@fuzdev/fuz_app 0.33.0 → 0.35.0

package/dist/actions/action_rpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAwPtF,CAAC"}
+{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CA6PtF,CAAC"}

package/dist/actions/action_rpc.js

@@ -163,7 +163,12 @@ export const create_rpc_endpoint = (options) => {
             return c.json(error, jsonrpc_error_code_to_http_status(auth_error.code));
         }
         // step 4: validate params
-        const params = raw_params ?? (is_null_schema(action.spec.input) ? null : undefined);
+        // Missing `params` on the envelope maps to `null` for `z.null()` input
+        // schemas and `{}` for object inputs — matches HTTP's "empty body = empty
+        // object" convention so callers of all-optional-object RPC methods can
+        // omit `params` on the wire (JSON-RPC envelope still serializes without
+        // a `params` field; no protocol-level change).
+        const params = raw_params ?? (is_null_schema(action.spec.input) ? null : {});
         const parse_result = action.spec.input.safeParse(params);
         if (!parse_result.success) {
             const error = jsonrpc_error_response(id, jsonrpc_error_messages.invalid_params('invalid params', {

package/dist/actions/rpc_client.d.ts

@@ -77,11 +77,12 @@ export type ThrowingRpcCall = <TOutput = unknown>(method: string, input?: unknow
 /**
  * Wrap a typed RPC client so every call returns its unwrapped value or throws.
  *
- * On `{ok: false}`, throws an `Error` with the JSON-RPC error object's
- * `{code, message, data}` spread onto it — so catch blocks that inspect
- * `err.data?.reason` continue to work. On unknown method, throws a clear
- * "rpc method not found" error instead of the cryptic `undefined is not a
- * function` that would otherwise surface.
+ * On `{ok: false}`, throws an `Error` whose `message` comes from the
+ * JSON-RPC error object, plus `{code, data}` as own properties — so
+ * catch blocks reading `err.message` / `err.code` / `err.data?.reason`
+ * all work. On unknown method, throws a clear "rpc method not found"
+ * error instead of the cryptic `undefined is not a function` that
+ * would otherwise surface.
  *
  * Invariant upheld by `create_rpc_client`: every `{ok: false}` return
  * carries a well-formed `JsonrpcErrorObject` with `code` + `message`.
@@ -90,8 +91,22 @@ export type ThrowingRpcCall = <TOutput = unknown>(method: string, input?: unknow
  * `jsonrpc_errors.forbidden()` without a `data` argument produces
  * `err.data === undefined`.
  *
- * @param api - typed RPC client from `create_rpc_client` (or any Proxy-like
- *   object mapping method names to `(input) => Promise<Result<T, error>>`)
+ * Only `{code, data}` cross onto the thrown Error — `message` flows
+ * through the `Error` constructor argument, and `name` / `stack` are
+ * left as the Error's own so attacker-shaped `result.error` payloads
+ * cannot overwrite them.
+ *
+ * The mapped-type generic constraint accepts both shapes without a cast:
+ * a codegen-derived typed `ActionsApi` (named-method interface, e.g.
+ * `{account_verify: (input) => Promise<Result<...>>, ...}`) and a loose
+ * `Record<string, (input?: any) => Promise<any>>`. Using `keyof TApi` in
+ * the constraint avoids the index-signature requirement that would
+ * otherwise force consumers to `as unknown as Record<string, …>` their
+ * generated client.
+ *
+ * @param api - typed RPC client from `create_rpc_client` (or any object
+ *   whose values are all `(input?) => Promise<...>` functions — notably
+ *   the consumer's generated `ActionsApi` interface)
  */
-export declare const create_throwing_rpc_call: (api: Record<string, ((input?: any) => Promise<any>) | undefined>) => ThrowingRpcCall;
+export declare const create_throwing_rpc_call: <TApi extends Record<keyof TApi, (input?: any) => Promise<any>>>(api: TApi) => ThrowingRpcCall;
 //# sourceMappingURL=rpc_client.d.ts.map

package/dist/actions/rpc_client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rpc_client.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/rpc_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAOpE,OAAO,KAAK,EAAC,UAAU,EAAE,qBAAqB,EAAC,MAAM,kBAAkB,CAAC;AACxE,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,wBAAwB,CAAC;AACjE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,iBAAiB,CAAC;AAGnD;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,aAAa,GAAG,SAAS,CAAC;AAM/E,8EAA8E;AAC9E,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,CAAC,IAAI,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,oBAAoB,CAAA;KAAC,KAC5E;QACA,sBAAsB,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;KAC5C,GACD,SAAS,CAAC;CACb;AAED,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,sBAAsB,CAAC;IACpC,kEAAkE;IAClE,OAAO,CAAC,EAAE,sBAAsB,CAAC;IACjC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAgB7C,CAAC;AA2DF;;;;;GAKG;AACH,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;CAAG;AAgItE;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,GAAG,OAAO,EAC/C,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,OAAO,KACX,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACpC,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,SAAS,CAAC,KAC9D,eAUF,CAAC"}
+{"version":3,"file":"rpc_client.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/rpc_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAOpE,OAAO,KAAK,EAAC,UAAU,EAAE,qBAAqB,EAAC,MAAM,kBAAkB,CAAC;AACxE,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,wBAAwB,CAAC;AACjE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,iBAAiB,CAAC;AAGnD;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,aAAa,GAAG,SAAS,CAAC;AAM/E,8EAA8E;AAC9E,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,CAAC,IAAI,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,oBAAoB,CAAA;KAAC,KAC5E;QACA,sBAAsB,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;KAC5C,GACD,SAAS,CAAC;CACb;AAED,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,sBAAsB,CAAC;IACpC,kEAAkE;IAClE,OAAO,CAAC,EAAE,sBAAsB,CAAC;IACjC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAgB7C,CAAC;AA2DF;;;;;GAKG;AACH,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;CAAG;AAgItE;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,GAAG,OAAO,EAC/C,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,OAAO,KACX,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,eAAO,MAAM,wBAAwB,GACpC,IAAI,SAAS,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,EAE9D,KAAK,IAAI,KACP,eAcF,CAAC"}

package/dist/actions/rpc_client.js

@@ -171,11 +171,12 @@ const create_remote_notification_method = (peer, environment, spec, actions, tra
 /**
  * Wrap a typed RPC client so every call returns its unwrapped value or throws.
  *
- * On `{ok: false}`, throws an `Error` with the JSON-RPC error object's
- * `{code, message, data}` spread onto it — so catch blocks that inspect
- * `err.data?.reason` continue to work. On unknown method, throws a clear
- * "rpc method not found" error instead of the cryptic `undefined is not a
- * function` that would otherwise surface.
+ * On `{ok: false}`, throws an `Error` whose `message` comes from the
+ * JSON-RPC error object, plus `{code, data}` as own properties — so
+ * catch blocks reading `err.message` / `err.code` / `err.data?.reason`
+ * all work. On unknown method, throws a clear "rpc method not found"
+ * error instead of the cryptic `undefined is not a function` that
+ * would otherwise surface.
  *
  * Invariant upheld by `create_rpc_client`: every `{ok: false}` return
  * carries a well-formed `JsonrpcErrorObject` with `code` + `message`.
@@ -184,17 +185,35 @@ const create_remote_notification_method = (peer, environment, spec, actions, tra
  * `jsonrpc_errors.forbidden()` without a `data` argument produces
  * `err.data === undefined`.
  *
- * @param api - typed RPC client from `create_rpc_client` (or any Proxy-like
- *   object mapping method names to `(input) => Promise<Result<T, error>>`)
+ * Only `{code, data}` cross onto the thrown Error — `message` flows
+ * through the `Error` constructor argument, and `name` / `stack` are
+ * left as the Error's own so attacker-shaped `result.error` payloads
+ * cannot overwrite them.
+ *
+ * The mapped-type generic constraint accepts both shapes without a cast:
+ * a codegen-derived typed `ActionsApi` (named-method interface, e.g.
+ * `{account_verify: (input) => Promise<Result<...>>, ...}`) and a loose
+ * `Record<string, (input?: any) => Promise<any>>`. Using `keyof TApi` in
+ * the constraint avoids the index-signature requirement that would
+ * otherwise force consumers to `as unknown as Record<string, …>` their
+ * generated client.
+ *
+ * @param api - typed RPC client from `create_rpc_client` (or any object
+ *   whose values are all `(input?) => Promise<...>` functions — notably
+ *   the consumer's generated `ActionsApi` interface)
  */
 export const create_throwing_rpc_call = (api) => {
+    const rec = api;
     return async (method, input) => {
-        const fn = api[method];
+        const fn = rec[method];
         if (!fn)
             throw new Error(`rpc method not found: ${method}`);
         const result = await fn(input);
         if (!result.ok) {
-            throw Object.assign(new Error(result.error?.message ?? 'rpc error'), result.error);
+            throw Object.assign(new Error(result.error?.message ?? 'rpc error'), {
+                code: result.error?.code,
+                data: result.error?.data,
+            });
         }
         return result.value;
     };

package/dist/auth/CLAUDE.md

@@ -836,20 +836,25 @@ Options:
 `all_permit_offer_action_specs: Array<RequestResponseActionSpec>` —
 codegen-ready registry.
 
-### `admin_rpc_actions.ts` — combined admin + permit-offer factory
-
-`create_admin_rpc_actions(deps, options)` spreads
-`create_admin_actions` and `create_permit_offer_actions` into a single
-`Array<RpcAction>`, so consumers that mount the stock fuz_app admin
-surface don't hand-wire the two factories. `roles` is shared between
-both factories; `app_settings` flows to admin only; `default_ttl_ms`
-and `authorize` flow to permit-offer only; `notification_sender` is
-wired through to permit-offer (admin ignores it).
-
-`AdminRpcActionsOptions` composes `AdminActionOptions` +
-`PermitOfferActionOptions`. `AdminRpcActionsDeps` is the same shape as
-`PermitOfferActionDeps` — `log`, `on_audit_event`, optional
-`notification_sender`.
+### `standard_rpc_actions.ts` — combined admin + permit-offer + account factory
+
+`create_standard_rpc_actions(deps, options)` spreads
+`create_admin_actions`, `create_permit_offer_actions`, and
+`create_account_actions` into a single `Array<RpcAction>` — the
+canonical fuz_app "standard" RPC surface (25 actions with
+`app_settings` wired, 23 without). Consumers that want a narrower
+surface drop down to the per-domain factories directly.
+
+Option routing: `roles` is shared between admin and permit-offer;
+`app_settings` flows to admin only; `default_ttl_ms` and `authorize`
+flow to permit-offer only; `max_tokens` flows to account only;
+`notification_sender` is wired through to permit-offer (admin +
+account ignore it).
+
+`StandardRpcActionsOptions` composes `AdminActionOptions` +
+`PermitOfferActionOptions` + `AccountActionOptions`.
+`StandardRpcActionsDeps` is the same shape as `PermitOfferActionDeps`
+— `log`, `on_audit_event`, optional `notification_sender`.
 
 Pair this with `create_app_server`'s `rpc_endpoints` factory form
 (`(ctx) => Array<RpcEndpointSpec>`) so the combined action list gets
@@ -858,6 +863,15 @@ endpoint via `create_rpc_endpoint`, so consumers don't need to mount it
 again in `create_route_specs`. See `../../../docs/usage.md` §Server
 Assembly.
 
+Pre-bundle consumers spread `create_admin_actions` and
+`create_permit_offer_actions` separately, then also
+`create_account_actions`. The bundled helper replaces all three —
+bundling account actions into the "standard" surface is deliberate:
+the admin integration suite exercises `account_token_create` /
+`account_token_revoke` (cross-account isolation scenarios), so a
+consumer wiring the admin surface without account actions will hit
+`method not found` on first admin-suite run.
+
 ### `account_action_specs.ts` + `account_actions.ts` — seven self-service RPC actions
 
 Counterpart to `account_routes.ts`. Cookie-lifecycle flows (`login`,

package/dist/auth/standard_rpc_actions.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ *
+ * The canonical "standard" RPC surface: every stock fuz_app RPC action a
+ * typical web consumer wants on one endpoint. Consumers that want a
+ * narrower surface drop down to the per-domain factories directly
+ * (`create_admin_actions` / `create_permit_offer_actions` /
+ * `create_account_actions`).
+ *
+ * Option routing: shared `roles` flows to both admin and permit-offer;
+ * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
+ * to permit-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches permit-offer transparently (admin + account
+ * ignore it).
+ *
+ * Paired with `create_admin_rpc_adapters` on the UI side.
+ *
+ * @module
+ */
+import { type AdminActionOptions } from './admin_actions.js';
+import { type PermitOfferActionDeps, type PermitOfferActionOptions } from './permit_offer_actions.js';
+import { type AccountActionOptions } from './account_actions.js';
+import type { RpcAction } from '../actions/action_rpc.js';
+/**
+ * Options for `create_standard_rpc_actions`.
+ *
+ * Composes `AdminActionOptions` (`roles`, `app_settings`),
+ * `PermitOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
+ * `AccountActionOptions` (`max_tokens`). `roles` is shared between admin
+ * and permit-offer — the caller supplies it once and the helper threads
+ * the same reference to both.
+ */
+export interface StandardRpcActionsOptions extends AdminActionOptions, PermitOfferActionOptions, AccountActionOptions {
+}
+/**
+ * Dependencies for `create_standard_rpc_actions`.
+ *
+ * Same shape as `PermitOfferActionDeps` — `log`, `on_audit_event`, and an
+ * optional `notification_sender` for permit-offer WS fan-out. Admin and
+ * account factories only read `log` + `on_audit_event`; the extra field
+ * is harmless.
+ */
+export type StandardRpcActionsDeps = PermitOfferActionDeps;
+/**
+ * Build the combined admin + permit-offer + account RPC action set.
+ *
+ * Spreads `create_admin_actions(deps, {roles, app_settings})`,
+ * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
+ * option flows to admin + permit-offer.
+ *
+ * @param deps - stateless capabilities (log, on_audit_event, optional notification_sender)
+ * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
+ */
+export declare const create_standard_rpc_actions: (deps: StandardRpcActionsDeps, options?: StandardRpcActionsOptions) => Array<RpcAction>;
+//# sourceMappingURL=standard_rpc_actions.d.ts.map

package/dist/auth/standard_rpc_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,qBAAqB,EAC1B,KAAK,wBAAwB,EAC7B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,wBAAwB,EAAE,oBAAoB;CAAG;AAE9E;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAAG,qBAAqB,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}

package/dist/auth/standard_rpc_actions.js

@@ -0,0 +1,39 @@
+/**
+ * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ *
+ * The canonical "standard" RPC surface: every stock fuz_app RPC action a
+ * typical web consumer wants on one endpoint. Consumers that want a
+ * narrower surface drop down to the per-domain factories directly
+ * (`create_admin_actions` / `create_permit_offer_actions` /
+ * `create_account_actions`).
+ *
+ * Option routing: shared `roles` flows to both admin and permit-offer;
+ * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
+ * to permit-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches permit-offer transparently (admin + account
+ * ignore it).
+ *
+ * Paired with `create_admin_rpc_adapters` on the UI side.
+ *
+ * @module
+ */
+import { create_admin_actions } from './admin_actions.js';
+import { create_permit_offer_actions, } from './permit_offer_actions.js';
+import { create_account_actions } from './account_actions.js';
+/**
+ * Build the combined admin + permit-offer + account RPC action set.
+ *
+ * Spreads `create_admin_actions(deps, {roles, app_settings})`,
+ * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
+ * option flows to admin + permit-offer.
+ *
+ * @param deps - stateless capabilities (log, on_audit_event, optional notification_sender)
+ * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
+ */
+export const create_standard_rpc_actions = (deps, options = {}) => [
+    ...create_admin_actions(deps, options),
+    ...create_permit_offer_actions(deps, options),
+    ...create_account_actions(deps, options),
+];

package/dist/server/app_server.d.ts

@@ -139,7 +139,7 @@ export interface AppServerOptions {
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` (evaluated after the
      * server context is assembled). Use the factory form when action lists
      * depend on `ctx.deps` / `ctx.app_settings` — e.g.
-     * `create_admin_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`.
+     * `create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`.
      */
     rpc_endpoints?: Array<RpcEndpointSpec> | ((context: AppServerContext) => Array<RpcEndpointSpec>);
     /** Env schema for surface generation. Pass `z.object({})` when there are no env vars beyond `BaseServerEnv`. */

package/dist/testing/CLAUDE.md

@@ -267,8 +267,13 @@ Walks Zod schemas to generate valid values for adversarial/round-trip tests.
 - `generate_valid_value(field, field_schema)` — base-type switch
   producing a valid sample (UUIDs → nil UUID, strings → `'xxxxxxxxxx'`,
   numbers → `1`, objects → recurse, enums → first entry, etc.).
-  Falls back through `/` + URL prefixes if a branded-string refinement
-  rejects the plain base.
+  For branded-string refinements, walks a fallback chain synthesized
+  from the `pattern` string the JSON Schema representation exposes:
+  fixed-length hex (`^[0-9a-f]{N}$` — blake3 / sha256 / md5 digests;
+  `0`.repeat(N)), prefix-lengthed slug (`^<prefix>_[A-Za-z0-9_-]{N}$`
+  — `ApiTokenId`-style ids; `<prefix>_` + `x`.repeat(N)), absolute
+  path prefix, URL prefix. First candidate that `safeParse` accepts
+  is used.
 - `resolve_valid_path(path, params_schema?)` — swaps `:param` for
   valid-format values (nil UUID for UUID params, `test_param` otherwise).
 - `generate_valid_body(input_schema) => Record<string, unknown> | undefined` —
@@ -546,7 +551,7 @@ the same `RpcEndpointsSuiteOption` union every DB-backed suite accepts
 `rpc_round_trip`, `sse_round_trip`). Prefer the factory form: it forwards
 raw to `app_options.rpc_endpoints` so `create_app_server` resolves it per-test
 with the real ctx — the only way action handlers can close over
-`ctx.deps` / `ctx.app_settings` (e.g. `create_admin_rpc_actions(ctx.deps,
+`ctx.deps` / `ctx.app_settings` (e.g. `create_standard_rpc_actions(ctx.deps,
 {app_settings: ctx.app_settings})`). Factory must return the same endpoint
 `path` regardless of ctx — `resolve_rpc_endpoints_for_setup` invokes it
 once with a stub ctx for path lookup and `create_app_server` invokes it
@@ -558,9 +563,23 @@ revoke-all plus audit-log list/history are all RPC-only since the
 2026-04-22 migration. A confusing test failure mid-suite is worse than a
 clear setup error.
 
+The suite also exercises `account_token_create` (and
+`account_token_revoke`) for the cross-admin isolation + audit-trail
+scenarios. Wire the account actions alongside admin / permit-offer —
+the easiest path is `create_standard_rpc_actions`, which bundles all
+three. Consumers that only wire admin will hit `method not found:
+account_token_create` on first run.
+
 Error-coverage scope is narrowed to the REST suffixes still on the
-admin surface (`/sessions`, `/audit-log/stream`); the RPC surface is
-covered by `describe_rpc_round_trip_tests`.
+admin surface (`/audit-log/stream`); the RPC surface is covered by
+`describe_rpc_round_trip_tests`. Post-RPC-migration that surface is
+0–1 routes — when the scoped count is ≤1, the `afterAll` hook logs
+`[error coverage] skipped admin REST coverage assertion — …` and
+does not fail. The 20% `DEFAULT_INTEGRATION_ERROR_COVERAGE` baseline
+is a REST-era threshold; the RPC surface has its own coverage via
+`describe_rpc_round_trip_tests`. TODO: move this error-coverage
+collector to the RPC round-trip suite entirely and delete this skip
+branch.
 
 ### `audit_completeness.ts` — `describe_audit_completeness_tests`
 

package/dist/testing/admin_integration.d.ts

@@ -24,7 +24,7 @@ export interface StandardAdminIntegrationTestOptions {
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
      * is required when action handlers must close over the per-test
      * `ctx.app_settings` / `ctx.deps` (e.g. the canonical
-     * `create_admin_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`
+     * `create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`
      * pattern). The factory must return the same endpoint `path` regardless
      * of ctx — it is invoked once at setup with a stub ctx for path lookup
      * and again per-test by `create_app_server` for live dispatch.
@@ -32,9 +32,9 @@ export interface StandardAdminIntegrationTestOptions {
     rpc_endpoints: RpcEndpointsSuiteOption;
     /**
      * Path prefix where admin routes are mounted (e.g., `'/api/admin'`).
-     * Used by the schema validation test to scope to fuz_app admin routes only,
-     * avoiding app-specific admin-gated routes that may use stub deps.
-     * Default `'/api/admin'`.
+     * Used by the 401/403 error-coverage probe to scope to fuz_app admin
+     * routes only, avoiding app-specific admin-gated routes that may use
+     * stub deps. Default `'/api/admin'`.
      */
     admin_prefix?: string;
     /** Optional overrides for `AppServerOptions`. */
@@ -49,8 +49,10 @@ export interface StandardAdminIntegrationTestOptions {
  * Standard admin integration test suite for fuz_app admin routes.
  *
  * Exercises account listing, permit grant/revoke (via RPC), session
- * management, token management, audit log routes, admin-to-admin isolation,
- * and response schema validation.
+ * management, token management, audit log reads, admin-to-admin
+ * isolation, and 401/403 error-coverage on the admin REST surface.
+ * Output-schema conformance is not in scope — see the module docstring
+ * for the suites that cover it.
  *
  * @param options - session config, route factory, role schema, RPC endpoints
  */

package/dist/testing/admin_integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AASjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgCD;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IA02BF,CAAC"}
+{"version":3,"file":"admin_integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/admin_integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA+B7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA0B,KAAK,gBAAgB,EAAC,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AASjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,mCAAmC;IACnD,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,4GAA4G;IAC5G,KAAK,EAAE,gBAAgB,CAAC;IACxB;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAgCD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,mCAAmC,KAC1C,IAy1BF,CAAC"}