npm - @fuzdev/fuz_app - Versions diffs - 0.54.0 → 0.56.0 - Mend

@fuzdev/fuz_app 0.54.0 → 0.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (348) hide show

package/dist/actions/CLAUDE.md +214 -103
package/dist/actions/action_bridge.d.ts +8 -5
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +1 -11
package/dist/actions/action_codegen.d.ts +32 -0
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +35 -15
package/dist/actions/action_registry.d.ts.map +1 -1
package/dist/actions/action_registry.js +5 -2
package/dist/actions/action_rpc.d.ts +141 -22
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +106 -187
package/dist/actions/action_spec.d.ts +55 -16
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -11
package/dist/actions/action_types.d.ts +28 -60
package/dist/actions/action_types.d.ts.map +1 -1
package/dist/actions/action_types.js +13 -5
package/dist/actions/broadcast_api.d.ts +2 -2
package/dist/actions/broadcast_api.js +2 -2
package/dist/actions/compile_action_registry.d.ts +50 -0
package/dist/actions/compile_action_registry.d.ts.map +1 -0
package/dist/actions/compile_action_registry.js +69 -0
package/dist/actions/heartbeat.d.ts +8 -4
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -4
package/dist/actions/perform_action.d.ts +145 -0
package/dist/actions/perform_action.d.ts.map +1 -0
package/dist/actions/perform_action.js +258 -0
package/dist/actions/register_action_ws.d.ts +46 -40
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +101 -159
package/dist/actions/register_ws_endpoint.d.ts +15 -10
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +54 -7
package/dist/actions/transports.d.ts.map +1 -1
package/dist/actions/transports.js +0 -4
package/dist/actions/transports_ws_auth_guard.d.ts +1 -1
package/dist/actions/transports_ws_auth_guard.js +1 -1
package/dist/actions/transports_ws_backend.d.ts +1 -1
package/dist/actions/transports_ws_backend.js +1 -1
package/dist/auth/CLAUDE.md +794 -410
package/dist/auth/account_action_specs.d.ts +28 -7
package/dist/auth/account_action_specs.d.ts.map +1 -1
package/dist/auth/account_action_specs.js +7 -7
package/dist/auth/account_actions.d.ts +7 -13
package/dist/auth/account_actions.d.ts.map +1 -1
package/dist/auth/account_actions.js +26 -35
package/dist/auth/account_queries.d.ts +52 -16
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +87 -38
package/dist/auth/account_routes.d.ts +9 -11
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +118 -46
package/dist/auth/account_schema.d.ts +46 -35
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +21 -28
package/dist/auth/admin_action_specs.d.ts +100 -32
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +64 -33
package/dist/auth/admin_actions.d.ts +13 -19
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +37 -41
package/dist/auth/audit_emitter.d.ts +160 -0
package/dist/auth/audit_emitter.d.ts.map +1 -0
package/dist/auth/audit_emitter.js +83 -0
package/dist/auth/audit_log_queries.d.ts +17 -48
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +20 -56
package/dist/auth/audit_log_routes.d.ts +1 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +7 -3
package/dist/auth/audit_log_schema.d.ts +92 -32
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +75 -46
package/dist/auth/auth_guard_resolver.d.ts +44 -0
package/dist/auth/auth_guard_resolver.d.ts.map +1 -0
package/dist/auth/auth_guard_resolver.js +56 -0
package/dist/auth/bearer_auth.d.ts +9 -7
package/dist/auth/bearer_auth.d.ts.map +1 -1
package/dist/auth/bearer_auth.js +13 -21
package/dist/auth/bootstrap_account.d.ts +7 -7
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +7 -7
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +11 -10
package/dist/auth/cleanup.d.ts +20 -26
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +33 -42
package/dist/auth/credential_type_schema.d.ts +115 -0
package/dist/auth/credential_type_schema.d.ts.map +1 -0
package/dist/auth/credential_type_schema.js +127 -0
package/dist/auth/daemon_token_middleware.d.ts +23 -11
package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
package/dist/auth/daemon_token_middleware.js +28 -22
package/dist/auth/ddl.d.ts +2 -2
package/dist/auth/ddl.d.ts.map +1 -1
package/dist/auth/ddl.js +6 -6
package/dist/auth/deps.d.ts +7 -18
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/grant_path_schema.d.ts +117 -0
package/dist/auth/grant_path_schema.d.ts.map +1 -0
package/dist/auth/grant_path_schema.js +137 -0
package/dist/auth/invite_queries.d.ts +12 -1
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +12 -1
package/dist/auth/invite_schema.d.ts +1 -1
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +1 -1
package/dist/auth/middleware.d.ts.map +1 -1
package/dist/auth/middleware.js +9 -4
package/dist/auth/migrations.d.ts +37 -14
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +79 -32
package/dist/auth/request_context.d.ts +331 -61
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +378 -95
package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} +163 -94
package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -0
package/dist/auth/role_grant_offer_action_specs.js +262 -0
package/dist/auth/role_grant_offer_actions.d.ts +104 -0
package/dist/auth/role_grant_offer_actions.d.ts.map +1 -0
package/dist/auth/role_grant_offer_actions.js +473 -0
package/dist/auth/{permit_offer_notifications.d.ts → role_grant_offer_notifications.d.ts} +90 -70
package/dist/auth/role_grant_offer_notifications.d.ts.map +1 -0
package/dist/auth/role_grant_offer_notifications.js +182 -0
package/dist/auth/role_grant_offer_queries.d.ts +242 -0
package/dist/auth/role_grant_offer_queries.d.ts.map +1 -0
package/dist/auth/role_grant_offer_queries.js +533 -0
package/dist/auth/role_grant_offer_schema.d.ts +150 -0
package/dist/auth/role_grant_offer_schema.d.ts.map +1 -0
package/dist/auth/{permit_offer_schema.js → role_grant_offer_schema.js} +60 -36
package/dist/auth/role_grant_queries.d.ts +231 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -0
package/dist/auth/role_grant_queries.js +320 -0
package/dist/auth/role_schema.d.ts +150 -40
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +144 -45
package/dist/auth/scope_kind_schema.d.ts +96 -0
package/dist/auth/scope_kind_schema.d.ts.map +1 -0
package/dist/auth/scope_kind_schema.js +94 -0
package/dist/auth/self_service_role_action_specs.d.ts +6 -1
package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
package/dist/auth/self_service_role_action_specs.js +3 -1
package/dist/auth/self_service_role_actions.d.ts +34 -27
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +68 -48
package/dist/auth/session_cookie.d.ts +43 -6
package/dist/auth/session_cookie.d.ts.map +1 -1
package/dist/auth/session_cookie.js +31 -5
package/dist/auth/session_middleware.d.ts +37 -3
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +33 -7
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +48 -19
package/dist/auth/standard_action_specs.d.ts +2 -2
package/dist/auth/standard_action_specs.js +4 -4
package/dist/auth/standard_rpc_actions.d.ts +23 -19
package/dist/auth/standard_rpc_actions.d.ts.map +1 -1
package/dist/auth/standard_rpc_actions.js +12 -12
package/dist/db/migrate.d.ts +12 -8
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +10 -7
package/dist/dev/setup.d.ts +2 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +9 -7
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/hono_context.d.ts +64 -5
package/dist/hono_context.d.ts.map +1 -1
package/dist/hono_context.js +38 -2
package/dist/http/CLAUDE.md +264 -87
package/dist/http/auth_shape.d.ts +191 -0
package/dist/http/auth_shape.d.ts.map +1 -0
package/dist/http/auth_shape.js +237 -0
package/dist/http/common_routes.js +3 -3
package/dist/http/db_routes.d.ts +4 -0
package/dist/http/db_routes.d.ts.map +1 -1
package/dist/http/db_routes.js +44 -7
package/dist/http/error_schemas.d.ts +132 -19
package/dist/http/error_schemas.d.ts.map +1 -1
package/dist/http/error_schemas.js +132 -40
package/dist/http/jsonrpc_errors.d.ts +27 -2
package/dist/http/jsonrpc_errors.d.ts.map +1 -1
package/dist/http/jsonrpc_errors.js +26 -2
package/dist/http/pending_effects.d.ts +71 -18
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +87 -18
package/dist/http/proxy.d.ts +52 -5
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +92 -14
package/dist/http/route_spec.d.ts +113 -41
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +130 -52
package/dist/http/schema_helpers.d.ts +3 -2
package/dist/http/schema_helpers.d.ts.map +1 -1
package/dist/http/schema_helpers.js +9 -2
package/dist/http/surface.d.ts +2 -1
package/dist/http/surface.d.ts.map +1 -1
package/dist/http/surface.js +1 -2
package/dist/http/surface_query.d.ts +39 -35
package/dist/http/surface_query.d.ts.map +1 -1
package/dist/http/surface_query.js +79 -36
package/dist/primitive_schemas.d.ts +39 -0
package/dist/primitive_schemas.d.ts.map +1 -0
package/dist/primitive_schemas.js +40 -0
package/dist/realtime/sse_auth_guard.d.ts +5 -5
package/dist/realtime/sse_auth_guard.js +9 -9
package/dist/runtime/mock.d.ts +1 -1
package/dist/runtime/mock.js +1 -1
package/dist/server/app_backend.d.ts +14 -11
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +12 -8
package/dist/server/app_server.d.ts +7 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +36 -31
package/dist/server/validate_nginx.d.ts +1 -1
package/dist/server/validate_nginx.js +1 -1
package/dist/testing/CLAUDE.md +73 -55
package/dist/testing/admin_integration.d.ts +5 -6
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +100 -96
package/dist/testing/adversarial_headers.js +1 -1
package/dist/testing/app_server.d.ts +11 -14
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +18 -17
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +2 -1
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +15 -9
package/dist/testing/audit_completeness.d.ts +2 -2
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +53 -39
package/dist/testing/auth_apps.d.ts +5 -4
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +28 -22
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +5 -5
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +4 -4
package/dist/testing/db_entities.d.ts +22 -0
package/dist/testing/db_entities.d.ts.map +1 -0
package/dist/testing/db_entities.js +28 -0
package/dist/testing/entities.d.ts +10 -8
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +22 -18
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +13 -14
package/dist/testing/integration_helpers.d.ts +8 -6
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +29 -23
package/dist/testing/middleware.d.ts +15 -11
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +75 -32
package/dist/testing/rpc_attack_surface.d.ts.map +1 -1
package/dist/testing/rpc_attack_surface.js +40 -24
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +3 -1
package/dist/testing/rpc_round_trip.d.ts +1 -1
package/dist/testing/rpc_round_trip.d.ts.map +1 -1
package/dist/testing/rpc_round_trip.js +14 -13
package/dist/testing/sse_round_trip.d.ts +3 -4
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +7 -11
package/dist/testing/standard.d.ts +1 -1
package/dist/testing/stubs.d.ts +25 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +43 -2
package/dist/testing/surface_invariants.d.ts +2 -2
package/dist/testing/ws_round_trip.d.ts +12 -13
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +24 -12
package/dist/ui/AdminAccounts.svelte +23 -20
package/dist/ui/AdminOverview.svelte +15 -13
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} +12 -12
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts +4 -0
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +1 -1
package/dist/ui/CLAUDE.md +65 -59
package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} +37 -22
package/dist/ui/RoleGrantOfferForm.svelte.d.ts +20 -0
package/dist/ui/RoleGrantOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferHistory.svelte → RoleGrantOfferHistory.svelte} +12 -12
package/dist/ui/{PermitOfferHistory.svelte.d.ts → RoleGrantOfferHistory.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferInbox.svelte → RoleGrantOfferInbox.svelte} +14 -14
package/dist/ui/{PermitOfferInbox.svelte.d.ts → RoleGrantOfferInbox.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +1 -1
package/dist/ui/SurfaceExplorer.svelte +35 -15
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +2 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +2 -3
package/dist/ui/admin_accounts_state.svelte.d.ts +25 -18
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +28 -17
package/dist/ui/admin_rpc_adapters.d.ts +20 -20
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +17 -17
package/dist/ui/admin_sessions_state.svelte.d.ts +2 -2
package/dist/ui/admin_sessions_state.svelte.js +2 -2
package/dist/ui/audit_log_state.svelte.d.ts +7 -7
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -6
package/dist/ui/auth_state.svelte.d.ts +3 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +6 -6
package/dist/ui/format_scope.d.ts +2 -2
package/dist/ui/format_scope.js +2 -2
package/dist/ui/{permit_offers_state.svelte.d.ts → role_grant_offers_state.svelte.d.ts} +39 -31
package/dist/ui/role_grant_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/{permit_offers_state.svelte.js → role_grant_offers_state.svelte.js} +25 -19
package/dist/ui/ui_format.js +2 -2
package/package.json +3 -3
package/dist/auth/permit_offer_action_specs.d.ts.map +0 -1
package/dist/auth/permit_offer_action_specs.js +0 -227
package/dist/auth/permit_offer_actions.d.ts +0 -110
package/dist/auth/permit_offer_actions.d.ts.map +0 -1
package/dist/auth/permit_offer_actions.js +0 -452
package/dist/auth/permit_offer_notifications.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.js +0 -182
package/dist/auth/permit_offer_queries.d.ts +0 -183
package/dist/auth/permit_offer_queries.d.ts.map +0 -1
package/dist/auth/permit_offer_queries.js +0 -408
package/dist/auth/permit_offer_schema.d.ts +0 -103
package/dist/auth/permit_offer_schema.d.ts.map +0 -1
package/dist/auth/permit_queries.d.ts +0 -210
package/dist/auth/permit_queries.d.ts.map +0 -1
package/dist/auth/permit_queries.js +0 -294
package/dist/auth/require_keeper.d.ts +0 -20
package/dist/auth/require_keeper.d.ts.map +0 -1
package/dist/auth/require_keeper.js +0 -35
package/dist/auth/route_guards.d.ts +0 -21
package/dist/auth/route_guards.d.ts.map +0 -1
package/dist/auth/route_guards.js +0 -32
package/dist/auth/session_lifecycle.d.ts +0 -37
package/dist/auth/session_lifecycle.d.ts.map +0 -1
package/dist/auth/session_lifecycle.js +0 -29
package/dist/ui/AdminPermitHistory.svelte.d.ts +0 -4
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferForm.svelte.d.ts +0 -14
package/dist/ui/PermitOfferForm.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +0 -1
package/dist/ui/permit_offers_state.svelte.d.ts.map +0 -1

package/dist/auth/credential_type_schema.d.ts ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * Credential-type registry — how a request was authenticated.
+ *
+ * Three builtins: `session` (cookie-based), `api_token` (HTTP Bearer
+ * token), `daemon_token` (filesystem proof for the keeper account).
+ * Open-string registry on top so consumers can declare additional
+ * credential types (e.g. `'sso_assertion'`, `'agent_token'`) without an
+ * upstream release. `RoleSpec.required_credential_types` references
+ * entries from this registry; v1 keeps the field informative-only
+ * (consumed by `auth/middleware.ts` and the dispatcher). Mirrors the
+ * open-registry pattern used for `RoleName`, `ScopeKindName`,
+ * `GrantPathName`, and `AuditEventTypeName`.
+ *
+ * The Hono-side wire-validated `CredentialType` Zod enum (in
+ * `hono_context.ts`) is the closed-set narrow type middleware sets on
+ * the context; the constants below are the source of truth for those
+ * three string values. Future builtin credential types added here
+ * propagate to the wire enum by editing the import list.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Letter (lowercase a-z) start and end (or single letter), with letters
+ * and underscores in between. Mirrors `RoleName`, `ScopeKindName`,
+ * `GrantPathName`. Rejects empty strings, leading or trailing
+ * underscores, uppercase, and digits.
+ */
+export declare const CREDENTIAL_TYPE_NAME_REGEX: RegExp;
+/** Zod schema for valid credential-type name strings. */
+export declare const CredentialTypeName: z.ZodString;
+export type CredentialTypeName = z.infer<typeof CredentialTypeName>;
+/** Cookie-based session credential. */
+export declare const CREDENTIAL_TYPE_SESSION = "session";
+/**
+ * HTTP `Authorization: Bearer` API token credential. The wire literal
+ * `'api_token'` aligns with the `api_token` storage table name; the
+ * constant is named `_API_TOKEN` (not `_BEARER`) to keep wire and
+ * storage nomenclature in lockstep.
+ */
+export declare const CREDENTIAL_TYPE_API_TOKEN = "api_token";
+/** Daemon-token credential — filesystem proof for the keeper account. */
+export declare const CREDENTIAL_TYPE_DAEMON_TOKEN = "daemon_token";
+/** The builtin credential-type names as a const tuple. */
+export declare const BUILTIN_CREDENTIAL_TYPES: readonly ["session", "api_token", "daemon_token"];
+/** Zod enum for builtin credential types only. */
+export declare const BuiltinCredentialType: z.ZodEnum<{
+    daemon_token: "daemon_token";
+    session: "session";
+    api_token: "api_token";
+}>;
+export type BuiltinCredentialType = z.infer<typeof BuiltinCredentialType>;
+/**
+ * Per-credential-type metadata. `description` is admin-UI-facing copy
+ * (mirrors `RoleSpec.description` and `ScopeKindMeta.description`).
+ * Open shape so v2 can extend without a breaking change.
+ */
+export interface CredentialTypeMeta {
+    description?: string;
+}
+/**
+ * Builtin credential-type metadata. Not overridable by consumers.
+ *
+ * Typed `ReadonlyMap` for the contract — but JS Maps don't honor
+ * `Object.freeze` for `.set` / `.delete` / `.clear` (they mutate
+ * internal slots, not own properties), so freeze adds no runtime guard
+ * here. Read once at startup by `create_credential_type_schema`;
+ * runtime mutation has no effect on already-built schemas.
+ */
+export declare const BUILTIN_CREDENTIAL_TYPE_META: ReadonlyMap<string, CredentialTypeMeta>;
+/** The result of `create_credential_type_schema` — a Zod schema and metadata map. */
+export interface CredentialTypeSchemaResult {
+    /**
+     * Zod schema that validates credential-type name strings against the
+     * registered set (builtins + consumer-declared). Use at I/O
+     * boundaries (admin UIs, codegen) and as the construction-time check
+     * inside `create_role_schema` for every
+     * `RoleSpec.required_credential_types` entry.
+     */
+    CredentialType: z.ZodType<string>;
+    /**
+     * Map of every registered credential-type to its metadata. Keyed by
+     * name. Read at startup by admin / codegen surfaces.
+     */
+    credential_types: ReadonlyMap<string, CredentialTypeMeta>;
+}
+/**
+ * Create a credential-type schema from the builtin set plus optional
+ * consumer-declared additions.
+ *
+ * Builtins (`session`, `api_token`, `daemon_token`) are always present;
+ * consumer entries that collide with a builtin name throw at
+ * construction. Pass the result into `create_role_schema`'s optional
+ * `credential_types` parameter so each role's
+ * `required_credential_types` entries are validated against this set
+ * at construction time.
+ *
+ * @param consumer_types - optional consumer-declared credential-type set with optional metadata
+ * @returns `{CredentialType, credential_types}` — Zod schema and metadata map
+ *
+ * @throws Error if any `consumer_types` key fails the `CredentialTypeName` regex, collides with a builtin name, or appears more than once
+ *
+ * @example
+ * ```ts
+ * // simple — builtins only
+ * const {CredentialType, credential_types} = create_credential_type_schema();
+ *
+ * // with consumer extensions
+ * const {CredentialType} = create_credential_type_schema({
+ *   sso_assertion: {description: 'OIDC SSO assertion bound to an IdP-asserted account.'},
+ * });
+ * ```
+ */
+export declare const create_credential_type_schema: (consumer_types?: Record<string, CredentialTypeMeta>) => CredentialTypeSchemaResult;
+//# sourceMappingURL=credential_type_schema.d.ts.map

package/dist/auth/credential_type_schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credential_type_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/credential_type_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB;;;;;GAKG;AACH,eAAO,MAAM,0BAA0B,QAAgC,CAAC;AAExE,yDAAyD;AACzD,eAAO,MAAM,kBAAkB,aAK7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,uCAAuC;AACvC,eAAO,MAAM,uBAAuB,YAAY,CAAC;AAEjD;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,cAAc,CAAC;AAErD,yEAAyE;AACzE,eAAO,MAAM,4BAA4B,iBAAiB,CAAC;AAE3D,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,mDAI3B,CAAC;AAEX,kDAAkD;AAClD,eAAO,MAAM,qBAAqB;;;;EAAmC,CAAC;AACtE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,MAAM,EAAE,kBAAkB,CAa/E,CAAC;AAEH,qFAAqF;AACrF,MAAM,WAAW,0BAA0B;IAC1C;;;;;;OAMG;IACH,cAAc,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClC;;;OAGG;IACH,gBAAgB,EAAE,WAAW,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,eAAO,MAAM,6BAA6B,GACzC,iBAAgB,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAM,KACrD,0BA2BF,CAAC"}

package/dist/auth/credential_type_schema.js ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * Credential-type registry — how a request was authenticated.
+ *
+ * Three builtins: `session` (cookie-based), `api_token` (HTTP Bearer
+ * token), `daemon_token` (filesystem proof for the keeper account).
+ * Open-string registry on top so consumers can declare additional
+ * credential types (e.g. `'sso_assertion'`, `'agent_token'`) without an
+ * upstream release. `RoleSpec.required_credential_types` references
+ * entries from this registry; v1 keeps the field informative-only
+ * (consumed by `auth/middleware.ts` and the dispatcher). Mirrors the
+ * open-registry pattern used for `RoleName`, `ScopeKindName`,
+ * `GrantPathName`, and `AuditEventTypeName`.
+ *
+ * The Hono-side wire-validated `CredentialType` Zod enum (in
+ * `hono_context.ts`) is the closed-set narrow type middleware sets on
+ * the context; the constants below are the source of truth for those
+ * three string values. Future builtin credential types added here
+ * propagate to the wire enum by editing the import list.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Letter (lowercase a-z) start and end (or single letter), with letters
+ * and underscores in between. Mirrors `RoleName`, `ScopeKindName`,
+ * `GrantPathName`. Rejects empty strings, leading or trailing
+ * underscores, uppercase, and digits.
+ */
+export const CREDENTIAL_TYPE_NAME_REGEX = /^[a-z][a-z_]*[a-z]$|^[a-z]$/;
+/** Zod schema for valid credential-type name strings. */
+export const CredentialTypeName = z
+    .string()
+    .regex(CREDENTIAL_TYPE_NAME_REGEX, 'Credential-type names must be lowercase letters and underscores (a-z_), no leading/trailing underscore');
+// Builtin credential types — provided by fuz_app, always available.
+/** Cookie-based session credential. */
+export const CREDENTIAL_TYPE_SESSION = 'session';
+/**
+ * HTTP `Authorization: Bearer` API token credential. The wire literal
+ * `'api_token'` aligns with the `api_token` storage table name; the
+ * constant is named `_API_TOKEN` (not `_BEARER`) to keep wire and
+ * storage nomenclature in lockstep.
+ */
+export const CREDENTIAL_TYPE_API_TOKEN = 'api_token';
+/** Daemon-token credential — filesystem proof for the keeper account. */
+export const CREDENTIAL_TYPE_DAEMON_TOKEN = 'daemon_token';
+/** The builtin credential-type names as a const tuple. */
+export const BUILTIN_CREDENTIAL_TYPES = [
+    CREDENTIAL_TYPE_SESSION,
+    CREDENTIAL_TYPE_API_TOKEN,
+    CREDENTIAL_TYPE_DAEMON_TOKEN,
+];
+/** Zod enum for builtin credential types only. */
+export const BuiltinCredentialType = z.enum(BUILTIN_CREDENTIAL_TYPES);
+/**
+ * Builtin credential-type metadata. Not overridable by consumers.
+ *
+ * Typed `ReadonlyMap` for the contract — but JS Maps don't honor
+ * `Object.freeze` for `.set` / `.delete` / `.clear` (they mutate
+ * internal slots, not own properties), so freeze adds no runtime guard
+ * here. Read once at startup by `create_credential_type_schema`;
+ * runtime mutation has no effect on already-built schemas.
+ */
+export const BUILTIN_CREDENTIAL_TYPE_META = new Map([
+    [
+        CREDENTIAL_TYPE_SESSION,
+        { description: 'Cookie-based session credential, signed and validated server-side.' },
+    ],
+    [
+        CREDENTIAL_TYPE_API_TOKEN,
+        { description: 'HTTP Authorization: Bearer API token credential, hashed at rest.' },
+    ],
+    [
+        CREDENTIAL_TYPE_DAEMON_TOKEN,
+        { description: 'Filesystem-proof daemon-token credential, scoped to the keeper account.' },
+    ],
+]);
+/**
+ * Create a credential-type schema from the builtin set plus optional
+ * consumer-declared additions.
+ *
+ * Builtins (`session`, `api_token`, `daemon_token`) are always present;
+ * consumer entries that collide with a builtin name throw at
+ * construction. Pass the result into `create_role_schema`'s optional
+ * `credential_types` parameter so each role's
+ * `required_credential_types` entries are validated against this set
+ * at construction time.
+ *
+ * @param consumer_types - optional consumer-declared credential-type set with optional metadata
+ * @returns `{CredentialType, credential_types}` — Zod schema and metadata map
+ *
+ * @throws Error if any `consumer_types` key fails the `CredentialTypeName` regex, collides with a builtin name, or appears more than once
+ *
+ * @example
+ * ```ts
+ * // simple — builtins only
+ * const {CredentialType, credential_types} = create_credential_type_schema();
+ *
+ * // with consumer extensions
+ * const {CredentialType} = create_credential_type_schema({
+ *   sso_assertion: {description: 'OIDC SSO assertion bound to an IdP-asserted account.'},
+ * });
+ * ```
+ */
+export const create_credential_type_schema = (consumer_types = {}) => {
+    const consumer_names = Object.keys(consumer_types);
+    const seen = new Set();
+    for (const name of consumer_names) {
+        const parsed = CredentialTypeName.safeParse(name);
+        if (!parsed.success) {
+            throw new Error(`Invalid credential-type name "${name}": ${parsed.error.issues[0].message}`);
+        }
+        if (BUILTIN_CREDENTIAL_TYPE_META.has(name)) {
+            throw new Error(`Consumer credential-type "${name}" collides with builtin credential-type`);
+        }
+        if (seen.has(name)) {
+            throw new Error(`Duplicate credential-type name "${name}"`);
+        }
+        seen.add(name);
+    }
+    const all_names = [...BUILTIN_CREDENTIAL_TYPES, ...consumer_names];
+    const CredentialType = z.enum(all_names);
+    const credential_types = new Map(BUILTIN_CREDENTIAL_TYPE_META);
+    for (const name of consumer_names) {
+        credential_types.set(name, consumer_types[name]);
+    }
+    return { CredentialType, credential_types };
+};

package/dist/auth/daemon_token_middleware.d.ts CHANGED Viewed

@@ -41,10 +41,16 @@ export declare const get_daemon_token_path: (runtime: Pick<EnvDeps, "env_get">,
  */
 export declare const write_daemon_token: (runtime: DaemonTokenWriteDeps, token_path: string, token: string) => Promise<void>;
 /**
- * Resolve the keeper account ID by querying for the account with an active keeper permit.
+ * Resolve the keeper account ID by querying for the account with an active
+ * keeper role_grant.
  *
- * There is exactly one keeper account (the bootstrap account). Runs once at
- * server startup — the result is cached in `DaemonTokenState.keeper_account_id`.
+ * There is exactly one keeper account (the bootstrap account). Runs once
+ * at server startup — the result is cached in
+ * `DaemonTokenState.keeper_account_id`. The acting actor is resolved
+ * per-request by the dispatcher's authorization phase (which runs
+ * `resolve_acting_actor` against this account id), so multi-actor keeper
+ * accounts surface `actor_required` if a daemon caller doesn't pass an
+ * explicit `acting`.
  *
  * @param deps - query dependencies
  * @returns the keeper account ID, or `null` if no keeper exists yet (pre-bootstrap)
@@ -83,15 +89,21 @@ export declare const start_daemon_token_rotation: (runtime: DaemonTokenWriteDeps
  * Create middleware that authenticates via daemon token.
  *
  * Checks the `X-Daemon-Token` header. Behavior:
- * - No header: pass through (don't touch existing context)
- * - Header present + valid: build `RequestContext` from keeper account,
- *   set `credential_type: 'daemon_token'` (overrides any existing session/bearer context)
- * - Header present + invalid: return 401 (fail-closed, no downgrade)
- * - Header present + valid but `keeper_account_id` is null: return 503
+ * - No header: pass through (don't touch existing context).
+ * - Header present + Zod-invalid: return 401 (fail-closed).
+ * - Header present + invalid value: return 401 (fail-closed, no downgrade).
+ * - Header present + valid + `keeper_account_id` null: return 503.
+ * - Header present + valid + ok: set `c.var.auth_account_id =
+ *   state.keeper_account_id`, `CREDENTIAL_TYPE_KEY = 'daemon_token'`
+ *   (overrides any existing session / bearer identity).
+ *
+ * Acting-actor resolution + `RequestContext` construction are deferred
+ * to the dispatcher's authorization phase. Multi-actor keeper accounts
+ * surface `actor_required` from there if a daemon caller doesn't pass
+ * an explicit `acting` value.
  *
  * @param state - the daemon token runtime state
- * @param deps - query dependencies (pool-level db for middleware)
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
  */
-export declare const create_daemon_token_middleware: (state: DaemonTokenState, deps: QueryDeps) => MiddlewareHandler;
+export declare const create_daemon_token_middleware: (state: DaemonTokenState, _deps: QueryDeps) => MiddlewareHandler;
 //# sourceMappingURL=daemon_token_middleware.d.ts.map

package/dist/auth/daemon_token_middleware.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;~~AAWrF~~,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF~~;;;;;;;;GAQG~~;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF~~;;;;;;;;;;;;;GAaG~~;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,~~MAAM~~,SAAS,~~KACb~~,~~iBAqCF~~,CAAC"}
1	+ {"version":3,"file":"daemon_token_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/daemon_token_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,OAAO,EAAC,MAAM,oBAAoB,CAAC;AASrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,8DAA8D;AAC9D,eAAO,MAAM,4BAA4B,QAAS,CAAC;AAEnD,iDAAiD;AACjD,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,GAC1D,IAAI,CAAC,WAAW,EAAE,OAAO,GAAG,iBAAiB,GAAG,QAAQ,CAAC,GAAG;IAC3D,6FAA6F;IAC7F,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,SAAS,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EACjC,MAAM,MAAM,KACV,MAAM,GAAG,IAGX,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAC9B,SAAS,oBAAoB,EAC7B,YAAY,MAAM,EAClB,OAAO,MAAM,KACX,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,yBAAyB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAEtF,CAAC;AAEF,yCAAyC;AACzC,MAAM,WAAW,0BAA0B;IAC1C,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,gDAAgD;AAChD,MAAM,WAAW,mBAAmB;IACnC,2EAA2E;IAC3E,KAAK,EAAE,gBAAgB,CAAC;IACxB,kGAAkG;IAClG,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,oBAAoB,GAAG,YAAY,EAC5C,MAAM,SAAS,EACf,SAAS,0BAA0B,EACnC,KAAK,MAAM,KACT,OAAO,CAAC,mBAAmB,CAwD7B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,8BAA8B,GAC1C,OAAO,gBAAgB,EACvB,OAAO,SAAS,KACd,iBA+BF,CAAC"}

package/dist/auth/daemon_token_middleware.js CHANGED Viewed

@@ -12,10 +12,9 @@
 import {} from '../runtime/deps.js';
 import { write_file_atomic } from '../runtime/fs.js';
 import { get_app_dir } from '../cli/config.js';
-import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
-import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
-import { ERROR_INVALID_DAEMON_TOKEN, ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED, ERROR_KEEPER_ACCOUNT_NOT_FOUND, } from '../http/error_schemas.js';
-import { query_permit_find_account_id_for_role } from './permit_queries.js';
+import { ACCOUNT_ID_KEY, AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { ERROR_INVALID_DAEMON_TOKEN, ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED, } from '../http/error_schemas.js';
+import { query_role_grant_find_account_id_for_role } from './role_grant_queries.js';
 import { ROLE_KEEPER } from './role_schema.js';
 import { DaemonToken, DAEMON_TOKEN_HEADER, generate_daemon_token, validate_daemon_token, } from './daemon_token.js';
 /** Default rotation interval in milliseconds (30 seconds). */
@@ -48,16 +47,22 @@ export const write_daemon_token = async (runtime, token_path, token) => {
     }
 };
 /**
- * Resolve the keeper account ID by querying for the account with an active keeper permit.
+ * Resolve the keeper account ID by querying for the account with an active
+ * keeper role_grant.
  *
- * There is exactly one keeper account (the bootstrap account). Runs once at
- * server startup — the result is cached in `DaemonTokenState.keeper_account_id`.
+ * There is exactly one keeper account (the bootstrap account). Runs once
+ * at server startup — the result is cached in
+ * `DaemonTokenState.keeper_account_id`. The acting actor is resolved
+ * per-request by the dispatcher's authorization phase (which runs
+ * `resolve_acting_actor` against this account id), so multi-actor keeper
+ * accounts surface `actor_required` if a daemon caller doesn't pass an
+ * explicit `acting`.
  *
  * @param deps - query dependencies
  * @returns the keeper account ID, or `null` if no keeper exists yet (pre-bootstrap)
  */
 export const resolve_keeper_account_id = async (deps) => {
-    return query_permit_find_account_id_for_role(deps, ROLE_KEEPER);
+    return query_role_grant_find_account_id_for_role(deps, ROLE_KEEPER);
 };
 /**
  * Start daemon token rotation.
@@ -129,17 +134,23 @@ export const start_daemon_token_rotation = async (runtime, deps, options, log) =
  * Create middleware that authenticates via daemon token.
  *
  * Checks the `X-Daemon-Token` header. Behavior:
- * - No header: pass through (don't touch existing context)
- * - Header present + valid: build `RequestContext` from keeper account,
- *   set `credential_type: 'daemon_token'` (overrides any existing session/bearer context)
- * - Header present + invalid: return 401 (fail-closed, no downgrade)
- * - Header present + valid but `keeper_account_id` is null: return 503
+ * - No header: pass through (don't touch existing context).
+ * - Header present + Zod-invalid: return 401 (fail-closed).
+ * - Header present + invalid value: return 401 (fail-closed, no downgrade).
+ * - Header present + valid + `keeper_account_id` null: return 503.
+ * - Header present + valid + ok: set `c.var.auth_account_id =
+ *   state.keeper_account_id`, `CREDENTIAL_TYPE_KEY = 'daemon_token'`
+ *   (overrides any existing session / bearer identity).
+ *
+ * Acting-actor resolution + `RequestContext` construction are deferred
+ * to the dispatcher's authorization phase. Multi-actor keeper accounts
+ * surface `actor_required` from there if a daemon caller doesn't pass
+ * an explicit `acting` value.
  *
  * @param state - the daemon token runtime state
- * @param deps - query dependencies (pool-level db for middleware)
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on a valid token
  */
-export const create_daemon_token_middleware = (state, deps) => {
+export const create_daemon_token_middleware = (state, _deps) => {
     return async (c, next) => {
         const token_header = c.req.header(DAEMON_TOKEN_HEADER);
         if (!token_header) {
@@ -159,12 +170,7 @@ export const create_daemon_token_middleware = (state, deps) => {
         if (!state.keeper_account_id) {
             return c.json({ error: ERROR_KEEPER_ACCOUNT_NOT_CONFIGURED }, 503);
         }
-        // build request context from the keeper account (overrides any existing session/bearer context)
-        const ctx = await build_request_context(deps, state.keeper_account_id);
-        if (!ctx) {
-            return c.json({ error: ERROR_KEEPER_ACCOUNT_NOT_FOUND }, 500);
-        }
-        c.set(REQUEST_CONTEXT_KEY, ctx);
+        c.set(ACCOUNT_ID_KEY, state.keeper_account_id);
         c.set(CREDENTIAL_TYPE_KEY, 'daemon_token');
         c.set(AUTH_API_TOKEN_ID_KEY, null);
         await next();

package/dist/auth/ddl.d.ts CHANGED Viewed

@@ -9,8 +9,8 @@
 export declare const ACCOUNT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS account (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  username TEXT UNIQUE NOT NULL,\n  email TEXT,\n  email_verified BOOLEAN NOT NULL DEFAULT false,\n  password_hash TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  created_by UUID,\n  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_by UUID\n)";
 export declare const ACTOR_SCHEMA = "\nCREATE TABLE IF NOT EXISTS actor (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_at TIMESTAMPTZ,\n  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
 export declare const ACTOR_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)";
-export declare const PERMIT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ,\n  revoked_at TIMESTAMPTZ,\n  revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n  granted_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
-export declare const PERMIT_INDEXES: string[];
+export declare const ROLE_GRANT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS role_grant (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ,\n  revoked_at TIMESTAMPTZ,\n  revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n  granted_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
+export declare const ROLE_GRANT_INDEXES: string[];
 export declare const AUTH_SESSION_SCHEMA = "\nCREATE TABLE IF NOT EXISTS auth_session (\n  id TEXT PRIMARY KEY,\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)";
 export declare const AUTH_SESSION_INDEXES: string[];
 export declare const API_TOKEN_SCHEMA = "\nCREATE TABLE IF NOT EXISTS api_token (\n  id TEXT PRIMARY KEY,\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  token_hash TEXT NOT NULL,\n  expires_at TIMESTAMPTZ,\n  last_used_at TIMESTAMPTZ,\n  last_used_ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)";

package/dist/auth/ddl.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE,eAAO,MAAM,~~aAAa~~,~~uZAUxB~~,CAAC;AAEH,eAAO,MAAM,~~cAAc~~,~~UAI1B~~,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}
1	+ {"version":3,"file":"ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE,eAAO,MAAM,iBAAiB,2ZAU5B,CAAC;AAEH,eAAO,MAAM,kBAAkB,UAI9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}

package/dist/auth/ddl.js CHANGED Viewed

@@ -29,8 +29,8 @@ CREATE TABLE IF NOT EXISTS actor (
 )`;
 export const ACTOR_INDEX = `
 CREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)`;
-export const PERMIT_SCHEMA = `
-CREATE TABLE IF NOT EXISTS permit (
+export const ROLE_GRANT_SCHEMA = `
+CREATE TABLE IF NOT EXISTS role_grant (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
   actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,
   role TEXT NOT NULL,
@@ -40,10 +40,10 @@ CREATE TABLE IF NOT EXISTS permit (
   revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,
   granted_by UUID REFERENCES actor(id) ON DELETE SET NULL
 )`;
-export const PERMIT_INDEXES = [
-    `CREATE INDEX IF NOT EXISTS idx_permit_actor ON permit(actor_id)`,
-    `CREATE UNIQUE INDEX IF NOT EXISTS permit_actor_role_active_unique
-    ON permit (actor_id, role) WHERE revoked_at IS NULL`,
+export const ROLE_GRANT_INDEXES = [
+    `CREATE INDEX IF NOT EXISTS idx_role_grant_actor ON role_grant(actor_id)`,
+    `CREATE UNIQUE INDEX IF NOT EXISTS role_grant_actor_role_active_unique
+    ON role_grant (actor_id, role) WHERE revoked_at IS NULL`,
 ];
 export const AUTH_SESSION_SCHEMA = `
 CREATE TABLE IF NOT EXISTS auth_session (

package/dist/auth/deps.d.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import type { Keyring } from './keyring.js';
 import type { PasswordHashDeps } from './password.js';
 import type { Db } from '../db/db.js';
 import type { StatResult } from '../runtime/deps.js';
-import type { AuditLogConfig, AuditLogEvent } from './audit_log_schema.js';
+import type { AuditEmitter } from './audit_emitter.js';
 /**
  * Stateless capabilities bundle for fuz_app backends.
  *
@@ -35,24 +35,13 @@ export interface AppDeps {
     /** Structured logger instance. */
     log: Logger;
     /**
-     * Called after each audit log INSERT succeeds.
-     * Use to broadcast audit events via SSE. Flows automatically to all
-     * route factories that receive `deps` or `RouteFactoryDeps`.
-     * Defaults to a noop when not wired to SSE.
+     * Bound audit emitter. Closes over the pool, the `on_audit_event`
+     * subscriber chain, and the optional `AuditLogConfig`. Built once at
+     * backend assembly via `create_audit_emitter` so handlers can never
+     * accidentally write audits against the request transaction — there
+     * is no pool slot on the handler context.
      */
-    on_audit_event: (event: AuditLogEvent) => void;
-    /**
-     * Audit-log config for `audit_log_fire_and_forget` and `query_audit_log`.
-     * Built once at startup via `create_audit_log_config({extra_events})` to
-     * register consumer event types. Optional — defaults to
-     * `BUILTIN_AUDIT_LOG_CONFIG` when absent.
-     *
-     * Threaded through `AppDeps` (instead of a per-call positional arg) so
-     * consumer handlers cannot silently fall back to the builtin config by
-     * forgetting to pass theirs — the deps bundle carries it everywhere
-     * fuz_app emits an audit event.
-     */
-    audit_log_config?: AuditLogConfig;
+    audit: AuditEmitter;
 }
 /**
  * Capabilities for route spec factories.

package/dist/auth/deps.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,~~cAAc~~,~~EAAE,aAAa,~~EAAC,MAAM,~~uBAAuB~~,CAAC;~~AAEzE~~;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACvB,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yBAAyB;IACzB,EAAE,EAAE,EAAE,CAAC;IACP,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ~~;;;;;OAKG~~;IACH,~~cAAc,EAAE,CAAC,~~KAAK,EAAE,~~aAAa~~,~~KAAK,IAAI,~~CAAC;~~IAC/C;;;;;;;;;;OAUG~~;~~IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;~~AAED;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC"}
1	+ {"version":3,"file":"deps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,oBAAoB,CAAC;AAErD;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACvB,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yBAAyB;IACzB,EAAE,EAAE,EAAE,CAAC;IACP,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,KAAK,EAAE,YAAY,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC"}

package/dist/auth/grant_path_schema.d.ts ADDED Viewed

@@ -0,0 +1,117 @@
+/**
+ * Grant-path registry — the surfaces through which a role can be
+ * granted to an actor.
+ *
+ * Four builtins:
+ *
+ * - `admin` — granted by an admin via `role_grant_offer_create` (subject to
+ *   the consumer's `authorize` callback) or admin-side direct grant.
+ * - `self_service` — toggled by the holder themselves via
+ *   `self_service_role_set` (allowlisted by `eligible_roles`).
+ * - `system` — granted by system code paths (signup, automation, etc.)
+ *   that don't fit either of the above.
+ * - `bootstrap` — granted exactly once during the bootstrap flow
+ *   (`keeper`, `admin` on a fresh install).
+ *
+ * Open registry on top so consumers can declare additional paths
+ * (e.g. `'invite_only'`, `'sso_assertion'`) without an upstream release.
+ * `RoleSpec.grant_paths` references entries from this registry; the
+ * default for `admin_actions.grantable_roles` is `grant_paths.includes('admin')`,
+ * the default for `self_service_role_actions` eligibility is
+ * `grant_paths.includes('self_service')`. Mirrors the open-registry
+ * pattern used for `RoleName`, `ScopeKindName`, `CredentialTypeName`,
+ * and `AuditEventTypeName`.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Letter (lowercase a-z) start and end (or single letter), with letters
+ * and underscores in between. Mirrors `RoleName`, `ScopeKindName`,
+ * `CredentialTypeName`. Rejects empty strings, leading or trailing
+ * underscores, uppercase, and digits.
+ */
+export declare const GRANT_PATH_NAME_REGEX: RegExp;
+/** Zod schema for valid grant-path name strings. */
+export declare const GrantPathName: z.ZodString;
+export type GrantPathName = z.infer<typeof GrantPathName>;
+/** Admin-mediated grant — `role_grant_offer_create` plus admin-direct flows. */
+export declare const GRANT_PATH_ADMIN = "admin";
+/** Self-service grant — caller toggles their own role_grant via `self_service_role_set`. */
+export declare const GRANT_PATH_SELF_SERVICE = "self_service";
+/** System-mediated grant — signup hooks, automation, internal service flows. */
+export declare const GRANT_PATH_SYSTEM = "system";
+/** Bootstrap grant — one-shot flow during the keep's first-run bootstrap. */
+export declare const GRANT_PATH_BOOTSTRAP = "bootstrap";
+/** The builtin grant-path names as a const tuple. */
+export declare const BUILTIN_GRANT_PATHS: readonly ["admin", "self_service", "system", "bootstrap"];
+/** Zod enum for builtin grant paths only. */
+export declare const BuiltinGrantPath: z.ZodEnum<{
+    admin: "admin";
+    self_service: "self_service";
+    system: "system";
+    bootstrap: "bootstrap";
+}>;
+export type BuiltinGrantPath = z.infer<typeof BuiltinGrantPath>;
+/**
+ * Per-grant-path metadata. `description` is admin-UI-facing copy
+ * (mirrors `RoleSpec.description` and `ScopeKindMeta.description`).
+ * Open shape so v2 can extend without a breaking change.
+ */
+export interface GrantPathMeta {
+    description?: string;
+}
+/**
+ * Builtin grant-path metadata. Not overridable by consumers.
+ *
+ * Typed `ReadonlyMap` for the contract — but JS Maps don't honor
+ * `Object.freeze` for `.set` / `.delete` / `.clear` (they mutate
+ * internal slots, not own properties), so freeze adds no runtime guard
+ * here. Read once at startup by `create_grant_path_schema`; runtime
+ * mutation has no effect on already-built schemas.
+ */
+export declare const BUILTIN_GRANT_PATH_META: ReadonlyMap<string, GrantPathMeta>;
+/** The result of `create_grant_path_schema` — a Zod schema and metadata map. */
+export interface GrantPathSchemaResult {
+    /**
+     * Zod schema that validates grant-path name strings against the
+     * registered set (builtins + consumer-declared). Use at I/O
+     * boundaries (admin UIs, codegen) and as the construction-time check
+     * inside `create_role_schema` for every `RoleSpec.grant_paths`
+     * entry.
+     */
+    GrantPath: z.ZodType<string>;
+    /**
+     * Map of every registered grant-path to its metadata. Keyed by
+     * name. Read at startup by admin / codegen surfaces.
+     */
+    grant_paths: ReadonlyMap<string, GrantPathMeta>;
+}
+/**
+ * Create a grant-path schema from the builtin set plus optional
+ * consumer-declared additions.
+ *
+ * Builtins (`admin`, `self_service`, `system`, `bootstrap`) are always
+ * present; consumer entries that collide with a builtin name throw at
+ * construction. Pass the result into `create_role_schema`'s optional
+ * `grant_paths` parameter so each role's `grant_paths` entries are
+ * validated against this set at construction time.
+ *
+ * @param consumer_paths - optional consumer-declared grant-path set with optional metadata
+ * @returns `{GrantPath, grant_paths}` — Zod schema and metadata map
+ *
+ * @throws Error if any `consumer_paths` key fails the `GrantPathName` regex, collides with a builtin name, or appears more than once
+ *
+ * @example
+ * ```ts
+ * // simple — builtins only
+ * const {GrantPath, grant_paths} = create_grant_path_schema();
+ *
+ * // with consumer extensions
+ * const {GrantPath} = create_grant_path_schema({
+ *   invite_only: {description: 'Granted by claiming a consumer-issued invite.'},
+ * });
+ * ```
+ */
+export declare const create_grant_path_schema: (consumer_paths?: Record<string, GrantPathMeta>) => GrantPathSchemaResult;
+//# sourceMappingURL=grant_path_schema.d.ts.map

package/dist/auth/grant_path_schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"grant_path_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/grant_path_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,QAAgC,CAAC;AAEnE,oDAAoD;AACpD,eAAO,MAAM,aAAa,aAKxB,CAAC;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAI1D,gFAAgF;AAChF,eAAO,MAAM,gBAAgB,UAAU,CAAC;AAExC,4FAA4F;AAC5F,eAAO,MAAM,uBAAuB,iBAAiB,CAAC;AAEtD,gFAAgF;AAChF,eAAO,MAAM,iBAAiB,WAAW,CAAC;AAE1C,6EAA6E;AAC7E,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAEhD,qDAAqD;AACrD,eAAO,MAAM,mBAAmB,2DAKtB,CAAC;AAEX,6CAA6C;AAC7C,eAAO,MAAM,gBAAgB;;;;;EAA8B,CAAC;AAC5D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,MAAM,EAAE,aAAa,CAuBrE,CAAC;AAEH,gFAAgF;AAChF,MAAM,WAAW,qBAAqB;IACrC;;;;;;OAMG;IACH,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7B;;;OAGG;IACH,WAAW,EAAE,WAAW,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,wBAAwB,GACpC,iBAAgB,MAAM,CAAC,MAAM,EAAE,aAAa,CAAM,KAChD,qBA2BF,CAAC"}