@fuzdev/fuz_app 0.38.1 → 0.39.0

package/dist/http/jsonrpc_errors.d.ts

@@ -27,71 +27,22 @@ export type JsonrpcErrorName = 'parse_error' | 'invalid_request' | 'method_not_f
  * Extensible — consumers add domain-specific codes to their own objects
  * by casting `as JsonrpcErrorCode`. Application codes use the -32000 to
  * -32099 range reserved by the JSON-RPC spec.
+ *
+ * Frozen with `Object.freeze` to convert accidental mutation (test
+ * cross-contamination, cast escapes) into loud TypeErrors. Spread into
+ * a fresh object to extend.
  */
-export declare const JSONRPC_ERROR_CODES: {
-    readonly parse_error: JsonrpcErrorCode;
-    readonly invalid_request: JsonrpcErrorCode;
-    readonly method_not_found: JsonrpcErrorCode;
-    readonly invalid_params: JsonrpcErrorCode;
-    readonly internal_error: JsonrpcErrorCode;
-    /**
-     * Same as HTTP 401 "unauthorized", but correctly named.
-     *
-     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status#client_error_responses
-     */
-    readonly unauthenticated: JsonrpcErrorCode;
-    /**
-     * Named to match HTTP 403 — avoids confusion with 401 which
-     * is incorrectly named "unauthorized" in HTTP.
-     */
-    readonly forbidden: JsonrpcErrorCode;
-    readonly not_found: JsonrpcErrorCode;
-    readonly conflict: JsonrpcErrorCode;
-    /**
-     * Application-level validation failures (business logic).
-     * Use `invalid_params` (-32602) for schema/parsing failures.
-     */
-    readonly validation_error: JsonrpcErrorCode;
-    readonly rate_limited: JsonrpcErrorCode;
-    readonly service_unavailable: JsonrpcErrorCode;
-    readonly timeout: JsonrpcErrorCode;
-    /**
-     * Client-side backpressure — an outbound buffer (e.g. `FrontendWebsocketClient`'s
-     * disconnected request queue) refused a new request because it was full.
-     * Distinct from `rate_limited`, which signals a server-side policy.
-     */
-    readonly queue_overflow: JsonrpcErrorCode;
-    /**
-     * Caller-initiated cancellation (e.g. `AbortSignal` fired). Cooperative,
-     * not a failure — the request did not complete because the caller asked
-     * for it to stop.
-     */
-    readonly request_cancelled: JsonrpcErrorCode;
-};
+export declare const JSONRPC_ERROR_CODES: Readonly<Record<JsonrpcErrorName, JsonrpcErrorCode>>;
 /**
  * Named constructors for `JsonrpcErrorObject` values.
  *
  * Each function creates a JSON-RPC error object with the correct
  * code and a sensible default message. Used by the catch layer in
  * `apply_route_specs` to build response bodies.
+ *
+ * Frozen so tests must compose new objects rather than monkey-patch.
  */
-export declare const jsonrpc_error_messages: {
-    readonly parse_error: (data?: unknown) => JsonrpcErrorObject;
-    readonly invalid_request: (data?: unknown) => JsonrpcErrorObject;
-    readonly method_not_found: (method?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly invalid_params: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly internal_error: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly unauthenticated: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly forbidden: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly not_found: (resource?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly conflict: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly validation_error: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly rate_limited: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly service_unavailable: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly timeout: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly queue_overflow: (message?: string, data?: unknown) => JsonrpcErrorObject;
-    readonly request_cancelled: (message?: string, data?: unknown) => JsonrpcErrorObject;
-};
+export declare const jsonrpc_error_messages: Readonly<Record<JsonrpcErrorName, (...args: Array<any>) => JsonrpcErrorObject>>;
 /**
  * Error class carrying a JSON-RPC error code — thrown by handlers,
  * caught by `apply_route_specs` and mapped to HTTP status + JSON-RPC error response.
@@ -109,29 +60,30 @@ export declare class ThrownJsonrpcError extends Error {
  * Usage: `throw jsonrpc_errors.not_found('user')` or `throw jsonrpc_errors.forbidden()`.
  */
 export declare const jsonrpc_errors: {
-    readonly parse_error: (data?: unknown) => ThrownJsonrpcError;
-    readonly invalid_request: (data?: unknown) => ThrownJsonrpcError;
-    readonly method_not_found: (method?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly invalid_params: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly internal_error: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly unauthenticated: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly forbidden: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly not_found: (resource?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly conflict: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly validation_error: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly rate_limited: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly service_unavailable: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly timeout: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly queue_overflow: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
-    readonly request_cancelled: (message?: string | undefined, data?: unknown) => ThrownJsonrpcError;
+    readonly parse_error: (...args: any[]) => ThrownJsonrpcError;
+    readonly invalid_request: (...args: any[]) => ThrownJsonrpcError;
+    readonly method_not_found: (...args: any[]) => ThrownJsonrpcError;
+    readonly invalid_params: (...args: any[]) => ThrownJsonrpcError;
+    readonly internal_error: (...args: any[]) => ThrownJsonrpcError;
+    readonly unauthenticated: (...args: any[]) => ThrownJsonrpcError;
+    readonly forbidden: (...args: any[]) => ThrownJsonrpcError;
+    readonly not_found: (...args: any[]) => ThrownJsonrpcError;
+    readonly conflict: (...args: any[]) => ThrownJsonrpcError;
+    readonly validation_error: (...args: any[]) => ThrownJsonrpcError;
+    readonly rate_limited: (...args: any[]) => ThrownJsonrpcError;
+    readonly service_unavailable: (...args: any[]) => ThrownJsonrpcError;
+    readonly timeout: (...args: any[]) => ThrownJsonrpcError;
+    readonly queue_overflow: (...args: any[]) => ThrownJsonrpcError;
+    readonly request_cancelled: (...args: any[]) => ThrownJsonrpcError;
 };
 /**
  * Maps JSON-RPC error codes to HTTP status codes.
  *
  * Extensible — consumers with domain-specific error codes can spread
- * this into their own mapping object.
+ * this into their own mapping object. Frozen so the source can't be
+ * accidentally mutated; spread copies are mutable.
  */
-export declare const JSONRPC_ERROR_CODE_TO_HTTP_STATUS: Record<number, number>;
+export declare const JSONRPC_ERROR_CODE_TO_HTTP_STATUS: Readonly<Record<number, number>>;
 /**
  * Maps HTTP status codes to JSON-RPC error codes (reverse mapping).
  *
@@ -139,7 +91,7 @@ export declare const JSONRPC_ERROR_CODE_TO_HTTP_STATUS: Record<number, number>;
  * and invalid_request both map to 400), the last one wins. Use for
  * best-effort HTTP → JSON-RPC translation.
  */
-export declare const HTTP_STATUS_TO_JSONRPC_ERROR_CODE: Record<number, JsonrpcErrorCode>;
+export declare const HTTP_STATUS_TO_JSONRPC_ERROR_CODE: Readonly<Record<number, JsonrpcErrorCode>>;
 /**
  * Map a JSON-RPC error code to an HTTP status code.
  *

package/dist/http/jsonrpc_errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jsonrpc_errors.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/jsonrpc_errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAMN,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,MAAM,cAAc,CAAC;AAEtB,0CAA0C;AAC1C,eAAO,MAAM,qBAAqB,kBAAkB,CAAC;AAErD,sEAAsE;AACtE,MAAM,MAAM,gBAAgB,GACzB,aAAa,GACb,iBAAiB,GACjB,kBAAkB,GAClB,gBAAgB,GAChB,gBAAgB,GAChB,iBAAiB,GACjB,WAAW,GACX,WAAW,GACX,UAAU,GACV,kBAAkB,GAClB,cAAc,GACd,qBAAqB,GACrB,SAAS,GACT,gBAAgB,GAChB,mBAAmB,CAAC;AAEvB;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB;0BAEK,gBAAgB;8BACR,gBAAgB;+BACd,gBAAgB;6BACpB,gBAAgB;6BAChB,gBAAgB;IAG1D;;;;OAIG;8BACwB,gBAAgB;IAC3C;;;OAGG;wBACkB,gBAAgB;wBAChB,gBAAgB;uBACjB,gBAAgB;IACpC;;;OAGG;+BACyB,gBAAgB;2BACpB,gBAAgB;kCACT,gBAAgB;sBAC5B,gBAAgB;IACnC;;;;OAIG;6BACuB,gBAAgB;IAC1C;;;;OAIG;gCAC0B,gBAAgB;CACiB,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;kCACb,OAAO,KAAG,kBAAkB;sCAMxB,OAAO,KAAG,kBAAkB;yCAMzB,MAAM,SAAS,OAAO,KAAG,kBAAkB;wCAM5C,MAAM,SAAS,OAAO,KAAG,kBAAkB;wCAO5D,MAAM,SACR,OAAO,KACZ,kBAAkB;yCAMM,MAAM,SAA6B,OAAO,KAAG,kBAAkB;mCAMrE,MAAM,SAAuB,OAAO,KAAG,kBAAkB;oCAMvD,MAAM,SAAS,OAAO,KAAG,kBAAkB;kCAM9C,MAAM,SAAsB,OAAO,KAAG,kBAAkB;0CAMhD,MAAM,SAA8B,OAAO,KAAG,kBAAkB;sCAMpE,MAAM,SAA0B,OAAO,KAAG,kBAAkB;6CAO1E,MAAM,SACR,OAAO,KACZ,kBAAkB;iCAMF,MAAM,SAAqB,OAAO,KAAG,kBAAkB;wCAMhD,MAAM,SAA4B,OAAO,KAAG,kBAAkB;2CAO9E,MAAM,SACR,OAAO,KACZ,kBAAkB;CAKoE,CAAC;AAE3F;;;;;GAKG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAC5C,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,CAAC,EAAE,OAAO,CAAC;gBAEH,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,YAAY;CAK3F;AAWD;;;;GAIG;AACH,eAAO,MAAM,cAAc;8CAXQ,kBAAkB;kDAAlB,kBAAkB;gFAAlB,kBAAkB;+EAAlB,kBAAkB;+EAAlB,kBAAkB;gFAAlB,kBAAkB;0EAAlB,kBAAkB;2EAAlB,kBAAkB;yEAAlB,kBAAkB;iFAAlB,kBAAkB;6EAAlB,kBAAkB;oFAAlB,kBAAkB;wEAAlB,kBAAkB;+EAAlB,kBAAkB;kFAAlB,kBAAkB;CA2BqC,CAAC;AAI3F;;;;;GAKG;AACH,eAAO,MAAM,iCAAiC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAkBpE,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,iCAAiC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAMzC,CAAC;AAEvC;;;;;;;;GAQG;AACH,eAAO,MAAM,iCAAiC,GAAI,MAAM,gBAAgB,KAAG,MAClB,CAAC;AAE1D;;;;;;;GAOG;AACH,eAAO,MAAM,iCAAiC,GAAI,QAAQ,MAAM,KAAG,gBACa,CAAC"}
+{"version":3,"file":"jsonrpc_errors.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/jsonrpc_errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAMN,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,MAAM,cAAc,CAAC;AAEtB,0CAA0C;AAC1C,eAAO,MAAM,qBAAqB,kBAAkB,CAAC;AAErD,sEAAsE;AACtE,MAAM,MAAM,gBAAgB,GACzB,aAAa,GACb,iBAAiB,GACjB,kBAAkB,GAClB,gBAAgB,GAChB,gBAAgB,GAChB,iBAAiB,GACjB,WAAW,GACX,WAAW,GACX,UAAU,GACV,kBAAkB,GAClB,cAAc,GACd,qBAAqB,GACrB,SAAS,GACT,gBAAgB,GAChB,mBAAmB,CAAC;AAEvB;;;;;;;;;;GAUG;AACH,eAAO,MAAM,mBAAmB,EA0C1B,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAE3D;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,EAmG7B,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,kBAAkB,CAAC,CAAC,CAAC;AAEtF;;;;;GAKG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAC5C,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,CAAC,EAAE,OAAO,CAAC;gBAEH,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,YAAY;CAK3F;AAWD;;;;GAIG;AACH,eAAO,MAAM,cAAc;8CAXQ,kBAAkB;kDAAlB,kBAAkB;mDAAlB,kBAAkB;iDAAlB,kBAAkB;iDAAlB,kBAAkB;kDAAlB,kBAAkB;4CAAlB,kBAAkB;4CAAlB,kBAAkB;2CAAlB,kBAAkB;mDAAlB,kBAAkB;+CAAlB,kBAAkB;sDAAlB,kBAAkB;0CAAlB,kBAAkB;iDAAlB,kBAAkB;oDAAlB,kBAAkB;CA2BqC,CAAC;AAI3F;;;;;;GAMG;AACH,eAAO,MAAM,iCAAiC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAkB7E,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,iCAAiC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAQvF,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,iCAAiC,GAAI,MAAM,gBAAgB,KAAG,MAClB,CAAC;AAE1D;;;;;;;GAOG;AACH,eAAO,MAAM,iCAAiC,GAAI,QAAQ,MAAM,KAAG,gBACa,CAAC"}

package/dist/http/jsonrpc_errors.js

@@ -25,8 +25,12 @@ export const UNKNOWN_ERROR_MESSAGE = 'unknown error';
  * Extensible — consumers add domain-specific codes to their own objects
  * by casting `as JsonrpcErrorCode`. Application codes use the -32000 to
  * -32099 range reserved by the JSON-RPC spec.
+ *
+ * Frozen with `Object.freeze` to convert accidental mutation (test
+ * cross-contamination, cast escapes) into loud TypeErrors. Spread into
+ * a fresh object to extend.
  */
-export const JSONRPC_ERROR_CODES = {
+export const JSONRPC_ERROR_CODES = Object.freeze({
     // Standard JSON-RPC errors — values from jsonrpc.ts
     parse_error: JSONRPC_PARSE_ERROR,
     invalid_request: JSONRPC_INVALID_REQUEST,
@@ -67,15 +71,17 @@ export const JSONRPC_ERROR_CODES = {
      * for it to stop.
      */
     request_cancelled: -32010,
-};
+});
 /**
  * Named constructors for `JsonrpcErrorObject` values.
  *
  * Each function creates a JSON-RPC error object with the correct
  * code and a sensible default message. Used by the catch layer in
  * `apply_route_specs` to build response bodies.
+ *
+ * Frozen so tests must compose new objects rather than monkey-patch.
  */
-export const jsonrpc_error_messages = {
+export const jsonrpc_error_messages = Object.freeze({
     parse_error: (data) => ({
         code: JSONRPC_ERROR_CODES.parse_error,
         message: 'parse error',
@@ -151,7 +157,7 @@ export const jsonrpc_error_messages = {
         message,
         data,
     }),
-};
+});
 /**
  * Error class carrying a JSON-RPC error code — thrown by handlers,
  * caught by `apply_route_specs` and mapped to HTTP status + JSON-RPC error response.
@@ -198,9 +204,10 @@ export const jsonrpc_errors = {
  * Maps JSON-RPC error codes to HTTP status codes.
  *
  * Extensible — consumers with domain-specific error codes can spread
- * this into their own mapping object.
+ * this into their own mapping object. Frozen so the source can't be
+ * accidentally mutated; spread copies are mutable.
  */
-export const JSONRPC_ERROR_CODE_TO_HTTP_STATUS = {
+export const JSONRPC_ERROR_CODE_TO_HTTP_STATUS = Object.freeze({
     [-32700]: 400, // parse_error
     [-32600]: 400, // invalid_request
     [-32601]: 404, // method_not_found
@@ -218,7 +225,7 @@ export const JSONRPC_ERROR_CODE_TO_HTTP_STATUS = {
     [-32007]: 503, // service_unavailable
     [-32008]: 504, // timeout
     [-32010]: 499, // request_cancelled (nginx "client closed request")
-};
+});
 /**
  * Maps HTTP status codes to JSON-RPC error codes (reverse mapping).
  *
@@ -226,10 +233,10 @@ export const JSONRPC_ERROR_CODE_TO_HTTP_STATUS = {
  * and invalid_request both map to 400), the last one wins. Use for
  * best-effort HTTP → JSON-RPC translation.
  */
-export const HTTP_STATUS_TO_JSONRPC_ERROR_CODE = Object.fromEntries(Object.entries(JSONRPC_ERROR_CODE_TO_HTTP_STATUS).map(([code, status]) => [
+export const HTTP_STATUS_TO_JSONRPC_ERROR_CODE = Object.freeze(Object.fromEntries(Object.entries(JSONRPC_ERROR_CODE_TO_HTTP_STATUS).map(([code, status]) => [
     status,
     Number(code),
-]));
+])));
 /**
  * Map a JSON-RPC error code to an HTTP status code.
  *

package/dist/server/app_backend.d.ts

@@ -17,7 +17,7 @@ import type { DbType } from '../db/db.js';
 import type { Keyring } from '../auth/keyring.js';
 import type { PasswordHashDeps } from '../auth/password.js';
 import type { StatResult } from '../runtime/deps.js';
-import { type MigrationResult } from '../db/migrate.js';
+import { type MigrationNamespace, type MigrationResult } from '../db/migrate.js';
 /**
  * Result of `create_app_backend()` — database metadata + deps bundle.
  *
@@ -28,7 +28,7 @@ export interface AppBackend {
     deps: AppDeps;
     db_type: DbType;
     db_name: string;
-    /** Migration results from `create_app_backend` (auth migrations only). */
+    /** Migration results from `create_app_backend` — auth migrations plus any consumer namespaces passed via `migration_namespaces`. */
     readonly migration_results: ReadonlyArray<MigrationResult>;
     /** Close the database connection. Bound to the actual driver. */
     close: () => Promise<void>;
@@ -60,15 +60,26 @@ export interface CreateAppBackendOptions {
      * to all route factories automatically. Defaults to a noop.
      */
     on_audit_event?: (event: AuditLogEvent) => void;
+    /**
+     * Additional migration namespaces to run after the builtin auth namespace.
+     * Each namespace's own `schema_version` row tracks progress; order is
+     * append-only so forward-only guarantees hold per-namespace.
+     *
+     * The reserved `'fuz_auth'` namespace is rejected at startup. Omit for no
+     * extra namespaces. This is the only place to splice consumer migrations
+     * — DB init belongs to the backend lifecycle, not server assembly.
+     */
+    migration_namespaces?: ReadonlyArray<MigrationNamespace>;
 }
 /**
  * Initialize the backend: database + auth migrations + deps.
  *
- * Calls `create_db` → `run_migrations` (auth namespace) and bundles
- * the result with the provided keyring and password deps.
+ * Calls `create_db` → `run_migrations` (auth namespace, then any
+ * `migration_namespaces` from options in order) and bundles the result
+ * with the provided keyring and password deps.
  *
- * @param options - keyring, password deps, and optional database URL
- * @returns app backend with deps, database metadata, and migration results
+ * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
+ * @returns app backend with deps, database metadata, and combined migration results
  */
 export declare const create_app_backend: (options: CreateAppBackendOptions) => Promise<AppBackend>;
 //# sourceMappingURL=app_backend.d.ts.map

package/dist/server/app_backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAItE;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAa7F,CAAC"}
+{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAI/F;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,oIAAoI;IACpI,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;CACzD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAyB7F,CAAC"}

package/dist/server/app_backend.js

@@ -12,23 +12,34 @@
  */
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { AUTH_MIGRATION_NS, AUTH_MIGRATION_NAMESPACE } from '../auth/migrations.js';
 import { create_db } from '../db/create_db.js';
 /**
  * Initialize the backend: database + auth migrations + deps.
  *
- * Calls `create_db` → `run_migrations` (auth namespace) and bundles
- * the result with the provided keyring and password deps.
+ * Calls `create_db` → `run_migrations` (auth namespace, then any
+ * `migration_namespaces` from options in order) and bundles the result
+ * with the provided keyring and password deps.
  *
- * @param options - keyring, password deps, and optional database URL
- * @returns app backend with deps, database metadata, and migration results
+ * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
+ * @returns app backend with deps, database metadata, and combined migration results
  */
 export const create_app_backend = async (options) => {
     const { database_url, keyring, password, stat, read_text_file, delete_file } = options;
     const log = options.log ?? new Logger('server');
     const on_audit_event = options.on_audit_event ?? (() => { }); // eslint-disable-line @typescript-eslint/no-empty-function
     const { db, close, db_type, db_name } = await create_db(database_url);
-    const migration_results = await run_migrations(db, [AUTH_MIGRATION_NS]);
+    if (options.migration_namespaces?.length) {
+        for (const ns of options.migration_namespaces) {
+            if (ns.namespace === AUTH_MIGRATION_NAMESPACE) {
+                throw new Error(`Migration namespace "${AUTH_MIGRATION_NAMESPACE}" is reserved by fuz_app — choose a different namespace`);
+            }
+        }
+    }
+    const migration_results = await run_migrations(db, [
+        AUTH_MIGRATION_NS,
+        ...(options.migration_namespaces ?? []),
+    ]);
     return {
         db_type,
         db_name,

package/dist/server/app_server.d.ts

@@ -17,7 +17,7 @@ import { type AuditLogSse } from '../realtime/sse_auth_guard.js';
 import type { AppSettings } from '../auth/app_settings_schema.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { DaemonTokenState } from '../auth/daemon_token.js';
-import { type MigrationNamespace, type MigrationResult } from '../db/migrate.js';
+import type { MigrationResult } from '../db/migrate.js';
 import type { AppDeps } from '../auth/deps.js';
 import type { AppBackend } from './app_backend.js';
 import '../hono_context.js';
@@ -104,8 +104,6 @@ export interface AppServerOptions {
      * Default: auto-created (authenticated).
      */
     surface_route?: false;
-    /** Consumer migration namespaces — run after auth migrations during init. */
-    migration_namespaces?: Array<MigrationNamespace>;
     /**
      * Build route specs from the initialized backend.
      * Called after all middleware is ready.
@@ -191,7 +189,7 @@ export interface AppServer {
     bootstrap_status: BootstrapStatus;
     /** Global app settings (mutable ref — mutated by settings admin route). */
     app_settings: AppSettings;
-    /** Combined migration results — auth migrations from `create_app_backend` plus consumer migrations. */
+    /** Migration results from `create_app_backend` (auth + any `migration_namespaces` passed there). */
     migration_results: ReadonlyArray<MigrationResult>;
     /** Factory-managed audit log SSE. `null` when `audit_log_sse` option is not set. */
     audit_sse: AuditLogSse | null;
@@ -203,9 +201,10 @@ export declare const DEFAULT_MAX_BODY_SIZE: number;
 /**
  * Create a fully assembled Hono app with auth, middleware, and routes.
  *
- * Handles the full lifecycle: consumer migrations → proxy middleware →
- * auth middleware → bootstrap status → route specs → surface generation →
- * Hono app assembly → static serving.
+ * Handles the assembly lifecycle: proxy middleware → auth middleware →
+ * bootstrap status → route specs → surface generation → Hono app assembly →
+ * static serving. Database migrations belong to the backend lifecycle —
+ * pass `migration_namespaces` to `create_app_backend`.
  *
  * @param options - server configuration
  * @returns assembled Hono app, backend, surface build, and bootstrap status

package/dist/server/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAE/F,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AAOrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB,6EAA6E;IAC7E,oBAAoB,CAAC,EAAE,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAEjD;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG,gHAAgH;IAChH,UAAU,EAAE,CAAC,CAAC,SAAS,CAAC;IAExB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,YAAY,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,uGAAuG;IACvG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CA2QpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AAOrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG,gHAAgH;IAChH,UAAU,EAAE,CAAC,CAAC,SAAS,CAAC;IAExB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,YAAY,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oGAAoG;IACpG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CA4PpF,CAAC"}

package/dist/server/app_server.js

@@ -16,8 +16,6 @@ import { SESSION_COOKIE_OPTIONS, } from '../auth/session_cookie.js';
 import { create_audit_log_sse, AUDIT_LOG_EVENT_SPECS, } from '../realtime/sse_auth_guard.js';
 import { query_app_settings_load } from '../auth/app_settings_queries.js';
 import { create_rate_limiter, DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT, } from '../rate_limiter.js';
-import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NAMESPACE } from '../auth/migrations.js';
 // Side-effect import: augments Hono's ContextVariableMap so consumers
 // that import app_server get type-safe c.get('auth_session_id') etc.
 import '../hono_context.js';
@@ -37,9 +35,10 @@ export const DEFAULT_MAX_BODY_SIZE = 1024 * 1024;
 /**
  * Create a fully assembled Hono app with auth, middleware, and routes.
  *
- * Handles the full lifecycle: consumer migrations → proxy middleware →
- * auth middleware → bootstrap status → route specs → surface generation →
- * Hono app assembly → static serving.
+ * Handles the assembly lifecycle: proxy middleware → auth middleware →
+ * bootstrap status → route specs → surface generation → Hono app assembly →
+ * static serving. Database migrations belong to the backend lifecycle —
+ * pass `migration_namespaces` to `create_app_backend`.
  *
  * @param options - server configuration
  * @returns assembled Hono app, backend, surface build, and bootstrap status
@@ -47,19 +46,7 @@ export const DEFAULT_MAX_BODY_SIZE = 1024 * 1024;
 export const create_app_server = async (options) => {
     const { backend } = options;
     const { log } = backend.deps;
-    // 1. Consumer migrations
-    let all_migration_results = backend.migration_results;
-    if (options.migration_namespaces?.length) {
-        // guard against namespace collision with fuz_app's internal migrations
-        for (const ns of options.migration_namespaces) {
-            if (ns.namespace === AUTH_MIGRATION_NAMESPACE) {
-                throw new Error(`Migration namespace "${AUTH_MIGRATION_NAMESPACE}" is reserved by fuz_app — choose a different namespace`);
-            }
-        }
-        const consumer_results = await run_migrations(backend.deps.db, options.migration_namespaces);
-        all_migration_results = [...backend.migration_results, ...consumer_results];
-    }
-    // 2. Rate limiter defaults (undefined = default, null = disable)
+    // Rate limiter defaults (undefined = default, null = disable)
     const ip_rate_limiter = options.ip_rate_limiter === undefined ? create_rate_limiter() : options.ip_rate_limiter;
     const login_account_rate_limiter = options.login_account_rate_limiter === undefined
         ? create_rate_limiter(DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT)
@@ -70,7 +57,7 @@ export const create_app_server = async (options) => {
     const bearer_ip_rate_limiter = options.bearer_ip_rate_limiter === undefined
         ? create_rate_limiter()
         : options.bearer_ip_rate_limiter;
-    // 3. Factory-managed audit SSE (shallow copy deps, no mutation of backend.deps)
+    // Factory-managed audit SSE (shallow copy deps, no mutation of backend.deps)
     const audit_sse = options.audit_log_sse
         ? create_audit_log_sse({
             log,
@@ -86,9 +73,9 @@ export const create_app_server = async (options) => {
             },
         }
         : backend.deps;
-    // 4. Proxy middleware
+    // Proxy middleware
     const proxy_spec = create_proxy_middleware_spec({ ...options.proxy, log });
-    // 5. Auth middleware
+    // Auth middleware
     const auth_middleware = await create_auth_middleware_specs(deps, {
         allowed_origins: options.allowed_origins,
         session_options: options.session_options,
@@ -99,16 +86,16 @@ export const create_app_server = async (options) => {
     if (options.transform_middleware) {
         middleware_specs = options.transform_middleware(middleware_specs);
     }
-    // 6. Bootstrap status + app settings
+    // Bootstrap status + app settings
     const bootstrap_status = options.bootstrap
         ? await check_bootstrap_status(deps, { token_path: options.bootstrap.token_path })
         : { available: false, token_path: null };
     const app_settings = await query_app_settings_load({ db: deps.db });
-    // 7. Surface route ref — factory manages the circular ref
+    // Surface route ref — factory manages the circular ref
     const surface_ref = {
         surface: { middleware: [], routes: [], rpc_endpoints: [], env: [], events: [], diagnostics: [] },
     };
-    // 8. Route specs (consumer routes + factory-managed routes)
+    // Route specs (consumer routes + factory-managed routes)
     const context = {
         deps,
         backend,
@@ -149,7 +136,7 @@ export const create_app_server = async (options) => {
         factory_routes.push(create_surface_route_spec(surface_ref));
     }
     const route_specs = [...consumer_routes, ...factory_routes];
-    // 9. Surface + logging
+    // Surface + logging
     const surface_middleware = options.post_route_middleware
         ? [...middleware_specs, ...options.post_route_middleware]
         : middleware_specs;
@@ -210,7 +197,7 @@ export const create_app_server = async (options) => {
     // Backfill the surface ref — factory owns this lifecycle
     surface_ref.surface = surface_spec.surface;
     log_startup_summary(surface_spec.surface, log, options.env_values);
-    // 10. Hono app assembly
+    // Hono app assembly
     const app = new Hono();
     // Pending effects — collects fire-and-forget promises (audit logs, usage tracking).
     // In test mode, effects are awaited before the response returns.
@@ -255,11 +242,11 @@ export const create_app_server = async (options) => {
     }
     apply_middleware_specs(app, middleware_specs);
     apply_route_specs(app, route_specs, fuz_auth_guard_resolver, log, deps.db);
-    // 11. Post-route middleware (before static serving)
+    // Post-route middleware (before static serving)
     if (options.post_route_middleware) {
         apply_middleware_specs(app, options.post_route_middleware);
     }
-    // 12. Static file serving
+    // Static file serving
     if (options.static_serving) {
         const { serve_static, spa_fallback } = options.static_serving;
         for (const mw of create_static_middleware(serve_static, { spa_fallback })) {
@@ -271,7 +258,7 @@ export const create_app_server = async (options) => {
         surface_spec,
         bootstrap_status,
         app_settings,
-        migration_results: all_migration_results,
+        migration_results: backend.migration_results,
         audit_sse,
         close: backend.close,
     };

package/dist/ui/AdminAccounts.svelte

@@ -5,9 +5,16 @@
 	import type {DatatableColumn} from './datatable.js';
 	import type {AdminAccountEntryJson} from '../auth/account_schema.js';
 	import {format_relative_time, format_datetime_local} from './ui_format.js';
+	import {format_scope_context, resolve_scope_label} from './format_scope.js';
 
 	const get_rpc = admin_accounts_rpc_context.get();
 	const admin_accounts = new AdminAccountsState({get_rpc});
+	const get_format_scope = format_scope_context.get();
+	const format_scope = $derived(get_format_scope());
+
+	// `null` global label: global permits render no scope chip — the implicit default in admin tables.
+	const scope_label = (scope_id: string | null, role: string): string | null =>
+		resolve_scope_label(scope_id, role, format_scope, null);
 
 	void admin_accounts.fetch();
 
@@ -57,8 +64,14 @@
 					{/if}
 				{:else if column.key === 'permits'}
 					{#each row.permits as permit (permit.id)}
+						{@const scope = scope_label(permit.scope_id, permit.role)}
 						<div class="row">
 							<span class="chip color_b">{permit.role}</span>
+							{#if scope !== null}
+								<span class="text_50 font_size_sm" title={permit.scope_id ?? undefined}>
+									{scope}
+								</span>
+							{/if}
 							{#if permit.expires_at}
 								<span class="text_50 font_size_sm" title={format_datetime_local(permit.expires_at)}>
 									expires {format_relative_time(permit.expires_at)}
@@ -80,6 +93,7 @@
 						</div>
 					{/each}
 					{#each row.pending_offers as offer (offer.id)}
+						{@const offer_scope = scope_label(offer.scope_id, offer.role)}
 						<div class="row">
 							<span
 								class="chip"
@@ -87,6 +101,11 @@
 							>
 								{offer.role} (pending from @{offer.from_username})
 							</span>
+							{#if offer_scope !== null}
+								<span class="text_50 font_size_sm" title={offer.scope_id ?? undefined}>
+									{offer_scope}
+								</span>
+							{/if}
 							{#if admin_accounts.has_rpc}
 								<ConfirmButton
 									onconfirm={() => admin_accounts.retract_offer(offer.id)}

package/dist/ui/AdminAccounts.svelte.d.ts

@@ -1,19 +1,4 @@
-interface $$__sveltets_2_IsomorphicComponent<Props extends Record<string, any> = any, Events extends Record<string, any> = any, Slots extends Record<string, any> = any, Exports = {}, Bindings = string> {
-    new (options: import('svelte').ComponentConstructorOptions<Props>): import('svelte').SvelteComponent<Props, Events, Slots> & {
-        $$bindings?: Bindings;
-    } & Exports;
-    (internal: unknown, props: {
-        $$events?: Events;
-        $$slots?: Slots;
-    }): Exports & {
-        $set?: any;
-        $on?: any;
-    };
-    z_$$bindings?: Bindings;
-}
-declare const AdminAccounts: $$__sveltets_2_IsomorphicComponent<Record<string, never>, {
-    [evt: string]: CustomEvent<any>;
-}, {}, {}, string>;
-type AdminAccounts = InstanceType<typeof AdminAccounts>;
+declare const AdminAccounts: import("svelte").Component<Record<string, never>, {}, "">;
+type AdminAccounts = ReturnType<typeof AdminAccounts>;
 export default AdminAccounts;
 //# sourceMappingURL=AdminAccounts.svelte.d.ts.map

package/dist/ui/AdminAccounts.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AdminAccounts.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminAccounts.svelte"],"names":[],"mappings":"AAgIA,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IACtG,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AAKD,QAAA,MAAM,aAAa;;kBAA+E,CAAC;AACjF,KAAK,aAAa,GAAG,YAAY,CAAC,OAAO,aAAa,CAAC,CAAC;AAC1D,eAAe,aAAa,CAAC"}
+{"version":3,"file":"AdminAccounts.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminAccounts.svelte"],"names":[],"mappings":"AAoJA,QAAA,MAAM,aAAa,2DAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}