {
                 console.error('[ws_transport] error parsing WebSocket message:', error);
-                // TODO maybe send the whole thing back wrapped in an error?
-                // can't reference anything else for a response
             }
         });
         this.#remove_error_handler = connection.add_error_handler((event) => {
             console.error('[ws_transport] WebSocket error:', event);
         });
     }
-    async send(message) {
+    async send(message, options) {
+        // Fail-fast at the transport boundary. The connection's own queue
+        // would buffer the request and flush on reconnect; that's the right
+        // default for direct `client.request()` callers but the typed Proxy
+        // path expects "service unavailable" semantics when the WS is down.
         if (!this.is_ready()) {
             return create_jsonrpc_error_response(to_jsonrpc_message_id(message), jsonrpc_error_messages.service_unavailable('WebSocket not connected'));
         }
-        try {
-            // If this is a JSON-RPC request with an id (not a notification), set up request tracking.
-            if (is_jsonrpc_request(message)) {
-                // TODO track the whole request?
-                const deferred = this.#request_tracker.track_request(message.id);
-                this.#connection.send(message);
-                // Return the promise that will resolve when the response is received
-                const result = await deferred.promise;
-                return result;
+        if (is_jsonrpc_request(message)) {
+            try {
+                const result = await this.#connection.request(message.method, message.params, {
+                    id: message.id,
+                    signal: options?.signal,
+                    queue: false,
+                });
+                return create_jsonrpc_response(message.id, to_jsonrpc_result(result));
             }
-            else if (is_jsonrpc_notification(message)) {
-                // For notifications, just send without tracking
-                this.#connection.send(message);
-                return null;
+            catch (error) {
+                if (error instanceof ThrownJsonrpcError) {
+                    return create_jsonrpc_error_response(message.id, {
+                        code: error.code,
+                        message: error.message,
+                        data: error.data,
+                    });
+                }
+                return create_jsonrpc_error_response(message.id, jsonrpc_error_messages.internal_error(error instanceof Error ? error.message : String(error)));
             }
-            // Invalid message type - return error with id if available
-            return create_jsonrpc_error_response(to_jsonrpc_message_id(message), jsonrpc_error_messages.invalid_request());
         }
-        catch (error) {
-            if (error instanceof ThrownJsonrpcError) {
-                return create_jsonrpc_error_response(to_jsonrpc_message_id(message), {
-                    code: error.code,
-                    message: error.message,
-                    data: error.data,
-                });
-            }
-            return create_jsonrpc_error_response(to_jsonrpc_message_id(message), jsonrpc_error_messages.internal_error(error.message || UNKNOWN_ERROR_MESSAGE));
+        if (is_jsonrpc_notification(message)) {
+            this.#connection.send(message);
+            return null;
         }
+        return create_jsonrpc_error_response(to_jsonrpc_message_id(message), jsonrpc_error_messages.invalid_request());
     }
     is_ready() {
         return this.#connection.connected;

package/dist/actions/transports_ws_backend.d.ts

@@ -7,7 +7,7 @@
 import type { WSContext } from 'hono/ws';
 import type { JsonrpcMessageFromServerToClient, JsonrpcNotification, JsonrpcRequest, JsonrpcResponseOrError, JsonrpcErrorResponse } from '../http/jsonrpc.js';
 import { type Uuid } from '../uuid.js';
-import { type Transport } from './transports.js';
+import { type Transport, type TransportSendOptions } from './transports.js';
 /**
  * Auth identity attached to a single WebSocket connection.
  *
@@ -78,8 +78,8 @@ export declare class BackendWebsocketTransport implements FilterableBroadcastTra
      * @returns the number of sockets closed
      */
     close_sockets_for_token(api_token_id: string): number;
-    send(message: JsonrpcRequest): Promise<JsonrpcResponseOrError>;
-    send(message: JsonrpcNotification): Promise<JsonrpcErrorResponse | null>;
+    send(message: JsonrpcRequest, options?: TransportSendOptions): Promise<JsonrpcResponseOrError>;
+    send(message: JsonrpcNotification, options?: TransportSendOptions): Promise<JsonrpcErrorResponse | null>;
     /**
      * Broadcast to connections whose identity satisfies a predicate.
      *
@@ -92,5 +92,14 @@ export declare class BackendWebsocketTransport implements FilterableBroadcastTra
      */
     broadcast_filtered(message: JsonrpcMessageFromServerToClient, predicate: (identity: ConnectionIdentity) => boolean): number;
     is_ready(): boolean;
+    /**
+     * Number of currently tracked WebSocket connections.
+     *
+     * Read-only counter intended for telemetry, logging, and tests.
+     * Counts every entry in the connection map — including connections
+     * that have been closed by the peer but not yet removed by the WS
+     * adapter's `onClose` callback.
+     */
+    get_connection_count(): number;
 }
 //# sourceMappingURL=transports_ws_backend.d.ts.map

package/dist/actions/transports_ws_backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transports_ws_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_backend.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,SAAS,CAAC;AAEvC,OAAO,KAAK,EAEX,gCAAgC,EAChC,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,YAAY,CAAC;AAClD,OAAO,EAA2B,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAIzE;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,sEAAsE;IACtE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,4CAA4C;IAC5C,UAAU,EAAE,IAAI,CAAC;IACjB,sEAAsE;IACtE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,4BAA6B,SAAQ,SAAS;IAC9D,kBAAkB,EAAE,CACnB,OAAO,EAAE,gCAAgC,EACzC,SAAS,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,OAAO,KAChD,MAAM,CAAC;CACZ;AAED,qDAAqD;AACrD,eAAO,MAAM,iCAAiC,GAC7C,WAAW,SAAS,KAClB,SAAS,IAAI,4BAEqE,CAAC;AAEtF,qBAAa,yBAA0B,YAAW,4BAA4B;;IAC7E,QAAQ,CAAC,cAAc,EAAG,uBAAuB,CAAU;IAY3D;;;;;;;;OAQG;IACH,cAAc,CACb,EAAE,EAAE,SAAS,EACb,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,IAAI,EAChB,YAAY,GAAE,MAAM,GAAG,IAAW,GAChC,IAAI;IAQP;;;OAGG;IACH,iBAAiB,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IA0BtC;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAIrD;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,IAAI,GAAG,MAAM;IAInD;;;;;;;;OAQG;IACH,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM;IAsB/C,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAC9D,IAAI,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IA4C9E;;;;;;;;;OASG;IACH,kBAAkB,CACjB,OAAO,EAAE,gCAAgC,EACzC,SAAS,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,OAAO,GAClD,MAAM;IAoBT,QAAQ,IAAI,OAAO;CAGnB"}
+{"version":3,"file":"transports_ws_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_backend.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,SAAS,CAAC;AAEvC,OAAO,KAAK,EAEX,gCAAgC,EAChC,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,oBAAoB,EACpB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,EAAc,KAAK,IAAI,EAAC,MAAM,YAAY,CAAC;AAClD,OAAO,EAA2B,KAAK,SAAS,EAAE,KAAK,oBAAoB,EAAC,MAAM,iBAAiB,CAAC;AAIpG;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,sEAAsE;IACtE,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,4CAA4C;IAC5C,UAAU,EAAE,IAAI,CAAC;IACjB,sEAAsE;IACtE,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,4BAA6B,SAAQ,SAAS;IAC9D,kBAAkB,EAAE,CACnB,OAAO,EAAE,gCAAgC,EACzC,SAAS,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,OAAO,KAChD,MAAM,CAAC;CACZ;AAED,qDAAqD;AACrD,eAAO,MAAM,iCAAiC,GAC7C,WAAW,SAAS,KAClB,SAAS,IAAI,4BAEqE,CAAC;AAEtF,qBAAa,yBAA0B,YAAW,4BAA4B;;IAC7E,QAAQ,CAAC,cAAc,EAAG,uBAAuB,CAAU;IAY3D;;;;;;;;OAQG;IACH,cAAc,CACb,EAAE,EAAE,SAAS,EACb,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,UAAU,EAAE,IAAI,EAChB,YAAY,GAAE,MAAM,GAAG,IAAW,GAChC,IAAI;IAQP;;;OAGG;IACH,iBAAiB,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IA0BtC;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAIrD;;;;OAIG;IACH,yBAAyB,CAAC,UAAU,EAAE,IAAI,GAAG,MAAM;IAInD;;;;;;;;OAQG;IACH,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM;IAsB/C,IAAI,CACT,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,oBAAoB,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAC5B,IAAI,CACT,OAAO,EAAE,mBAAmB,EAC5B,OAAO,CAAC,EAAE,oBAAoB,GAC5B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IA6CvC;;;;;;;;;OASG;IACH,kBAAkB,CACjB,OAAO,EAAE,gCAAgC,EACzC,SAAS,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,OAAO,GAClD,MAAM;IAoBT,QAAQ,IAAI,OAAO;IAInB;;;;;;;OAOG;IACH,oBAAoB,IAAI,MAAM;CAG9B"}

package/dist/actions/transports_ws_backend.js

@@ -107,7 +107,7 @@ export class BackendWebsocketTransport {
         this.#cleanup_connection(connection_id, ws);
         ws.close(WS_CLOSE_SESSION_REVOKED, 'Session revoked');
     }
-    async send(message) {
+    async send(message, _options) {
         // TODO currently just broadcasts all messages to all clients, the transport abstraction is still a WIP
         if (is_jsonrpc_request(message)) {
             return create_jsonrpc_error_response(message.id, 
@@ -170,4 +170,15 @@ export class BackendWebsocketTransport {
     is_ready() {
         return this.#connections.size > 0;
     }
+    /**
+     * Number of currently tracked WebSocket connections.
+     *
+     * Read-only counter intended for telemetry, logging, and tests.
+     * Counts every entry in the connection map — including connections
+     * that have been closed by the peer but not yet removed by the WS
+     * adapter's `onClose` callback.
+     */
+    get_connection_count() {
+        return this.#connections.size;
+    }
 }

package/dist/auth/bearer_auth.js

@@ -50,7 +50,6 @@ export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
         // Case-insensitive scheme matching per RFC 7235 §2.1 — defense-in-depth:
         // without this, a `bearer` (lowercase) header silently bypasses token
         // validation and browser-context rejection instead of being processed.
-        // eslint-disable-next-line @typescript-eslint/prefer-optional-chain
         if (!auth_header || auth_header.slice(0, 7).toLowerCase() !== 'bearer ') {
             await next();
             return;

package/dist/auth/keyring.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keyring.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH;;;GAGG;AACH,MAAM,WAAW,OAAO;IACvB;;;OAGG;IACH,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC;;;;OAIG;IACH,MAAM,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC,GAAG,IAAI,CAAC,CAAC;CACrF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,cAAc,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,OAAO,GAAG,IAkCxE,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,KAAK,CAAC,MAAM,CAc5E,CAAC;AA6CF;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAC/B;IAAC,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,GAC5B;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;CAAC,CAAC;AAEtC;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,sBAUxE,CAAC"}
+{"version":3,"file":"keyring.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH;;;GAGG;AACH,MAAM,WAAW,OAAO;IACvB;;;OAGG;IACH,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC;;;;OAIG;IACH,MAAM,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAC,GAAG,IAAI,CAAC,CAAC;CACrF;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,cAAc,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,OAAO,GAAG,IAiCxE,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,KAAK,CAAC,MAAM,CAc5E,CAAC;AA6CF;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAC/B;IAAC,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAC,GAC5B;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAA;CAAC,CAAC;AAEtC;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,sBAUxE,CAAC"}

package/dist/auth/keyring.js

@@ -58,9 +58,7 @@ export const create_keyring = (env_value) => {
         },
         async verify(signed_value) {
             for (let i = 0; i < secrets.length; i++) {
-                // eslint-disable-next-line no-await-in-loop
                 const key = await get_key(i);
-                // eslint-disable-next-line no-await-in-loop
                 const result = await verify_with_crypto_key(signed_value, key);
                 if (result !== false) {
                     return { value: result, key_index: i };

package/dist/auth/migrations.js

@@ -49,23 +49,23 @@ export const AUTH_MIGRATIONS = [
             await db.query(ACTOR_INDEX);
             await db.query(PERMIT_SCHEMA);
             for (const sql of PERMIT_INDEXES) {
-                await db.query(sql); // eslint-disable-line no-await-in-loop
+                await db.query(sql);
             }
             await db.query(AUTH_SESSION_SCHEMA);
             for (const sql of AUTH_SESSION_INDEXES) {
-                await db.query(sql); // eslint-disable-line no-await-in-loop
+                await db.query(sql);
             }
             await db.query(API_TOKEN_SCHEMA);
             await db.query(API_TOKEN_INDEX);
             await db.query(AUDIT_LOG_SCHEMA);
             for (const sql of AUDIT_LOG_INDEXES) {
-                await db.query(sql); // eslint-disable-line no-await-in-loop
+                await db.query(sql);
             }
             await db.query(BOOTSTRAP_LOCK_SCHEMA);
             await db.query(BOOTSTRAP_LOCK_SEED);
             await db.query(INVITE_SCHEMA);
             for (const sql of INVITE_INDEXES) {
-                await db.query(sql); // eslint-disable-line no-await-in-loop
+                await db.query(sql);
             }
             await db.query(APP_SETTINGS_SCHEMA);
             await db.query(APP_SETTINGS_SEED);

package/dist/db/migrate.d.ts

@@ -3,7 +3,11 @@
  *
  * Migrations are functions in ordered arrays, grouped by namespace.
  * A `schema_version` table tracks progress per namespace.
- * Each migration runs in its own transaction.
+ *
+ * **Chain-level transactions**: All pending migrations in a namespace run in a
+ * single transaction. Any failure rolls back every migration in that run —
+ * no partial-state recovery. This rules out non-transactional DDL (e.g.,
+ * `CREATE INDEX CONCURRENTLY`); run those out of band.
  *
  * **Forward-only**: No down-migrations. Schema changes are additive.
  * For pre-release development, collapse migrations into a single v0.
@@ -53,9 +57,15 @@ export interface MigrationResult {
  *
  * Creates the `schema_version` tracking table if it does not exist,
  * then for each namespace: acquires an advisory lock, reads the current
- * version, runs pending migrations in order (each in its own transaction),
+ * version, runs all pending migrations in order inside a single transaction,
  * updates the stored version, and releases the lock.
  *
+ * **Atomicity**: The pending chain for each namespace runs in one transaction —
+ * any failure rolls back every migration that ran in that invocation. The
+ * next run starts from the previously-stored version, re-running the whole
+ * (fixed) chain. Namespaces are independent: a later namespace's failure
+ * does not roll back an earlier namespace that already committed.
+ *
  * **Concurrency**: Uses PostgreSQL advisory locks to serialize concurrent
  * callers on the same namespace. Safe for multi-instance deployments.
  *

package/dist/db/migrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAEhC;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAEpD;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,WAAW,CAAA;CAAC,CAAC;AAEtE;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC7B;AAED,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;CAC3B;AA8BD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,cAAc,GAC1B,IAAI,EAAE,EACN,YAAY,KAAK,CAAC,kBAAkB,CAAC,KACnC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CA2EhC,CAAC"}
+{"version":3,"file":"migrate.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAEhC;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAEpD;;;;GAIG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,WAAW,CAAA;CAAC,CAAC;AAEtE;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC7B;AAED,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;CAC3B;AA8BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,cAAc,GAC1B,IAAI,EAAE,EACN,YAAY,KAAK,CAAC,kBAAkB,CAAC,KACnC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CA0EhC,CAAC"}

package/dist/db/migrate.js

@@ -3,7 +3,11 @@
  *
  * Migrations are functions in ordered arrays, grouped by namespace.
  * A `schema_version` table tracks progress per namespace.
- * Each migration runs in its own transaction.
+ *
+ * **Chain-level transactions**: All pending migrations in a namespace run in a
+ * single transaction. Any failure rolls back every migration in that run —
+ * no partial-state recovery. This rules out non-transactional DDL (e.g.,
+ * `CREATE INDEX CONCURRENTLY`); run those out of band.
  *
  * **Forward-only**: No down-migrations. Schema changes are additive.
  * For pre-release development, collapse migrations into a single v0.
@@ -46,9 +50,15 @@ const namespace_lock_key = (namespace) => {
  *
  * Creates the `schema_version` tracking table if it does not exist,
  * then for each namespace: acquires an advisory lock, reads the current
- * version, runs pending migrations in order (each in its own transaction),
+ * version, runs all pending migrations in order inside a single transaction,
  * updates the stored version, and releases the lock.
  *
+ * **Atomicity**: The pending chain for each namespace runs in one transaction —
+ * any failure rolls back every migration that ran in that invocation. The
+ * next run starts from the previously-stored version, re-running the whole
+ * (fixed) chain. Namespaces are independent: a later namespace's failure
+ * does not roll back an earlier namespace that already committed.
+ *
  * **Concurrency**: Uses PostgreSQL advisory locks to serialize concurrent
  * callers on the same namespace. Safe for multi-instance deployments.
  *
@@ -59,7 +69,6 @@ const namespace_lock_key = (namespace) => {
 export const run_migrations = async (db, namespaces) => {
     await db.query(SCHEMA_VERSION_DDL);
     const results = [];
-    /* eslint-disable no-await-in-loop */
     for (const { namespace, migrations } of namespaces) {
         const lock_key = namespace_lock_key(namespace);
         // Acquire advisory lock — serializes concurrent migration runs
@@ -78,24 +87,25 @@ export const run_migrations = async (db, namespaces) => {
             if (current_version === migrations.length) {
                 continue; // up to date
             }
-            // run pending migrations, each in its own transaction with version upsert
-            for (let i = current_version; i < migrations.length; i++) {
-                const { fn, name } = resolve_migration(migrations[i]);
-                const label = name != null ? `"${name}"` : '';
-                try {
-                    await db.transaction(async (tx) => {
+            // run all pending migrations in a single transaction — any failure
+            // rolls back the whole pending chain
+            await db.transaction(async (tx) => {
+                for (let i = current_version; i < migrations.length; i++) {
+                    const { fn, name } = resolve_migration(migrations[i]);
+                    const label = name != null ? `"${name}"` : '';
+                    try {
                         await fn(tx);
                         await tx.query(`INSERT INTO schema_version (namespace, version, applied_at)
 							 VALUES ($1, $2, NOW())
 							 ON CONFLICT (namespace)
 							 DO UPDATE SET version = $2, applied_at = NOW()`, [namespace, i + 1]);
-                    });
-                }
-                catch (err) {
-                    const name_part = label ? ` ${label}` : '';
-                    throw new Error(`Migration ${namespace}[${i}]${name_part} failed: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
+                    }
+                    catch (err) {
+                        const name_part = label ? ` ${label}` : '';
+                        throw new Error(`Migration ${namespace}[${i}]${name_part} failed: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
+                    }
                 }
-            }
+            });
             results.push({
                 namespace,
                 from_version: current_version,
@@ -113,6 +123,5 @@ export const run_migrations = async (db, namespaces) => {
             }
         }
     }
-    /* eslint-enable no-await-in-loop */
     return results;
 };

package/dist/db/status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"status.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/status.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAChC,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,cAAc,CAAC;AAErD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,eAAe,EAAE,MAAM,CAAC;IACxB,mDAAmD;IACnD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,wCAAwC;IACxC,UAAU,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACxB,yCAAyC;IACzC,SAAS,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,MAAM,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IAC3B,sCAAsC;IACtC,UAAU,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,GAC3B,IAAI,EAAE,EACN,aAAa,KAAK,CAAC,kBAAkB,CAAC,KACpC,OAAO,CAAC,QAAQ,CA+ElB,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,QAAQ,QAAQ,KAAG,MA6BnD,CAAC"}
+{"version":3,"file":"status.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/status.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAChC,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,cAAc,CAAC;AAErD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,eAAe,EAAE,MAAM,CAAC;IACxB,mDAAmD;IACnD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,wCAAwC;IACxC,UAAU,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACxB,yCAAyC;IACzC,SAAS,EAAE,OAAO,CAAC;IACnB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,MAAM,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IAC3B,sCAAsC;IACtC,UAAU,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,eAAe,GAC3B,IAAI,EAAE,EACN,aAAa,KAAK,CAAC,kBAAkB,CAAC,KACpC,OAAO,CAAC,QAAQ,CA8ElB,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,QAAQ,QAAQ,KAAG,MA6BnD,CAAC"}

package/dist/db/status.js

@@ -36,7 +36,6 @@ export const query_db_status = async (db, namespaces) => {
     const tables = [];
     for (const { table_name } of table_rows) {
         // table_name from information_schema is trusted
-        // eslint-disable-next-line no-await-in-loop
         const result = await db.query_one(`SELECT COUNT(*) as count FROM "${table_name}"`);
         tables.push({
             name: table_name,
@@ -53,7 +52,6 @@ export const query_db_status = async (db, namespaces) => {
 			) as exists`);
         if (sv_exists?.exists) {
             for (const { namespace, migrations: ns_migrations } of namespaces) {
-                // eslint-disable-next-line no-await-in-loop
                 const row = await db.query_one('SELECT version FROM schema_version WHERE namespace = $1', [namespace]);
                 const current_version = row?.version ?? 0;
                 migrations.push({

package/dist/dev/setup.js

@@ -93,7 +93,7 @@ export const setup_env_file = async (deps, env_path, example_path, options) => {
         for (const [key, generate] of Object.entries(replacements)) {
             const pattern = new RegExp(`^${key}=$`, 'm');
             if (pattern.test(content)) {
-                const value = await generate(); // eslint-disable-line no-await-in-loop
+                const value = await generate();
                 content = content.replace(pattern, `${key}=${value}`);
                 changed = true;
                 log.ok(`Generated ${key} in existing ${env_path}`);
@@ -114,7 +114,7 @@ export const setup_env_file = async (deps, env_path, example_path, options) => {
     for (const [key, generate] of Object.entries(replacements)) {
         const pattern = new RegExp(`^${key}=$`, 'm');
         if (pattern.test(content)) {
-            const value = await generate(); // eslint-disable-line no-await-in-loop
+            const value = await generate();
             content = content.replace(pattern, `${key}=${value}`);
         }
     }

package/dist/http/db_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/db_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAmB,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAWjE;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,WAAW,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3D,+EAA+E;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAI,SAAS,cAAc,KAAG,KAAK,CAAC,SAAS,CAuN9E,CAAC"}
+{"version":3,"file":"db_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/db_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAmB,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAWjE;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,WAAW,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3D,+EAA+E;IAC/E,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAI,SAAS,cAAc,KAAG,KAAK,CAAC,SAAS,CAsN9E,CAAC"}

package/dist/http/db_routes.js

@@ -66,7 +66,6 @@ export const create_db_route_specs = (options) => {
 					 ORDER BY table_name`);
                 const tables = [];
                 for (const { table_name } of table_names) {
-                    // eslint-disable-next-line no-await-in-loop
                     const result = await route.db.query_one(`SELECT COUNT(*) as count FROM "${assert_valid_sql_identifier(table_name)}"`);
                     tables.push({
                         name: table_name,

package/dist/testing/admin_integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAGtF,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAUjB;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAwnCF,CAAC"}
+{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAGtF,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAUjB;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAsnCF,CAAC"}

package/dist/testing/admin_integration.js

@@ -804,7 +804,6 @@ export const describe_standard_admin_integration_tests = (options) => {
                 const admin_routes = test_app.route_specs.filter((s) => s.path.startsWith(prefix) && s.auth.type === 'role' && s.auth.role === 'admin');
                 // Hit admin routes without auth to exercise 401 error schemas
                 for (const route of admin_routes.slice(0, 5)) {
-                    // eslint-disable-next-line no-await-in-loop
                     const res = await test_app.app.request(route.path, {
                         method: route.method,
                         headers: { host: 'localhost' },
@@ -826,12 +825,10 @@ export const describe_standard_admin_integration_tests = (options) => {
                     s.auth.role === 'admin');
                 assert.ok(admin_get_routes.length > 0, 'Expected at least one admin GET route — ensure create_route_specs includes admin routes');
                 for (const route of admin_get_routes) {
-                    // eslint-disable-next-line no-await-in-loop
                     const res = await test_app.app.request(route.path, {
                         headers: test_app.create_session_headers(),
                     });
                     assert.strictEqual(res.status, 200, `${route.method} ${route.path} should return 200`);
-                    // eslint-disable-next-line no-await-in-loop
                     await assert_response_matches_spec(test_app.route_specs, route.method, route.path, res);
                 }
             });

package/dist/testing/app_server.js

@@ -51,7 +51,7 @@ export const bootstrap_test_account = async (options) => {
     });
     // Grant roles
     for (const role of roles) {
-        await query_grant_permit(deps, { actor_id: actor.id, role, granted_by: null }); // eslint-disable-line no-await-in-loop
+        await query_grant_permit(deps, { actor_id: actor.id, role, granted_by: null });
     }
     // Create API token
     const { token: api_token, id: token_id, token_hash } = generate_api_token();

package/dist/testing/data_exposure.js

@@ -171,18 +171,17 @@ const describe_data_exposure_runtime_tests = (options) => {
                     if (skip_set.has(route_key))
                         continue;
                     const url = resolve_valid_path(spec.path, spec.params);
-                    // eslint-disable-next-line no-await-in-loop
                     const res = await test_app.app.request(url, {
                         method: spec.method,
                         headers: { host: 'localhost', origin: 'http://localhost:5173' },
                     });
                     if (res.headers.get('Content-Type')?.includes('text/event-stream')) {
-                        await res.body?.cancel(); // eslint-disable-line no-await-in-loop
+                        await res.body?.cancel();
                         continue;
                     }
                     let error_body;
                     try {
-                        error_body = await res.clone().json(); // eslint-disable-line no-await-in-loop
+                        error_body = await res.clone().json();
                     }
                     catch {
                         continue;
@@ -200,7 +199,6 @@ const describe_data_exposure_runtime_tests = (options) => {
                         continue;
                     const url = resolve_valid_path(spec.path, spec.params);
                     const headers = authed_account.create_session_headers();
-                    // eslint-disable-next-line no-await-in-loop
                     const res = await test_app.app.request(url, {
                         method: spec.method,
                         headers,
@@ -208,7 +206,7 @@ const describe_data_exposure_runtime_tests = (options) => {
                     assert.strictEqual(res.status, 403, `${route_key} should return 403 for non-admin user`);
                     let error_body;
                     try {
-                        error_body = await res.clone().json(); // eslint-disable-line no-await-in-loop
+                        error_body = await res.clone().json();
                     }
                     catch {
                         continue;
@@ -247,16 +245,16 @@ const describe_data_exposure_runtime_tests = (options) => {
                         },
                         ...(body ? { body: JSON.stringify(body) } : {}),
                     };
-                    const res = await test_app.app.request(url, request_init); // eslint-disable-line no-await-in-loop
+                    const res = await test_app.app.request(url, request_init);
                     if (res.headers.get('Content-Type')?.includes('text/event-stream')) {
-                        await res.body?.cancel(); // eslint-disable-line no-await-in-loop
+                        await res.body?.cancel();
                         continue;
                     }
                     if (!res.ok)
                         continue;
                     let response_body;
                     try {
-                        response_body = await res.clone().json(); // eslint-disable-line no-await-in-loop
+                        response_body = await res.clone().json();
                     }
                     catch {
                         continue;

package/dist/testing/db.js

@@ -206,7 +206,7 @@ export const AUTH_DROP_TABLES = [
  */
 export const drop_auth_schema = async (db) => {
     for (const table of AUTH_DROP_TABLES) {
-        await db.query(`DROP TABLE IF EXISTS ${assert_valid_sql_identifier(table)} CASCADE`); // eslint-disable-line no-await-in-loop
+        await db.query(`DROP TABLE IF EXISTS ${assert_valid_sql_identifier(table)} CASCADE`);
     }
     await db.query('DROP TABLE IF EXISTS schema_version CASCADE');
 };

package/dist/testing/integration.js

@@ -840,7 +840,6 @@ export const describe_standard_integration_tests = (options) => {
                     const route = find_auth_route(test_app.route_specs, suffix, suffix === '/tokens/create' || suffix === '/sessions/revoke-all' ? 'POST' : 'GET');
                     if (!route)
                         continue;
-                    // eslint-disable-next-line no-await-in-loop
                     const res = await test_app.app.request(route.path, {
                         method: route.method,
                         headers: { host: 'localhost' },

package/dist/testing/rate_limiting.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate_limiting.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rate_limiting.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAKrD,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACvC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;OAEG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IA+N/E,CAAC"}
+{"version":3,"file":"rate_limiting.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rate_limiting.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAKrD,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACvC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF;;OAEG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IA4N/E,CAAC"}

package/dist/testing/rate_limiting.js

@@ -64,7 +64,6 @@ export const describe_rate_limiting_tests = (options) => {
                     const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
                     assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
                     // Fire max_attempts failed login requests (sequential — must exhaust the window)
-                    /* eslint-disable no-await-in-loop */
                     for (let i = 0; i < max_attempts; i++) {
                         const res = await test_app.app.request(login_route.path, {
                             method: 'POST',
@@ -77,7 +76,6 @@ export const describe_rate_limiting_tests = (options) => {
                         });
                         assert.notStrictEqual(res.status, 429, `Request ${i + 1}/${max_attempts} should not be rate limited`);
                     }
-                    /* eslint-enable no-await-in-loop */
                     // The next request should be rate limited
                     const blocked_res = await test_app.app.request(login_route.path, {
                         method: 'POST',
@@ -119,7 +117,6 @@ export const describe_rate_limiting_tests = (options) => {
                     assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
                     const target_username = 'rate_limit_target';
                     // Fire max_attempts failed login requests for the same username
-                    /* eslint-disable no-await-in-loop */
                     for (let i = 0; i < max_attempts; i++) {
                         const res = await test_app.app.request(login_route.path, {
                             method: 'POST',
@@ -132,7 +129,6 @@ export const describe_rate_limiting_tests = (options) => {
                         });
                         assert.notStrictEqual(res.status, 429, `Request ${i + 1}/${max_attempts} should not be rate limited`);
                     }
-                    /* eslint-enable no-await-in-loop */
                     // The next request for the same username should be rate limited
                     const blocked_res = await test_app.app.request(login_route.path, {
                         method: 'POST',
@@ -184,7 +180,6 @@ export const describe_rate_limiting_tests = (options) => {
                     const verify_route = find_auth_route(test_app.route_specs, '/verify', 'GET');
                     assert.ok(verify_route, 'Expected GET /verify route — ensure create_route_specs includes account routes');
                     // Fire max_attempts invalid bearer requests (sequential — must exhaust the window)
-                    /* eslint-disable no-await-in-loop */
                     for (let i = 0; i < max_attempts; i++) {
                         const res = await test_app.app.request(verify_route.path, {
                             headers: {
@@ -194,7 +189,6 @@ export const describe_rate_limiting_tests = (options) => {
                         });
                         assert.notStrictEqual(res.status, 429, `Request ${i + 1}/${max_attempts} should not be rate limited`);
                     }
-                    /* eslint-enable no-await-in-loop */
                     // The next request should be rate limited
                     const blocked_res = await test_app.app.request(verify_route.path, {
                         headers: {