@fuzdev/fuz_app 0.42.0 → 0.44.0

package/dist/actions/CLAUDE.md

@@ -591,6 +591,83 @@ Cast the return to a generated `ActionsApi` interface for full typing:
 codegen via `generate_actions_api_method_signature` keeps the shape
 consistent. See ../../docs/usage.md §Typed Client Codegen.
 
+### Throwing variants — `create_throwing_rpc_call` + `create_throwing_api`
+
+Two helpers wrap a typed `create_rpc_client` Proxy so `{ok: false}` results
+throw an `Error` with `{code, message, data?}` (catch blocks read
+`err.data?.reason` — optional chaining required because JSON-RPC `data`
+is spec-level optional). Same hardening on both: only `{code, data}` cross
+onto the Error, leaving `name` / `stack` as the native Error's own so
+attacker-shaped `result.error` payloads cannot overwrite them.
+
+| Helper                     | Shape                            | Use at                                                                     |
+| -------------------------- | -------------------------------- | -------------------------------------------------------------------------- |
+| `create_throwing_rpc_call` | `(method, input?) => Promise<T>` | adapter wiring (e.g. `ui/admin_rpc_adapters.ts`) — method comes from a map |
+| `create_throwing_api`      | typed Proxy over `ActionsApi`    | direct call sites — `await api.foo(input)` keeps full inference            |
+
+**Recommended consumer convention.** The throwing form is the common
+case at call sites; the Result form is the composable escape hatch for
+sites that want to inspect `error.data.reason` without try/catch. Bind
+them as `api` (throwing wrapper) and `api_raw` (the unwrapped
+underlying, returning Results):
+
+```ts
+const api_raw = create_rpc_client({peer, environment}) as unknown as MyActionsApi;
+const api = create_throwing_api(api_raw);
+// hot path:    await api.foo(input)
+// rare branch: const r = await api_raw.foo(input); if (!r.ok) { … }
+```
+
+Composable — feed the same typed Proxy into both: the loose method-keyed
+form for adapter dispatch, the typed Proxy form for hand-written call
+sites. `ThrowingApi<TApi>` mapped type strips
+`Promise<Result<{value: T}, {error: JsonrpcErrorObject}>>` to `Promise<T>`
+on every method that matches the `request_response` / async `local_call`
+return shape; `remote_notification` (`=> void`) and sync `local_call`
+methods pass through. The Proxy implementation inspects each call's
+result shape at runtime and only unwraps when it sees a Result, so
+non-Result returns flow through unchanged.
+
+Both helpers throw `"rpc method not found: <name>"` on invocation of an
+unknown method. For `create_throwing_api` the thrower is returned from
+the Proxy get trap so `api.missing()` errors with the same clear
+message rather than the JS default `"api.missing is not a function"`.
+Symbol props and `then` stay `undefined` so the Proxy doesn't get
+probed as a thenable by `await`.
+
+### Frontend factory (`frontend_rpc_client.ts`)
+
+`create_frontend_rpc_client<TApi>({specs, path?, transports?})` bundles
+the `ActionRegistry + ActionEventEnvironment + Transports + ActionPeer +
+create_rpc_client` boilerplate every consumer repeats — plus the
+`lookup_action_handler: () => undefined` stub (frontend never registers
+`request_response` handlers; every method dispatches over the wire).
+The `as unknown as TApi` cast happens inside the helper, so call sites
+get a typed return without the cast hostility. Returns
+`{api, peer, environment}` so advanced consumers (zzz-style frontends
+needing extra transports / WS notification handlers / action-history
+wiring) can extend without recreating the bundle.
+
+Default transport is `FrontendHttpTransport(path ?? '/api/rpc')`. Pass
+`transports` for WS-first or mixed setups — when supplied, the default
+HTTP transport is **not** registered. `local_call` specs in `specs`
+silently no-op because `lookup_action_handler` always returns
+`undefined`; this factory targets wire-dispatched actions.
+
+Pair with `create_throwing_api` to land the recommended `api` /
+`api_raw` convention in two lines:
+
+```ts
+const {api: api_raw} = create_frontend_rpc_client<MyActionsApi>({
+	specs: all_standard_action_specs,
+});
+const api = create_throwing_api(api_raw);
+```
+
+`all_standard_action_specs` (in `../auth/standard_action_specs.ts`) is
+the matching aggregate spec list mirroring `create_standard_rpc_actions`
+on the backend — see `../auth/CLAUDE.md` §`standard_rpc_actions.ts`.
+
 ## Broadcast API (`broadcast_api.ts`)
 
 `create_broadcast_api({peer, specs, log?, should_deliver?})` — builds a

package/dist/actions/action_rpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CA6PtF,CAAC"}
+{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAAgC,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE9F,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAGrB,MAAM,oBAAoB,CAAC;AAW5B;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,oFAAoF;IACpF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,KACvE,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;CACZ;AA4DD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAsQtF,CAAC"}

package/dist/actions/action_rpc.js

@@ -17,7 +17,7 @@ import {} from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { get_request_context, has_role } from '../auth/request_context.js';
 import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
-import { is_null_schema } from '../http/schema_helpers.js';
+import { is_null_schema, is_void_schema } from '../http/schema_helpers.js';
 import { JSONRPC_VERSION, JsonrpcRequest, } from '../http/jsonrpc.js';
 import { jsonrpc_error_messages, jsonrpc_error_code_to_http_status, JSONRPC_ERROR_CODES, } from '../http/jsonrpc_errors.js';
 import { ERROR_INSUFFICIENT_PERMISSIONS, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN, } from '../http/error_schemas.js';
@@ -127,6 +127,9 @@ export const create_rpc_endpoint = (options) => {
         if (action_map.has(action.spec.method)) {
             throw new Error(`Duplicate RPC action method: ${action.spec.method}`);
         }
+        if (is_null_schema(action.spec.input)) {
+            throw new Error(`RPC action "${action.spec.method}" uses z.null() for input — JSON-RPC 2.0 §4.2 forbids "params": null on the wire (must be omitted or be a Structured value). Use z.void() for parameterless methods.`);
+        }
         action_map.set(action.spec.method, action);
     }
     /**
@@ -163,12 +166,16 @@ export const create_rpc_endpoint = (options) => {
             return c.json(error, jsonrpc_error_code_to_http_status(auth_error.code));
         }
         // step 4: validate params
-        // Missing `params` on the envelope maps to `null` for `z.null()` input
-        // schemas and `{}` for object inputs — matches HTTP's "empty body = empty
-        // object" convention so callers of all-optional-object RPC methods can
-        // omit `params` on the wire (JSON-RPC envelope still serializes without
-        // a `params` field; no protocol-level change).
-        const params = raw_params ?? (is_null_schema(action.spec.input) ? null : {});
+        // Missing `params` on the envelope maps to `undefined` for `z.void()`
+        // input schemas and `{}` for object inputs (matches HTTP's "empty
+        // body = empty object" convention so callers of all-optional-object
+        // RPC methods can omit `params` on the wire). JSON-RPC 2.0 §4.2
+        // forbids `params: null`, so `z.void()` is the spec-correct schema
+        // for parameterless methods — registration above rejects `z.null()`
+        // inputs to keep this branch from having to consider that legacy
+        // shape. When `raw_params` is present it flows through unchanged so
+        // contract-violating shapes still fail validation.
+        const params = is_void_schema(action.spec.input) ? raw_params : (raw_params ?? {});
         const parse_result = action.spec.input.safeParse(params);
         if (!parse_result.success) {
             const error = jsonrpc_error_response(id, jsonrpc_error_messages.invalid_params('invalid params', {

package/dist/actions/frontend_rpc_client.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Frontend-only typed RPC client factory.
+ *
+ * Bundles the `ActionRegistry + ActionEventEnvironment + Transports +
+ * ActionPeer + create_rpc_client` boilerplate every consumer repeats — plus
+ * the `lookup_action_handler: () => undefined` stub (frontend never registers
+ * `request_response` handlers; every method dispatches over the wire).
+ *
+ * Generic `TApi` is the consumer's typed Proxy interface. The `as unknown
+ * as TApi` double cast happens inside the helper so call sites get a typed
+ * return value without the cast hostility.
+ *
+ * Companion to `create_throwing_api` — typical wiring is two lines:
+ *
+ * ```ts
+ * const {api: api_raw} = create_frontend_rpc_client<MyActionsApi>({specs: all_specs});
+ * const api = create_throwing_api(api_raw);
+ * ```
+ *
+ * Returns the underlying `peer` and `environment` alongside `api` so
+ * advanced consumers (zzz-style frontends needing extra transports / WS
+ * notification handlers / action-history wiring) can extend without
+ * recreating the bundle.
+ *
+ * Note: `local_call` specs in `specs` will silently no-op because
+ * `lookup_action_handler` always returns `undefined` — the frontend
+ * factory is for wire-dispatched actions. Frontend-side `local_call`
+ * needs a different wiring shape (custom `environment.lookup_action_handler`).
+ *
+ * @module
+ */
+import { ActionPeer } from './action_peer.js';
+import { type Transport } from './transports.js';
+import type { ActionEventEnvironment } from './action_event_types.js';
+import type { ActionSpecUnion } from './action_spec.js';
+/** Options for `create_frontend_rpc_client`. */
+export interface CreateFrontendRpcClientOptions {
+    /**
+     * Action specs the typed Proxy can dispatch. Methods absent from this
+     * list silently return `undefined` from the Proxy — the generic `TApi`
+     * cannot constrain runtime membership, so consumers must keep this list
+     * in sync with the typed surface (codegen recommended).
+     */
+    specs: ReadonlyArray<ActionSpecUnion>;
+    /**
+     * HTTP RPC endpoint path for the default `FrontendHttpTransport`.
+     * Defaults to `/api/rpc`. Ignored when `transports` is provided.
+     */
+    path?: string;
+    /**
+     * Optional explicit transport list. When provided, the default
+     * `FrontendHttpTransport(path)` is **not** registered — the caller is
+     * responsible for at least one ready transport. Use for WS-first or
+     * WS+HTTP mixed setups.
+     */
+    transports?: ReadonlyArray<Transport>;
+}
+/** Bundle returned by `create_frontend_rpc_client`. */
+export interface FrontendRpcClient<TApi> {
+    /** Typed Proxy — call `api.method(input)` for `Promise<Result<...>>`. */
+    api: TApi;
+    /** Underlying peer — exposed for consumers that need to register more transports or send raw messages. */
+    peer: ActionPeer;
+    /** Action environment — exposed for consumers that need to share it (e.g. attach a notification handler registry). */
+    environment: ActionEventEnvironment;
+}
+/**
+ * Build a frontend-only typed RPC client.
+ *
+ * @param options - `specs` (required), optional `path` / `transports`
+ * @returns `{api, peer, environment}` — typed Proxy plus the underlying primitives
+ */
+export declare const create_frontend_rpc_client: <TApi>(options: CreateFrontendRpcClientOptions) => FrontendRpcClient<TApi>;
+//# sourceMappingURL=frontend_rpc_client.d.ts.map

package/dist/actions/frontend_rpc_client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"frontend_rpc_client.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/frontend_rpc_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAGH,OAAO,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAa,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAG3D,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AACpE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAEtD,gDAAgD;AAChD,MAAM,WAAW,8BAA8B;IAC9C;;;;;OAKG;IACH,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IACtC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;;OAKG;IACH,UAAU,CAAC,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;CACtC;AAED,uDAAuD;AACvD,MAAM,WAAW,iBAAiB,CAAC,IAAI;IACtC,yEAAyE;IACzE,GAAG,EAAE,IAAI,CAAC;IACV,0GAA0G;IAC1G,IAAI,EAAE,UAAU,CAAC;IACjB,sHAAsH;IACtH,WAAW,EAAE,sBAAsB,CAAC;CACpC;AAED;;;;;GAKG;AACH,eAAO,MAAM,0BAA0B,GAAI,IAAI,EAC9C,SAAS,8BAA8B,KACrC,iBAAiB,CAAC,IAAI,CAgBxB,CAAC"}

package/dist/actions/frontend_rpc_client.js

@@ -0,0 +1,61 @@
+/**
+ * Frontend-only typed RPC client factory.
+ *
+ * Bundles the `ActionRegistry + ActionEventEnvironment + Transports +
+ * ActionPeer + create_rpc_client` boilerplate every consumer repeats — plus
+ * the `lookup_action_handler: () => undefined` stub (frontend never registers
+ * `request_response` handlers; every method dispatches over the wire).
+ *
+ * Generic `TApi` is the consumer's typed Proxy interface. The `as unknown
+ * as TApi` double cast happens inside the helper so call sites get a typed
+ * return value without the cast hostility.
+ *
+ * Companion to `create_throwing_api` — typical wiring is two lines:
+ *
+ * ```ts
+ * const {api: api_raw} = create_frontend_rpc_client<MyActionsApi>({specs: all_specs});
+ * const api = create_throwing_api(api_raw);
+ * ```
+ *
+ * Returns the underlying `peer` and `environment` alongside `api` so
+ * advanced consumers (zzz-style frontends needing extra transports / WS
+ * notification handlers / action-history wiring) can extend without
+ * recreating the bundle.
+ *
+ * Note: `local_call` specs in `specs` will silently no-op because
+ * `lookup_action_handler` always returns `undefined` — the frontend
+ * factory is for wire-dispatched actions. Frontend-side `local_call`
+ * needs a different wiring shape (custom `environment.lookup_action_handler`).
+ *
+ * @module
+ */
+import { ActionRegistry } from './action_registry.js';
+import { ActionPeer } from './action_peer.js';
+import { Transports } from './transports.js';
+import { FrontendHttpTransport } from './transports_http.js';
+import { create_rpc_client } from './rpc_client.js';
+/**
+ * Build a frontend-only typed RPC client.
+ *
+ * @param options - `specs` (required), optional `path` / `transports`
+ * @returns `{api, peer, environment}` — typed Proxy plus the underlying primitives
+ */
+export const create_frontend_rpc_client = (options) => {
+    const registry = new ActionRegistry([...options.specs]);
+    const environment = {
+        executor: 'frontend',
+        lookup_action_spec: (method) => registry.spec_by_method.get(method),
+        lookup_action_handler: () => undefined,
+    };
+    const transports = new Transports();
+    if (options.transports) {
+        for (const t of options.transports)
+            transports.register_transport(t);
+    }
+    else {
+        transports.register_transport(new FrontendHttpTransport(options.path ?? '/api/rpc'));
+    }
+    const peer = new ActionPeer({ environment, transports });
+    const api = create_rpc_client({ peer, environment });
+    return { api, peer, environment };
+};

package/dist/actions/rpc_client.d.ts

@@ -9,10 +9,12 @@
  *
  * @module
  */
+import type { Result } from '@fuzdev/fuz_util/result.js';
 import type { ActionEventEnvironment } from './action_event_types.js';
 import type { ActionPeer, ActionPeerSendOptions } from './action_peer.js';
 import type { ActionEventDataUnion } from './action_event_data.js';
 import type { TransportName } from './transports.js';
+import type { JsonrpcErrorObject } from '../http/jsonrpc.js';
 /**
  * Optional per-method transport selector. Return the transport to use for a
  * given method, or `undefined` to let the peer pick via its fallback rules.
@@ -113,4 +115,66 @@ export type ThrowingRpcCall = <TOutput = unknown>(method: string, input?: unknow
  *   notably the consumer's generated `ActionsApi` interface)
  */
 export declare const create_throwing_rpc_call: <TApi extends Record<keyof TApi, (input?: any) => Promise<any> | void>>(api: TApi) => ThrowingRpcCall;
+/**
+ * Maps a typed `ActionsApi` to a throwing variant.
+ *
+ * For each method whose return type matches the `create_rpc_client` shape
+ * (`Promise<Result<{value: T}, {error: JsonrpcErrorObject}>>`), the wrapped
+ * method returns `Promise<T>` directly. Other shapes (notifications typed
+ * as `=> void`, sync `local_call` methods) pass through unchanged — there
+ * is nothing to unwrap.
+ *
+ * Input + options parameters are preserved verbatim so generics, branded
+ * Uuids, and per-call `RpcClientCallOptions` keep working.
+ */
+export type ThrowingApi<TApi> = {
+    [K in keyof TApi]: TApi[K] extends (input?: infer TInput, options?: infer TOptions) => Promise<Result<{
+        value: infer TValue;
+    }, {
+        error: JsonrpcErrorObject;
+    }>> ? (input?: TInput, options?: TOptions) => Promise<TValue> : TApi[K];
+};
+/**
+ * Wrap a typed RPC client so every call resolves to its unwrapped value or
+ * throws an `Error` carrying the JSON-RPC `{code, message, data?}` shape.
+ *
+ * Implementation is a Proxy because the underlying `create_rpc_client`
+ * return is itself a Proxy with no concrete keys — a key-by-key wrap would
+ * need to enumerate the typed surface, which only the consumer's generated
+ * `ActionsApi` interface knows.
+ *
+ * Pass-through on non-Result returns is deliberate: sync `local_call`
+ * Proxy methods return values directly (see `create_sync_local_call_method`
+ * above). The Proxy can't distinguish those at get-time, so the wrapper
+ * inspects `result` shape at call-time and only unwraps when it sees a
+ * Result. Non-object returns pass through unchanged.
+ *
+ * Only `{code, data}` cross onto the thrown Error — `name` / `stack` are
+ * left as the Error's own properties so attacker-shaped `result.error`
+ * payloads cannot overwrite them. Same hardening as
+ * `create_throwing_rpc_call`.
+ *
+ * Composable with `create_throwing_rpc_call` — same typed underlying
+ * client feeds both: the Proxy form for direct call sites, the loose
+ * method-keyed form for adapter wiring (`ui/admin_rpc_adapters.ts`).
+ *
+ * Recommended consumer convention: bind the throwing wrapper to `api`
+ * (the common case at call sites) and the underlying Result-returning
+ * Proxy to `api_raw` (the composable escape hatch for callers that
+ * want to inspect `error.data.reason` without try/catch).
+ *
+ * Catch blocks read `err.data?.reason` — optional chaining required
+ * because JSON-RPC `data` is spec-level optional.
+ *
+ * On unknown string-keyed methods, the get trap returns a function that
+ * throws `"rpc method not found: <prop>"` on invocation — symmetric with
+ * `create_throwing_rpc_call` and clearer than the JS default
+ * `"api.foo is not a function"`. Symbol props and `then` stay
+ * undefined so the Proxy isn't accidentally treated as a thenable
+ * (`await api` would otherwise probe `then` and trip the thrower).
+ *
+ * @param api_raw - typed RPC client from `create_rpc_client`, cast
+ *   to a consumer-generated `ActionsApi` interface
+ */
+export declare const create_throwing_api: <TApi extends object>(api_raw: TApi) => ThrowingApi<TApi>;
 //# sourceMappingURL=rpc_client.d.ts.map

package/dist/actions/rpc_client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rpc_client.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/rpc_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAOpE,OAAO,KAAK,EAAC,UAAU,EAAE,qBAAqB,EAAC,MAAM,kBAAkB,CAAC;AACxE,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,wBAAwB,CAAC;AACjE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,iBAAiB,CAAC;AAGnD;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,aAAa,GAAG,SAAS,CAAC;AAM/E,8EAA8E;AAC9E,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,CAAC,IAAI,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,oBAAoB,CAAA;KAAC,KAC5E;QACA,sBAAsB,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;KAC5C,GACD,SAAS,CAAC;CACb;AAED,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,sBAAsB,CAAC;IACpC,kEAAkE;IAClE,OAAO,CAAC,EAAE,sBAAsB,CAAC;IACjC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAgB7C,CAAC;AA2DF;;;;;GAKG;AACH,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;CAAG;AAgItE;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,GAAG,OAAO,EAC/C,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,OAAO,KACX,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,eAAO,MAAM,wBAAwB,GACpC,IAAI,SAAS,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAErE,KAAK,IAAI,KACP,eAcF,CAAC"}
+{"version":3,"file":"rpc_client.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/rpc_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,4BAA4B,CAAC;AAQvD,OAAO,KAAK,EAAC,sBAAsB,EAAC,MAAM,yBAAyB,CAAC;AAOpE,OAAO,KAAK,EAAC,UAAU,EAAE,qBAAqB,EAAC,MAAM,kBAAkB,CAAC;AACxE,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,wBAAwB,CAAC;AACjE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,iBAAiB,CAAC;AAEnD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AAE3D;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,MAAM,KAAK,aAAa,GAAG,SAAS,CAAC;AAM/E,8EAA8E;AAC9E,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,CAAC,IAAI,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,oBAAoB,CAAA;KAAC,KAC5E;QACA,sBAAsB,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;KAC5C,GACD,SAAS,CAAC;CACb;AAED,uCAAuC;AACvC,MAAM,WAAW,sBAAsB;IACtC,IAAI,EAAE,UAAU,CAAC;IACjB,WAAW,EAAE,sBAAsB,CAAC;IACpC,kEAAkE;IAClE,OAAO,CAAC,EAAE,sBAAsB,CAAC;IACjC;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,SAAS,sBAAsB,KAC7B,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAgB7C,CAAC;AA2DF;;;;;GAKG;AACH,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;CAAG;AAgItE;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,GAAG,OAAO,EAC/C,MAAM,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,OAAO,KACX,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,eAAO,MAAM,wBAAwB,GACpC,IAAI,SAAS,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,EAErE,KAAK,IAAI,KACP,eAcF,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,WAAW,CAAC,IAAI,IAAI;KAC9B,CAAC,IAAI,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAClC,KAAK,CAAC,EAAE,MAAM,MAAM,EACpB,OAAO,CAAC,EAAE,MAAM,QAAQ,KACpB,OAAO,CAAC,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,MAAM,CAAA;KAAC,EAAE;QAAC,KAAK,EAAE,kBAAkB,CAAA;KAAC,CAAC,CAAC,GACrE,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,KAAK,OAAO,CAAC,MAAM,CAAC,GACvD,IAAI,CAAC,CAAC,CAAC;CACV,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,eAAO,MAAM,mBAAmB,GAAI,IAAI,SAAS,MAAM,EAAE,SAAS,IAAI,KAAG,WAAW,CAAC,IAAI,CA8BxF,CAAC"}

package/dist/actions/rpc_client.js

@@ -222,3 +222,80 @@ export const create_throwing_rpc_call = (api) => {
         return result.value;
     };
 };
+/**
+ * Wrap a typed RPC client so every call resolves to its unwrapped value or
+ * throws an `Error` carrying the JSON-RPC `{code, message, data?}` shape.
+ *
+ * Implementation is a Proxy because the underlying `create_rpc_client`
+ * return is itself a Proxy with no concrete keys — a key-by-key wrap would
+ * need to enumerate the typed surface, which only the consumer's generated
+ * `ActionsApi` interface knows.
+ *
+ * Pass-through on non-Result returns is deliberate: sync `local_call`
+ * Proxy methods return values directly (see `create_sync_local_call_method`
+ * above). The Proxy can't distinguish those at get-time, so the wrapper
+ * inspects `result` shape at call-time and only unwraps when it sees a
+ * Result. Non-object returns pass through unchanged.
+ *
+ * Only `{code, data}` cross onto the thrown Error — `name` / `stack` are
+ * left as the Error's own properties so attacker-shaped `result.error`
+ * payloads cannot overwrite them. Same hardening as
+ * `create_throwing_rpc_call`.
+ *
+ * Composable with `create_throwing_rpc_call` — same typed underlying
+ * client feeds both: the Proxy form for direct call sites, the loose
+ * method-keyed form for adapter wiring (`ui/admin_rpc_adapters.ts`).
+ *
+ * Recommended consumer convention: bind the throwing wrapper to `api`
+ * (the common case at call sites) and the underlying Result-returning
+ * Proxy to `api_raw` (the composable escape hatch for callers that
+ * want to inspect `error.data.reason` without try/catch).
+ *
+ * Catch blocks read `err.data?.reason` — optional chaining required
+ * because JSON-RPC `data` is spec-level optional.
+ *
+ * On unknown string-keyed methods, the get trap returns a function that
+ * throws `"rpc method not found: <prop>"` on invocation — symmetric with
+ * `create_throwing_rpc_call` and clearer than the JS default
+ * `"api.foo is not a function"`. Symbol props and `then` stay
+ * undefined so the Proxy isn't accidentally treated as a thenable
+ * (`await api` would otherwise probe `then` and trip the thrower).
+ *
+ * @param api_raw - typed RPC client from `create_rpc_client`, cast
+ *   to a consumer-generated `ActionsApi` interface
+ */
+export const create_throwing_api = (api_raw) => {
+    return new Proxy(api_raw, {
+        get(target, prop) {
+            const fn = target[prop];
+            if (typeof fn === 'function') {
+                return async (...args) => {
+                    const result = await fn.apply(target, args);
+                    if (result === null || typeof result !== 'object')
+                        return result;
+                    const r = result;
+                    if (r.ok === true)
+                        return r.value;
+                    if (r.ok === false && r.error && typeof r.error === 'object') {
+                        const e = r.error;
+                        throw Object.assign(new Error(e.message), {
+                            code: e.code,
+                            data: e.data,
+                        });
+                    }
+                    return result;
+                };
+            }
+            if (fn !== undefined)
+                return fn;
+            // Underlying api has no member by this name. Symbol props and
+            // `then` must stay undefined — `await tapi` reads `then` and
+            // would otherwise trip the thrower.
+            if (typeof prop !== 'string' || prop === 'then')
+                return undefined;
+            return () => {
+                throw new Error(`rpc method not found: ${prop}`);
+            };
+        },
+    });
+};

package/dist/auth/CLAUDE.md

@@ -845,16 +845,16 @@ auth per-spec, so mixed-auth endpoints compose cleanly.
 
 | Spec                                   | Side effects | Input                                                     | Output                        |
 | -------------------------------------- | ------------ | --------------------------------------------------------- | ----------------------------- |
-| `admin_account_list_action_spec`       | false        | `z.null()`                                                | `{accounts, grantable_roles}` |
-| `admin_session_list_action_spec`       | false        | `z.null()`                                                | `{sessions}`                  |
+| `admin_account_list_action_spec`       | false        | `z.void()`                                                | `{accounts, grantable_roles}` |
+| `admin_session_list_action_spec`       | false        | `z.void()`                                                | `{sessions}`                  |
 | `admin_session_revoke_all_action_spec` | true         | `{account_id}`                                            | `{ok, count}`                 |
 | `admin_token_revoke_all_action_spec`   | true         | `{account_id}`                                            | `{ok, count}`                 |
 | `audit_log_list_action_spec`           | false        | `{event_type?, account_id?, limit?, offset?, since_seq?}` | `{events}`                    |
 | `audit_log_permit_history_action_spec` | false        | `{limit?, offset?}`                                       | `{events}`                    |
 | `invite_create_action_spec`            | true         | `{email?, username?}`                                     | `{ok, invite}`                |
-| `invite_list_action_spec`              | false        | `z.null()`                                                | `{invites}`                   |
+| `invite_list_action_spec`              | false        | `z.void()`                                                | `{invites}`                   |
 | `invite_delete_action_spec`            | true         | `{invite_id}`                                             | `{ok}`                        |
-| `app_settings_get_action_spec`         | false        | `z.null()`                                                | `{settings}`                  |
+| `app_settings_get_action_spec`         | false        | `z.void()`                                                | `{settings}`                  |
 | `app_settings_update_action_spec`      | true         | `{open_signup}`                                           | `{ok, settings}`              |
 
 `AUDIT_LOG_LIST_LIMIT_MAX = 200` — page size clamp (mirrors the former REST
@@ -1039,6 +1039,14 @@ the admin integration suite exercises `account_token_create` /
 consumer wiring the admin surface without account actions will hit
 `method not found` on first admin-suite run.
 
+Frontend mirror: `all_standard_action_specs` (in
+`./standard_action_specs.ts`) bundles `all_admin_action_specs +
+all_permit_offer_action_specs + all_account_action_specs` into one
+`ReadonlyArray<RequestResponseActionSpec>` for typed-client codegen
+and `create_frontend_rpc_client({specs})` wiring. Self-service role
+specs are not included (opt-in, app-specific `eligible_roles`) —
+spread `all_self_service_role_action_specs` separately when needed.
+
 ### `account_action_specs.ts` + `account_actions.ts` — seven self-service RPC actions
 
 Counterpart to `account_routes.ts`. Cookie-lifecycle flows (`login`,
@@ -1058,12 +1066,12 @@ exists.
 
 | Spec                                     | Side effects | Input          | Output                  |
 | ---------------------------------------- | ------------ | -------------- | ----------------------- |
-| `account_verify_action_spec`             | false        | `z.null()`     | `SessionAccountJson`    |
-| `account_session_list_action_spec`       | false        | `z.null()`     | `{sessions}`            |
+| `account_verify_action_spec`             | false        | `z.void()`     | `SessionAccountJson`    |
+| `account_session_list_action_spec`       | false        | `z.void()`     | `{sessions}`            |
 | `account_session_revoke_action_spec`     | true         | `{session_id}` | `{ok, revoked}`         |
-| `account_session_revoke_all_action_spec` | true         | `z.null()`     | `{ok, count}`           |
+| `account_session_revoke_all_action_spec` | true         | `z.void()`     | `{ok, count}`           |
 | `account_token_create_action_spec`       | true         | `{name?}`      | `{ok, token, id, name}` |
-| `account_token_list_action_spec`         | false        | `z.null()`     | `{tokens}`              |
+| `account_token_list_action_spec`         | false        | `z.void()`     | `{tokens}`              |
 | `account_token_revoke_action_spec`       | true         | `{token_id}`   | `{ok, revoked}`         |
 
 `session_id` validates as `Blake3Hash`; `token_id` validates as
@@ -1084,15 +1092,17 @@ registry of all seven specs.
 ### `self_service_role_action_specs.ts` + `self_service_role_actions.ts` — opt-in self-service role toggle
 
 Same split as the other registries: `*_action_specs.ts` holds the input/output
-Zod schemas, the two `satisfies RequestResponseActionSpec` literals, the
+Zod schemas, the `satisfies RequestResponseActionSpec` literal, the
 `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE` reason constant, and the
 `all_self_service_role_action_specs` registry — all client-safe. The
-`*_actions.ts` factory imports the specs and pairs them with handlers.
-
-Two static `request_response` actions — `self_service_role_grant` and
-`self_service_role_revoke` — that take `{role}` as input and toggle a
-global permit on the caller. Both are idempotent: `granted: false` when
-the caller already holds the role, `revoked: false` when they don't.
+`*_actions.ts` factory imports the spec and pairs it with the handler.
+
+One static `request_response` action — `self_service_role_set` — that
+takes `{role, enabled: boolean}` and toggles a global permit on the
+caller. Idempotent in both directions: `changed: false` when the
+post-call state already matched the request (already-held when
+enabling; not-held when disabling). Output is `{ok, enabled, changed}` —
+`enabled` echoes the post-call state for self-describing responses.
 Audit metadata carries `self_service: true` so admin reviewers can
 distinguish self-toggled permits from admin grants/offers. The
 `permit_grant` / `permit_revoke` metadata schemas declare
@@ -1100,7 +1110,7 @@ distinguish self-toggled permits from admin grants/offers. The
 part of the documented surface rather than riding on `z.looseObject`
 permissiveness.
 
-Method names are static — `role` lives in the input, not the method
+Method name is static — `role` lives in the input, not the method
 name. Mirrors the `permit_offer_create({role})` precedent. Per-role
 parameterized methods would break the `satisfies RequestResponseActionSpec`
 codegen invariant and grow the surface linearly per role.
@@ -1110,14 +1120,15 @@ codegen invariant and grow the surface linearly per role.
 - `eligible_roles: ReadonlyArray<string>` — required allowlist. Roles
   outside the list are rejected with `forbidden` + reason
   `role_not_self_service_eligible` (exported as
-  `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE`).
+  `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE`). The eligibility check fires
+  before the `enabled` branch — same rejection regardless of direction.
 - `roles?: RoleSchemaResult` — optional. When supplied, every entry in
   `eligible_roles` is checked against `roles.role_options` at factory
   time so typos throw at startup instead of at first call.
 
-Grant path uses `query_permit_has_role` for a benign-TOCTOU pre-check
+Grant branch uses `query_permit_has_role` for a benign-TOCTOU pre-check
 (distinguishes new grant from idempotent re-grant), then
-`query_grant_permit` for the actual insert. Revoke path filters
+`query_grant_permit` for the actual insert. Revoke branch filters
 `query_permit_find_active_for_actor` in JS for the matching
 `(actor, role, scope_id IS NULL)` row before calling
 `query_revoke_permit`. Bundle is **not** included in
@@ -1126,8 +1137,8 @@ spread alongside the standard bundle when needed.
 
 Deps: `SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>`.
 
-`all_self_service_role_action_specs: Array<RequestResponseActionSpec>` —
-codegen-ready registry of both specs.
+`all_self_service_role_action_specs: ReadonlyArray<RequestResponseActionSpec>` —
+codegen-ready registry of the single unified spec.
 
 ## Cleanup
 

package/dist/auth/account_action_specs.d.ts

@@ -10,10 +10,10 @@
 import { z } from 'zod';
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Input for `account_verify`. No parameters — the caller is the subject. */
-export declare const VerifyInput: z.ZodNull;
+export declare const VerifyInput: z.ZodVoid;
 export type VerifyInput = z.infer<typeof VerifyInput>;
 /** Input for `account_session_list`. No parameters. */
-export declare const SessionListInput: z.ZodNull;
+export declare const SessionListInput: z.ZodVoid;
 export type SessionListInput = z.infer<typeof SessionListInput>;
 /** Output for `account_session_list`. */
 export declare const SessionListOutput: z.ZodObject<{
@@ -38,7 +38,7 @@ export declare const SessionRevokeOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type SessionRevokeOutput = z.infer<typeof SessionRevokeOutput>;
 /** Input for `account_session_revoke_all`. No parameters. */
-export declare const SessionRevokeAllInput: z.ZodNull;
+export declare const SessionRevokeAllInput: z.ZodVoid;
 export type SessionRevokeAllInput = z.infer<typeof SessionRevokeAllInput>;
 /** Output for `account_session_revoke_all`. */
 export declare const SessionRevokeAllOutput: z.ZodObject<{
@@ -60,7 +60,7 @@ export declare const TokenCreateOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type TokenCreateOutput = z.infer<typeof TokenCreateOutput>;
 /** Input for `account_token_list`. No parameters. */
-export declare const TokenListInput: z.ZodNull;
+export declare const TokenListInput: z.ZodVoid;
 export type TokenListInput = z.infer<typeof TokenListInput>;
 /** Output for `account_token_list`. Hashes are excluded. */
 export declare const TokenListOutput: z.ZodObject<{
@@ -92,7 +92,7 @@ export declare const account_verify_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         username: z.ZodString;
@@ -109,7 +109,7 @@ export declare const account_session_list_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         sessions: z.ZodArray<z.ZodObject<{
             id: z.ZodString;
@@ -144,7 +144,7 @@ export declare const account_session_revoke_all_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: true;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
         count: z.ZodNumber;
@@ -176,7 +176,7 @@ export declare const account_token_list_action_spec: {
     initiator: "frontend";
     auth: "authenticated";
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         tokens: z.ZodArray<z.ZodObject<{
             id: z.ZodString;