npm - @fuzdev/fuz_app - Versions diffs - 0.51.0 → 0.52.0 - Mend

@fuzdev/fuz_app 0.51.0 → 0.52.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (320) hide show

package/dist/actions/CLAUDE.md +14 -1
package/dist/actions/action_bridge.d.ts +3 -1
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +3 -1
package/dist/actions/action_codegen.d.ts +18 -8
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +18 -8
package/dist/actions/action_event.d.ts +44 -1
package/dist/actions/action_event.d.ts.map +1 -1
package/dist/actions/action_event.js +44 -1
package/dist/actions/action_event_helpers.d.ts +26 -0
package/dist/actions/action_event_helpers.d.ts.map +1 -1
package/dist/actions/action_event_helpers.js +26 -1
package/dist/actions/action_peer.d.ts +17 -0
package/dist/actions/action_peer.d.ts.map +1 -1
package/dist/actions/action_peer.js +8 -0
package/dist/actions/action_registry.d.ts +1 -1
package/dist/actions/action_registry.js +1 -1
package/dist/actions/action_rpc.d.ts +4 -0
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +4 -0
package/dist/actions/action_spec.d.ts +22 -2
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -2
package/dist/actions/register_action_ws.d.ts +3 -0
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +3 -0
package/dist/actions/register_ws_endpoint.d.ts +3 -0
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +3 -0
package/dist/actions/request_tracker.svelte.d.ts +14 -1
package/dist/actions/request_tracker.svelte.d.ts.map +1 -1
package/dist/actions/request_tracker.svelte.js +14 -1
package/dist/actions/socket.svelte.d.ts +35 -15
package/dist/actions/socket.svelte.d.ts.map +1 -1
package/dist/actions/socket.svelte.js +33 -13
package/dist/actions/transports.d.ts +12 -3
package/dist/actions/transports.d.ts.map +1 -1
package/dist/actions/transports.js +16 -7
package/dist/actions/transports_http.d.ts +7 -0
package/dist/actions/transports_http.d.ts.map +1 -1
package/dist/actions/transports_http.js +7 -0
package/dist/actions/transports_ws.d.ts +13 -0
package/dist/actions/transports_ws.d.ts.map +1 -1
package/dist/actions/transports_ws.js +13 -0
package/dist/actions/transports_ws_auth_guard.d.ts +6 -2
package/dist/actions/transports_ws_auth_guard.d.ts.map +1 -1
package/dist/actions/transports_ws_auth_guard.js +6 -2
package/dist/actions/transports_ws_backend.d.ts +14 -1
package/dist/actions/transports_ws_backend.d.ts.map +1 -1
package/dist/actions/transports_ws_backend.js +14 -1
package/dist/auth/CLAUDE.md +40 -4
package/dist/auth/account_queries.d.ts +10 -0
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +10 -0
package/dist/auth/admin_actions.d.ts +1 -0
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +1 -0
package/dist/auth/api_token_queries.d.ts +7 -0
package/dist/auth/api_token_queries.d.ts.map +1 -1
package/dist/auth/api_token_queries.js +7 -0
package/dist/auth/app_settings_queries.d.ts +4 -0
package/dist/auth/app_settings_queries.d.ts.map +1 -1
package/dist/auth/app_settings_queries.js +4 -0
package/dist/auth/audit_log_queries.d.ts +6 -0
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +6 -0
package/dist/auth/audit_log_schema.d.ts +2 -0
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +134 -55
package/dist/auth/bearer_auth.d.ts +2 -0
package/dist/auth/bearer_auth.d.ts.map +1 -1
package/dist/auth/bearer_auth.js +2 -0
package/dist/auth/bootstrap_account.d.ts +3 -0
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +3 -0
package/dist/auth/cleanup.d.ts +6 -0
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +6 -0
package/dist/auth/daemon_token_middleware.d.ts +4 -0
package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
package/dist/auth/daemon_token_middleware.js +4 -0
package/dist/auth/invite_queries.d.ts +4 -0
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +4 -0
package/dist/auth/permit_offer_action_specs.d.ts +5 -0
package/dist/auth/permit_offer_action_specs.d.ts.map +1 -1
package/dist/auth/permit_offer_action_specs.js +10 -0
package/dist/auth/permit_offer_queries.d.ts +19 -0
package/dist/auth/permit_offer_queries.d.ts.map +1 -1
package/dist/auth/permit_offer_queries.js +19 -0
package/dist/auth/permit_queries.d.ts +8 -0
package/dist/auth/permit_queries.d.ts.map +1 -1
package/dist/auth/permit_queries.js +8 -0
package/dist/auth/request_context.d.ts +1 -0
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +1 -0
package/dist/auth/role_schema.d.ts +2 -0
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +2 -0
package/dist/auth/self_service_role_actions.d.ts +1 -0
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +1 -0
package/dist/auth/session_lifecycle.d.ts +3 -0
package/dist/auth/session_lifecycle.d.ts.map +1 -1
package/dist/auth/session_lifecycle.js +3 -0
package/dist/auth/session_middleware.d.ts +5 -0
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +5 -0
package/dist/auth/session_queries.d.ts +9 -0
package/dist/auth/session_queries.d.ts.map +1 -1
package/dist/auth/session_queries.js +9 -0
package/dist/cli/config.d.ts +2 -0
package/dist/cli/config.d.ts.map +1 -1
package/dist/cli/config.js +2 -0
package/dist/cli/daemon.d.ts +6 -1
package/dist/cli/daemon.d.ts.map +1 -1
package/dist/cli/daemon.js +6 -1
package/dist/db/assert_row.d.ts +2 -1
package/dist/db/assert_row.d.ts.map +1 -1
package/dist/db/assert_row.js +2 -1
package/dist/db/create_db.d.ts +3 -0
package/dist/db/create_db.d.ts.map +1 -1
package/dist/db/create_db.js +3 -0
package/dist/db/db.d.ts +19 -4
package/dist/db/db.d.ts.map +1 -1
package/dist/db/db.js +18 -3
package/dist/db/db_pg.d.ts +2 -1
package/dist/db/db_pg.d.ts.map +1 -1
package/dist/db/db_pg.js +5 -3
package/dist/db/db_pglite.d.ts +3 -2
package/dist/db/db_pglite.d.ts.map +1 -1
package/dist/db/db_pglite.js +3 -2
package/dist/db/migrate.d.ts +8 -4
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +6 -2
package/dist/db/sql_identifier.d.ts +2 -1
package/dist/db/sql_identifier.d.ts.map +1 -1
package/dist/db/sql_identifier.js +2 -1
package/dist/db/status.d.ts +4 -1
package/dist/db/status.d.ts.map +1 -1
package/dist/db/status.js +5 -2
package/dist/dev/setup.d.ts +18 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +18 -2
package/dist/env/dotenv.d.ts +2 -1
package/dist/env/dotenv.d.ts.map +1 -1
package/dist/env/dotenv.js +2 -1
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/env/resolve.d.ts +1 -1
package/dist/env/resolve.js +1 -1
package/dist/env/update_env_variable.d.ts +2 -0
package/dist/env/update_env_variable.d.ts.map +1 -1
package/dist/env/update_env_variable.js +2 -0
package/dist/http/pending_effects.d.ts +4 -0
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +4 -0
package/dist/http/proxy.d.ts +3 -0
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +3 -0
package/dist/http/route_spec.d.ts +1 -0
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +7 -0
package/dist/rate_limiter.d.ts +14 -1
package/dist/rate_limiter.d.ts.map +1 -1
package/dist/rate_limiter.js +14 -1
package/dist/realtime/sse.d.ts +7 -1
package/dist/realtime/sse.d.ts.map +1 -1
package/dist/realtime/sse.js +3 -1
package/dist/realtime/sse_auth_guard.d.ts +21 -21
package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
package/dist/realtime/sse_auth_guard.js +24 -24
package/dist/realtime/subscriber_registry.d.ts +4 -2
package/dist/realtime/subscriber_registry.d.ts.map +1 -1
package/dist/realtime/subscriber_registry.js +4 -2
package/dist/runtime/fs.d.ts +5 -0
package/dist/runtime/fs.d.ts.map +1 -1
package/dist/runtime/fs.js +5 -0
package/dist/runtime/mock.d.ts +6 -0
package/dist/runtime/mock.d.ts.map +1 -1
package/dist/runtime/mock.js +6 -0
package/dist/server/app_backend.d.ts +1 -0
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +1 -0
package/dist/server/app_server.d.ts +4 -0
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +4 -0
package/dist/server/validate_nginx.d.ts +3 -0
package/dist/server/validate_nginx.d.ts.map +1 -1
package/dist/testing/admin_integration.d.ts +5 -0
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +5 -0
package/dist/testing/adversarial_headers.d.ts +5 -3
package/dist/testing/adversarial_headers.d.ts.map +1 -1
package/dist/testing/adversarial_headers.js +5 -3
package/dist/testing/adversarial_input.d.ts +4 -0
package/dist/testing/adversarial_input.d.ts.map +1 -1
package/dist/testing/adversarial_input.js +4 -0
package/dist/testing/app_server.d.ts +3 -0
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +11 -0
package/dist/testing/assertions.d.ts +23 -7
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +23 -7
package/dist/testing/audit_completeness.d.ts +4 -0
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +4 -0
package/dist/testing/auth_apps.d.ts +3 -0
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +3 -0
package/dist/testing/db.d.ts +9 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +9 -1
package/dist/testing/error_coverage.d.ts +9 -0
package/dist/testing/error_coverage.d.ts.map +1 -1
package/dist/testing/error_coverage.js +9 -0
package/dist/testing/integration.d.ts +4 -0
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +4 -0
package/dist/testing/integration_helpers.d.ts +10 -4
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +10 -4
package/dist/testing/middleware.d.ts +5 -0
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +5 -0
package/dist/testing/rate_limiting.d.ts +3 -0
package/dist/testing/rate_limiting.d.ts.map +1 -1
package/dist/testing/rate_limiting.js +3 -0
package/dist/testing/rpc_helpers.d.ts +21 -8
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +21 -8
package/dist/testing/schema_generators.d.ts +7 -2
package/dist/testing/schema_generators.d.ts.map +1 -1
package/dist/testing/schema_generators.js +7 -2
package/dist/testing/sse_round_trip.d.ts +3 -0
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +3 -0
package/dist/testing/stubs.d.ts +7 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +7 -0
package/dist/testing/surface_invariants.d.ts +14 -0
package/dist/testing/surface_invariants.d.ts.map +1 -1
package/dist/testing/surface_invariants.js +14 -0
package/dist/testing/ws_round_trip.d.ts +13 -1
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/ui/AccountSessions.svelte +9 -0
package/dist/ui/AccountSessions.svelte.d.ts.map +1 -1
package/dist/ui/AdminAccounts.svelte +10 -0
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
package/dist/ui/AdminAuditLog.svelte +10 -0
package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -1
package/dist/ui/AdminInvites.svelte +9 -0
package/dist/ui/AdminInvites.svelte.d.ts.map +1 -1
package/dist/ui/AdminOverview.svelte +10 -0
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/AdminPermitHistory.svelte +9 -0
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -1
package/dist/ui/AdminSessions.svelte +10 -0
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
package/dist/ui/AdminSettings.svelte +9 -0
package/dist/ui/AdminSettings.svelte.d.ts.map +1 -1
package/dist/ui/AdminSurface.svelte +9 -0
package/dist/ui/AdminSurface.svelte.d.ts.map +1 -1
package/dist/ui/AppShell.svelte +24 -0
package/dist/ui/AppShell.svelte.d.ts +23 -0
package/dist/ui/AppShell.svelte.d.ts.map +1 -1
package/dist/ui/BootstrapForm.svelte +17 -0
package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -1
package/dist/ui/ColumnLayout.svelte +11 -0
package/dist/ui/ColumnLayout.svelte.d.ts +10 -0
package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -1
package/dist/ui/Datatable.svelte +18 -0
package/dist/ui/Datatable.svelte.d.ts +17 -0
package/dist/ui/Datatable.svelte.d.ts.map +1 -1
package/dist/ui/LoginForm.svelte +18 -0
package/dist/ui/LoginForm.svelte.d.ts +9 -0
package/dist/ui/LoginForm.svelte.d.ts.map +1 -1
package/dist/ui/LogoutButton.svelte +9 -0
package/dist/ui/LogoutButton.svelte.d.ts +8 -0
package/dist/ui/LogoutButton.svelte.d.ts.map +1 -1
package/dist/ui/MenuLink.svelte +10 -0
package/dist/ui/MenuLink.svelte.d.ts +9 -0
package/dist/ui/MenuLink.svelte.d.ts.map +1 -1
package/dist/ui/OpenSignupToggle.svelte +9 -0
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
package/dist/ui/SignupForm.svelte +16 -0
package/dist/ui/SignupForm.svelte.d.ts +4 -0
package/dist/ui/SignupForm.svelte.d.ts.map +1 -1
package/dist/ui/SurfaceExplorer.svelte +9 -0
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.d.ts +6 -1
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -1
package/dist/ui/auth_state.svelte.d.ts +16 -4
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +16 -4
package/dist/ui/form_state.svelte.d.ts +9 -0
package/dist/ui/form_state.svelte.d.ts.map +1 -1
package/dist/ui/form_state.svelte.js +9 -0
package/dist/ui/loadable.svelte.d.ts +6 -1
package/dist/ui/loadable.svelte.d.ts.map +1 -1
package/dist/ui/loadable.svelte.js +6 -1
package/dist/ui/permit_offers_state.svelte.d.ts +2 -0
package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -1
package/dist/ui/permit_offers_state.svelte.js +2 -0
package/dist/ui/popover.svelte.d.ts +17 -4
package/dist/ui/popover.svelte.d.ts.map +1 -1
package/dist/ui/popover.svelte.js +17 -4
package/dist/ui/position_helpers.d.ts +1 -0
package/dist/ui/position_helpers.d.ts.map +1 -1
package/dist/ui/position_helpers.js +1 -0
package/dist/ui/sidebar_state.svelte.d.ts +22 -9
package/dist/ui/sidebar_state.svelte.d.ts.map +1 -1
package/dist/ui/sidebar_state.svelte.js +17 -2
package/dist/ui/table_state.svelte.d.ts +14 -0
package/dist/ui/table_state.svelte.d.ts.map +1 -1
package/dist/ui/table_state.svelte.js +14 -0
package/package.json +1 -1

package/dist/auth/app_settings_queries.js CHANGED Viewed

@@ -10,6 +10,7 @@
  *
  * @param deps - query dependencies
  * @returns the app settings row
+ * @throws Error if the singleton `app_settings` row is missing (migration drift — should not occur in practice)
  */
 export const query_app_settings_load = async (deps) => {
     const row = await deps.db.query_one(`SELECT open_signup, updated_at, updated_by FROM app_settings WHERE id = 1`);
@@ -23,6 +24,7 @@ export const query_app_settings_load = async (deps) => {
  *
  * @param deps - query dependencies
  * @returns the app settings with `updated_by_username`
+ * @throws Error if the singleton `app_settings` row is missing
  */
 export const query_app_settings_load_with_username = async (deps) => {
     const row = await deps.db.query_one(`SELECT s.open_signup, s.updated_at, s.updated_by, act.name AS updated_by_username
@@ -41,6 +43,8 @@ export const query_app_settings_load_with_username = async (deps) => {
  * @param open_signup - new value for the open_signup toggle
  * @param actor_id - the actor making the change
  * @returns the updated app settings row
+ * @mutates `app_settings` row - sets `open_signup`, `updated_at`, and `updated_by`
+ * @throws Error if the singleton `app_settings` row is missing
  */
 export const query_app_settings_update = async (deps, open_signup, actor_id) => {
     const row = await deps.db.query_one(`UPDATE app_settings SET open_signup = $1, updated_at = NOW(), updated_by = $2 WHERE id = 1 RETURNING open_signup, updated_at, updated_by`, [open_signup, actor_id]);

package/dist/auth/audit_log_queries.d.ts CHANGED Viewed

@@ -36,6 +36,9 @@ export declare const reset_audit_unknown_event_type_failures: () => void;
  * @param input - the audit event to record
  * @param config - audit-log config. Defaults to `BUILTIN_AUDIT_LOG_CONFIG`.
  * @returns the inserted audit log row
+ * @mutates `audit_log` table - inserts the new row
+ * @mutates drift counters - bumps `audit_unknown_event_type_failures` and/or `audit_metadata_validation_failures` on mismatch
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
  */
 export declare const query_audit_log: <T extends string>(deps: QueryDeps, input: AuditLogInput<T>, config?: AuditLogConfig) => Promise<AuditLogEvent>;
 /**
@@ -77,6 +80,7 @@ export declare const query_audit_log_list_permit_history: (deps: QueryDeps, limi
  * @param deps - query dependencies
  * @param before - delete entries created before this date
  * @returns the number of entries deleted
+ * @mutates `audit_log` table - deletes every row with `created_at < before`
  */
 export declare const query_audit_log_cleanup_before: (deps: QueryDeps, before: Date) => Promise<number>;
 /**
@@ -102,6 +106,8 @@ export type AuditLogFireAndForgetDeps = Pick<AppDeps, 'log' | 'on_audit_event' |
  * @param input - the audit event to record
  * @param deps - logger, `on_audit_event` callback, and optional `audit_log_config`
  * @returns the settled promise (callers may ignore it)
+ * @mutates `audit_log` table - inserts a row via `background_db` (independent of the request transaction)
+ * @mutates `route.pending_effects` - pushes the in-flight settled promise for test flushing
  */
 export declare const audit_log_fire_and_forget: <T extends string>(route: Pick<RouteContext, "background_db" | "pending_effects">, input: AuditLogInput<T>, deps: AuditLogFireAndForgetDeps) => Promise<void>;
 //# sourceMappingURL=audit_log_queries.d.ts.map

package/dist/auth/audit_log_queries.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,WAAW,CAAC;AACvC,OAAO,EAGN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,MAAM,uBAAuB,CAAC;AAa/B,iFAAiF;AACjF,eAAO,MAAM,sCAAsC,QAAO,MACvB,CAAC;AAEpC,0CAA0C;AAC1C,eAAO,MAAM,wCAAwC,QAAO,IAE3D,CAAC;AAYF,gFAAgF;AAChF,eAAO,MAAM,qCAAqC,QAAO,MACvB,CAAC;AAEnC,0CAA0C;AAC1C,eAAO,MAAM,uCAAuC,QAAO,IAE1D,CAAC;AAEF~~;;;;;;;;;;;;;GAaG~~;AACH,eAAO,MAAM,eAAe,GAAU,CAAC,SAAS,MAAM,EACrD,MAAM,SAAS,EACf,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,SAAQ,cAAyC,KAC/C,OAAO,CAAC,aAAa,CAmCvB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAwC9B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CA8C/C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAA+B,KAC7B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAO9B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,cAA+B,EAC/B,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAYvC,CAAC;AAEF~~;;;;;;GAMG~~;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,QAAQ,IAAI,KACV,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,OAAO,EACP,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAEF~~;;;;;;;;;;;GAWG~~;AACH,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EACzD,OAAO,IAAI,CAAC,YAAY,EAAE,eAAe,GAAG,iBAAiB,CAAC,EAC9D,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,MAAM,yBAAyB,KAC7B,OAAO,CAAC,IAAI,CAed,CAAC"}
1	+ {"version":3,"file":"audit_log_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,WAAW,CAAC;AACvC,OAAO,EAGN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,MAAM,uBAAuB,CAAC;AAa/B,iFAAiF;AACjF,eAAO,MAAM,sCAAsC,QAAO,MACvB,CAAC;AAEpC,0CAA0C;AAC1C,eAAO,MAAM,wCAAwC,QAAO,IAE3D,CAAC;AAYF,gFAAgF;AAChF,eAAO,MAAM,qCAAqC,QAAO,MACvB,CAAC;AAEnC,0CAA0C;AAC1C,eAAO,MAAM,uCAAuC,QAAO,IAE1D,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,eAAe,GAAU,CAAC,SAAS,MAAM,EACrD,MAAM,SAAS,EACf,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,SAAQ,cAAyC,KAC/C,OAAO,CAAC,aAAa,CAmCvB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAwC9B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CA8C/C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAA+B,KAC7B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAO9B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,cAA+B,EAC/B,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAYvC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,QAAQ,IAAI,KACV,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,OAAO,EACP,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EACzD,OAAO,IAAI,CAAC,YAAY,EAAE,eAAe,GAAG,iBAAiB,CAAC,EAC9D,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,MAAM,yBAAyB,KAC7B,OAAO,CAAC,IAAI,CAed,CAAC"}

package/dist/auth/audit_log_queries.js CHANGED Viewed

@@ -57,6 +57,9 @@ export const reset_audit_unknown_event_type_failures = () => {
  * @param input - the audit event to record
  * @param config - audit-log config. Defaults to `BUILTIN_AUDIT_LOG_CONFIG`.
  * @returns the inserted audit log row
+ * @mutates `audit_log` table - inserts the new row
+ * @mutates drift counters - bumps `audit_unknown_event_type_failures` and/or `audit_metadata_validation_failures` on mismatch
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
  */
 export const query_audit_log = async (deps, input, config = BUILTIN_AUDIT_LOG_CONFIG) => {
     if (!config.event_types.includes(input.event_type)) {
@@ -204,6 +207,7 @@ export const query_audit_log_list_permit_history = async (deps, limit = AUDIT_LO
  * @param deps - query dependencies
  * @param before - delete entries created before this date
  * @returns the number of entries deleted
+ * @mutates `audit_log` table - deletes every row with `created_at < before`
  */
 export const query_audit_log_cleanup_before = async (deps, before) => {
     const rows = await deps.db.query(`DELETE FROM audit_log WHERE created_at < $1 RETURNING id`, [before.toISOString()]);
@@ -220,6 +224,8 @@ export const query_audit_log_cleanup_before = async (deps, before) => {
  * @param input - the audit event to record
  * @param deps - logger, `on_audit_event` callback, and optional `audit_log_config`
  * @returns the settled promise (callers may ignore it)
+ * @mutates `audit_log` table - inserts a row via `background_db` (independent of the request transaction)
+ * @mutates `route.pending_effects` - pushes the in-flight settled promise for test flushing
  */
 export const audit_log_fire_and_forget = (route, input, deps) => {
     const { log, on_audit_event, audit_log_config = BUILTIN_AUDIT_LOG_CONFIG } = deps;

package/dist/auth/audit_log_schema.d.ts CHANGED Viewed

@@ -255,6 +255,8 @@ export interface CreateAuditLogConfigOptions {
  * Call once at startup; pass the result to consumer-emitted
  * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
  * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ *
+ * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
 export declare const create_audit_log_config: (options?: CreateAuditLogConfigOptions) => AuditLogConfig;
 /** Default page size for audit log listings. */

package/dist/auth/audit_log_schema.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,6YAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~EAsGW~~,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED~~;;;;;;;;;GASG~~;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}
1	+ {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,6YAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2LW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}

package/dist/auth/audit_log_schema.js CHANGED Viewed

@@ -60,32 +60,71 @@ export const AuditOutcome = z.enum(['success', 'failure']);
  * freeze isn't a security boundary.
  */
 export const AUDIT_METADATA_SCHEMAS = Object.freeze({
-    login: z.looseObject({ username: z.string() }).nullable(),
+    login: z
+        .looseObject({
+        username: z.string().meta({ description: 'Username submitted with the login attempt.' }),
+    })
+        .nullable(),
     logout: z.null(),
-    bootstrap: z.looseObject({ error: z.string() }).nullable(),
+    bootstrap: z
+        .looseObject({
+        error: z.string().meta({ description: 'Error message for a failed bootstrap attempt.' }),
+    })
+        .nullable(),
     signup: z.looseObject({
-        username: z.string(),
-        invite_id: Uuid.optional(),
-        open_signup: z.boolean().optional(),
+        username: z.string().meta({ description: 'Username chosen at signup.' }),
+        invite_id: Uuid.optional().meta({
+            description: 'Invite consumed by this signup, when one was matched.',
+        }),
+        open_signup: z.boolean().optional().meta({
+            description: 'True when the signup occurred via the `open_signup` setting (no invite required).',
+        }),
+    }),
+    password_change: z
+        .looseObject({
+        sessions_revoked: z
+            .number()
+            .meta({ description: 'Number of sessions revoked as a side effect of the password change.' }),
+    })
+        .nullable(),
+    session_revoke: z.looseObject({
+        session_id: z.string().meta({ description: 'Blake3 hash identifying the revoked session row.' }),
     }),
-    password_change: z.looseObject({ sessions_revoked: z.number() }).nullable(),
-    session_revoke: z.looseObject({ session_id: z.string() }),
     session_revoke_all: z.looseObject({
         // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
         // account not found); `reason` carries the failure category, and
         // `attempted_account_id` preserves the probed id (the `target_account_id`
         // column is null in that case because it's a FK to `account`).
-        count: z.number().optional(),
-        reason: z.string().optional(),
-        attempted_account_id: Uuid.optional(),
+        count: z.number().optional().meta({
+            description: 'Number of sessions revoked. Omitted on `outcome=failure` because no revocation was attempted.',
+        }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
+        attempted_account_id: Uuid.optional().meta({
+            description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
+        }),
+    }),
+    token_create: z.looseObject({
+        token_id: z.string().meta({ description: 'Public id of the created API token (`tok_…`).' }),
+        name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
+    }),
+    token_revoke: z.looseObject({
+        token_id: z.string().meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
     }),
-    token_create: z.looseObject({ token_id: z.string(), name: z.string() }),
-    token_revoke: z.looseObject({ token_id: z.string() }),
     token_revoke_all: z.looseObject({
         // Same shape as `session_revoke_all` for failures.
-        count: z.number().optional(),
-        reason: z.string().optional(),
-        attempted_account_id: Uuid.optional(),
+        count: z.number().optional().meta({
+            description: 'Number of tokens revoked. Omitted on `outcome=failure` because no revocation was attempted.',
+        }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
+        attempted_account_id: Uuid.optional().meta({
+            description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
+        }),
     }),
     // `permit_id` is optional on `permit_grant` because failed grants
     // (e.g. `web_grantable` denied) never produce a permit row.
@@ -94,72 +133,110 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     // riding on `z.looseObject` permissiveness so the field is part of
     // the documented schema surface.
     permit_grant: z.looseObject({
-        role: z.string(),
-        permit_id: Uuid.optional(),
-        scope_id: Uuid.nullish(),
-        source_offer_id: Uuid.optional(),
-        self_service: z.boolean().optional(),
+        role: z.string().meta({ description: 'Role being granted.' }),
+        permit_id: Uuid.optional().meta({
+            description: 'Id of the resulting permit row. Omitted when the grant failed (e.g. `web_grantable` denial).',
+        }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the granted permit; null for global permits.',
+        }),
+        source_offer_id: Uuid.optional().meta({
+            description: 'Offer this grant resolved, when the grant originated from an accepted offer.',
+        }),
+        self_service: z.boolean().optional().meta({
+            description: 'True when the grant came from the self-service role toggle.',
+        }),
     }),
     permit_revoke: z.looseObject({
-        role: z.string(),
-        permit_id: Uuid,
-        scope_id: Uuid.nullish(),
-        reason: z.string().optional(),
-        self_service: z.boolean().optional(),
+        role: z.string().meta({ description: 'Role being revoked.' }),
+        permit_id: Uuid.meta({ description: 'Id of the revoked permit row.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the revoked permit; null for global permits.',
+        }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Optional admin-supplied or self-service reason text.' }),
+        self_service: z.boolean().optional().meta({
+            description: 'True when the revoke came from the self-service role toggle.',
+        }),
     }),
     // `offer_id` is optional because failed creates (e.g. `web_grantable`
     // denied, `authorize` callback denied) never produce an offer row.
     permit_offer_create: z.looseObject({
-        offer_id: Uuid.optional(),
-        role: z.string(),
-        scope_id: Uuid.nullish(),
-        to_account_id: Uuid,
+        offer_id: Uuid.optional().meta({
+            description: 'Id of the created offer row. Omitted when the create failed before insert.',
+        }),
+        role: z.string().meta({ description: 'Role being offered.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the offered role; null for global offers.',
+        }),
+        to_account_id: Uuid.meta({ description: 'Account the offer is directed to.' }),
     }),
     // `permit_grant` is emitted alongside on accept — two events per accept by
     // design: offer-lifecycle audit + permit-lifecycle audit.
     permit_offer_accept: z.looseObject({
-        offer_id: Uuid,
-        permit_id: Uuid,
-        role: z.string(),
-        scope_id: Uuid.nullish(),
+        offer_id: Uuid.meta({ description: 'Id of the accepted offer.' }),
+        permit_id: Uuid.meta({ description: 'Id of the resulting permit row.' }),
+        role: z.string().meta({ description: 'Role granted by the offer.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the resulting permit; null for global permits.',
+        }),
     }),
     permit_offer_decline: z.looseObject({
-        offer_id: Uuid,
-        role: z.string(),
-        scope_id: Uuid.nullish(),
-        reason: z.string().optional(),
+        offer_id: Uuid.meta({ description: 'Id of the declined offer.' }),
+        role: z.string().meta({ description: 'Role that was offered.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the offered role; null for global offers.',
+        }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Optional decline reason text from the recipient.' }),
     }),
     permit_offer_retract: z.looseObject({
-        offer_id: Uuid,
-        role: z.string(),
-        scope_id: Uuid.nullish(),
+        offer_id: Uuid.meta({ description: 'Id of the retracted offer.' }),
+        role: z.string().meta({ description: 'Role that was offered.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the offered role; null for global offers.',
+        }),
     }),
     permit_offer_expire: z.looseObject({
-        offer_id: Uuid,
-        role: z.string(),
-        scope_id: Uuid.nullish(),
+        offer_id: Uuid.meta({ description: 'Id of the expired offer.' }),
+        role: z.string().meta({ description: 'Role that was offered.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the offered role; null for global offers.',
+        }),
     }),
     // Emitted when an offer is obsoleted by an external event. `reason`
     // distinguishes the trigger; `cause_id` points to the accepted offer
     // (for `sibling_accepted`), the revoked permit (for `permit_revoked`),
     // or the destroyed parent scope row (for `scope_destroyed`).
     permit_offer_supersede: z.looseObject({
-        offer_id: Uuid,
-        role: z.string(),
-        scope_id: Uuid.nullish(),
-        reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']),
-        cause_id: Uuid,
+        offer_id: Uuid.meta({ description: 'Id of the superseded offer.' }),
+        role: z.string().meta({ description: 'Role that was offered.' }),
+        scope_id: Uuid.nullish().meta({
+            description: 'Scope of the offered role; null for global offers.',
+        }),
+        reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']).meta({
+            description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting permit was revoked, or the parent scope row was destroyed.',
+        }),
+        cause_id: Uuid.meta({
+            description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked permit (`permit_revoked`), or destroyed parent scope row (`scope_destroyed`).',
+        }),
     }),
     invite_create: z.looseObject({
-        invite_id: Uuid,
-        email: z.string().nullable(),
-        username: z.string().nullable(),
+        invite_id: Uuid.meta({ description: 'Id of the created invite.' }),
+        email: z.string().nullable().meta({ description: 'Invited email address; null when not set.' }),
+        username: z.string().nullable().meta({ description: 'Invited username; null when not set.' }),
+    }),
+    invite_delete: z.looseObject({
+        invite_id: Uuid.meta({ description: 'Id of the deleted invite.' }),
     }),
-    invite_delete: z.looseObject({ invite_id: Uuid }),
     app_settings_update: z.looseObject({
-        setting: z.string(),
-        old_value: z.unknown(),
-        new_value: z.unknown(),
+        setting: z.string().meta({ description: 'Name of the setting that changed.' }),
+        old_value: z.unknown().meta({ description: 'Setting value before the update.' }),
+        new_value: z.unknown().meta({ description: 'Setting value after the update.' }),
     }),
 });
 /**
@@ -184,6 +261,8 @@ export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
  * Call once at startup; pass the result to consumer-emitted
  * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
  * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ *
+ * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
 export const create_audit_log_config = (options) => {
     const extras = options?.extra_events;

package/dist/auth/bearer_auth.d.ts CHANGED Viewed

@@ -37,6 +37,8 @@ import { type RateLimiter } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export declare const create_bearer_auth_middleware: (deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger) => MiddlewareHandler;
 //# sourceMappingURL=bearer_auth.d.ts.map

package/dist/auth/bearer_auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF~~;;;;;;;;;;;;;;;;;;;;;;;GAuBG~~;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}
1	+ {"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}

package/dist/auth/bearer_auth.js CHANGED Viewed

@@ -38,6 +38,8 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
     return async (c, next) => {

package/dist/auth/bootstrap_account.d.ts CHANGED Viewed

@@ -77,6 +77,9 @@ export interface BootstrapAccountDeps {
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
  * @returns the created account, actor, and permits — or a bootstrap failure
+ * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
+ * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export declare const bootstrap_account: (deps: BootstrapAccountDeps, provided_token: string, input: BootstrapAccountInput) => Promise<BootstrapAccountResult>;
 //# sourceMappingURL=bootstrap_account.d.ts.map

package/dist/auth/bootstrap_account.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED~~;;;;;;;;;;;;;;;;;GAiBG~~;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
1	+ {"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}

package/dist/auth/bootstrap_account.js CHANGED Viewed

@@ -28,6 +28,9 @@ import { query_grant_permit } from './permit_queries.js';
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
  * @returns the created account, actor, and permits — or a bootstrap failure
+ * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
+ * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export const bootstrap_account = async (deps, provided_token, input) => {
     const { db, token_path, read_text_file, delete_file, password, log } = deps;

package/dist/auth/cleanup.d.ts CHANGED Viewed

@@ -55,6 +55,8 @@ export interface AuthCleanupResult {
  * expiry, and accepted rows are the provenance for the resulting permit
  * (deleting expired rows would not threaten that, but keeping them uniform
  * with the retention policy for terminal rows is simpler).
+ *
+ * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
  */
 export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => Promise<number>;
 /**
@@ -66,6 +68,10 @@ export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => P
  * re-thrown so the caller's scheduler can log/alert; use the per-task
  * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
  * directly if you need finer error isolation.
+ *
+ * @mutates `auth_session` table - deletes expired sessions
+ * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
+ * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
  */
 export declare const run_auth_cleanup: (deps: AuthCleanupDeps) => Promise<AuthCleanupResult>;
 //# sourceMappingURL=cleanup.d.ts.map

package/dist/auth/cleanup.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED~~;;;;;;;;;GASG~~;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF~~;;;;;;;;;GASG~~;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
1	+ {"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}

package/dist/auth/cleanup.js CHANGED Viewed

@@ -30,6 +30,8 @@ import { query_audit_log } from './audit_log_queries.js';
  * expiry, and accepted rows are the provenance for the resulting permit
  * (deleting expired rows would not threaten that, but keeping them uniform
  * with the retention policy for terminal rows is simpler).
+ *
+ * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
  */
 export const cleanup_expired_permit_offers = async (deps) => {
     const expired = await query_permit_offer_sweep_expired(deps);
@@ -72,6 +74,10 @@ export const cleanup_expired_permit_offers = async (deps) => {
  * re-thrown so the caller's scheduler can log/alert; use the per-task
  * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
  * directly if you need finer error isolation.
+ *
+ * @mutates `auth_session` table - deletes expired sessions
+ * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
+ * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
  */
 export const run_auth_cleanup = async (deps) => {
     const expired_sessions = await query_session_cleanup_expired(deps);

package/dist/auth/daemon_token_middleware.d.ts CHANGED Viewed

@@ -37,6 +37,7 @@ export declare const get_daemon_token_path: (runtime: Pick<EnvDeps, "env_get">,
  * @param runtime - runtime with file write capabilities
  * @param token_path - path to write the token
  * @param token - the raw token string
+ * @mutates filesystem - writes `token_path` atomically and `chmod 0600` when supported
  */
 export declare const write_daemon_token: (runtime: DaemonTokenWriteDeps, token_path: string, token: string) => Promise<void>;
 /**
@@ -74,6 +75,8 @@ export interface DaemonTokenRotation {
  * @param options - rotation configuration
  * @param log - the logger instance
  * @returns rotation state and stop function
+ * @mutates filesystem - writes the token file on each rotation; `stop` removes it
+ * @throws Error if `$HOME` is not set so the daemon token path cannot be resolved
  */
 export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps & FsRemoveDeps, deps: QueryDeps, options: DaemonTokenRotationOptions, log: Logger) => Promise<DaemonTokenRotation>;
 /**
@@ -88,6 +91,7 @@ export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps
  *
  * @param state - the daemon token runtime state
  * @param deps - query dependencies (pool-level db for middleware)
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
  */
 export declare const create_daemon_token_middleware: (state: DaemonTokenState, deps: QueryDeps) => MiddlewareHandler;
 //# sourceMappingURL=daemon_token_middleware.d.ts.map

package/dist/auth/daemon_token_middleware.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF~~;;;;;;;;GAQG~~;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED~~;;;;;;;;;;;GAWG~~;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF~~;;;;;;;;;;;;GAYG~~;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAqCF,CAAC"}
1	+ {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAWrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,MAAM,SAAS,KACb,iBAqCF,CAAC"}

package/dist/auth/daemon_token_middleware.js CHANGED Viewed

@@ -39,6 +39,7 @@ export const get_daemon_token_path = (runtime, name) => {
  * @param runtime - runtime with file write capabilities
  * @param token_path - path to write the token
  * @param token - the raw token string
+ * @mutates filesystem - writes `token_path` atomically and `chmod 0600` when supported
  */
 export const write_daemon_token = async (runtime, token_path, token) => {
     await write_file_atomic(runtime, token_path, token + '\n');
@@ -69,6 +70,8 @@ export const resolve_keeper_account_id = async (deps) => {
  * @param options - rotation configuration
  * @param log - the logger instance
  * @returns rotation state and stop function
+ * @mutates filesystem - writes the token file on each rotation; `stop` removes it
+ * @throws Error if `$HOME` is not set so the daemon token path cannot be resolved
  */
 export const start_daemon_token_rotation = async (runtime, deps, options, log) => {
     const { app_name, rotation_interval_ms = DEFAULT_ROTATION_INTERVAL_MS } = options;
@@ -134,6 +137,7 @@ export const start_daemon_token_rotation = async (runtime, deps, options, log) =
  *
  * @param state - the daemon token runtime state
  * @param deps - query dependencies (pool-level db for middleware)
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
  */
 export const create_daemon_token_middleware = (state, deps) => {
     return async (c, next) => {

package/dist/auth/invite_queries.d.ts CHANGED Viewed

@@ -14,6 +14,8 @@ import type { Invite, CreateInviteInput, InviteWithUsernamesJson } from './invit
  * @param deps - query dependencies
  * @param input - the invite fields
  * @returns the created invite
+ * @mutates `invite` table - inserts the new row
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
  */
 export declare const query_create_invite: (deps: QueryDeps, input: CreateInviteInput) => Promise<Invite>;
 /**
@@ -44,6 +46,7 @@ export declare const query_invite_find_unclaimed_match: (deps: QueryDeps, email:
  * @param invite_id - the invite to claim
  * @param account_id - the account claiming the invite
  * @returns true if the invite was claimed, false if already claimed or not found
+ * @mutates `invite` row - sets `claimed_by` and `claimed_at` when still unclaimed
  */
 export declare const query_invite_claim: (deps: QueryDeps, invite_id: string, account_id: string) => Promise<boolean>;
 /**
@@ -63,6 +66,7 @@ export declare const query_invite_list_all_with_usernames: (deps: QueryDeps) =>
  * @param deps - query dependencies
  * @param id - the invite id
  * @returns true if deleted, false if not found or already claimed
+ * @mutates `invite` table - deletes the row when still unclaimed
  */
 export declare const query_invite_delete_unclaimed: (deps: QueryDeps, id: string) => Promise<boolean>;
 //# sourceMappingURL=invite_queries.d.ts.map

package/dist/auth/invite_queries.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"invite_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAE,iBAAiB,EAAE,uBAAuB,EAAC,MAAM,oBAAoB,CAAC;AAE3F~~;;;;;;GAMG~~;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,OAAO,iBAAiB,KACtB,OAAO,CAAC,MAAM,CAQhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,OAAO,MAAM,GAAG,IAAI,EACpB,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAe5B,CAAC;AAEF~~;;;;;;;GAOG~~;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAElF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAUxC,CAAC;AAEF~~;;;;;;GAMG~~;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,CAMjB,CAAC"}
1	+ {"version":3,"file":"invite_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/invite_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAE,iBAAiB,EAAE,uBAAuB,EAAC,MAAM,oBAAoB,CAAC;AAE3F;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,OAAO,iBAAiB,KACtB,OAAO,CAAC,MAAM,CAQhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAK5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,OAAO,MAAM,GAAG,IAAI,EACpB,UAAU,MAAM,KACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAe5B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAElF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAUxC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,CAMjB,CAAC"}

package/dist/auth/invite_queries.js CHANGED Viewed

@@ -13,6 +13,8 @@ import { assert_row } from '../db/assert_row.js';
  * @param deps - query dependencies
  * @param input - the invite fields
  * @returns the created invite
+ * @mutates `invite` table - inserts the new row
+ * @throws Error if the INSERT does not return a row (failed `assert_row` invariant)
  */
 export const query_create_invite = async (deps, input) => {
     const row = await deps.db.query_one(`INSERT INTO invite (email, username, created_by)
@@ -64,6 +66,7 @@ export const query_invite_find_unclaimed_match = async (deps, email, username) =
  * @param invite_id - the invite to claim
  * @param account_id - the account claiming the invite
  * @returns true if the invite was claimed, false if already claimed or not found
+ * @mutates `invite` row - sets `claimed_by` and `claimed_at` when still unclaimed
  */
 export const query_invite_claim = async (deps, invite_id, account_id) => {
     const rows = await deps.db.query(`UPDATE invite SET claimed_by = $1, claimed_at = NOW()
@@ -98,6 +101,7 @@ export const query_invite_list_all_with_usernames = async (deps) => {
  * @param deps - query dependencies
  * @param id - the invite id
  * @returns true if deleted, false if not found or already claimed
+ * @mutates `invite` table - deletes the row when still unclaimed
  */
 export const query_invite_delete_unclaimed = async (deps, id) => {
     const rows = await deps.db.query(`DELETE FROM invite WHERE id = $1 AND claimed_at IS NULL RETURNING id`, [id]);