@fuzdev/fuz_app 0.50.0 → 0.52.0

Files changed (374) hide show
  1. package/dist/actions/CLAUDE.md +16 -3
  2. package/dist/actions/action_bridge.d.ts +3 -1
  3. package/dist/actions/action_bridge.d.ts.map +1 -1
  4. package/dist/actions/action_bridge.js +3 -1
  5. package/dist/actions/action_codegen.d.ts +44 -13
  6. package/dist/actions/action_codegen.d.ts.map +1 -1
  7. package/dist/actions/action_codegen.js +58 -20
  8. package/dist/actions/action_event.d.ts +44 -1
  9. package/dist/actions/action_event.d.ts.map +1 -1
  10. package/dist/actions/action_event.js +44 -1
  11. package/dist/actions/action_event_helpers.d.ts +26 -0
  12. package/dist/actions/action_event_helpers.d.ts.map +1 -1
  13. package/dist/actions/action_event_helpers.js +26 -1
  14. package/dist/actions/action_peer.d.ts +17 -0
  15. package/dist/actions/action_peer.d.ts.map +1 -1
  16. package/dist/actions/action_peer.js +8 -0
  17. package/dist/actions/action_registry.d.ts +2 -2
  18. package/dist/actions/action_registry.js +2 -2
  19. package/dist/actions/action_rpc.d.ts +4 -0
  20. package/dist/actions/action_rpc.d.ts.map +1 -1
  21. package/dist/actions/action_rpc.js +4 -0
  22. package/dist/actions/action_spec.d.ts +23 -3
  23. package/dist/actions/action_spec.d.ts.map +1 -1
  24. package/dist/actions/action_spec.js +17 -3
  25. package/dist/actions/action_types.d.ts +2 -2
  26. package/dist/actions/action_types.js +2 -2
  27. package/dist/actions/cancel.d.ts +2 -2
  28. package/dist/actions/cancel.js +2 -2
  29. package/dist/actions/heartbeat.d.ts +2 -2
  30. package/dist/actions/heartbeat.js +2 -2
  31. package/dist/actions/protocol.d.ts +1 -1
  32. package/dist/actions/protocol.js +1 -1
  33. package/dist/actions/register_action_ws.d.ts +4 -1
  34. package/dist/actions/register_action_ws.d.ts.map +1 -1
  35. package/dist/actions/register_action_ws.js +4 -1
  36. package/dist/actions/register_ws_endpoint.d.ts +3 -0
  37. package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
  38. package/dist/actions/register_ws_endpoint.js +3 -0
  39. package/dist/actions/request_tracker.svelte.d.ts +14 -1
  40. package/dist/actions/request_tracker.svelte.d.ts.map +1 -1
  41. package/dist/actions/request_tracker.svelte.js +14 -1
  42. package/dist/actions/socket.svelte.d.ts +35 -15
  43. package/dist/actions/socket.svelte.d.ts.map +1 -1
  44. package/dist/actions/socket.svelte.js +33 -13
  45. package/dist/actions/transports.d.ts +12 -3
  46. package/dist/actions/transports.d.ts.map +1 -1
  47. package/dist/actions/transports.js +16 -7
  48. package/dist/actions/transports_http.d.ts +7 -0
  49. package/dist/actions/transports_http.d.ts.map +1 -1
  50. package/dist/actions/transports_http.js +7 -0
  51. package/dist/actions/transports_ws.d.ts +13 -0
  52. package/dist/actions/transports_ws.d.ts.map +1 -1
  53. package/dist/actions/transports_ws.js +13 -0
  54. package/dist/actions/transports_ws_auth_guard.d.ts +6 -2
  55. package/dist/actions/transports_ws_auth_guard.d.ts.map +1 -1
  56. package/dist/actions/transports_ws_auth_guard.js +6 -2
  57. package/dist/actions/transports_ws_backend.d.ts +14 -1
  58. package/dist/actions/transports_ws_backend.d.ts.map +1 -1
  59. package/dist/actions/transports_ws_backend.js +14 -1
  60. package/dist/auth/CLAUDE.md +40 -4
  61. package/dist/auth/account_queries.d.ts +10 -0
  62. package/dist/auth/account_queries.d.ts.map +1 -1
  63. package/dist/auth/account_queries.js +10 -0
  64. package/dist/auth/account_routes.d.ts +3 -3
  65. package/dist/auth/account_routes.js +3 -3
  66. package/dist/auth/account_schema.d.ts +1 -1
  67. package/dist/auth/account_schema.js +1 -1
  68. package/dist/auth/admin_actions.d.ts +1 -0
  69. package/dist/auth/admin_actions.d.ts.map +1 -1
  70. package/dist/auth/admin_actions.js +1 -0
  71. package/dist/auth/api_token.d.ts +1 -1
  72. package/dist/auth/api_token.js +1 -1
  73. package/dist/auth/api_token_queries.d.ts +7 -0
  74. package/dist/auth/api_token_queries.d.ts.map +1 -1
  75. package/dist/auth/api_token_queries.js +7 -0
  76. package/dist/auth/app_settings_queries.d.ts +4 -0
  77. package/dist/auth/app_settings_queries.d.ts.map +1 -1
  78. package/dist/auth/app_settings_queries.js +4 -0
  79. package/dist/auth/audit_log_queries.d.ts +6 -0
  80. package/dist/auth/audit_log_queries.d.ts.map +1 -1
  81. package/dist/auth/audit_log_queries.js +6 -0
  82. package/dist/auth/audit_log_routes.d.ts +1 -1
  83. package/dist/auth/audit_log_routes.js +1 -1
  84. package/dist/auth/audit_log_schema.d.ts +3 -1
  85. package/dist/auth/audit_log_schema.d.ts.map +1 -1
  86. package/dist/auth/audit_log_schema.js +134 -55
  87. package/dist/auth/bearer_auth.d.ts +2 -0
  88. package/dist/auth/bearer_auth.d.ts.map +1 -1
  89. package/dist/auth/bearer_auth.js +2 -0
  90. package/dist/auth/bootstrap_account.d.ts +3 -0
  91. package/dist/auth/bootstrap_account.d.ts.map +1 -1
  92. package/dist/auth/bootstrap_account.js +3 -0
  93. package/dist/auth/cleanup.d.ts +6 -0
  94. package/dist/auth/cleanup.d.ts.map +1 -1
  95. package/dist/auth/cleanup.js +6 -0
  96. package/dist/auth/daemon_token.d.ts +1 -1
  97. package/dist/auth/daemon_token.js +1 -1
  98. package/dist/auth/daemon_token_middleware.d.ts +5 -1
  99. package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
  100. package/dist/auth/daemon_token_middleware.js +5 -1
  101. package/dist/auth/ddl.d.ts +1 -1
  102. package/dist/auth/ddl.js +1 -1
  103. package/dist/auth/invite_queries.d.ts +4 -0
  104. package/dist/auth/invite_queries.d.ts.map +1 -1
  105. package/dist/auth/invite_queries.js +4 -0
  106. package/dist/auth/password.d.ts +1 -1
  107. package/dist/auth/password.js +1 -1
  108. package/dist/auth/permit_offer_action_specs.d.ts +5 -0
  109. package/dist/auth/permit_offer_action_specs.d.ts.map +1 -1
  110. package/dist/auth/permit_offer_action_specs.js +10 -0
  111. package/dist/auth/permit_offer_queries.d.ts +19 -0
  112. package/dist/auth/permit_offer_queries.d.ts.map +1 -1
  113. package/dist/auth/permit_offer_queries.js +19 -0
  114. package/dist/auth/permit_queries.d.ts +8 -0
  115. package/dist/auth/permit_queries.d.ts.map +1 -1
  116. package/dist/auth/permit_queries.js +8 -0
  117. package/dist/auth/request_context.d.ts +1 -0
  118. package/dist/auth/request_context.d.ts.map +1 -1
  119. package/dist/auth/request_context.js +1 -0
  120. package/dist/auth/role_schema.d.ts +2 -0
  121. package/dist/auth/role_schema.d.ts.map +1 -1
  122. package/dist/auth/role_schema.js +2 -0
  123. package/dist/auth/route_guards.d.ts +1 -1
  124. package/dist/auth/route_guards.js +1 -1
  125. package/dist/auth/self_service_role_action_specs.d.ts +1 -1
  126. package/dist/auth/self_service_role_action_specs.js +1 -1
  127. package/dist/auth/self_service_role_actions.d.ts +2 -1
  128. package/dist/auth/self_service_role_actions.d.ts.map +1 -1
  129. package/dist/auth/self_service_role_actions.js +2 -1
  130. package/dist/auth/session_lifecycle.d.ts +3 -0
  131. package/dist/auth/session_lifecycle.d.ts.map +1 -1
  132. package/dist/auth/session_lifecycle.js +3 -0
  133. package/dist/auth/session_middleware.d.ts +5 -0
  134. package/dist/auth/session_middleware.d.ts.map +1 -1
  135. package/dist/auth/session_middleware.js +5 -0
  136. package/dist/auth/session_queries.d.ts +10 -1
  137. package/dist/auth/session_queries.d.ts.map +1 -1
  138. package/dist/auth/session_queries.js +10 -1
  139. package/dist/auth/signup_routes.d.ts +1 -1
  140. package/dist/auth/signup_routes.js +1 -1
  141. package/dist/cli/config.d.ts +2 -0
  142. package/dist/cli/config.d.ts.map +1 -1
  143. package/dist/cli/config.js +2 -0
  144. package/dist/cli/daemon.d.ts +6 -1
  145. package/dist/cli/daemon.d.ts.map +1 -1
  146. package/dist/cli/daemon.js +6 -1
  147. package/dist/cli/util.d.ts +1 -1
  148. package/dist/cli/util.js +1 -1
  149. package/dist/db/assert_row.d.ts +2 -1
  150. package/dist/db/assert_row.d.ts.map +1 -1
  151. package/dist/db/assert_row.js +2 -1
  152. package/dist/db/create_db.d.ts +5 -2
  153. package/dist/db/create_db.d.ts.map +1 -1
  154. package/dist/db/create_db.js +5 -2
  155. package/dist/db/db.d.ts +22 -7
  156. package/dist/db/db.d.ts.map +1 -1
  157. package/dist/db/db.js +21 -6
  158. package/dist/db/db_pg.d.ts +2 -1
  159. package/dist/db/db_pg.d.ts.map +1 -1
  160. package/dist/db/db_pg.js +5 -3
  161. package/dist/db/db_pglite.d.ts +3 -2
  162. package/dist/db/db_pglite.d.ts.map +1 -1
  163. package/dist/db/db_pglite.js +3 -2
  164. package/dist/db/migrate.d.ts +8 -4
  165. package/dist/db/migrate.d.ts.map +1 -1
  166. package/dist/db/migrate.js +6 -2
  167. package/dist/db/sql_identifier.d.ts +2 -1
  168. package/dist/db/sql_identifier.d.ts.map +1 -1
  169. package/dist/db/sql_identifier.js +2 -1
  170. package/dist/db/status.d.ts +4 -1
  171. package/dist/db/status.d.ts.map +1 -1
  172. package/dist/db/status.js +5 -2
  173. package/dist/dev/setup.d.ts +18 -2
  174. package/dist/dev/setup.d.ts.map +1 -1
  175. package/dist/dev/setup.js +18 -2
  176. package/dist/env/dotenv.d.ts +2 -1
  177. package/dist/env/dotenv.d.ts.map +1 -1
  178. package/dist/env/dotenv.js +2 -1
  179. package/dist/env/load.d.ts +1 -1
  180. package/dist/env/load.js +1 -1
  181. package/dist/env/resolve.d.ts +1 -1
  182. package/dist/env/resolve.js +1 -1
  183. package/dist/env/update_env_variable.d.ts +2 -0
  184. package/dist/env/update_env_variable.d.ts.map +1 -1
  185. package/dist/env/update_env_variable.js +2 -0
  186. package/dist/hono_context.d.ts +1 -1
  187. package/dist/hono_context.js +1 -1
  188. package/dist/http/jsonrpc_errors.d.ts +2 -2
  189. package/dist/http/jsonrpc_errors.js +2 -2
  190. package/dist/http/jsonrpc_helpers.d.ts +2 -2
  191. package/dist/http/jsonrpc_helpers.js +2 -2
  192. package/dist/http/middleware_spec.d.ts +1 -1
  193. package/dist/http/middleware_spec.js +1 -1
  194. package/dist/http/origin.d.ts +1 -1
  195. package/dist/http/origin.js +1 -1
  196. package/dist/http/pending_effects.d.ts +4 -0
  197. package/dist/http/pending_effects.d.ts.map +1 -1
  198. package/dist/http/pending_effects.js +4 -0
  199. package/dist/http/proxy.d.ts +3 -0
  200. package/dist/http/proxy.d.ts.map +1 -1
  201. package/dist/http/proxy.js +3 -0
  202. package/dist/http/route_spec.d.ts +1 -0
  203. package/dist/http/route_spec.d.ts.map +1 -1
  204. package/dist/http/route_spec.js +7 -0
  205. package/dist/http/schema_helpers.d.ts +1 -1
  206. package/dist/http/schema_helpers.js +1 -1
  207. package/dist/http/surface.d.ts +1 -1
  208. package/dist/http/surface.js +1 -1
  209. package/dist/rate_limiter.d.ts +14 -1
  210. package/dist/rate_limiter.d.ts.map +1 -1
  211. package/dist/rate_limiter.js +14 -1
  212. package/dist/realtime/sse.d.ts +7 -1
  213. package/dist/realtime/sse.d.ts.map +1 -1
  214. package/dist/realtime/sse.js +3 -1
  215. package/dist/realtime/sse_auth_guard.d.ts +21 -21
  216. package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
  217. package/dist/realtime/sse_auth_guard.js +24 -24
  218. package/dist/realtime/subscriber_registry.d.ts +4 -2
  219. package/dist/realtime/subscriber_registry.d.ts.map +1 -1
  220. package/dist/realtime/subscriber_registry.js +4 -2
  221. package/dist/runtime/deno.d.ts +1 -1
  222. package/dist/runtime/deno.js +1 -1
  223. package/dist/runtime/fs.d.ts +5 -0
  224. package/dist/runtime/fs.d.ts.map +1 -1
  225. package/dist/runtime/fs.js +5 -0
  226. package/dist/runtime/mock.d.ts +6 -0
  227. package/dist/runtime/mock.d.ts.map +1 -1
  228. package/dist/runtime/mock.js +6 -0
  229. package/dist/runtime/node.d.ts +1 -1
  230. package/dist/runtime/node.js +1 -1
  231. package/dist/server/app_backend.d.ts +1 -0
  232. package/dist/server/app_backend.d.ts.map +1 -1
  233. package/dist/server/app_backend.js +1 -0
  234. package/dist/server/app_server.d.ts +4 -0
  235. package/dist/server/app_server.d.ts.map +1 -1
  236. package/dist/server/app_server.js +4 -0
  237. package/dist/server/validate_nginx.d.ts +3 -0
  238. package/dist/server/validate_nginx.d.ts.map +1 -1
  239. package/dist/testing/admin_integration.d.ts +5 -0
  240. package/dist/testing/admin_integration.d.ts.map +1 -1
  241. package/dist/testing/admin_integration.js +5 -0
  242. package/dist/testing/adversarial_headers.d.ts +5 -3
  243. package/dist/testing/adversarial_headers.d.ts.map +1 -1
  244. package/dist/testing/adversarial_headers.js +5 -3
  245. package/dist/testing/adversarial_input.d.ts +4 -0
  246. package/dist/testing/adversarial_input.d.ts.map +1 -1
  247. package/dist/testing/adversarial_input.js +4 -0
  248. package/dist/testing/app_server.d.ts +3 -0
  249. package/dist/testing/app_server.d.ts.map +1 -1
  250. package/dist/testing/app_server.js +11 -0
  251. package/dist/testing/assertions.d.ts +23 -7
  252. package/dist/testing/assertions.d.ts.map +1 -1
  253. package/dist/testing/assertions.js +23 -7
  254. package/dist/testing/audit_completeness.d.ts +4 -0
  255. package/dist/testing/audit_completeness.d.ts.map +1 -1
  256. package/dist/testing/audit_completeness.js +4 -0
  257. package/dist/testing/auth_apps.d.ts +3 -0
  258. package/dist/testing/auth_apps.d.ts.map +1 -1
  259. package/dist/testing/auth_apps.js +3 -0
  260. package/dist/testing/db.d.ts +9 -1
  261. package/dist/testing/db.d.ts.map +1 -1
  262. package/dist/testing/db.js +9 -1
  263. package/dist/testing/error_coverage.d.ts +9 -0
  264. package/dist/testing/error_coverage.d.ts.map +1 -1
  265. package/dist/testing/error_coverage.js +9 -0
  266. package/dist/testing/integration.d.ts +4 -0
  267. package/dist/testing/integration.d.ts.map +1 -1
  268. package/dist/testing/integration.js +4 -0
  269. package/dist/testing/integration_helpers.d.ts +10 -4
  270. package/dist/testing/integration_helpers.d.ts.map +1 -1
  271. package/dist/testing/integration_helpers.js +10 -4
  272. package/dist/testing/middleware.d.ts +5 -0
  273. package/dist/testing/middleware.d.ts.map +1 -1
  274. package/dist/testing/middleware.js +5 -0
  275. package/dist/testing/rate_limiting.d.ts +3 -0
  276. package/dist/testing/rate_limiting.d.ts.map +1 -1
  277. package/dist/testing/rate_limiting.js +3 -0
  278. package/dist/testing/rpc_attack_surface.js +1 -1
  279. package/dist/testing/rpc_helpers.d.ts +21 -8
  280. package/dist/testing/rpc_helpers.d.ts.map +1 -1
  281. package/dist/testing/rpc_helpers.js +22 -9
  282. package/dist/testing/schema_generators.d.ts +7 -2
  283. package/dist/testing/schema_generators.d.ts.map +1 -1
  284. package/dist/testing/schema_generators.js +7 -2
  285. package/dist/testing/sse_round_trip.d.ts +3 -0
  286. package/dist/testing/sse_round_trip.d.ts.map +1 -1
  287. package/dist/testing/sse_round_trip.js +3 -0
  288. package/dist/testing/stubs.d.ts +7 -0
  289. package/dist/testing/stubs.d.ts.map +1 -1
  290. package/dist/testing/stubs.js +7 -0
  291. package/dist/testing/surface_invariants.d.ts +14 -0
  292. package/dist/testing/surface_invariants.d.ts.map +1 -1
  293. package/dist/testing/surface_invariants.js +14 -0
  294. package/dist/testing/ws_round_trip.d.ts +13 -1
  295. package/dist/testing/ws_round_trip.d.ts.map +1 -1
  296. package/dist/testing/ws_round_trip.js +1 -1
  297. package/dist/ui/AccountSessions.svelte +9 -0
  298. package/dist/ui/AccountSessions.svelte.d.ts.map +1 -1
  299. package/dist/ui/AdminAccounts.svelte +10 -0
  300. package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
  301. package/dist/ui/AdminAuditLog.svelte +10 -0
  302. package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -1
  303. package/dist/ui/AdminInvites.svelte +9 -0
  304. package/dist/ui/AdminInvites.svelte.d.ts.map +1 -1
  305. package/dist/ui/AdminOverview.svelte +10 -0
  306. package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
  307. package/dist/ui/AdminPermitHistory.svelte +9 -0
  308. package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -1
  309. package/dist/ui/AdminSessions.svelte +10 -0
  310. package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
  311. package/dist/ui/AdminSettings.svelte +9 -0
  312. package/dist/ui/AdminSettings.svelte.d.ts.map +1 -1
  313. package/dist/ui/AdminSurface.svelte +9 -0
  314. package/dist/ui/AdminSurface.svelte.d.ts.map +1 -1
  315. package/dist/ui/AppShell.svelte +24 -0
  316. package/dist/ui/AppShell.svelte.d.ts +23 -0
  317. package/dist/ui/AppShell.svelte.d.ts.map +1 -1
  318. package/dist/ui/BootstrapForm.svelte +17 -0
  319. package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
  320. package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -1
  321. package/dist/ui/ColumnLayout.svelte +11 -0
  322. package/dist/ui/ColumnLayout.svelte.d.ts +10 -0
  323. package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -1
  324. package/dist/ui/Datatable.svelte +18 -0
  325. package/dist/ui/Datatable.svelte.d.ts +17 -0
  326. package/dist/ui/Datatable.svelte.d.ts.map +1 -1
  327. package/dist/ui/LoginForm.svelte +18 -0
  328. package/dist/ui/LoginForm.svelte.d.ts +9 -0
  329. package/dist/ui/LoginForm.svelte.d.ts.map +1 -1
  330. package/dist/ui/LogoutButton.svelte +9 -0
  331. package/dist/ui/LogoutButton.svelte.d.ts +8 -0
  332. package/dist/ui/LogoutButton.svelte.d.ts.map +1 -1
  333. package/dist/ui/MenuLink.svelte +10 -0
  334. package/dist/ui/MenuLink.svelte.d.ts +9 -0
  335. package/dist/ui/MenuLink.svelte.d.ts.map +1 -1
  336. package/dist/ui/OpenSignupToggle.svelte +9 -0
  337. package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
  338. package/dist/ui/SignupForm.svelte +16 -0
  339. package/dist/ui/SignupForm.svelte.d.ts +4 -0
  340. package/dist/ui/SignupForm.svelte.d.ts.map +1 -1
  341. package/dist/ui/SurfaceExplorer.svelte +9 -0
  342. package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
  343. package/dist/ui/account_sessions_state.svelte.d.ts +2 -2
  344. package/dist/ui/account_sessions_state.svelte.js +1 -1
  345. package/dist/ui/admin_rpc_adapters.d.ts +1 -1
  346. package/dist/ui/admin_rpc_adapters.js +1 -1
  347. package/dist/ui/audit_log_state.svelte.d.ts +6 -1
  348. package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
  349. package/dist/ui/audit_log_state.svelte.js +6 -1
  350. package/dist/ui/auth_state.svelte.d.ts +16 -4
  351. package/dist/ui/auth_state.svelte.d.ts.map +1 -1
  352. package/dist/ui/auth_state.svelte.js +16 -4
  353. package/dist/ui/form_state.svelte.d.ts +9 -0
  354. package/dist/ui/form_state.svelte.d.ts.map +1 -1
  355. package/dist/ui/form_state.svelte.js +9 -0
  356. package/dist/ui/loadable.svelte.d.ts +6 -1
  357. package/dist/ui/loadable.svelte.d.ts.map +1 -1
  358. package/dist/ui/loadable.svelte.js +6 -1
  359. package/dist/ui/permit_offers_state.svelte.d.ts +2 -0
  360. package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -1
  361. package/dist/ui/permit_offers_state.svelte.js +2 -0
  362. package/dist/ui/popover.svelte.d.ts +17 -4
  363. package/dist/ui/popover.svelte.d.ts.map +1 -1
  364. package/dist/ui/popover.svelte.js +17 -4
  365. package/dist/ui/position_helpers.d.ts +1 -0
  366. package/dist/ui/position_helpers.d.ts.map +1 -1
  367. package/dist/ui/position_helpers.js +1 -0
  368. package/dist/ui/sidebar_state.svelte.d.ts +22 -9
  369. package/dist/ui/sidebar_state.svelte.d.ts.map +1 -1
  370. package/dist/ui/sidebar_state.svelte.js +17 -2
  371. package/dist/ui/table_state.svelte.d.ts +14 -0
  372. package/dist/ui/table_state.svelte.d.ts.map +1 -1
  373. package/dist/ui/table_state.svelte.js +14 -0
  374. package/package.json +1 -1
@@ -60,32 +60,71 @@ export const AuditOutcome = z.enum(['success', 'failure']);
60
60
  * freeze isn't a security boundary.
61
61
  */
62
62
  export const AUDIT_METADATA_SCHEMAS = Object.freeze({
63
- login: z.looseObject({ username: z.string() }).nullable(),
63
+ login: z
64
+ .looseObject({
65
+ username: z.string().meta({ description: 'Username submitted with the login attempt.' }),
66
+ })
67
+ .nullable(),
64
68
  logout: z.null(),
65
- bootstrap: z.looseObject({ error: z.string() }).nullable(),
69
+ bootstrap: z
70
+ .looseObject({
71
+ error: z.string().meta({ description: 'Error message for a failed bootstrap attempt.' }),
72
+ })
73
+ .nullable(),
66
74
  signup: z.looseObject({
67
- username: z.string(),
68
- invite_id: Uuid.optional(),
69
- open_signup: z.boolean().optional(),
75
+ username: z.string().meta({ description: 'Username chosen at signup.' }),
76
+ invite_id: Uuid.optional().meta({
77
+ description: 'Invite consumed by this signup, when one was matched.',
78
+ }),
79
+ open_signup: z.boolean().optional().meta({
80
+ description: 'True when the signup occurred via the `open_signup` setting (no invite required).',
81
+ }),
82
+ }),
83
+ password_change: z
84
+ .looseObject({
85
+ sessions_revoked: z
86
+ .number()
87
+ .meta({ description: 'Number of sessions revoked as a side effect of the password change.' }),
88
+ })
89
+ .nullable(),
90
+ session_revoke: z.looseObject({
91
+ session_id: z.string().meta({ description: 'Blake3 hash identifying the revoked session row.' }),
70
92
  }),
71
- password_change: z.looseObject({ sessions_revoked: z.number() }).nullable(),
72
- session_revoke: z.looseObject({ session_id: z.string() }),
73
93
  session_revoke_all: z.looseObject({
74
94
  // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
75
95
  // account not found); `reason` carries the failure category, and
76
96
  // `attempted_account_id` preserves the probed id (the `target_account_id`
77
97
  // column is null in that case because it's a FK to `account`).
78
- count: z.number().optional(),
79
- reason: z.string().optional(),
80
- attempted_account_id: Uuid.optional(),
98
+ count: z.number().optional().meta({
99
+ description: 'Number of sessions revoked. Omitted on `outcome=failure` because no revocation was attempted.',
100
+ }),
101
+ reason: z
102
+ .string()
103
+ .optional()
104
+ .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
105
+ attempted_account_id: Uuid.optional().meta({
106
+ description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
107
+ }),
108
+ }),
109
+ token_create: z.looseObject({
110
+ token_id: z.string().meta({ description: 'Public id of the created API token (`tok_…`).' }),
111
+ name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
112
+ }),
113
+ token_revoke: z.looseObject({
114
+ token_id: z.string().meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
81
115
  }),
82
- token_create: z.looseObject({ token_id: z.string(), name: z.string() }),
83
- token_revoke: z.looseObject({ token_id: z.string() }),
84
116
  token_revoke_all: z.looseObject({
85
117
  // Same shape as `session_revoke_all` for failures.
86
- count: z.number().optional(),
87
- reason: z.string().optional(),
88
- attempted_account_id: Uuid.optional(),
118
+ count: z.number().optional().meta({
119
+ description: 'Number of tokens revoked. Omitted on `outcome=failure` because no revocation was attempted.',
120
+ }),
121
+ reason: z
122
+ .string()
123
+ .optional()
124
+ .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
125
+ attempted_account_id: Uuid.optional().meta({
126
+ description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
127
+ }),
89
128
  }),
90
129
  // `permit_id` is optional on `permit_grant` because failed grants
91
130
  // (e.g. `web_grantable` denied) never produce a permit row.
@@ -94,72 +133,110 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
94
133
  // riding on `z.looseObject` permissiveness so the field is part of
95
134
  // the documented schema surface.
96
135
  permit_grant: z.looseObject({
97
- role: z.string(),
98
- permit_id: Uuid.optional(),
99
- scope_id: Uuid.nullish(),
100
- source_offer_id: Uuid.optional(),
101
- self_service: z.boolean().optional(),
136
+ role: z.string().meta({ description: 'Role being granted.' }),
137
+ permit_id: Uuid.optional().meta({
138
+ description: 'Id of the resulting permit row. Omitted when the grant failed (e.g. `web_grantable` denial).',
139
+ }),
140
+ scope_id: Uuid.nullish().meta({
141
+ description: 'Scope of the granted permit; null for global permits.',
142
+ }),
143
+ source_offer_id: Uuid.optional().meta({
144
+ description: 'Offer this grant resolved, when the grant originated from an accepted offer.',
145
+ }),
146
+ self_service: z.boolean().optional().meta({
147
+ description: 'True when the grant came from the self-service role toggle.',
148
+ }),
102
149
  }),
103
150
  permit_revoke: z.looseObject({
104
- role: z.string(),
105
- permit_id: Uuid,
106
- scope_id: Uuid.nullish(),
107
- reason: z.string().optional(),
108
- self_service: z.boolean().optional(),
151
+ role: z.string().meta({ description: 'Role being revoked.' }),
152
+ permit_id: Uuid.meta({ description: 'Id of the revoked permit row.' }),
153
+ scope_id: Uuid.nullish().meta({
154
+ description: 'Scope of the revoked permit; null for global permits.',
155
+ }),
156
+ reason: z
157
+ .string()
158
+ .optional()
159
+ .meta({ description: 'Optional admin-supplied or self-service reason text.' }),
160
+ self_service: z.boolean().optional().meta({
161
+ description: 'True when the revoke came from the self-service role toggle.',
162
+ }),
109
163
  }),
110
164
  // `offer_id` is optional because failed creates (e.g. `web_grantable`
111
165
  // denied, `authorize` callback denied) never produce an offer row.
112
166
  permit_offer_create: z.looseObject({
113
- offer_id: Uuid.optional(),
114
- role: z.string(),
115
- scope_id: Uuid.nullish(),
116
- to_account_id: Uuid,
167
+ offer_id: Uuid.optional().meta({
168
+ description: 'Id of the created offer row. Omitted when the create failed before insert.',
169
+ }),
170
+ role: z.string().meta({ description: 'Role being offered.' }),
171
+ scope_id: Uuid.nullish().meta({
172
+ description: 'Scope of the offered role; null for global offers.',
173
+ }),
174
+ to_account_id: Uuid.meta({ description: 'Account the offer is directed to.' }),
117
175
  }),
118
176
  // `permit_grant` is emitted alongside on accept — two events per accept by
119
177
  // design: offer-lifecycle audit + permit-lifecycle audit.
120
178
  permit_offer_accept: z.looseObject({
121
- offer_id: Uuid,
122
- permit_id: Uuid,
123
- role: z.string(),
124
- scope_id: Uuid.nullish(),
179
+ offer_id: Uuid.meta({ description: 'Id of the accepted offer.' }),
180
+ permit_id: Uuid.meta({ description: 'Id of the resulting permit row.' }),
181
+ role: z.string().meta({ description: 'Role granted by the offer.' }),
182
+ scope_id: Uuid.nullish().meta({
183
+ description: 'Scope of the resulting permit; null for global permits.',
184
+ }),
125
185
  }),
126
186
  permit_offer_decline: z.looseObject({
127
- offer_id: Uuid,
128
- role: z.string(),
129
- scope_id: Uuid.nullish(),
130
- reason: z.string().optional(),
187
+ offer_id: Uuid.meta({ description: 'Id of the declined offer.' }),
188
+ role: z.string().meta({ description: 'Role that was offered.' }),
189
+ scope_id: Uuid.nullish().meta({
190
+ description: 'Scope of the offered role; null for global offers.',
191
+ }),
192
+ reason: z
193
+ .string()
194
+ .optional()
195
+ .meta({ description: 'Optional decline reason text from the recipient.' }),
131
196
  }),
132
197
  permit_offer_retract: z.looseObject({
133
- offer_id: Uuid,
134
- role: z.string(),
135
- scope_id: Uuid.nullish(),
198
+ offer_id: Uuid.meta({ description: 'Id of the retracted offer.' }),
199
+ role: z.string().meta({ description: 'Role that was offered.' }),
200
+ scope_id: Uuid.nullish().meta({
201
+ description: 'Scope of the offered role; null for global offers.',
202
+ }),
136
203
  }),
137
204
  permit_offer_expire: z.looseObject({
138
- offer_id: Uuid,
139
- role: z.string(),
140
- scope_id: Uuid.nullish(),
205
+ offer_id: Uuid.meta({ description: 'Id of the expired offer.' }),
206
+ role: z.string().meta({ description: 'Role that was offered.' }),
207
+ scope_id: Uuid.nullish().meta({
208
+ description: 'Scope of the offered role; null for global offers.',
209
+ }),
141
210
  }),
142
211
  // Emitted when an offer is obsoleted by an external event. `reason`
143
212
  // distinguishes the trigger; `cause_id` points to the accepted offer
144
213
  // (for `sibling_accepted`), the revoked permit (for `permit_revoked`),
145
214
  // or the destroyed parent scope row (for `scope_destroyed`).
146
215
  permit_offer_supersede: z.looseObject({
147
- offer_id: Uuid,
148
- role: z.string(),
149
- scope_id: Uuid.nullish(),
150
- reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']),
151
- cause_id: Uuid,
216
+ offer_id: Uuid.meta({ description: 'Id of the superseded offer.' }),
217
+ role: z.string().meta({ description: 'Role that was offered.' }),
218
+ scope_id: Uuid.nullish().meta({
219
+ description: 'Scope of the offered role; null for global offers.',
220
+ }),
221
+ reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']).meta({
222
+ description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting permit was revoked, or the parent scope row was destroyed.',
223
+ }),
224
+ cause_id: Uuid.meta({
225
+ description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked permit (`permit_revoked`), or destroyed parent scope row (`scope_destroyed`).',
226
+ }),
152
227
  }),
153
228
  invite_create: z.looseObject({
154
- invite_id: Uuid,
155
- email: z.string().nullable(),
156
- username: z.string().nullable(),
229
+ invite_id: Uuid.meta({ description: 'Id of the created invite.' }),
230
+ email: z.string().nullable().meta({ description: 'Invited email address; null when not set.' }),
231
+ username: z.string().nullable().meta({ description: 'Invited username; null when not set.' }),
232
+ }),
233
+ invite_delete: z.looseObject({
234
+ invite_id: Uuid.meta({ description: 'Id of the deleted invite.' }),
157
235
  }),
158
- invite_delete: z.looseObject({ invite_id: Uuid }),
159
236
  app_settings_update: z.looseObject({
160
- setting: z.string(),
161
- old_value: z.unknown(),
162
- new_value: z.unknown(),
237
+ setting: z.string().meta({ description: 'Name of the setting that changed.' }),
238
+ old_value: z.unknown().meta({ description: 'Setting value before the update.' }),
239
+ new_value: z.unknown().meta({ description: 'Setting value after the update.' }),
163
240
  }),
164
241
  });
165
242
  /**
@@ -184,6 +261,8 @@ export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
184
261
  * Call once at startup; pass the result to consumer-emitted
185
262
  * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
186
263
  * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
264
+ *
265
+ * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
187
266
  */
188
267
  export const create_audit_log_config = (options) => {
189
268
  const extras = options?.extra_events;
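Review bot: The descriptions added in `AUDIT_METADATA_SCHEMAS` name several fields as caller-supplied text (`login.username`, the `reason` on `permit_revoke` and `permit_offer_decline`, `token_create.name`), yet those fields remain bare `z.string()` with no length bound, and the descriptions do not say the value is stored unverified. `login.username` is described as the value submitted with the attempt, so presumably it is recorded for failed attempts too and can hold arbitrary text, including a secret typed into the wrong field; I would word it as `'Username as submitted with the login attempt; unauthenticated input, may not match an account.'`. If a length limit is enforced where these values are accepted, which is not visible in this file section, stating it in each description lets audit-log consumers rely on it; if not, a `.max(...)` on these strings is worth adding. The part of the object between the first and second hunks is not shown.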
@@ -37,6 +37,8 @@ import { type RateLimiter } from '../rate_limiter.js';
37
37
  * @param deps - query dependencies (pool-level db for middleware)
38
38
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
39
39
  * @param log - the logger instance
40
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
41
+ * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
40
42
  */
41
43
  export declare const create_bearer_auth_middleware: (deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger) => MiddlewareHandler;
42
44
  //# sourceMappingURL=bearer_auth.d.ts.map
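Review bot: The added `@mutates` line for `ip_rate_limiter` says the per-IP limiter "resets on a valid token" without stating the consequence: a request carrying any valid token clears the count for that address, so the limiter does not bound invalid-token attempts from a client that also holds one valid token. If that trade-off is intended, the doc should say so, e.g. `@mutates ip_rate_limiter - records each attempt; a valid token resets the count for that IP, so it is not a bound for callers that already hold a token`. "records on attempt" should also say whether successful requests are counted before the reset. The same two lines are added in `bearer_auth.js`, and the middleware body is outside both hunks, so the actual order of record and reset cannot be checked here.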
@@ -1 +1 @@
1
- {"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}
1
+ {"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}
@@ -38,6 +38,8 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
38
38
  * @param deps - query dependencies (pool-level db for middleware)
39
39
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
40
40
  * @param log - the logger instance
41
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
42
+ * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
41
43
  */
42
44
  export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
43
45
  return async (c, next) => {
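Review bot: The added `@mutates` line for `ip_rate_limiter` says the limiter "resets on a valid token" without saying what is reset, and for a per-IP limiter that is the security-relevant detail. If the reset clears the whole counter for the client address, a caller holding one valid token can clear its own failed-attempt count, so the limiter does not bound guessing from that address. I would either state that in the doc, e.g. `@mutates ip_rate_limiter - records each attempt against the client IP; a valid token resets that IP's counter`, or not reset on success. This is read from the comment and the `@param` text only, since the middleware body continues past the end of the hunk. The identical line in the `bearer_auth.d.ts` hunk above needs the same wording.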
@@ -77,6 +77,9 @@ export interface BootstrapAccountDeps {
77
77
  * @param provided_token - the bootstrap token from the user
78
78
  * @param input - username and password
79
79
  * @returns the created account, actor, and permits — or a bootstrap failure
80
+ * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
81
+ * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
82
+ * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
80
83
  */
81
84
  export declare const bootstrap_account: (deps: BootstrapAccountDeps, provided_token: string, input: BootstrapAccountInput) => Promise<BootstrapAccountResult>;
82
85
  //# sourceMappingURL=bootstrap_account.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
1
+ {"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
@@ -28,6 +28,9 @@ import { query_grant_permit } from './permit_queries.js';
28
28
  * @param provided_token - the bootstrap token from the user
29
29
  * @param input - username and password
30
30
  * @returns the created account, actor, and permits — or a bootstrap failure
31
+ * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
32
+ * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
33
+ * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
31
34
  */
32
35
  export const bootstrap_account = async (deps, provided_token, input) => {
33
36
  const { db, token_path, read_text_file, delete_file, password, log } = deps;
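Review bot: The `@mutates filesystem` line says the delete is "reported via `token_file_deleted`" but not what a false value means for the caller: by then the account is committed and the bootstrap secret is still on disk. The `bootstrap_lock` line above it suggests the token cannot be replayed once `bootstrapped` is `true`, but the comment does not say so. I would extend the line to `@mutates filesystem - deletes the bootstrap token file after commit; when token_file_deleted is false the file is still on disk and must be removed by the operator`. Only the destructuring line of the body is inside the hunk, so confirm the failure path against the implementation. The same comment is added in the `bootstrap_account.d.ts` hunk above.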
@@ -55,6 +55,8 @@ export interface AuthCleanupResult {
55
55
  * expiry, and accepted rows are the provenance for the resulting permit
56
56
  * (deleting expired rows would not threaten that, but keeping them uniform
57
57
  * with the retention policy for terminal rows is simpler).
58
+ *
59
+ * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
58
60
  */
59
61
  export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => Promise<number>;
60
62
  /**
@@ -66,6 +68,10 @@ export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => P
66
68
  * re-thrown so the caller's scheduler can log/alert; use the per-task
67
69
  * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
68
70
  * directly if you need finer error isolation.
71
+ *
72
+ * @mutates `auth_session` table - deletes expired sessions
73
+ * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
74
+ * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
69
75
  */
70
76
  export declare const run_auth_cleanup: (deps: AuthCleanupDeps) => Promise<AuthCleanupResult>;
71
77
  //# sourceMappingURL=cleanup.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
1
+ {"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
@@ -30,6 +30,8 @@ import { query_audit_log } from './audit_log_queries.js';
30
30
  * expiry, and accepted rows are the provenance for the resulting permit
31
31
  * (deleting expired rows would not threaten that, but keeping them uniform
32
32
  * with the retention policy for terminal rows is simpler).
33
+ *
34
+ * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
33
35
  */
34
36
  export const cleanup_expired_permit_offers = async (deps) => {
35
37
  const expired = await query_permit_offer_sweep_expired(deps);
@@ -72,6 +74,10 @@ export const cleanup_expired_permit_offers = async (deps) => {
72
74
  * re-thrown so the caller's scheduler can log/alert; use the per-task
73
75
  * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
74
76
  * directly if you need finer error isolation.
77
+ *
78
+ * @mutates `auth_session` table - deletes expired sessions
79
+ * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
80
+ * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
75
81
  */
76
82
  export const run_auth_cleanup = async (deps) => {
77
83
  const expired_sessions = await query_session_cleanup_expired(deps);
@@ -3,7 +3,7 @@
3
3
  *
4
4
  * Pure auth operations with no I/O or state management.
5
5
  * The middleware, rotation, and persistence logic lives in
6
- * `daemon_token_middleware.ts`.
6
+ * `auth/daemon_token_middleware.ts`.
7
7
  *
8
8
  * @module
9
9
  */
@@ -3,7 +3,7 @@
3
3
  *
4
4
  * Pure auth operations with no I/O or state management.
5
5
  * The middleware, rotation, and persistence logic lives in
6
- * `daemon_token_middleware.ts`.
6
+ * `auth/daemon_token_middleware.ts`.
7
7
  *
8
8
  * @module
9
9
  */
@@ -4,7 +4,7 @@
4
4
  * Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
5
5
  * rotation on an interval, and HTTP middleware for authentication.
6
6
  *
7
- * Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
7
+ * Pure token primitives (schema, generation, validation) live in `auth/daemon_token.ts`.
8
8
  * See docs/identity.md for design rationale.
9
9
  *
10
10
  * @module
@@ -37,6 +37,7 @@ export declare const get_daemon_token_path: (runtime: Pick<EnvDeps, "env_get">,
37
37
  * @param runtime - runtime with file write capabilities
38
38
  * @param token_path - path to write the token
39
39
  * @param token - the raw token string
40
+ * @mutates filesystem - writes `token_path` atomically and `chmod 0600` when supported
40
41
  */
41
42
  export declare const write_daemon_token: (runtime: DaemonTokenWriteDeps, token_path: string, token: string) => Promise<void>;
42
43
  /**
@@ -74,6 +75,8 @@ export interface DaemonTokenRotation {
74
75
  * @param options - rotation configuration
75
76
  * @param log - the logger instance
76
77
  * @returns rotation state and stop function
78
+ * @mutates filesystem - writes the token file on each rotation; `stop` removes it
79
+ * @throws Error if `$HOME` is not set so the daemon token path cannot be resolved
77
80
  */
78
81
  export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps & FsRemoveDeps, deps: QueryDeps, options: DaemonTokenRotationOptions, log: Logger) => Promise<DaemonTokenRotation>;
79
82
  /**
@@ -88,6 +91,7 @@ export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps
88
91
  *
89
92
  * @param state - the daemon token runtime state
90
93
  * @param deps - query dependencies (pool-level db for middleware)
94
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
91
95
  */
92
96
  export declare const create_daemon_token_middleware: (state: DaemonTokenState, deps: QueryDeps) => MiddlewareHandler;
93
97
  //# sourceMappingURL=daemon_token_middleware.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAqCF,CAAC"}
1
+ {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAqCF,CAAC"}
@@ -4,7 +4,7 @@
4
4
  * Manages the lifecycle of filesystem-resident daemon tokens: writing to disk,
5
5
  * rotation on an interval, and HTTP middleware for authentication.
6
6
  *
7
- * Pure token primitives (schema, generation, validation) live in `daemon_token.ts`.
7
+ * Pure token primitives (schema, generation, validation) live in `auth/daemon_token.ts`.
8
8
  * See docs/identity.md for design rationale.
9
9
  *
10
10
  * @module
@@ -39,6 +39,7 @@ export const get_daemon_token_path = (runtime, name) => {
39
39
  * @param runtime - runtime with file write capabilities
40
40
  * @param token_path - path to write the token
41
41
  * @param token - the raw token string
42
+ * @mutates filesystem - writes `token_path` atomically and `chmod 0600` when supported
42
43
  */
43
44
  export const write_daemon_token = async (runtime, token_path, token) => {
44
45
  await write_file_atomic(runtime, token_path, token + '\n');
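Review bot: `chmod 0600 when supported` leaves the unsupported case undocumented: on a runtime without a chmod capability the daemon token would keep whatever mode the process umask produces, and a reader of this doc cannot tell. I would spell it out, e.g. `@mutates filesystem - writes token_path atomically, then chmod 0600 if the runtime can; otherwise the file keeps its umask-derived mode`. The one visible statement is `write_file_atomic(...)`, so if the chmod runs after it there is also a short window in which the token is readable under the default mode. Creating the temp file with the restrictive mode, or requiring a private parent directory, would close that window. The rest of `write_daemon_token` is outside the hunk, so both points need checking against the full body.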
@@ -69,6 +70,8 @@ export const resolve_keeper_account_id = async (deps) => {
69
70
  * @param options - rotation configuration
70
71
  * @param log - the logger instance
71
72
  * @returns rotation state and stop function
73
+ * @mutates filesystem - writes the token file on each rotation; `stop` removes it
74
+ * @throws Error if `$HOME` is not set so the daemon token path cannot be resolved
72
75
  */
73
76
  export const start_daemon_token_rotation = async (runtime, deps, options, log) => {
74
77
  const { app_name, rotation_interval_ms = DEFAULT_ROTATION_INTERVAL_MS } = options;
@@ -134,6 +137,7 @@ export const start_daemon_token_rotation = async (runtime, deps, options, log) =
134
137
  *
135
138
  * @param state - the daemon token runtime state
136
139
  * @param deps - query dependencies (pool-level db for middleware)
140
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
137
141
  */
138
142
  export const create_daemon_token_middleware = (state, deps) => {
139
143
  return async (c, next) => {
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * Auth table DDL — CREATE TABLE, index, and seed statements.
3
3
  *
4
- * Consumed by `migrations.ts`. Separated from `account_schema.ts`
4
+ * Consumed by `auth/migrations.ts`. Separated from `auth/account_schema.ts`
5
5
  * to isolate DDL concerns from runtime types.
6
6
  *
7
7
  * @module
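--- a/package/dist/auth/ddl.js
+++ b/package/dist/auth/ddl.js
@@ -1,7 +1,7 @@
  /**
  * Auth table DDL — CREATE TABLE, index, and seed statements.
  *
- * Consumed by `migrations.ts`. Separated from `account_schema.ts`
+ * Consumed by `auth/migrations.ts`. Separated from `auth/account_schema.ts`
  * to isolate DDL concerns from runtime types.
  *
  * @module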
@@ -14,6 +14,8 @@ import type { Invite, CreateInviteInput, InviteWithUsernamesJson } from './invit
14
14
  * @param deps - query dependencies
15
15
  * @param input - the invite fields
16
16
  * @returns the created invite
17
+ * @mutates `invite` table - inserts the new row
18
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
17
19
  */
18
20
  export declare const query_create_invite: (deps: QueryDeps, input: CreateInviteInput) => Promise<Invite>;
19
21
  /**
@@ -44,6 +46,7 @@ export declare const query_invite_find_unclaimed_match: (deps: QueryDeps, email:
44
46
  * @param invite_id - the invite to claim
45
47
  * @param account_id - the account claiming the invite
46
48
  * @returns true if the invite was claimed, false if already claimed or not found
49
+ * @mutates `invite` row - sets `claimed_by` and `claimed_at` when still unclaimed
47
50
  */
48
51
  export declare const query_invite_claim: (deps: QueryDeps, invite_id: string, account_id: string) => Promise<boolean>;
49
52
  /**
@@ -63,6 +66,7 @@ export declare const query_invite_list_all_with_usernames: (deps: QueryDeps) =>
63
66
  * @param deps - query dependencies
64
67
  * @param id - the invite id
65
68
  * @returns true if deleted, false if not found or already claimed
69
+ * @mutates `invite` table - deletes the row when still unclaimed
66
70
  */
67
71
  export declare const query_invite_delete_unclaimed: (deps: QueryDeps, id: string) => Promise<boolean>;
68
72
  //# sourceMappingURL=invite_queries.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"invite_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAE,iBAAiB,EAAE,uBAAuB,EAAC,MAAM,oBAAoB,CAAC;AAE3F;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,OAAO,iBAAiB,KACtB,OAAO,CAAC,MAAM,CAQhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,OAAO,MAAM,GAAG,IAAI,EACpB,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAElF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAUxC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,CAMjB,CAAC"}
1
+ {"version":3,"file":"invite_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAE,iBAAiB,EAAE,uBAAuB,EAAC,MAAM,oBAAoB,CAAC;AAE3F;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,OAAO,iBAAiB,KACtB,OAAO,CAAC,MAAM,CAQhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,OAAO,MAAM,GAAG,IAAI,EACpB,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAe5B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAElF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAUxC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,CAMjB,CAAC"}
@@ -13,6 +13,8 @@ import { assert_row } from '../db/assert_row.js';
13
13
  * @param deps - query dependencies
14
14
  * @param input - the invite fields
15
15
  * @returns the created invite
16
+ * @mutates `invite` table - inserts the new row
17
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
16
18
  */
17
19
  export const query_create_invite = async (deps, input) => {
18
20
  const row = await deps.db.query_one(`INSERT INTO invite (email, username, created_by)
@@ -64,6 +66,7 @@ export const query_invite_find_unclaimed_match = async (deps, email, username) =
64
66
  * @param invite_id - the invite to claim
65
67
  * @param account_id - the account claiming the invite
66
68
  * @returns true if the invite was claimed, false if already claimed or not found
69
+ * @mutates `invite` row - sets `claimed_by` and `claimed_at` when still unclaimed
67
70
  */
68
71
  export const query_invite_claim = async (deps, invite_id, account_id) => {
69
72
  const rows = await deps.db.query(`UPDATE invite SET claimed_by = $1, claimed_at = NOW()
@@ -98,6 +101,7 @@ export const query_invite_list_all_with_usernames = async (deps) => {
98
101
  * @param deps - query dependencies
99
102
  * @param id - the invite id
100
103
  * @returns true if deleted, false if not found or already claimed
104
+ * @mutates `invite` table - deletes the row when still unclaimed
101
105
  */
102
106
  export const query_invite_delete_unclaimed = async (deps, id) => {
103
107
  const rows = await deps.db.query(`DELETE FROM invite WHERE id = $1 AND claimed_at IS NULL RETURNING id`, [id]);
@@ -2,7 +2,7 @@
2
2
  * Password hashing type definitions.
3
3
  *
4
4
  * Defines the `PasswordHashDeps` injectable interface and `PASSWORD_LENGTH_MIN`.
5
- * Concrete Argon2id implementation lives in `password_argon2.ts`.
5
+ * Concrete Argon2id implementation lives in `auth/password_argon2.ts`.
6
6
  *
7
7
  * @module
8
8
  */
@@ -2,7 +2,7 @@
2
2
  * Password hashing type definitions.
3
3
  *
4
4
  * Defines the `PasswordHashDeps` injectable interface and `PASSWORD_LENGTH_MIN`.
5
- * Concrete Argon2id implementation lives in `password_argon2.ts`.
5
+ * Concrete Argon2id implementation lives in `auth/password_argon2.ts`.
6
6
  *
7
7
  * @module
8
8
  */
@@ -209,6 +209,7 @@ export declare const permit_offer_create_action_spec: {
209
209
  }, z.core.$strict>;
210
210
  async: true;
211
211
  description: string;
212
+ error_reasons: ("offer_self_target" | "offer_role_not_grantable" | "offer_not_authorized")[];
212
213
  };
213
214
  export declare const permit_offer_accept_action_spec: {
214
215
  method: string;
@@ -241,6 +242,7 @@ export declare const permit_offer_accept_action_spec: {
241
242
  }, z.core.$strict>;
242
243
  async: true;
243
244
  description: string;
245
+ error_reasons: ("offer_terminal" | "offer_expired" | "offer_not_found")[];
244
246
  };
245
247
  export declare const permit_offer_decline_action_spec: {
246
248
  method: string;
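Review bot: The new `error_reasons` unions carry no comment on when each reason is returned, and `offer_not_found` next to `offer_terminal` / `offer_expired` is where that matters. If a caller who is not the offer's recipient can receive the latter two, the reason reveals that an offer id exists and what state it is in. A one-line doc on the source spec would settle it, e.g. `/** Reasons are returned to the caller; an offer not addressed to the caller must report offer_not_found. */`. Whether the handlers already behave this way cannot be seen from this declaration file. The same question applies to the decline and retract hunks below and to `account_not_found` on `permit_revoke_action_spec`.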
@@ -257,6 +259,7 @@ export declare const permit_offer_decline_action_spec: {
257
259
  }, z.core.$strict>;
258
260
  async: true;
259
261
  description: string;
262
+ error_reasons: ("offer_terminal" | "offer_not_found")[];
260
263
  };
261
264
  export declare const permit_offer_retract_action_spec: {
262
265
  method: string;
@@ -272,6 +275,7 @@ export declare const permit_offer_retract_action_spec: {
272
275
  }, z.core.$strict>;
273
276
  async: true;
274
277
  description: string;
278
+ error_reasons: ("offer_terminal" | "offer_not_found")[];
275
279
  };
276
280
  export declare const permit_offer_list_action_spec: {
277
281
  method: string;
@@ -354,6 +358,7 @@ export declare const permit_revoke_action_spec: {
354
358
  }, z.core.$strict>;
355
359
  async: true;
356
360
  description: string;
361
+ error_reasons: ("account_not_found" | "role_not_web_grantable" | "permit_not_found")[];
357
362
  };
358
363
  /**
359
364
  * All permit-offer action specs — a codegen-ready registry. Consumers spread
@@ -1 +1 @@
1
- {"version":3,"file":"permit_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAKzE,gEAAgE;AAChE,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AACpE,kEAAkE;AAClE,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAC9D,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAC5D,wGAAwG;AACxG,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAChE,qGAAqG;AACrG,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,gKAAgK;AAChK,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;kBAWjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,mGAAmG;AACnG,eAAO,MAAM,oBAAoB;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;kBAUlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;kBAIlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kEAAkE;AAClE,eAAO,MAAM,mBAAmB;;kBAAwC,CAAC;AACzE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AACxF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,yCAAyC;AACzC,eAAO,MAAM,wBAAwB;;;;;;
;;;;;;;;;;;kBAAqD,CAAC;AAC3F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWL,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,EAAE,KAAK,CAAC,yBAAyB,CAQ1E,CAAC"}
1
+ {"version":3,"file":"permit_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,gEAAgE;AAChE,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AACpE,kEAAkE;AAClE,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAC9D,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAC5D,wGAAwG;AACxG,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAChE,qGAAqG;AACrG,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,gKAAgK;AAChK,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;kBAWjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,mGAAmG;AACnG,eAAO,MAAM,oBAAoB;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;kBAUlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;kBAIlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kEAAkE;AAClE,eAAO,MAAM,mBAAmB;;kBAAwC,CAAC;AACzE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AACxF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,yCAAyC;AACzC,eAAO,MAAM,wBAAwB;;;;;;
;;;;;;;;;;;kBAAqD,CAAC;AAC3F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgBP,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAYP,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWL,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;CAYD,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,EAAE,KAAK,CAAC,yBAAyB,CAQ1E,CAAC"}