@fuzdev/fuz_app 0.41.1 → 0.43.0

package/dist/actions/action_rpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CA6PtF,CAAC"}
+{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAsQtF,CAAC"}

package/dist/actions/action_rpc.js

@@ -17,7 +17,7 @@ import {} from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { get_request_context, has_role } from '../auth/request_context.js';
 import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
-import { is_null_schema } from '../http/schema_helpers.js';
+import { is_null_schema, is_void_schema } from '../http/schema_helpers.js';
 import { JSONRPC_VERSION, JsonrpcRequest, } from '../http/jsonrpc.js';
 import { jsonrpc_error_messages, jsonrpc_error_code_to_http_status, JSONRPC_ERROR_CODES, } from '../http/jsonrpc_errors.js';
 import { ERROR_INSUFFICIENT_PERMISSIONS, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN, } from '../http/error_schemas.js';
@@ -127,6 +127,9 @@ export const create_rpc_endpoint = (options) => {
         if (action_map.has(action.spec.method)) {
             throw new Error(`Duplicate RPC action method: ${action.spec.method}`);
         }
+        if (is_null_schema(action.spec.input)) {
+            throw new Error(`RPC action "${action.spec.method}" uses z.null() for input — JSON-RPC 2.0 §4.2 forbids "params": null on the wire (must be omitted or be a Structured value). Use z.void() for parameterless methods.`);
+        }
         action_map.set(action.spec.method, action);
     }
     /**
@@ -163,12 +166,16 @@ export const create_rpc_endpoint = (options) => {
             return c.json(error, jsonrpc_error_code_to_http_status(auth_error.code));
         }
         // step 4: validate params
-        // Missing `params` on the envelope maps to `null` for `z.null()` input
-        // schemas and `{}` for object inputs — matches HTTP's "empty body = empty
-        // object" convention so callers of all-optional-object RPC methods can
-        // omit `params` on the wire (JSON-RPC envelope still serializes without
-        // a `params` field; no protocol-level change).
-        const params = raw_params ?? (is_null_schema(action.spec.input) ? null : {});
+        // Missing `params` on the envelope maps to `undefined` for `z.void()`
+        // input schemas and `{}` for object inputs (matches HTTP's "empty
+        // body = empty object" convention so callers of all-optional-object
+        // RPC methods can omit `params` on the wire). JSON-RPC 2.0 §4.2
+        // forbids `params: null`, so `z.void()` is the spec-correct schema
+        // for parameterless methods — registration above rejects `z.null()`
+        // inputs to keep this branch from having to consider that legacy
+        // shape. When `raw_params` is present it flows through unchanged so
+        // contract-violating shapes still fail validation.
+        const params = is_void_schema(action.spec.input) ? raw_params : (raw_params ?? {});
         const parse_result = action.spec.input.safeParse(params);
         if (!parse_result.success) {
             const error = jsonrpc_error_response(id, jsonrpc_error_messages.invalid_params('invalid params', {

package/dist/auth/CLAUDE.md

@@ -513,9 +513,96 @@ run'` if the seed somehow missed (defensive — migrations always seed).
     `permit_actor_role_active_unique` and installs scope-aware
     `permit_actor_role_scope_active_unique` using the
     `PERMIT_OFFER_SCOPE_SENTINEL_UUID`.
-- Forward-only (no down). Named migrations are preferred so the name
+- Forward-only (no down). Migrations are `{name, up}` objects; the name
   surfaces in error messages.
 
+#### Runner contract (`db/migrate.ts`)
+
+The `schema_version` table stores **one row per applied migration**, keyed
+by `(namespace, name)` with a monotonically-increasing per-namespace
+`sequence` and `applied_at`. `run_migrations` reads applied rows ordered
+by `sequence`, then enforces:
+
+1. **Length check first.** If `applied.length > code.length`, throw
+   `binary-older-than-db` listing the unknown names. Short-circuits
+   before name verify so a binary-older case with a rename in the overlap
+   doesn't fire `name-divergence-at-N` first and send the operator chasing
+   a phantom source-revert.
+2. **Name-prefix verify.** For each `i < applied.length`, assert
+   `applied[i].name === code[i].name`; mismatch throws
+   `name-divergence-at-N` with `at_index`.
+3. **Run the pending tail** (`code[applied.length..]`) inside a single
+   chain transaction; each `INSERT` uses `sequence = max(sequence) + 1`.
+
+**Append-only after first publish.** Once a fuz_app version containing a
+migration is published, the migration's name and position are frozen.
+Pre-publish, anything goes; the cliff is the publish event. Body edits to
+a published migration slip past the runner (no content hashing) — schema-
+snapshot tests in consumers catch these.
+
+`MigrationError` is the only error class thrown from `run_migrations` /
+`baseline`; branch on `.kind` (never on message text). Kinds:
+`binary-older-than-db`, `name-divergence-at-N`, `old-tracker-shape`,
+`migration-failed`, `baseline-name-not-in-code`,
+`baseline-name-out-of-order`, `baseline-namespace-already-populated`.
+
+`baseline(db, ns, names)` is the only sanctioned non-execution path —
+INSERTs tracker rows for a name-prefix of `ns.migrations` without running
+their `up` functions. Used to promote an existing schema (e.g. preserved
+through a tracker-shape upgrade) into the new tracker. Per-namespace
+populated guard lets multi-call cutover scripts resume after partial
+failure. `baseline()` does **not** verify the schema actually matches
+what the named migrations would have produced — pair with a
+schema-assertion script post-baseline.
+
+There is **no programmatic bypass on the main `run_migrations` path**.
+No `--force`, no `skip_verification`. If you need to deviate, reach for
+`baseline()` (named, narrow) or direct SQL on the tracker (operator
+explicitly states intent).
+
+#### Operator recipes (run with the service stopped — these bypass the advisory lock)
+
+**Rename a migration** (typo fix, etc.). This is a coordinated code+SQL
+change, not just SQL:
+
+1. Stop the service. Disable auto-restart for the cutover window.
+2. Run the SQL `UPDATE` first — old code on disk doesn't read `name`, so
+   running this with the old build still deployed is harmless and the
+   safer order.
+3. Deploy the build with the renamed migration in the code array.
+4. Start the service — boot's name-prefix verify passes.
+
+The bad order is "deploy code with new name, then SQL UPDATE" — boot
+fires `name-divergence-at-N` and refuses to start in between.
+
+```sql
+UPDATE schema_version SET name = 'new_name'
+ WHERE namespace = $ns AND name = 'old_name';
+```
+
+**Mark a single migration applied without running it** (extreme repair —
+prefer `baseline()` when promoting a whole prefix):
+
+```sql
+INSERT INTO schema_version (namespace, name, sequence, applied_at)
+VALUES ($ns, $name,
+        (SELECT COALESCE(MAX(sequence), -1) + 1
+           FROM schema_version WHERE namespace = $ns),
+        NOW());
+```
+
+**Reset a namespace** (drop tracker rows; idempotent migrations re-apply
+on next boot):
+
+```sql
+DELETE FROM schema_version WHERE namespace = $ns;
+```
+
+A `set_applied()` / `rename_applied()` helper was considered and
+rejected — even one sanctioned bypass that doesn't name the operator's
+intent invites use as a regular tool. Direct SQL forces the operator to
+consciously violate the contract.
+
 ## Middleware
 
 Side of the chain ordering (concept-level — see the root `../../../CLAUDE.md`
@@ -758,16 +845,16 @@ auth per-spec, so mixed-auth endpoints compose cleanly.
 
 | Spec                                   | Side effects | Input                                                     | Output                        |
 | -------------------------------------- | ------------ | --------------------------------------------------------- | ----------------------------- |
-| `admin_account_list_action_spec`       | false        | `z.null()`                                                | `{accounts, grantable_roles}` |
-| `admin_session_list_action_spec`       | false        | `z.null()`                                                | `{sessions}`                  |
+| `admin_account_list_action_spec`       | false        | `z.void()`                                                | `{accounts, grantable_roles}` |
+| `admin_session_list_action_spec`       | false        | `z.void()`                                                | `{sessions}`                  |
 | `admin_session_revoke_all_action_spec` | true         | `{account_id}`                                            | `{ok, count}`                 |
 | `admin_token_revoke_all_action_spec`   | true         | `{account_id}`                                            | `{ok, count}`                 |
 | `audit_log_list_action_spec`           | false        | `{event_type?, account_id?, limit?, offset?, since_seq?}` | `{events}`                    |
 | `audit_log_permit_history_action_spec` | false        | `{limit?, offset?}`                                       | `{events}`                    |
 | `invite_create_action_spec`            | true         | `{email?, username?}`                                     | `{ok, invite}`                |
-| `invite_list_action_spec`              | false        | `z.null()`                                                | `{invites}`                   |
+| `invite_list_action_spec`              | false        | `z.void()`                                                | `{invites}`                   |
 | `invite_delete_action_spec`            | true         | `{invite_id}`                                             | `{ok}`                        |
-| `app_settings_get_action_spec`         | false        | `z.null()`                                                | `{settings}`                  |
+| `app_settings_get_action_spec`         | false        | `z.void()`                                                | `{settings}`                  |
 | `app_settings_update_action_spec`      | true         | `{open_signup}`                                           | `{ok, settings}`              |
 
 `AUDIT_LOG_LIST_LIMIT_MAX = 200` — page size clamp (mirrors the former REST
@@ -971,12 +1058,12 @@ exists.
 
 | Spec                                     | Side effects | Input          | Output                  |
 | ---------------------------------------- | ------------ | -------------- | ----------------------- |
-| `account_verify_action_spec`             | false        | `z.null()`     | `SessionAccountJson`    |
-| `account_session_list_action_spec`       | false        | `z.null()`     | `{sessions}`            |
+| `account_verify_action_spec`             | false        | `z.void()`     | `SessionAccountJson`    |
+| `account_session_list_action_spec`       | false        | `z.void()`     | `{sessions}`            |
 | `account_session_revoke_action_spec`     | true         | `{session_id}` | `{ok, revoked}`         |
-| `account_session_revoke_all_action_spec` | true         | `z.null()`     | `{ok, count}`           |
+| `account_session_revoke_all_action_spec` | true         | `z.void()`     | `{ok, count}`           |
 | `account_token_create_action_spec`       | true         | `{name?}`      | `{ok, token, id, name}` |
-| `account_token_list_action_spec`         | false        | `z.null()`     | `{tokens}`              |
+| `account_token_list_action_spec`         | false        | `z.void()`     | `{tokens}`              |
 | `account_token_revoke_action_spec`       | true         | `{token_id}`   | `{ok, revoked}`         |
 
 `session_id` validates as `Blake3Hash`; `token_id` validates as

package/dist/auth/account_action_specs.d.ts

@@ -10,10 +10,10 @@
 import { z } from 'zod';
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Input for `account_verify`. No parameters — the caller is the subject. */
-export declare const VerifyInput: z.ZodNull;
+export declare const VerifyInput: z.ZodVoid;
 export type VerifyInput = z.infer<typeof VerifyInput>;
 /** Input for `account_session_list`. No parameters. */
-export declare const SessionListInput: z.ZodNull;
+export declare const SessionListInput: z.ZodVoid;
 export type SessionListInput = z.infer<typeof SessionListInput>;
 /** Output for `account_session_list`. */
 export declare const SessionListOutput: z.ZodObject<{
@@ -38,7 +38,7 @@ export declare const SessionRevokeOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type SessionRevokeOutput = z.infer<typeof SessionRevokeOutput>;
 /** Input for `account_session_revoke_all`. No parameters. */
-export declare const SessionRevokeAllInput: z.ZodNull;
+export declare const SessionRevokeAllInput: z.ZodVoid;
 export type SessionRevokeAllInput = z.infer<typeof SessionRevokeAllInput>;
 /** Output for `account_session_revoke_all`. */
 export declare const SessionRevokeAllOutput: z.ZodObject<{
@@ -60,7 +60,7 @@ export declare const TokenCreateOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type TokenCreateOutput = z.infer<typeof TokenCreateOutput>;
 /** Input for `account_token_list`. No parameters. */
-export declare const TokenListInput: z.ZodNull;
+export declare const TokenListInput: z.ZodVoid;
 export type TokenListInput = z.infer<typeof TokenListInput>;
 /** Output for `account_token_list`. Hashes are excluded. */
 export declare const TokenListOutput: z.ZodObject<{
@@ -92,7 +92,7 @@ export declare const account_verify_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         username: z.ZodString;
@@ -109,7 +109,7 @@ export declare const account_session_list_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         sessions: z.ZodArray<z.ZodObject<{
             id: z.ZodString;
@@ -144,7 +144,7 @@ export declare const account_session_revoke_all_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: true;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
         count: z.ZodNumber;
@@ -176,7 +176,7 @@ export declare const account_token_list_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         tokens: z.ZodArray<z.ZodObject<{
             id: z.ZodString;

package/dist/auth/account_action_specs.js

@@ -13,9 +13,9 @@ import { AuthSessionJson, ClientApiTokenJson, SessionAccountJson } from './accou
 import { ApiTokenId } from './api_token.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `account_verify`. No parameters — the caller is the subject. */
-export const VerifyInput = z.null();
+export const VerifyInput = z.void();
 /** Input for `account_session_list`. No parameters. */
-export const SessionListInput = z.null();
+export const SessionListInput = z.void();
 /** Output for `account_session_list`. */
 export const SessionListOutput = z.strictObject({
     sessions: z.array(AuthSessionJson),
@@ -30,7 +30,7 @@ export const SessionRevokeOutput = z.strictObject({
     revoked: z.boolean(),
 });
 /** Input for `account_session_revoke_all`. No parameters. */
-export const SessionRevokeAllInput = z.null();
+export const SessionRevokeAllInput = z.void();
 /** Output for `account_session_revoke_all`. */
 export const SessionRevokeAllOutput = z.strictObject({
     ok: z.literal(true),
@@ -51,7 +51,7 @@ export const TokenCreateOutput = z.strictObject({
     name: z.string(),
 });
 /** Input for `account_token_list`. No parameters. */
-export const TokenListInput = z.null();
+export const TokenListInput = z.void();
 /** Output for `account_token_list`. Hashes are excluded. */
 export const TokenListOutput = z.strictObject({
     tokens: z.array(ClientApiTokenJson),

package/dist/auth/admin_action_specs.d.ts

@@ -20,7 +20,7 @@ import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Max audit-log page size. Mirrors the former REST route's clamp. */
 export declare const AUDIT_LOG_LIST_LIMIT_MAX = 200;
 /** Input for `admin_account_list`. No parameters — the caller is the subject. */
-export declare const AdminAccountListInput: z.ZodNull;
+export declare const AdminAccountListInput: z.ZodVoid;
 export type AdminAccountListInput = z.infer<typeof AdminAccountListInput>;
 /** Output for `admin_account_list`. */
 export declare const AdminAccountListOutput: z.ZodObject<{
@@ -60,7 +60,7 @@ export declare const AdminAccountListOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type AdminAccountListOutput = z.infer<typeof AdminAccountListOutput>;
 /** Input for `admin_session_list`. No parameters — reads every active session. */
-export declare const AdminSessionListInput: z.ZodNull;
+export declare const AdminSessionListInput: z.ZodVoid;
 export type AdminSessionListInput = z.infer<typeof AdminSessionListInput>;
 /** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
 export declare const AdminSessionListOutput: z.ZodObject<{
@@ -183,7 +183,7 @@ export declare const InviteCreateOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type InviteCreateOutput = z.infer<typeof InviteCreateOutput>;
 /** Input for `invite_list`. */
-export declare const InviteListInput: z.ZodNull;
+export declare const InviteListInput: z.ZodVoid;
 export type InviteListInput = z.infer<typeof InviteListInput>;
 /** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
 export declare const InviteListOutput: z.ZodObject<{
@@ -211,7 +211,7 @@ export declare const InviteDeleteOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type InviteDeleteOutput = z.infer<typeof InviteDeleteOutput>;
 /** Input for `app_settings_get`. No parameters. */
-export declare const AppSettingsGetInput: z.ZodNull;
+export declare const AppSettingsGetInput: z.ZodVoid;
 export type AppSettingsGetInput = z.infer<typeof AppSettingsGetInput>;
 /** Output for `app_settings_get`. */
 export declare const AppSettingsGetOutput: z.ZodObject<{
@@ -247,7 +247,7 @@ export declare const admin_account_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         accounts: z.ZodArray<z.ZodObject<{
             account: z.ZodObject<{
@@ -294,7 +294,7 @@ export declare const admin_session_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         sessions: z.ZodArray<z.ZodObject<{
             id: z.ZodString;
@@ -454,7 +454,7 @@ export declare const invite_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         invites: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -496,7 +496,7 @@ export declare const app_settings_get_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         settings: z.ZodObject<{
             open_signup: z.ZodBoolean;

package/dist/auth/admin_action_specs.js

@@ -26,14 +26,14 @@ import { AppSettingsWithUsernameJson } from './app_settings_schema.js';
 export const AUDIT_LOG_LIST_LIMIT_MAX = 200;
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `admin_account_list`. No parameters — the caller is the subject. */
-export const AdminAccountListInput = z.null();
+export const AdminAccountListInput = z.void();
 /** Output for `admin_account_list`. */
 export const AdminAccountListOutput = z.strictObject({
     accounts: z.array(AdminAccountEntryJson),
     grantable_roles: z.array(RoleName),
 });
 /** Input for `admin_session_list`. No parameters — reads every active session. */
-export const AdminSessionListInput = z.null();
+export const AdminSessionListInput = z.void();
 /** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
 export const AdminSessionListOutput = z.strictObject({
     sessions: z.array(AdminSessionJson),
@@ -116,7 +116,7 @@ export const InviteCreateOutput = z.strictObject({
     invite: InviteJson,
 });
 /** Input for `invite_list`. */
-export const InviteListInput = z.null();
+export const InviteListInput = z.void();
 /** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
 export const InviteListOutput = z.strictObject({
     invites: z.array(InviteWithUsernamesJson),
@@ -130,7 +130,7 @@ export const InviteDeleteOutput = z.strictObject({
     ok: z.literal(true),
 });
 /** Input for `app_settings_get`. No parameters. */
-export const AppSettingsGetInput = z.null();
+export const AppSettingsGetInput = z.void();
 /** Output for `app_settings_get`. */
 export const AppSettingsGetOutput = z.strictObject({
     settings: AppSettingsWithUsernameJson,

package/dist/auth/migrations.d.ts

@@ -1,17 +1,20 @@
 /**
  * Auth schema migrations.
  *
- * Single v0 migration for the fuz identity system tables.
+ * Ordered list of `{name, up}` migrations for the fuz identity system tables.
  * Consumed by `run_migrations` with namespace `'fuz_auth'`.
  *
- * Collapsed to a single v0 for the 0.1.0 release — no production databases
- * exist, so the prior v0–v6 development iterations are consolidated.
- * Post-0.1.0, each new migration appends as v1, v2, etc.
+ * **Append-only after first publish.** Once a fuz_app version containing a
+ * given migration is published (`npm publish` / `jsr publish`), that
+ * migration's name and position are frozen. Never edit, rename, or reorder —
+ * append only. Pre-publish, anything goes; the cliff is the publish event.
+ * Body edits to a published migration slip past the runner (no content
+ * hashing) and are caught by schema-snapshot tests in consumers.
  *
  * To add a migration, append a new entry to `AUTH_MIGRATIONS`:
  *
  * ```ts
- * // v1: add display_name to account
+ * // v2: add display_name to account
  * {
  *   name: 'account_display_name',
  *   up: async (db) => {
@@ -21,8 +24,7 @@
  * ```
  *
  * Migrations are forward-only (no down). Use `IF NOT EXISTS` / `IF EXISTS`
- * for DDL safety. Named migrations (`{name, up}`) are preferred for
- * debuggability — the name appears in error messages on failure.
+ * for DDL safety. The `name` appears in error messages on failure.
  *
  * @module
  */

package/dist/auth/migrations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrations.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/migrations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AA6BH,OAAO,KAAK,EAAC,SAAS,EAAE,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEpE,wDAAwD;AACxD,eAAO,MAAM,wBAAwB,aAAa,CAAC;AAEnD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,SAAS,CA6D5C,CAAC;AAEF,wDAAwD;AACxD,eAAO,MAAM,iBAAiB,EAAE,kBAG/B,CAAC"}
+{"version":3,"file":"migrations.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/migrations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AA6BH,OAAO,KAAK,EAAC,SAAS,EAAE,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEpE,wDAAwD;AACxD,eAAO,MAAM,wBAAwB,aAAa,CAAC;AAEnD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,SAAS,CA6D5C,CAAC;AAEF,wDAAwD;AACxD,eAAO,MAAM,iBAAiB,EAAE,kBAG/B,CAAC"}

package/dist/auth/migrations.js

@@ -1,17 +1,20 @@
 /**
  * Auth schema migrations.
  *
- * Single v0 migration for the fuz identity system tables.
+ * Ordered list of `{name, up}` migrations for the fuz identity system tables.
  * Consumed by `run_migrations` with namespace `'fuz_auth'`.
  *
- * Collapsed to a single v0 for the 0.1.0 release — no production databases
- * exist, so the prior v0–v6 development iterations are consolidated.
- * Post-0.1.0, each new migration appends as v1, v2, etc.
+ * **Append-only after first publish.** Once a fuz_app version containing a
+ * given migration is published (`npm publish` / `jsr publish`), that
+ * migration's name and position are frozen. Never edit, rename, or reorder —
+ * append only. Pre-publish, anything goes; the cliff is the publish event.
+ * Body edits to a published migration slip past the runner (no content
+ * hashing) and are caught by schema-snapshot tests in consumers.
  *
  * To add a migration, append a new entry to `AUTH_MIGRATIONS`:
  *
  * ```ts
- * // v1: add display_name to account
+ * // v2: add display_name to account
  * {
  *   name: 'account_display_name',
  *   up: async (db) => {
@@ -21,8 +24,7 @@
  * ```
  *
  * Migrations are forward-only (no down). Use `IF NOT EXISTS` / `IF EXISTS`
- * for DDL safety. Named migrations (`{name, up}`) are preferred for
- * debuggability — the name appears in error messages on failure.
+ * for DDL safety. The `name` appears in error messages on failure.
  *
  * @module
  */