@fuzdev/fuz_app 0.49.0 → 0.51.0

package/dist/actions/protocol.js

@@ -0,0 +1,46 @@
+/**
+ * Canonical bundles of fuz_app's protocol actions — `heartbeat` and
+ * `cancel`. Spread these into consumer registrations on both sides of the
+ * wire so the registries stay symmetric without per-consumer plumbing.
+ *
+ * Protocol actions are wire-protocol concerns (liveness, abort) shipped by
+ * fuz_app, not consumer domain logic. The split is intentional: the server
+ * needs `{spec, handler}` tuples to drive dispatch; the frontend
+ * `ActionRegistry` only stores specs. The codegen
+ * `include_protocol_actions: false` default (in `actions/action_codegen.ts`) is the
+ * third leg of this contract — protocol actions are excluded from
+ * generated typed surfaces because consumers spread them in at
+ * registration time.
+ *
+ * Adding a future protocol action (e.g. clock-skew probe, reconnect-resume
+ * token) means appending to these arrays in one place; no consumer
+ * migration required.
+ *
+ * @module
+ */
+import { cancel_action } from './cancel.js';
+import { heartbeat_action } from './heartbeat.js';
+/**
+ * Canonical protocol `{spec, handler}` tuples for the server's
+ * `register_action_ws` `actions` array. Spread before consumer-owned actions
+ * so disconnect detection and per-request cancel work uniformly:
+ *
+ * ```ts
+ * register_action_ws({actions: [...protocol_actions, ...consumer_actions], ...})
+ * ```
+ */
+export const protocol_actions = [heartbeat_action, cancel_action];
+/**
+ * Canonical protocol specs for `ActionRegistry` construction on the
+ * frontend. Spread before consumer-owned specs so dispatcher-owned methods
+ * are present in the lookup map even though codegen excludes them from the
+ * generated `action_specs` array:
+ *
+ * ```ts
+ * new ActionRegistry([...protocol_action_specs, ...action_specs])
+ * ```
+ *
+ * Derived from `protocol_actions` so a future protocol action lands in one
+ * place — the two arrays cannot drift.
+ */
+export const protocol_action_specs = protocol_actions.map((a) => a.spec);

package/dist/actions/register_action_ws.d.ts

@@ -2,7 +2,7 @@
  * WebSocket JSON-RPC dispatch — the low-level WS transport binding.
  *
  * Most consumers should mount WS endpoints via `register_ws_endpoint`
- * (`./register_ws_endpoint.js`), which wraps this function with the standard
+ * (`actions/register_ws_endpoint.ts`), which wraps this function with the standard
  * upgrade stack (origin check + auth + optional role). This module stays
  * exported as the lower-level entry point for tests that drive the
  * dispatcher directly via `create_ws_test_harness`.
@@ -97,8 +97,9 @@ export interface RegisterActionWsOptions<TCtx extends BaseHandlerContext> {
      * The actions registered on this endpoint — each carries a spec (drives
      * method lookup, per-action auth, input/output validation) and an
      * optional handler (omit for client-only specs like inbound
-     * notifications). Include the shared `heartbeat_action` here to
-     * complete the disconnect-detection pairing with the frontend client.
+     * notifications). Spread `protocol_actions` from `actions/protocol.ts`
+     * here to complete the disconnect-detection + per-request cancel
+     * pairing with the frontend client.
      */
     actions: ReadonlyArray<Action<TCtx>>;
     /**
@@ -156,7 +157,7 @@ export interface RegisterActionWsResult {
  * - Per-action auth: `public` / `authenticated` pass through (upgrade auth
  *   already verified identity); `keeper` requires `daemon_token` credential
  *   type *and* the keeper role; role-based `{role}` requires the named role
- *   via `has_role`, matching the HTTP path in `action_rpc.ts`.
+ *   via `has_role`, matching the HTTP path in `actions/action_rpc.ts`.
  * - DEV mode validates handler output against the spec's `output` schema and
  *   warns on mismatches.
  *

package/dist/actions/register_action_ws.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAGH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAiBjD,OAAO,EAAC,KAAK,MAAM,EAAE,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,mBAAmB,CAAC;AAG7F,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAE9F,YAAY,EAAC,MAAM,EAAE,kBAAkB,EAAE,eAAe,EAAC,CAAC;AAE1D,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB,CAAC,IAAI,SAAS,kBAAkB;IACvE,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;OAMG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACrC;;;;;OAKG;IACH,cAAc,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/D;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpE;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB,GAAI,IAAI,SAAS,kBAAkB,EACjE,SAAS,uBAAuB,CAAC,IAAI,CAAC,KACpC,sBA8WF,CAAC"}
+{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAGH,OAAO,KAAK,EAAC,OAAO,EAAE,IAAI,EAAC,MAAM,MAAM,CAAC;AACxC,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAiBjD,OAAO,EAAC,KAAK,MAAM,EAAE,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,mBAAmB,CAAC;AAG7F,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAE9F,YAAY,EAAC,MAAM,EAAE,kBAAkB,EAAE,eAAe,EAAC,CAAC;AAE1D,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB,CAAC,IAAI,SAAS,kBAAkB;IACvE,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;;OAOG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACrC;;;;;OAKG;IACH,cAAc,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/D;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpE;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB,GAAI,IAAI,SAAS,kBAAkB,EACjE,SAAS,uBAAuB,CAAC,IAAI,CAAC,KACpC,sBA8WF,CAAC"}

package/dist/actions/register_action_ws.js

@@ -2,7 +2,7 @@
  * WebSocket JSON-RPC dispatch — the low-level WS transport binding.
  *
  * Most consumers should mount WS endpoints via `register_ws_endpoint`
- * (`./register_ws_endpoint.js`), which wraps this function with the standard
+ * (`actions/register_ws_endpoint.ts`), which wraps this function with the standard
  * upgrade stack (origin check + auth + optional role). This module stays
  * exported as the lower-level entry point for tests that drive the
  * dispatcher directly via `create_ws_test_harness`.
@@ -55,7 +55,7 @@ export const DEFAULT_SERVER_HEARTBEAT_TIMEOUT = 60_000;
  * - Per-action auth: `public` / `authenticated` pass through (upgrade auth
  *   already verified identity); `keeper` requires `daemon_token` credential
  *   type *and* the keeper role; role-based `{role}` requires the named role
- *   via `has_role`, matching the HTTP path in `action_rpc.ts`.
+ *   via `has_role`, matching the HTTP path in `actions/action_rpc.ts`.
  * - DEV mode validates handler output against the spec's `output` schema and
  *   warns on mismatches.
  *

package/dist/auth/account_action_specs.d.ts

@@ -2,7 +2,7 @@
  * Account RPC action specs — declarative contract for self-service account
  * operations. Import this module for the specs, Input/Output schemas, and
  * the `all_account_action_specs` registry. Handlers live in
- * `./account_actions.js` so consumers doing typed-client codegen or surface
+ * `auth/account_actions.ts` so consumers doing typed-client codegen or surface
  * reporting don't transitively drag in server-only query code.
  *
  * @module

package/dist/auth/account_action_specs.js

@@ -2,7 +2,7 @@
  * Account RPC action specs — declarative contract for self-service account
  * operations. Import this module for the specs, Input/Output schemas, and
  * the `all_account_action_specs` registry. Handlers live in
- * `./account_actions.js` so consumers doing typed-client codegen or surface
+ * `auth/account_actions.ts` so consumers doing typed-client codegen or surface
  * reporting don't transitively drag in server-only query code.
  *
  * @module

package/dist/auth/account_actions.d.ts

@@ -9,14 +9,14 @@
  * - API token management: `account_token_create`, `account_token_list`,
  *   `account_token_revoke`.
  *
- * The action specs themselves live in `./account_action_specs.js`. Every spec
+ * The action specs themselves live in `auth/account_action_specs.ts`. Every spec
  * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
  * handler runs. Revoke operations are account-scoped (via
  * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
  * so passing another account's session or token id returns `revoked: false`
  * rather than revealing whether the id exists.
  *
- * Counterpart to `account_routes.ts`, which keeps the cookie-lifecycle flows
+ * Counterpart to `auth/account_routes.ts`, which keeps the cookie-lifecycle flows
  * (`login`, `logout`, `password`, `signup`, `bootstrap`) on REST.
  *
  * @module

package/dist/auth/account_actions.js

@@ -9,14 +9,14 @@
  * - API token management: `account_token_create`, `account_token_list`,
  *   `account_token_revoke`.
  *
- * The action specs themselves live in `./account_action_specs.js`. Every spec
+ * The action specs themselves live in `auth/account_action_specs.ts`. Every spec
  * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
  * handler runs. Revoke operations are account-scoped (via
  * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
  * so passing another account's session or token id returns `revoked: false`
  * rather than revealing whether the id exists.
  *
- * Counterpart to `account_routes.ts`, which keeps the cookie-lifecycle flows
+ * Counterpart to `auth/account_routes.ts`, which keeps the cookie-lifecycle flows
  * (`login`, `logout`, `password`, `signup`, `bootstrap`) on REST.
  *
  * @module

package/dist/auth/account_routes.d.ts

@@ -4,7 +4,7 @@
  * Returns `RouteSpec[]` — caller applies them to Hono via `apply_route_specs`.
  *
  * Four REST flows remain here; each has a concrete reason to stay REST
- * rather than moving to `account_actions.ts`:
+ * rather than moving to `auth/account_actions.ts`:
  *
  * - `POST /login` — issues a signed `Set-Cookie` and pre-handler rate-limits
  *   by IP + per-canonical-account before password hashing.
@@ -15,7 +15,7 @@
  *   callers should use the `account_verify` RPC action for the typed payload.
  *
  * Session listing/revocation and API token CRUD are on the RPC endpoint —
- * see `account_actions.ts`. Signup is in `signup_routes.ts`. Defaults are
+ * see `auth/account_actions.ts`. Signup is in `auth/signup_routes.ts`. Defaults are
  * closed/safe: accounts are created through bootstrap, admin action, or
  * invite.
  *
@@ -184,7 +184,7 @@ export type PasswordChangeOutput = z.infer<typeof PasswordChangeOutput>;
  *
  * The returned specs cover the three flows that stay REST after the RPC
  * migration (login, logout, password change). Self-service session/token
- * management and verify are on `account_actions.ts`.
+ * management and verify are on `auth/account_actions.ts`.
  *
  * @param deps - stateless capabilities (keyring, password, log)
  * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)

package/dist/auth/account_routes.js

@@ -4,7 +4,7 @@
  * Returns `RouteSpec[]` — caller applies them to Hono via `apply_route_specs`.
  *
  * Four REST flows remain here; each has a concrete reason to stay REST
- * rather than moving to `account_actions.ts`:
+ * rather than moving to `auth/account_actions.ts`:
  *
  * - `POST /login` — issues a signed `Set-Cookie` and pre-handler rate-limits
  *   by IP + per-canonical-account before password hashing.
@@ -15,7 +15,7 @@
  *   callers should use the `account_verify` RPC action for the typed payload.
  *
  * Session listing/revocation and API token CRUD are on the RPC endpoint —
- * see `account_actions.ts`. Signup is in `signup_routes.ts`. Defaults are
+ * see `auth/account_actions.ts`. Signup is in `auth/signup_routes.ts`. Defaults are
  * closed/safe: accounts are created through bootstrap, admin action, or
  * invite.
  *
@@ -167,7 +167,7 @@ export const PasswordChangeOutput = z.strictObject({
  *
  * The returned specs cover the three flows that stay REST after the RPC
  * migration (login, logout, password change). Self-service session/token
- * management and verify are on `account_actions.ts`.
+ * management and verify are on `auth/account_actions.ts`.
  *
  * @param deps - stateless capabilities (keyring, password, log)
  * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)

package/dist/auth/account_schema.d.ts

@@ -4,7 +4,7 @@
  * Defines the runtime types for the fuz identity system:
  * `Account`, `Actor`, `Permit`, `AuthSession`, and `ApiToken`.
  *
- * DDL lives in `ddl.ts`; role system in `role_schema.ts`.
+ * DDL lives in `auth/ddl.ts`; role system in `auth/role_schema.ts`.
  * See docs/identity.md for design rationale.
  *
  * @module

package/dist/auth/account_schema.js

@@ -4,7 +4,7 @@
  * Defines the runtime types for the fuz identity system:
  * `Account`, `Actor`, `Permit`, `AuthSession`, and `ApiToken`.
  *
- * DDL lives in `ddl.ts`; role system in `role_schema.ts`.
+ * DDL lives in `auth/ddl.ts`; role system in `auth/role_schema.ts`.
  * See docs/identity.md for design rationale.
  *
  * @module

package/dist/auth/admin_action_specs.d.ts

@@ -2,7 +2,7 @@
  * Admin RPC action specs — declarative contract for admin-only operations.
  *
  * Import this module for the specs, Input/Output schemas, and the
- * `all_admin_action_specs` registry. Handlers live in `./admin_actions.js`.
+ * `all_admin_action_specs` registry. Handlers live in `auth/admin_actions.ts`.
  *
  * Authorization is declared at the spec level (`auth: {role: ROLE_ADMIN}`)
  * so the RPC dispatcher enforces admin before the handler runs and the

package/dist/auth/admin_action_specs.js

@@ -2,7 +2,7 @@
  * Admin RPC action specs — declarative contract for admin-only operations.
  *
  * Import this module for the specs, Input/Output schemas, and the
- * `all_admin_action_specs` registry. Handlers live in `./admin_actions.js`.
+ * `all_admin_action_specs` registry. Handlers live in `auth/admin_actions.ts`.
  *
  * Authorization is declared at the spec level (`auth: {role: ROLE_ADMIN}`)
  * so the RPC dispatcher enforces admin before the handler runs and the

package/dist/auth/admin_actions.d.ts

@@ -11,13 +11,13 @@
  *   when `AdminActionOptions.app_settings` is provided — the mutable ref is
  *   owned by the server context and shared with signup middleware).
  *
- * The action specs themselves live in `./admin_action_specs.js`. Mutations
+ * The action specs themselves live in `auth/admin_action_specs.ts`. Mutations
  * emit matching audit events via `audit_log_fire_and_forget`.
  *
  * Authorization is declared at the spec level (`auth: {role: 'admin'}`) so
  * the RPC dispatcher enforces it before the handler runs and the generated
  * surface accurately reports the requirement. `permit_revoke` in
- * `permit_offer_actions.ts` uses the same spec-level pattern even though its
+ * `auth/permit_offer_actions.ts` uses the same spec-level pattern even though its
  * sibling methods are authenticated-but-not-admin — the dispatcher checks
  * auth per-spec, so mixed-auth endpoints compose cleanly. Handler-level
  * gates are reserved for input-dependent elevation (e.g.

package/dist/auth/admin_actions.js

@@ -11,13 +11,13 @@
  *   when `AdminActionOptions.app_settings` is provided — the mutable ref is
  *   owned by the server context and shared with signup middleware).
  *
- * The action specs themselves live in `./admin_action_specs.js`. Mutations
+ * The action specs themselves live in `auth/admin_action_specs.ts`. Mutations
  * emit matching audit events via `audit_log_fire_and_forget`.
  *
  * Authorization is declared at the spec level (`auth: {role: 'admin'}`) so
  * the RPC dispatcher enforces it before the handler runs and the generated
  * surface accurately reports the requirement. `permit_revoke` in
- * `permit_offer_actions.ts` uses the same spec-level pattern even though its
+ * `auth/permit_offer_actions.ts` uses the same spec-level pattern even though its
  * sibling methods are authenticated-but-not-admin — the dispatcher checks
  * auth per-spec, so mixed-auth endpoints compose cleanly. Handler-level
  * gates are reserved for input-dependent elevation (e.g.

package/dist/auth/api_token.d.ts

@@ -4,7 +4,7 @@
  * Tokens use the format `secret_fuz_token_<base64url>` and are stored
  * as blake3 hashes. These are pure cryptographic operations with no
  * framework dependency — the bearer auth middleware that validates
- * tokens lives in `bearer_auth.ts`.
+ * tokens lives in `auth/bearer_auth.ts`.
  *
  * @module
  */

package/dist/auth/api_token.js

@@ -4,7 +4,7 @@
  * Tokens use the format `secret_fuz_token_<base64url>` and are stored
  * as blake3 hashes. These are pure cryptographic operations with no
  * framework dependency — the bearer auth middleware that validates
- * tokens lives in `bearer_auth.ts`.
+ * tokens lives in `auth/bearer_auth.ts`.
  *
  * @module
  */

package/dist/auth/audit_log_routes.d.ts

@@ -2,7 +2,7 @@
  * Audit log SSE stream route.
  *
  * The two list-reads (`audit_log_list`, `audit_log_permit_history`) moved to
- * RPC in `admin_actions.ts`, and the admin session listing moved to
+ * RPC in `auth/admin_actions.ts`, and the admin session listing moved to
  * `admin_session_list` on the same file. What remains here is the optional
  * `GET /audit-log/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via

package/dist/auth/audit_log_routes.js

@@ -2,7 +2,7 @@
  * Audit log SSE stream route.
  *
  * The two list-reads (`audit_log_list`, `audit_log_permit_history`) moved to
- * RPC in `admin_actions.ts`, and the admin session listing moved to
+ * RPC in `auth/admin_actions.ts`, and the admin session listing moved to
  * `admin_session_list` on the same file. What remains here is the optional
  * `GET /audit-log/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via

package/dist/auth/audit_log_schema.d.ts

@@ -242,7 +242,7 @@ export interface CreateAuditLogConfigOptions {
      *
      * Collisions with builtin event-type strings throw at construction.
      * Schemas are run via `safeParse` at insert time; mismatches log + count
-     * but never throw (fail-open — see the drift counters in `audit_log_queries.ts`).
+     * but never throw (fail-open — see the drift counters in `auth/audit_log_queries.ts`).
      */
     extra_events?: Readonly<Record<string, z.ZodType | null>>;
 }

package/dist/auth/daemon_token.d.ts

@@ -3,7 +3,7 @@
  *
  * Pure auth operations with no I/O or state management.
  * The middleware, rotation, and persistence logic lives in
- * `daemon_token_middleware.ts`.
+ * `auth/daemon_token_middleware.ts`.
  *
  * @module
  */

package/dist/auth/daemon_token.js

@@ -3,7 +3,7 @@
  *
  * Pure auth operations with no I/O or state management.
  * The middleware, rotation, and persistence logic lives in
- * `daemon_token_middleware.ts`.
+ * `auth/daemon_token_middleware.ts`.
  *
  * @module
  */

package/dist/auth/daemon_token_middleware.d.ts

@@ -4,7 +4,7 @@
  * Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
  * rotation on an interval, and HTTP middleware for authentication.
  *
- * Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
+ * Pure token primitives (schema, generation, validation) live in `auth/daemon_token.ts`.
  * See docs/identity.md for design rationale.
  *
  * @module

package/dist/auth/daemon_token_middleware.js

@@ -4,7 +4,7 @@
  * Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
  * rotation on an interval, and HTTP middleware for authentication.
  *
- * Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
+ * Pure token primitives (schema, generation, validation) live in `auth/daemon_token.ts`.
  * See docs/identity.md for design rationale.
  *
  * @module

package/dist/auth/ddl.d.ts

@@ -1,7 +1,7 @@
 /**
  * Auth table DDL — CREATE TABLE, index, and seed statements.
  *
- * Consumed by `migrations.ts`. Separated from `account_schema.ts`
+ * Consumed by `auth/migrations.ts`. Separated from `auth/account_schema.ts`
  * to isolate DDL concerns from runtime types.
  *
  * @module

package/dist/auth/ddl.js

@@ -1,7 +1,7 @@
 /**
  * Auth table DDL — CREATE TABLE, index, and seed statements.
  *
- * Consumed by `migrations.ts`. Separated from `account_schema.ts`
+ * Consumed by `auth/migrations.ts`. Separated from `auth/account_schema.ts`
  * to isolate DDL concerns from runtime types.
  *
  * @module

package/dist/auth/password.d.ts

@@ -2,7 +2,7 @@
  * Password hashing type definitions.
  *
  * Defines the `PasswordHashDeps` injectable interface and `PASSWORD_LENGTH_MIN`.
- * Concrete Argon2id implementation lives in `password_argon2.ts`.
+ * Concrete Argon2id implementation lives in `auth/password_argon2.ts`.
  *
  * @module
  */

package/dist/auth/password.js

@@ -2,7 +2,7 @@
  * Password hashing type definitions.
  *
  * Defines the `PasswordHashDeps` injectable interface and `PASSWORD_LENGTH_MIN`.
- * Concrete Argon2id implementation lives in `password_argon2.ts`.
+ * Concrete Argon2id implementation lives in `auth/password_argon2.ts`.
  *
  * @module
  */

package/dist/auth/permit_offer_action_specs.d.ts

@@ -4,7 +4,7 @@
  *
  * Import this module for the specs, Input/Output schemas, `ERROR_OFFER_*`
  * reason constants, and the `all_permit_offer_action_specs` registry.
- * Handlers live in `./permit_offer_actions.js`.
+ * Handlers live in `auth/permit_offer_actions.ts`.
  *
  * Authorization enforcement: offer-lifecycle specs declare
  * `auth: 'authenticated'` and rely on `query_*` IDOR guards or in-handler

package/dist/auth/permit_offer_action_specs.js

@@ -4,7 +4,7 @@
  *
  * Import this module for the specs, Input/Output schemas, `ERROR_OFFER_*`
  * reason constants, and the `all_permit_offer_action_specs` registry.
- * Handlers live in `./permit_offer_actions.js`.
+ * Handlers live in `auth/permit_offer_actions.ts`.
  *
  * Authorization enforcement: offer-lifecycle specs declare
  * `auth: 'authenticated'` and rely on `query_*` IDOR guards or in-handler

package/dist/auth/permit_offer_actions.d.ts

@@ -4,7 +4,7 @@
  * Seven actions: six offer-lifecycle methods (create / accept / decline /
  * retract / list / history) plus `permit_revoke` (admin-only). All mount
  * on a consumer's JSON-RPC endpoint via `create_rpc_endpoint`. The action
- * specs themselves live in `./permit_offer_action_specs.js`. Mutations
+ * specs themselves live in `auth/permit_offer_action_specs.ts`. Mutations
  * declare `side_effects: true` so the RPC dispatcher wraps the handler in
  * a DB transaction; `permit_offer_list` and `permit_offer_history` declare
  * `side_effects: false` so they are addressable via GET.

package/dist/auth/permit_offer_actions.js

@@ -4,7 +4,7 @@
  * Seven actions: six offer-lifecycle methods (create / accept / decline /
  * retract / list / history) plus `permit_revoke` (admin-only). All mount
  * on a consumer's JSON-RPC endpoint via `create_rpc_endpoint`. The action
- * specs themselves live in `./permit_offer_action_specs.js`. Mutations
+ * specs themselves live in `auth/permit_offer_action_specs.ts`. Mutations
  * declare `side_effects: true` so the RPC dispatcher wraps the handler in
  * a DB transaction; `permit_offer_list` and `permit_offer_history` declare
  * `side_effects: false` so they are addressable via GET.

package/dist/auth/route_guards.d.ts

@@ -3,7 +3,7 @@
  *
  * Maps `RouteAuth` discriminants to auth middleware handlers.
  * Injected into `apply_route_specs` to decouple the generic HTTP
- * framework (`route_spec.ts`) from auth-specific middleware.
+ * framework (`http/route_spec.ts`) from auth-specific middleware.
  *
  * @module
  */

package/dist/auth/route_guards.js

@@ -3,7 +3,7 @@
  *
  * Maps `RouteAuth` discriminants to auth middleware handlers.
  * Injected into `apply_route_specs` to decouple the generic HTTP
- * framework (`route_spec.ts`) from auth-specific middleware.
+ * framework (`http/route_spec.ts`) from auth-specific middleware.
  *
  * @module
  */

package/dist/auth/self_service_role_action_specs.d.ts

@@ -3,7 +3,7 @@
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
- * lives in `self_service_role_actions.ts`.
+ * lives in `auth/self_service_role_actions.ts`.
  *
  * @module
  */

package/dist/auth/self_service_role_action_specs.js

@@ -3,7 +3,7 @@
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
- * lives in `self_service_role_actions.ts`.
+ * lives in `auth/self_service_role_actions.ts`.
  *
  * @module
  */

package/dist/auth/self_service_role_actions.d.ts

@@ -25,7 +25,7 @@
  * the existing `permit_offer_create({role})` precedent rather than
  * generating per-role methods.
  *
- * Specs and schemas live in `self_service_role_action_specs.ts` so
+ * Specs and schemas live in `auth/self_service_role_action_specs.ts` so
  * client-side codegen can import the surface without dragging in the
  * query layer.
  *

package/dist/auth/self_service_role_actions.js

@@ -25,7 +25,7 @@
  * the existing `permit_offer_create({role})` precedent rather than
  * generating per-role methods.
  *
- * Specs and schemas live in `self_service_role_action_specs.ts` so
+ * Specs and schemas live in `auth/self_service_role_action_specs.ts` so
  * client-side codegen can import the surface without dragging in the
  * query layer.
  *

package/dist/auth/session_queries.d.ts

@@ -57,7 +57,7 @@ export declare const query_session_touch: (deps: QueryDeps, token_hash: string)
  * The `_unscoped` suffix is the safety signal — there is no `account_id`
  * constraint, so callers must guarantee the hash came from a trusted
  * source (the authenticated session cookie path is the only safe production
- * caller — see `account_routes.ts` `/logout`). For user-facing revocation
+ * caller — see `auth/account_routes.ts` `/logout`). For user-facing revocation
  * of a specific session by ID, use `query_session_revoke_for_account`
  * (IDOR-guarded).
  */

package/dist/auth/session_queries.js

@@ -77,7 +77,7 @@ export const query_session_touch = async (deps, token_hash) => {
  * The `_unscoped` suffix is the safety signal — there is no `account_id`
  * constraint, so callers must guarantee the hash came from a trusted
  * source (the authenticated session cookie path is the only safe production
- * caller — see `account_routes.ts` `/logout`). For user-facing revocation
+ * caller — see `auth/account_routes.ts` `/logout`). For user-facing revocation
  * of a specific session by ID, use `query_session_revoke_for_account`
  * (IDOR-guarded).
  */

package/dist/auth/signup_routes.d.ts

@@ -3,7 +3,7 @@
  *
  * Public endpoint that creates an account. When `open_signup` is disabled
  * (default), a matching unclaimed invite is required. When enabled, anyone
- * can sign up without an invite. Follows the `bootstrap_routes.ts` pattern.
+ * can sign up without an invite. Follows the `auth/bootstrap_routes.ts` pattern.
  *
  * @module
  */

package/dist/auth/signup_routes.js

@@ -3,7 +3,7 @@
  *
  * Public endpoint that creates an account. When `open_signup` is disabled
  * (default), a matching unclaimed invite is required. When enabled, anyone
- * can sign up without an invite. Follows the `bootstrap_routes.ts` pattern.
+ * can sign up without an invite. Follows the `auth/bootstrap_routes.ts` pattern.
  *
  * @module
  */

package/dist/auth/standard_action_specs.d.ts

@@ -1,7 +1,7 @@
 /**
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
- * `create_standard_rpc_actions` (in `./standard_rpc_actions.js`) bundles three
+ * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
  * action registries into one mounted RPC surface: admin + permit_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard

package/dist/auth/standard_action_specs.js

@@ -1,7 +1,7 @@
 /**
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
- * `create_standard_rpc_actions` (in `./standard_rpc_actions.js`) bundles three
+ * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
  * action registries into one mounted RPC surface: admin + permit_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard

package/dist/cli/util.d.ts

@@ -1,7 +1,7 @@
 /**
  * CLI utilities for colors, confirmation, and command delegation.
  *
- * For structured CLI logging, see `create_cli_logger` in `logger.ts`.
+ * For structured CLI logging, see `create_cli_logger` in `cli/logger.ts`.
  *
  * @module
  */

package/dist/cli/util.js

@@ -1,7 +1,7 @@
 /**
  * CLI utilities for colors, confirmation, and command delegation.
  *
- * For structured CLI logging, see `create_cli_logger` in `logger.ts`.
+ * For structured CLI logging, see `create_cli_logger` in `cli/logger.ts`.
  *
  * @module
  */

package/dist/db/create_db.d.ts

@@ -8,7 +8,7 @@
  *
  * Both `pg` and `@electric-sql/pglite` are optional peer dependencies,
  * dynamically imported only when needed. For direct driver construction
- * without auto-detection, use `db_pg.ts` or `db_pglite.ts`.
+ * without auto-detection, use `db/db_pg.ts` or `db/db_pglite.ts`.
  *
  * @module
  */
@@ -29,7 +29,7 @@ export interface CreateDbResult {
  * know which driver is in use.
  *
  * For direct driver construction without URL routing, import
- * `create_pg_db` from `db_pg.ts` or `create_pglite_db` from `db_pglite.ts`.
+ * `create_pg_db` from `db/db_pg.ts` or `create_pglite_db` from `db/db_pglite.ts`.
  *
  * @param database_url - connection URL (`postgres://`, `postgresql://`, `file://`, or `memory://`)
  * @returns database instance, close callback, type, and display name