@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/signup_routes.js

@@ -8,16 +8,15 @@
  * @module
  */
 import { z } from 'zod';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
+import { create_session_and_set_cookie } from './session_middleware.js';
 import { query_create_account_with_actor } from './account_queries.js';
-import { query_invite_find_unclaimed_match, query_invite_claim } from './invite_queries.js';
-import { Username, Email } from './account_schema.js';
+import { query_invite_find_unclaimed_match, query_invite_claim_unscoped } from './invite_queries.js';
+import { Username, Email } from '../primitive_schemas.js';
 import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 import { ERROR_NO_MATCHING_INVITE, ERROR_SIGNUP_CONFLICT, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 import { is_pg_unique_violation } from '../db/pg_error.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
@@ -44,7 +43,7 @@ export const create_signup_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/signup',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Create account (invite-gated or open signup)',
             transaction: false, // manages its own transaction for TOCTOU safety
             input: SignupInput,
@@ -75,24 +74,41 @@ export const create_signup_route_specs = (deps, options) => {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
-                // Check for matching invite (unless open signup is enabled)
+                // Check for matching invite (unless open signup is enabled).
+                // `transaction: false` makes `route.db` the pool, which is
+                // what the pre-tx invite lookup wants.
                 let invite;
                 if (!app_settings.open_signup) {
-                    invite = await query_invite_find_unclaimed_match({ db: route.background_db }, email ?? null, username);
-                    if (!invite) {
-                        if (ip_rate_limiter && ip)
-                            ip_rate_limiter.record(ip);
-                        if (signup_account_rate_limiter)
-                            signup_account_rate_limiter.record(account_key);
-                        return c.json({ error: ERROR_NO_MATCHING_INVITE }, 403);
-                    }
+                    invite = await query_invite_find_unclaimed_match({ db: route.db }, email ?? null, username);
+                }
+                const emit_failure_audit = (reason) => {
+                    deps.audit.emit(route, {
+                        event_type: 'signup',
+                        outcome: 'failure',
+                        ip: get_client_ip(c),
+                        metadata: {
+                            username,
+                            reason,
+                            ...(invite && { invite_id: invite.id }),
+                            ...(email != null && { email }),
+                            ...(app_settings.open_signup && { open_signup: true }),
+                        },
+                    });
+                };
+                if (!app_settings.open_signup && !invite) {
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (signup_account_rate_limiter)
+                        signup_account_rate_limiter.record(account_key);
+                    emit_failure_audit('no_match');
+                    return c.json({ error: ERROR_NO_MATCHING_INVITE }, 403);
                 }
                 // Create account, optionally claim invite, and create session atomically.
                 // Username/email uniqueness enforced by DB unique constraints.
                 const password_hash = await password.hash_password(pw);
                 let result;
                 try {
-                    result = await route.background_db.transaction(async (tx) => {
+                    result = await route.db.transaction(async (tx) => {
                         const tx_deps = { db: tx };
                         const { account } = await query_create_account_with_actor(tx_deps, {
                             username,
@@ -100,9 +116,20 @@ export const create_signup_route_specs = (deps, options) => {
                             email,
                         });
                         if (invite) {
-                            const claimed = await query_invite_claim(tx_deps, invite.id, account.id);
+                            const claimed = await query_invite_claim_unscoped(tx_deps, invite.id, account.id);
                             if (!claimed) {
-                                // Race: invite was claimed between the find and this claim
+                                // Race: invite was claimed between the find and this claim.
+                                //
+                                // SECURITY NOTE: this branch is largely shadowed by the account
+                                // unique constraints. Because `query_invite_find_unclaimed_match`
+                                // returns at most one invite for the (username, email) tuple, two
+                                // concurrent signups satisfying the same find share the same
+                                // username and/or email — and the case-insensitive partial uniques
+                                // on `account.username` / `account.email` (`ACCOUNT_USERNAME_CI_INDEX`
+                                // / `ACCOUNT_EMAIL_INDEX`) fire on the second `query_create_account_with_actor`
+                                // before the claim runs. The audit emit is kept for defense-in-depth
+                                // in case those constraints are loosened or the find query starts
+                                // returning multiple invites for a single signup tuple.
                                 throw new SignupConflictError(ERROR_NO_MATCHING_INVITE);
                             }
                         }
@@ -122,6 +149,7 @@ export const create_signup_route_specs = (deps, options) => {
                             ip_rate_limiter.record(ip);
                         if (signup_account_rate_limiter)
                             signup_account_rate_limiter.record(account_key);
+                        emit_failure_audit('race_lost');
                         return c.json({ error: e.error }, 403);
                     }
                     // Unique constraint violation: username or email already exists.
@@ -130,6 +158,7 @@ export const create_signup_route_specs = (deps, options) => {
                             ip_rate_limiter.record(ip);
                         if (signup_account_rate_limiter)
                             signup_account_rate_limiter.record(account_key);
+                        emit_failure_audit('signup_conflict');
                         return c.json({ error: ERROR_SIGNUP_CONFLICT }, 409);
                     }
                     throw e;
@@ -139,12 +168,12 @@ export const create_signup_route_specs = (deps, options) => {
                     ip_rate_limiter.reset(ip);
                 if (signup_account_rate_limiter)
                     signup_account_rate_limiter.reset(account_key);
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'signup',
                     account_id: result.id,
                     ip: get_client_ip(c),
                     metadata: invite ? { invite_id: invite.id, username } : { open_signup: true, username },
-                }, deps);
+                });
                 return c.json({ ok: true });
             },
         },

package/dist/auth/standard_action_specs.d.ts

@@ -2,7 +2,7 @@
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
  * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
- * action registries into one mounted RPC surface: admin + permit_offer +
+ * action registries into one mounted RPC surface: admin + role_grant_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard
  * method.
@@ -22,7 +22,7 @@
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /**
  * Combined spec registry for the standard RPC surface (admin +
- * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ * role_grant_offer + account). Symmetric with `create_standard_rpc_actions`.
  *
  * Spec count is the sum of the three sub-registries. Adding a method to
  * any sub-registry surfaces here automatically.

package/dist/auth/standard_action_specs.js

@@ -2,7 +2,7 @@
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
  * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
- * action registries into one mounted RPC surface: admin + permit_offer +
+ * action registries into one mounted RPC surface: admin + role_grant_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard
  * method.
@@ -20,17 +20,17 @@
  * @module
  */
 import { all_admin_action_specs } from './admin_action_specs.js';
-import { all_permit_offer_action_specs } from './permit_offer_action_specs.js';
+import { all_role_grant_offer_action_specs } from './role_grant_offer_action_specs.js';
 import { all_account_action_specs } from './account_action_specs.js';
 /**
  * Combined spec registry for the standard RPC surface (admin +
- * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ * role_grant_offer + account). Symmetric with `create_standard_rpc_actions`.
  *
  * Spec count is the sum of the three sub-registries. Adding a method to
  * any sub-registry surfaces here automatically.
  */
 export const all_standard_action_specs = [
     ...all_admin_action_specs,
-    ...all_permit_offer_action_specs,
+    ...all_role_grant_offer_action_specs,
     ...all_account_action_specs,
 ];

package/dist/auth/standard_rpc_actions.d.ts

@@ -1,16 +1,16 @@
 /**
- * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ * Combined admin + role-grant-offer + account RPC actions for fuz_app consumers.
  *
  * The canonical "standard" RPC surface: every stock fuz_app RPC action a
  * typical web consumer wants on one endpoint. Consumers that want a
  * narrower surface drop down to the per-domain factories directly
- * (`create_admin_actions` / `create_permit_offer_actions` /
+ * (`create_admin_actions` / `create_role_grant_offer_actions` /
  * `create_account_actions`).
  *
- * Option routing: shared `roles` flows to both admin and permit-offer;
+ * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to permit-offer only; `max_tokens` goes to account only;
- * `notification_sender` reaches permit-offer transparently (admin + account
+ * to role-grant-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *
  * Paired with `create_admin_rpc_adapters` on the UI side.
@@ -18,39 +18,43 @@
  * @module
  */
 import { type AdminActionOptions } from './admin_actions.js';
-import { type PermitOfferActionDeps, type PermitOfferActionOptions } from './permit_offer_actions.js';
+import { type RoleGrantOfferActionOptions } from './role_grant_offer_actions.js';
 import { type AccountActionOptions } from './account_actions.js';
+import type { RouteFactoryDeps } from './deps.js';
+import type { NotificationSender } from './role_grant_offer_notifications.js';
 import type { RpcAction } from '../actions/action_rpc.js';
 /**
  * Options for `create_standard_rpc_actions`.
  *
  * Composes `AdminActionOptions` (`roles`, `app_settings`),
- * `PermitOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
+ * `RoleGrantOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
  * `AccountActionOptions` (`max_tokens`). `roles` is shared between admin
- * and permit-offer — the caller supplies it once and the helper threads
+ * and role-grant-offer — the caller supplies it once and the helper threads
  * the same reference to both.
  */
-export interface StandardRpcActionsOptions extends AdminActionOptions, PermitOfferActionOptions, AccountActionOptions {
+export interface StandardRpcActionsOptions extends AdminActionOptions, RoleGrantOfferActionOptions, AccountActionOptions {
 }
 /**
  * Dependencies for `create_standard_rpc_actions`.
  *
- * Same shape as `PermitOfferActionDeps` — `log`, `on_audit_event`, and an
- * optional `notification_sender` for permit-offer WS fan-out. Admin and
- * account factories only read `log` + `on_audit_event`; the extra field
- * is harmless.
+ * Stack-standard `RouteFactoryDeps` slice (`log`, `audit`) plus an optional
+ * `notification_sender` consumed only by the role-grant-offer sub-factory
+ * for WS fan-out. Admin and account sub-factories ignore
+ * `notification_sender`.
  */
-export type StandardRpcActionsDeps = PermitOfferActionDeps;
+export interface StandardRpcActionsDeps extends Pick<RouteFactoryDeps, 'log' | 'audit'> {
+    notification_sender?: NotificationSender | null;
+}
 /**
- * Build the combined admin + permit-offer + account RPC action set.
+ * Build the combined admin + role-grant-offer + account RPC action set.
  *
  * Spreads `create_admin_actions(deps, {roles, app_settings})`,
- * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
- * option flows to admin + permit-offer.
+ * option flows to admin + role-grant-offer.
  *
- * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
+ * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export declare const create_standard_rpc_actions: (deps: StandardRpcActionsDeps, options?: StandardRpcActionsOptions) => Array<RpcAction>;

package/dist/auth/standard_rpc_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,qBAAqB,EAC1B,KAAK,wBAAwB,EAC7B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,wBAAwB,EAAE,oBAAoB;CAAG;AAE9E;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAAG,qBAAqB,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}
+{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}

package/dist/auth/standard_rpc_actions.js

@@ -1,16 +1,16 @@
 /**
- * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ * Combined admin + role-grant-offer + account RPC actions for fuz_app consumers.
  *
  * The canonical "standard" RPC surface: every stock fuz_app RPC action a
  * typical web consumer wants on one endpoint. Consumers that want a
  * narrower surface drop down to the per-domain factories directly
- * (`create_admin_actions` / `create_permit_offer_actions` /
+ * (`create_admin_actions` / `create_role_grant_offer_actions` /
  * `create_account_actions`).
  *
- * Option routing: shared `roles` flows to both admin and permit-offer;
+ * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to permit-offer only; `max_tokens` goes to account only;
- * `notification_sender` reaches permit-offer transparently (admin + account
+ * to role-grant-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *
  * Paired with `create_admin_rpc_adapters` on the UI side.
@@ -18,22 +18,22 @@
  * @module
  */
 import { create_admin_actions } from './admin_actions.js';
-import { create_permit_offer_actions, } from './permit_offer_actions.js';
+import { create_role_grant_offer_actions, } from './role_grant_offer_actions.js';
 import { create_account_actions } from './account_actions.js';
 /**
- * Build the combined admin + permit-offer + account RPC action set.
+ * Build the combined admin + role-grant-offer + account RPC action set.
  *
  * Spreads `create_admin_actions(deps, {roles, app_settings})`,
- * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
- * option flows to admin + permit-offer.
+ * option flows to admin + role-grant-offer.
  *
- * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
+ * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export const create_standard_rpc_actions = (deps, options = {}) => [
     ...create_admin_actions(deps, options),
-    ...create_permit_offer_actions(deps, options),
+    ...create_role_grant_offer_actions(deps, options),
     ...create_account_actions(deps, options),
 ];

package/dist/db/migrate.d.ts

@@ -6,12 +6,15 @@
  * `(namespace, name, sequence, applied_at)` — and the runner verifies the
  * applied list is a name-prefix of the code's migration array at boot.
  *
- * **Append-only after first publish**: once a fuz_app version containing a
- * given migration is published (`npm publish` / `jsr publish`), that
- * migration's name and position are frozen. Never edit, rename, or reorder
- * after publish — append only. Pre-publish, anything goes; the cliff is the
- * publish event. Edits to a published migration's body slip past the runner
- * (no content hashing) and are caught by schema-snapshot tests in consumers.
+ * **Schema is not stabilized yet — append-only is NOT the rule.** While
+ * fuz_app is pre-stable, migration bodies, names, and positions can change
+ * freely between versions; consumers upgrading across a schema change are
+ * expected to drop and re-bootstrap their dev/test databases (production
+ * deployments are not yet a supported use case). Once the schema is
+ * declared stable a hard append-only-after-publish rule will apply and the
+ * cliff will be called out in that release's notes; until then, body edits
+ * to a published migration slip past the runner (no content hashing) by
+ * design — they're the recommended way to evolve the schema.
  *
  * **Chain-level transactions**: All pending migrations in a namespace run in
  * a single transaction. Any failure rolls back every migration in that run —
@@ -21,7 +24,7 @@
  * **Chain idempotency, not migration idempotency**: the chain-tx wraps every
  * migration replayed in a single boot, so an individual migration may
  * temporarily produce intermediate state that a later migration reverses
- * (e.g. v0's `PERMIT_INDEXES` recreates an index that v1 drops; chain-tx
+ * (e.g. v0's `ROLE_GRANT_INDEXES` recreates an index that v1 drops; chain-tx
  * hides this from observers). What matters is that the *committed end state*
  * matches; the in-tx steps may not be individually idempotent against an
  * arbitrary mid-chain target.
@@ -53,7 +56,8 @@ export interface Migration {
 /**
  * A named group of ordered migrations.
  *
- * Array index = position in the chain. Append-only after publish.
+ * Array index = position in the chain. Pre-stable: bodies, names, and
+ * positions can change between versions (consumers re-bootstrap on upgrade).
  */
 export interface MigrationNamespace {
     namespace: string;

package/dist/db/migrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAEhC;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC7B;AAED,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,aAAa,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,MAAM,kBAAkB,GAC3B,sBAAsB,GACtB,sBAAsB,GACtB,mBAAmB,GACnB,kBAAkB,GAClB,2BAA2B,GAC3B,4BAA4B,GAC5B,sCAAsC,CAAC;AAE1C,8DAA8D;AAC9D,MAAM,WAAW,qBAAqB;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,KAAK,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;;;GAIG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACxC,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;gBAEnC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB;CAQtF;AA6ED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,cAAc,GAC1B,IAAI,EAAE,EACN,YAAY,KAAK,CAAC,kBAAkB,CAAC,KACnC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAuFhC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,eAAO,MAAM,QAAQ,GACpB,IAAI,EAAE,EACN,IAAI,kBAAkB,EACtB,OAAO,aAAa,CAAC,MAAM,CAAC,KAC1B,OAAO,CAAC,IAAI,CA+Dd,CAAC"}
+{"version":3,"file":"migrate.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,SAAS,CAAC;AAEhC;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC7B;AAED,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,aAAa,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,MAAM,kBAAkB,GAC3B,sBAAsB,GACtB,sBAAsB,GACtB,mBAAmB,GACnB,kBAAkB,GAClB,2BAA2B,GAC3B,4BAA4B,GAC5B,sCAAsC,CAAC;AAE1C,8DAA8D;AAC9D,MAAM,WAAW,qBAAqB;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,KAAK,CAAC,EAAE,OAAO,CAAC;CAChB;AAED;;;;GAIG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACxC,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;gBAEnC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB;CAQtF;AA6ED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,cAAc,GAC1B,IAAI,EAAE,EACN,YAAY,KAAK,CAAC,kBAAkB,CAAC,KACnC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAuFhC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,eAAO,MAAM,QAAQ,GACpB,IAAI,EAAE,EACN,IAAI,kBAAkB,EACtB,OAAO,aAAa,CAAC,MAAM,CAAC,KAC1B,OAAO,CAAC,IAAI,CA+Dd,CAAC"}

package/dist/db/migrate.js

@@ -6,12 +6,15 @@
  * `(namespace, name, sequence, applied_at)` — and the runner verifies the
  * applied list is a name-prefix of the code's migration array at boot.
  *
- * **Append-only after first publish**: once a fuz_app version containing a
- * given migration is published (`npm publish` / `jsr publish`), that
- * migration's name and position are frozen. Never edit, rename, or reorder
- * after publish — append only. Pre-publish, anything goes; the cliff is the
- * publish event. Edits to a published migration's body slip past the runner
- * (no content hashing) and are caught by schema-snapshot tests in consumers.
+ * **Schema is not stabilized yet — append-only is NOT the rule.** While
+ * fuz_app is pre-stable, migration bodies, names, and positions can change
+ * freely between versions; consumers upgrading across a schema change are
+ * expected to drop and re-bootstrap their dev/test databases (production
+ * deployments are not yet a supported use case). Once the schema is
+ * declared stable a hard append-only-after-publish rule will apply and the
+ * cliff will be called out in that release's notes; until then, body edits
+ * to a published migration slip past the runner (no content hashing) by
+ * design — they're the recommended way to evolve the schema.
  *
  * **Chain-level transactions**: All pending migrations in a namespace run in
  * a single transaction. Any failure rolls back every migration in that run —
@@ -21,7 +24,7 @@
  * **Chain idempotency, not migration idempotency**: the chain-tx wraps every
  * migration replayed in a single boot, so an individual migration may
  * temporarily produce intermediate state that a later migration reverses
- * (e.g. v0's `PERMIT_INDEXES` recreates an index that v1 drops; chain-tx
+ * (e.g. v0's `ROLE_GRANT_INDEXES` recreates an index that v1 drops; chain-tx
  * hides this from observers). What matters is that the *committed end state*
  * matches; the in-tx steps may not be individually idempotent against an
  * arbitrary mid-chain target.

package/dist/dev/setup.d.ts

@@ -173,7 +173,7 @@ export interface SeedDevAccountInput {
     username: string;
     /** Account password. Policy is bypassed — any non-empty string is accepted. */
     password: string;
-    /** Roles to grant via permit (idempotent). */
+    /** Roles to grant via role_grant (idempotent). */
     roles?: ReadonlyArray<string>;
 }
 /** Result of `seed_dev_account`. */
@@ -197,7 +197,7 @@ export interface SeedDevAccountDeps extends QueryDeps {
  *
  * Intended for `scripts/dev_setup.ts` — do not call in production.
  *
- * @mutates database - inserts an account/actor pair when missing and grants any requested role permits
+ * @mutates database - inserts an account/actor pair when missing and grants any requested role role_grants
  * @throws Error if an existing account is found without an associated actor row
  */
 export declare const seed_dev_account: (deps: SeedDevAccountDeps, input: SeedDevAccountInput, options?: {

package/dist/dev/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/dev/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACX,WAAW,EACX,aAAa,EACb,OAAO,EACP,UAAU,EACV,YAAY,EACZ,WAAW,EACX,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAQnD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1B,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC5B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,2CAA2C;AAC3C,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF,kCAAkC;AAClC,MAAM,WAAW,cAAc;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;CACb;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAChC,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,aAAa;IAC7B,+CAA+C;IAC/C,KAAK,EAAE,OAAO,CAAC;IACf,wEAAwE;IACxE,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,OAAO,EAAE,UAAU,GAAG,QAAQ,GAAG,MAAM,CAAC;CACxC;AAED,oCAAoC;AACpC,MAAM,WAAW,eAAe;IAC/B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IACrD,qEAAqE;IACrE,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,2CAA2C;AAC3C,MAAM,WAAW,0BAA0B;IAC1C,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,qBAAqB;IACrC,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAID;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAQpD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,WAAW,KAAG,OAAO,CAAC,MAAM,CAI3E,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GACxB,MAAM,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,gBAAgB,CAAC,EACjD,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAU5B,CAAC;AAIF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,EAC5C,UAAU,MAAM,EAChB,cAAc,MAAM,EACpB,UAAU,eAAe,KACvB,OAAO,CAAC,cAAc,CAiDxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,EACtD,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CA0B1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,GAAG,OAAO,EACrE,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CAoB1B,CAAC;AAIF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,WAAW,EACjB,SAAS,MAAM,EACf,UAAU,qBAAqB,KAC7B,OAAO,CAAC,aAAa,CAgBvB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,WAAW,GAAG,UAAU,GAAG,YAAY,EAC7C,cAAc,MAAM,EACpB,UAAU,oBAAoB,KAC5B,OAAO,CAAC,aAAa,CA8CvB,CAAC;AAIF,mCAAmC;AACnC,MAAM,WAAW,mBAAmB;IACnC,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,OAAO,EAAE,OAAO,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACpD,oEAAoE;IACpE,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAC5B,MAAM,kBAAkB,EACxB,OAAO,mBAAmB,EAC1B,UAAU;IAAC,GAAG,CAAC,EAAE,WAAW,CAAA;CAAC,KAC3B,OAAO,CAAC,oBAAoB,CAsC9B,CAAC"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/dev/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACX,WAAW,EACX,aAAa,EACb,OAAO,EACP,UAAU,EACV,YAAY,EACZ,WAAW,EACX,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAQnD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1B,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC5B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,2CAA2C;AAC3C,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF,kCAAkC;AAClC,MAAM,WAAW,cAAc;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;CACb;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAChC,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,aAAa;IAC7B,+CAA+C;IAC/C,KAAK,EAAE,OAAO,CAAC;IACf,wEAAwE;IACxE,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,OAAO,EAAE,UAAU,GAAG,QAAQ,GAAG,MAAM,CAAC;CACxC;AAED,oCAAoC;AACpC,MAAM,WAAW,eAAe;IAC/B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IACrD,qEAAqE;IACrE,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,2CAA2C;AAC3C,MAAM,WAAW,0BAA0B;IAC1C,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,qBAAqB;IACrC,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAID;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAQpD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,WAAW,KAAG,OAAO,CAAC,MAAM,CAI3E,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GACxB,MAAM,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,gBAAgB,CAAC,EACjD,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAU5B,CAAC;AAIF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,EAC5C,UAAU,MAAM,EAChB,cAAc,MAAM,EACpB,UAAU,eAAe,KACvB,OAAO,CAAC,cAAc,CAiDxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,EACtD,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CA0B1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,GAAG,OAAO,EACrE,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CAoB1B,CAAC;AAIF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,WAAW,EACjB,SAAS,MAAM,EACf,UAAU,qBAAqB,KAC7B,OAAO,CAAC,aAAa,CAgBvB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,WAAW,GAAG,UAAU,GAAG,YAAY,EAC7C,cAAc,MAAM,EACpB,UAAU,oBAAoB,KAC5B,OAAO,CAAC,aAAa,CA8CvB,CAAC;AAIF,mCAAmC;AACnC,MAAM,WAAW,mBAAmB;IACnC,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,OAAO,EAAE,OAAO,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACpD,oEAAoE;IACpE,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAC5B,MAAM,kBAAkB,EACxB,OAAO,mBAAmB,EAC1B,UAAU;IAAC,GAAG,CAAC,EAAE,WAAW,CAAA;CAAC,KAC3B,OAAO,CAAC,oBAAoB,CAwC9B,CAAC"}

package/dist/dev/setup.js

@@ -8,8 +8,8 @@
  *
  * @module
  */
-import { query_account_by_username, query_actor_by_account, query_create_account_with_actor, } from '../auth/account_queries.js';
-import { query_grant_permit } from '../auth/permit_queries.js';
+import { query_account_by_username, query_actors_by_account, query_create_account_with_actor, } from '../auth/account_queries.js';
+import { query_create_role_grant } from '../auth/role_grant_queries.js';
 /** Default logger using bracket format. */
 export const default_setup_logger = {
     ok: (msg) => console.log(`  [ok] ${msg}`),
@@ -284,7 +284,7 @@ export const reset_database = async (deps, database_url, options) => {
  *
  * Intended for `scripts/dev_setup.ts` — do not call in production.
  *
- * @mutates database - inserts an account/actor pair when missing and grants any requested role permits
+ * @mutates database - inserts an account/actor pair when missing and grants any requested role role_grants
  * @throws Error if an existing account is found without an associated actor row
  */
 export const seed_dev_account = async (deps, input, options) => {
@@ -292,13 +292,15 @@ export const seed_dev_account = async (deps, input, options) => {
     const query_deps = { db: deps.db };
     const existing = await query_account_by_username(query_deps, input.username);
     if (existing) {
-        const actor = await query_actor_by_account(query_deps, existing.id);
-        if (!actor) {
+        const actors = await query_actors_by_account(query_deps, existing.id);
+        if (actors.length === 0) {
             log.error(`dev account '${input.username}' exists but has no actor`);
             throw new Error(`dev account '${input.username}' has no actor`);
         }
+        // Dev seed is single-actor by construction; pick the first.
+        const actor = actors[0];
         for (const role of input.roles ?? []) {
-            await query_grant_permit(query_deps, {
+            await query_create_role_grant(query_deps, {
                 actor_id: actor.id,
                 role,
                 granted_by: null,
@@ -314,7 +316,7 @@ export const seed_dev_account = async (deps, input, options) => {
         password_hash,
     });
     for (const role of input.roles ?? []) {
-        await query_grant_permit(query_deps, {
+        await query_create_role_grant(query_deps, {
             actor_id: actor.id,
             role,
             granted_by: null,

package/dist/env/load.d.ts

@@ -35,7 +35,7 @@ export declare class EnvValidationError extends Error {
  * `error.all_undefined` before calling this.
  *
  * @param error - the env validation error
- * @param label - optional prefix for log lines (e.g., 'tx daemon', 'env')
+ * @param label - optional prefix for log lines (e.g., 'zap daemon', 'env')
  */
 export declare const log_env_validation_error: (error: EnvValidationError, label?: string) => void;
 /**

package/dist/env/load.js

@@ -42,7 +42,7 @@ export class EnvValidationError extends Error {
  * `error.all_undefined` before calling this.
  *
  * @param error - the env validation error
- * @param label - optional prefix for log lines (e.g., 'tx daemon', 'env')
+ * @param label - optional prefix for log lines (e.g., 'zap daemon', 'env')
  */
 export const log_env_validation_error = (error, label) => {
     const prefix = label ? `[${label}] ` : '';

package/dist/hono_context.d.ts

@@ -12,19 +12,50 @@
  */
 import { z } from 'zod';
 import type { RequestContext } from './auth/request_context.js';
-/** The credential types that can authenticate a request. */
+/**
+ * The credential types that can authenticate a request — the closed set
+ * of fuz_app builtins. The open registry on top
+ * (`create_credential_type_schema(consumer_types)`) is consulted at
+ * registry time by `create_role_schema` for `RoleSpec.required_credential_types`
+ * validation; the wire-validated `CredentialType` enum here stays
+ * narrow because middleware only ever sets one of the three builtins.
+ */
 export declare const CREDENTIAL_TYPES: readonly ["session", "api_token", "daemon_token"];
 /** Credential type — how a request was authenticated. */
 export declare const CredentialType: z.ZodEnum<{
+    daemon_token: "daemon_token";
     session: "session";
     api_token: "api_token";
-    daemon_token: "daemon_token";
 }>;
 export type CredentialType = z.infer<typeof CredentialType>;
 /** Hono context variable name for the credential type. */
 export declare const CREDENTIAL_TYPE_KEY = "credential_type";
 /** Hono context variable name for the authenticated API token id. */
 export declare const AUTH_API_TOKEN_ID_KEY = "auth_api_token_id";
+/**
+ * Hono context variable name for the authenticated account id.
+ *
+ * Set by the auth middleware (session, bearer, or daemon token) on a valid
+ * credential. `null` for unauthenticated requests. The route-spec wrapper /
+ * RPC dispatcher's authorization phase reads this when resolving the acting
+ * actor; account-grain auth guards (`require_auth`) and account-grain handlers
+ * read it directly.
+ */
+export declare const ACCOUNT_ID_KEY = "auth_account_id";
+/**
+ * Hono context variable name for the test-harness pre-baked context flag.
+ *
+ * Test harnesses (`create_test_app_from_specs`, `create_fake_hono_context`,
+ * the WS round-trip `connect()` helper, plus per-test middleware that
+ * pre-populates `REQUEST_CONTEXT_KEY`) set this to `true` so
+ * `apply_authorization_phase` skips its DB-backed actor resolution and
+ * trusts the supplied `RequestContext`. Production middleware never sets
+ * this key — only test code does. The flag is the explicit escape hatch
+ * that replaced the implicit "is `REQUEST_CONTEXT_KEY` already set?" probe,
+ * so that future production code consulting `REQUEST_CONTEXT_KEY` cannot
+ * silently bypass the live build.
+ */
+export declare const TEST_CONTEXT_PRESET_KEY = "test_context_preset";
 declare module 'hono' {
     interface ContextVariableMap {
         /** Resolved client IP, set by the trusted proxy middleware. */
@@ -36,6 +67,13 @@ declare module 'hono' {
         validated_query: unknown;
         /** How the request was authenticated (`'session'`, `'api_token'`, or `'daemon_token'`). */
         credential_type: CredentialType | null;
+        /**
+         * Authenticated account id. Set by the session / bearer / daemon-token
+         * middleware on a valid credential; `null` for unauthenticated requests.
+         * The dispatcher's authorization phase resolves the acting actor against
+         * this id; `require_auth` 401s when it is `null`.
+         */
+        auth_account_id: string | null;
         /**
          * blake3 hash of the authenticated session token, or `null` for non-session
          * credentials. Set by `create_request_context_middleware`. Used to scope
@@ -52,11 +90,32 @@ declare module 'hono' {
          */
         auth_api_token_id: string | null;
         /**
-         * Pending fire-and-forget effects for this request (audit logs, usage tracking, etc.).
-         * Initialized by `create_app_server`. In test mode (`await_pending_effects: true`),
-         * all effects are awaited before the response returns.
+         * Eager fire-and-forget pool writes for this request — audit emits,
+         * session-touch UPDATE, api-token usage tracking. Producers push the
+         * in-flight `Promise<void>` directly. The flush middleware drains via
+         * `flush_pending_effects` after the handler returns. Initialized by
+         * `create_app_server`. In test mode (`await_pending_effects: true`),
+         * every promise resolves before the response returns.
          */
         pending_effects: Array<Promise<void>>;
+        /**
+         * Post-commit thunks pushed via `emit_after_commit(ctx, fn)`. The
+         * flush middleware invokes each thunk after the handler returns —
+         * never inline — so notifications (WS sends, etc.) cannot fire
+         * mid-transaction. Producers do not push raw thunks directly. The
+         * flush owns per-thunk `try/catch` + `log.error` so a directly-pushed
+         * thunk (tests included) cannot escape the safety net.
+         * Initialized by `create_app_server`. In test mode
+         * (`await_pending_effects: true`), every thunk completes before the
+         * response returns.
+         */
+        post_commit_effects: Array<() => void | Promise<void>>;
+        /**
+         * Set to `true` by test harnesses that pre-populate `request_context`
+         * to bypass the dispatcher's DB-backed actor resolution. Read by
+         * `apply_authorization_phase`. Production middleware never sets this.
+         */
+        test_context_preset: boolean;
     }
 }
 //# sourceMappingURL=hono_context.d.ts.map

package/dist/hono_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KACtC;CACD"}
+{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAO9D;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,mDAInB,CAAC;AAEX,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;;;;WAOG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC;;;;;;;;;;WAUG;QACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD;;;;WAIG;QACH,mBAAmB,EAAE,OAAO,CAAC;KAC7B;CACD"}