@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/http/route_spec.d.ts

@@ -18,46 +18,82 @@ import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { Db } from '../db/db.js';
 import { type RouteErrorSchemas, type RateLimitKey } from './error_schemas.js';
 import type { MiddlewareSpec } from './middleware_spec.js';
+import { type RouteAuth } from './auth_shape.js';
 /**
- * Auth requirement for a route — `none`, `authenticated`, a specific role, or `keeper`.
+ * Two-phase auth guard set returned by `AuthGuardResolver`.
  *
- * `{type: 'none'}` means the route is open to all clients — including non-browser
- * callers (CLI, API tokens, scripts). No session or auth middleware guards are applied.
+ * `pre_validation` runs before input validation — 401 checks live here
+ * so unauthenticated callers never see route-shape information from
+ * input parsing failures. `post_authorization` runs after the
+ * authorization phase has populated `RequestContext` — role / keeper
+ * checks live here because they read `c.var.request_context.role_grants`.
  */
-export type RouteAuth = {
-    type: 'none';
-} | {
-    type: 'authenticated';
-} | {
-    type: 'role';
-    role: string;
-} | {
-    type: 'keeper';
-};
+export interface AuthGuards {
+    pre_validation: Array<MiddlewareHandler>;
+    post_authorization: Array<MiddlewareHandler>;
+}
 /**
  * Resolves a `RouteAuth` to middleware guard handlers.
  *
  * Injected into `apply_route_specs` to decouple route registration
  * from auth-specific middleware. See `fuz_auth_guard_resolver` in
- * `auth/route_guards.ts` for the standard implementation.
+ * `auth/auth_guard_resolver.ts` for the standard implementation.
+ */
+export type AuthGuardResolver = (auth: RouteAuth) => AuthGuards;
+/**
+ * Per-route authorization phase. Runs after pre-validation auth guards
+ * AND input validation; resolves the acting actor (when `auth.actor !== 'none'`)
+ * by reading `c.var.validated_input.acting` and sets the request context on
+ * the Hono context. Per-route order in `apply_route_specs`: params → query
+ * → pre-validation auth (401) → input validation (400) → authorization
+ * phase → post-authorization auth (403) → handler.
+ *
+ * Returns a `Response` to short-circuit (resolution failure → 400 / 500),
+ * or `void` to continue. The http framework stays auth-agnostic — fuz_app
+ * provides the implementation via `create_fuz_authorization_handler` in
+ * `auth/request_context.ts`.
  */
-export type AuthGuardResolver = (auth: RouteAuth) => Array<MiddlewareHandler>;
+export type AuthorizationHandler = (c: Context, spec: RouteSpec) => Promise<Response | void>;
 /** HTTP methods supported by route specs. */
 export type RouteMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH';
 /**
  * Per-request deps provided by the framework to route handlers.
+ *
+ * Audit writes and other rollback-resilient fire-and-forget calls run
+ * through `AppDeps.audit.emit(ctx, input)` (see `auth/audit_emitter.ts`),
+ * which captures the pool inside its closure — handlers can never
+ * accidentally write audits against the request transaction.
+ *
+ * Routes whose body manages its own transaction (signup, bootstrap)
+ * declare `transaction: false` on the spec, which makes `route.db` the
+ * pool — they reach for it directly.
  */
 export interface RouteContext {
-    /** Transaction-scoped for mutations, pool-level for reads. */
+    /**
+     * Transaction-scoped when `RouteSpec.transaction` is true (the default
+     * for non-GET); pool-level otherwise.
+     */
     db: Db;
-    /** Always pool-level — for fire-and-forget effects that must outlive the transaction. */
-    background_db: Db;
-    /** Fire-and-forget side effects — push here for post-response flushing. */
+    /**
+     * Eager fire-and-forget queue — push the in-flight `Promise<void>` for
+     * pool writes already running (audit emits, session touch, api-token
+     * usage tracking). The flush middleware drains via
+     * `flush_pending_effects` after the handler returns.
+     */
     pending_effects: Array<Promise<void>>;
+    /**
+     * Deferred post-commit thunks — do not push directly; reach for
+     * `emit_after_commit(ctx, fn)` from `pending_effects.ts`. The flush
+     * middleware invokes each thunk after the handler (and any wrapping
+     * `db.transaction`) returns, closing the microtask-ordering window
+     * that an eager `Promise.resolve().then(fn)` leaves open inside the
+     * transaction.
+     */
+    post_commit_effects: Array<() => void | Promise<void>>;
 }
 /**
  * Route handler function — receives the Hono context and a `RouteContext`
- * with per-request deps (db, background_db, pending_effects).
+ * with per-request deps (db, pending_effects).
  *
  * TypeScript allows fewer params, so handlers that don't need `route`
  * can use `(c) => ...` without changes.
@@ -121,27 +157,39 @@ export interface RouteSpec {
 /**
  * Get validated input from the Hono context.
  *
- * Call after the input validation middleware has run. The type parameter
- * should match the route's `input` schema.
+ * Call after the input validation middleware has run. Pass the route's
+ * `input` Zod schema to infer the typed shape directly:
+ *
+ * ```ts
+ * const input = get_route_input(c, my_route_spec.input);
+ * ```
+ *
+ * Or pass an explicit type argument when the schema isn't in scope:
+ *
+ * ```ts
+ * const input = get_route_input<MyInput>(c);
+ * ```
  */
-export declare const get_route_input: <T>(c: Context) => T;
+export declare function get_route_input<S extends z.ZodType>(c: Context, schema: S): z.infer<S>;
+export declare function get_route_input<T = unknown>(c: Context): T;
 /**
  * Get validated URL path params from the Hono context.
  *
- * Call after the params validation middleware has run. The type parameter
- * should match the route's `params` schema.
- *
- * TODO derive `T` from the route spec so the type parameter isn't manually
- * specified — same applies to `get_route_input` / `get_route_query`.
+ * Call after the params validation middleware has run. Pass the route's
+ * `params` schema to infer the typed shape, or supply an explicit type
+ * argument. See `get_route_input` for the two call shapes.
  */
-export declare const get_route_params: <T>(c: Context) => T;
+export declare function get_route_params<S extends z.ZodType>(c: Context, schema: S): z.infer<S>;
+export declare function get_route_params<T = unknown>(c: Context): T;
 /**
  * Get validated URL query params from the Hono context.
  *
- * Call after the query validation middleware has run. The type parameter
- * should match the route's `query` schema.
+ * Call after the query validation middleware has run. Pass the route's
+ * `query` schema to infer the typed shape, or supply an explicit type
+ * argument. See `get_route_input` for the two call shapes.
  */
-export declare const get_route_query: <T>(c: Context) => T;
+export declare function get_route_query<S extends z.ZodType>(c: Context, schema: S): z.infer<S>;
+export declare function get_route_query<T = unknown>(c: Context): T;
 /**
  * Apply named middleware specs to a Hono app.
  *
@@ -153,20 +201,44 @@ export declare const apply_middleware_specs: (app: Hono, specs: Array<Middleware
  *
  * For each spec: resolves auth to guards via the provided resolver,
  * adds input validation middleware (for routes with non-null input schemas),
- * wraps handler with DEV-only output and error validation, wraps with error
- * catch layer (catches `ThrownJsonrpcError` and generic errors), and registers the route.
+ * runs the optional authorization phase to resolve the acting actor + build
+ * the request context, wraps handler with DEV-only output and error
+ * validation, wraps with error catch layer (catches `ThrownJsonrpcError`
+ * and generic errors), and registers the route.
+ *
+ * Per-route middleware order: params → query → pre-validation auth
+ * guards (401) → input validation (400) → authorization phase →
+ * post-authorization auth guards (403) → handler. The 401 check runs
+ * before any body parsing so unauthenticated callers never see
+ * route-shape information from parse failures. Input validation runs
+ * before the authorization phase (validate first, authorize after) so
+ * the authorization phase reads `c.var.validated_input.acting` as a
+ * typed Zod field instead of pre-parsing the raw body. Role /
+ * credential-type denials still surface 403 last; trade-off is that
+ * authenticated-but-unauthorized callers can distinguish 400
+ * (validation) from 403 (authorization), a defense-in-depth concession
+ * deemed acceptable because the route surface is public via
+ * spec/codegen JSON.
  *
  * Each handler receives a `RouteContext` with:
- * - `db`: transaction-scoped (for non-GET) or pool-level (for GET)
- * - `background_db`: always pool-level
- * - `pending_effects`: fire-and-forget effect queue
- *
- * @param resolve_auth_guards - maps `RouteAuth` to middleware — use `fuz_auth_guard_resolver` from `auth/route_guards.ts`
+ * - `db`: transaction-scoped when `RouteSpec.transaction` is true; pool-level otherwise
+ * - `pending_effects`: eager fire-and-forget pool-write queue
+ * - `post_commit_effects`: deferred-thunk queue (push via `emit_after_commit`)
+ *
+ * Also enforces registry-time invariant 2 from the auth-shape design:
+ * `auth.actor !== 'none' ⟺ input or query declares acting?: ActingActor`.
+ * REST is bi-located (GETs declare `acting` on `query`, mutations on
+ * `input`), so the check passes both slots; the action-dispatcher
+ * registries (`compile_action_registry`) share the same helper with
+ * `input` only — `ActionSpec` has no `query` shape.
+ *
+ * @param resolve_auth_guards - maps `RouteAuth` to middleware — use `fuz_auth_guard_resolver` from `auth/auth_guard_resolver.ts`
+ * @param authorize - optional authorization phase; runs after input validation
  * @param db - used for transaction wrapping and `RouteContext`
  * @mutates `app`
- * @throws Error if two specs share the same `method` + `path` (each combination must be unique)
+ * @throws Error if two specs share the same `method` + `path` (each combination must be unique), or if any spec violates the actor-acting biconditional
  */
-export declare const apply_route_specs: (app: Hono, specs: Array<RouteSpec>, resolve_auth_guards: AuthGuardResolver, log: Logger, db: Db) => void;
+export declare const apply_route_specs: (app: Hono, specs: Array<RouteSpec>, resolve_auth_guards: AuthGuardResolver, log: Logger, db: Db, authorize?: AuthorizationHandler) => void;
 /**
  * Prepend a prefix to all route spec paths.
  *

package/dist/http/route_spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/route_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAW,IAAI,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACpE,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EACN,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAKjB,MAAM,oBAAoB,CAAC;AAQ5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AAEzD;;;;;GAKG;AACH,MAAM,MAAM,SAAS,GAClB;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GACd;IAAC,IAAI,EAAE,eAAe,CAAA;CAAC,GACvB;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAC5B;IAAC,IAAI,EAAE,QAAQ,CAAA;CAAC,CAAC;AAEpB;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,KAAK,CAAC,iBAAiB,CAAC,CAAC;AAE9E,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,8DAA8D;IAC9D,EAAE,EAAE,EAAE,CAAC;IACP,yFAAyF;IACzF,aAAa,EAAE,EAAE,CAAC;IAClB,2EAA2E;IAC3E,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACtC;AAED;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE7F;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,YAAY,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,mEAAmE;IACnE,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,oCAAoC;IACpC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAI,CAAC,EAAE,GAAG,OAAO,KAAG,CAE/C,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,GAAI,CAAC,EAAE,GAAG,OAAO,KAAG,CAEhD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAI,CAAC,EAAE,GAAG,OAAO,KAAG,CAE/C,CAAC;AA8IF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAI,KAAK,IAAI,EAAE,OAAO,KAAK,CAAC,cAAc,CAAC,KAAG,IAIhF,CAAC;AAgCF;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,IAAI,EACT,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,qBAAqB,iBAAiB,EACtC,KAAK,MAAM,EACX,IAAI,EAAE,KACJ,IAsCF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,SAAS,CAK3F,CAAC"}
+{"version":3,"file":"route_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/route_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAW,IAAI,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACpE,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EACN,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAKjB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAyC,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAEvF;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IAC1B,cAAc,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,kBAAkB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC;CAC7C;AAED;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,UAAU,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,KAAK,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAE7F,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;AAEtE;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,YAAY;IAC5B;;;OAGG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;;;OAOG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACvD;AAED;;;;;;GAMG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAE7F;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,MAAM,EAAE,WAAW,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,OAAO,EAAE,YAAY,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,mEAAmE;IACnE,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,oCAAoC;IACpC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;IAClB;;;;;;OAMG;IACH,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK5D;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzF,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAK7D;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACxF,wBAAgB,eAAe,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;AAoJ5D;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAI,KAAK,IAAI,EAAE,OAAO,KAAK,CAAC,cAAc,CAAC,KAAG,IAIhF,CAAC;AAkFF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,eAAO,MAAM,iBAAiB,GAC7B,KAAK,IAAI,EACT,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,qBAAqB,iBAAiB,EACtC,KAAK,MAAM,EACX,IAAI,EAAE,EACN,YAAY,oBAAoB,KAC9B,IAgEF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,SAAS,CAK3F,CAAC"}

package/dist/http/route_spec.js

@@ -14,38 +14,18 @@
  */
 import { DEV } from 'esm-env';
 import { ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, ERROR_INVALID_ROUTE_PARAMS, ERROR_INVALID_QUERY_PARAMS, } from './error_schemas.js';
-import { ThrownJsonrpcError, JSONRPC_ERROR_CODES, jsonrpc_error_code_to_http_status, } from './jsonrpc_errors.js';
+import { ThrownJsonrpcError, jsonrpc_error_code_to_http_status, jsonrpc_error_code_to_name, } from './jsonrpc_errors.js';
 import { is_null_schema, merge_error_schemas } from './schema_helpers.js';
-/**
- * Get validated input from the Hono context.
- *
- * Call after the input validation middleware has run. The type parameter
- * should match the route's `input` schema.
- */
-export const get_route_input = (c) => {
+import { assert_route_auth_acting_biconditional } from './auth_shape.js';
+export function get_route_input(c, _schema) {
     return c.get('validated_input');
-};
-/**
- * Get validated URL path params from the Hono context.
- *
- * Call after the params validation middleware has run. The type parameter
- * should match the route's `params` schema.
- *
- * TODO derive `T` from the route spec so the type parameter isn't manually
- * specified — same applies to `get_route_input` / `get_route_query`.
- */
-export const get_route_params = (c) => {
+}
+export function get_route_params(c, _schema) {
     return c.get('validated_params');
-};
-/**
- * Get validated URL query params from the Hono context.
- *
- * Call after the query validation middleware has run. The type parameter
- * should match the route's `query` schema.
- */
-export const get_route_query = (c) => {
+}
+export function get_route_query(c, _schema) {
     return c.get('validated_query');
-};
+}
 /**
  * Create input validation middleware for a route spec.
  *
@@ -53,7 +33,10 @@ export const get_route_query = (c) => {
  * validated elsewhere, e.g. from `?params=` query string in RPC handlers)
  * and for null-input routes (no body expected). For other routes with input
  * schemas, returns a middleware that parses and validates the JSON body,
- * storing the result on the context as `validated_input`.
+ * storing the result on the context as `validated_input`. Input validation
+ * runs before the authorization phase, so the authorization phase reads
+ * `c.var.validated_input.acting` directly — no separate body pre-parse /
+ * cache machinery is needed.
  *
  * @mutates `c.var.validated_input` - set to the parsed and validated body on success
  */
@@ -192,10 +175,29 @@ export const apply_middleware_specs = (app, specs) => {
 /**
  * Wrap a handler with error catch logic.
  *
- * Catches `ThrownJsonrpcError` and maps to HTTP status + JSON-RPC error response.
- * Catches generic `Error` and maps to `internal_error` (-32603 → 500), including
- * the error message in DEV only. Existing handlers that return `c.json()` directly
- * are unaffected — the catch layer only activates when something is thrown.
+ * Catches `ThrownJsonrpcError` and maps it to a flat REST `ApiError` body
+ * (`{error: <reason>, message?, ...rest_data}`) at the matching HTTP status.
+ * Catches generic `Error` and maps to `{error: 'internal_error', message?}`
+ * at 500 (`message` populated only in DEV). Existing handlers that return
+ * `c.json()` directly are unaffected — the catch layer only activates when
+ * something is thrown.
+ *
+ * The flat shape matches what middleware and direct handler emissions
+ * produce (e.g. `c.json({error: ERROR_FOO}, status)`,
+ * `c.json(failure.body, status)` from the dispatcher's authorization phase),
+ * so REST callers see one error envelope across every emit site. The
+ * `<reason>` string comes from `err.data.reason` when set (consumer-supplied
+ * canonical reason code) or from `jsonrpc_error_code_to_name(err.code)`
+ * (the JSON-RPC error name — `'not_found'`, `'forbidden'`, etc.). Other
+ * `data` fields flatten alongside `error` so diagnostic data is visible
+ * to clients without descending an envelope.
+ *
+ * The JSON-RPC code is intentionally **not** carried on the REST body —
+ * REST callers key on HTTP status + `error` reason, and the JSON-RPC code
+ * is recoverable via `http_status_to_jsonrpc_error_code(status)` on the
+ * rare consumer that wants it. Keeping the shape transport-shaped (REST
+ * emits ApiError; JSON-RPC dispatcher emits the JSON-RPC envelope) avoids
+ * a hybrid envelope that has to be normalized on the way out.
  */
 const wrap_error_catch = (handler, log) => {
     return async (c, next) => {
@@ -205,37 +207,94 @@ const wrap_error_catch = (handler, log) => {
         catch (err) {
             if (err instanceof ThrownJsonrpcError) {
                 const status = jsonrpc_error_code_to_http_status(err.code);
-                const error = { code: err.code, message: err.message };
-                if (err.data !== undefined)
-                    error.data = err.data;
-                return c.json({ error }, status);
+                return c.json(build_rest_error_body(err), status);
             }
             // generic error — internal_error
             log.error('Unhandled handler error', err);
-            const message = DEV && err instanceof Error ? err.message : 'internal server error';
-            return c.json({ error: { code: JSONRPC_ERROR_CODES.internal_error, message } }, 500);
+            const body = { error: 'internal_error' };
+            if (DEV && err instanceof Error)
+                body.message = err.message;
+            return c.json(body, 500);
         }
     };
 };
+/**
+ * Build the REST body for a thrown `ThrownJsonrpcError`. Splits out
+ * for unit-test directness and keeps the catch handler readable.
+ *
+ * Reason resolution order:
+ * 1. `err.data.reason` (consumer-supplied canonical reason — overrides code-derived name)
+ * 2. `jsonrpc_error_code_to_name(err.code)` (e.g. -32003 → `'not_found'`)
+ *
+ * Remaining `err.data` fields (everything except `reason`) flatten under
+ * the body. Non-object `data` is dropped — we don't want a primitive
+ * `data` to overwrite the structured shape.
+ */
+const build_rest_error_body = (err) => {
+    let reason;
+    const rest = {};
+    if (err.data !== null &&
+        typeof err.data === 'object' &&
+        !Array.isArray(err.data) &&
+        typeof err.data.reason === 'string') {
+        const { reason: data_reason, ...other } = err.data;
+        reason = data_reason;
+        Object.assign(rest, other);
+    }
+    else {
+        reason = jsonrpc_error_code_to_name(err.code);
+        if (err.data !== null && typeof err.data === 'object' && !Array.isArray(err.data)) {
+            Object.assign(rest, err.data);
+        }
+    }
+    const body = { error: reason, ...rest };
+    if (err.message && err.message !== reason)
+        body.message = err.message;
+    return body;
+};
 /**
  * Apply route specs to a Hono app.
  *
  * For each spec: resolves auth to guards via the provided resolver,
  * adds input validation middleware (for routes with non-null input schemas),
- * wraps handler with DEV-only output and error validation, wraps with error
- * catch layer (catches `ThrownJsonrpcError` and generic errors), and registers the route.
+ * runs the optional authorization phase to resolve the acting actor + build
+ * the request context, wraps handler with DEV-only output and error
+ * validation, wraps with error catch layer (catches `ThrownJsonrpcError`
+ * and generic errors), and registers the route.
+ *
+ * Per-route middleware order: params → query → pre-validation auth
+ * guards (401) → input validation (400) → authorization phase →
+ * post-authorization auth guards (403) → handler. The 401 check runs
+ * before any body parsing so unauthenticated callers never see
+ * route-shape information from parse failures. Input validation runs
+ * before the authorization phase (validate first, authorize after) so
+ * the authorization phase reads `c.var.validated_input.acting` as a
+ * typed Zod field instead of pre-parsing the raw body. Role /
+ * credential-type denials still surface 403 last; trade-off is that
+ * authenticated-but-unauthorized callers can distinguish 400
+ * (validation) from 403 (authorization), a defense-in-depth concession
+ * deemed acceptable because the route surface is public via
+ * spec/codegen JSON.
  *
  * Each handler receives a `RouteContext` with:
- * - `db`: transaction-scoped (for non-GET) or pool-level (for GET)
- * - `background_db`: always pool-level
- * - `pending_effects`: fire-and-forget effect queue
+ * - `db`: transaction-scoped when `RouteSpec.transaction` is true; pool-level otherwise
+ * - `pending_effects`: eager fire-and-forget pool-write queue
+ * - `post_commit_effects`: deferred-thunk queue (push via `emit_after_commit`)
+ *
+ * Also enforces registry-time invariant 2 from the auth-shape design:
+ * `auth.actor !== 'none' ⟺ input or query declares acting?: ActingActor`.
+ * REST is bi-located (GETs declare `acting` on `query`, mutations on
+ * `input`), so the check passes both slots; the action-dispatcher
+ * registries (`compile_action_registry`) share the same helper with
+ * `input` only — `ActionSpec` has no `query` shape.
  *
- * @param resolve_auth_guards - maps `RouteAuth` to middleware — use `fuz_auth_guard_resolver` from `auth/route_guards.ts`
+ * @param resolve_auth_guards - maps `RouteAuth` to middleware — use `fuz_auth_guard_resolver` from `auth/auth_guard_resolver.ts`
+ * @param authorize - optional authorization phase; runs after input validation
  * @param db - used for transaction wrapping and `RouteContext`
  * @mutates `app`
- * @throws Error if two specs share the same `method` + `path` (each combination must be unique)
+ * @throws Error if two specs share the same `method` + `path` (each combination must be unique), or if any spec violates the actor-acting biconditional
  */
-export const apply_route_specs = (app, specs, resolve_auth_guards, log, db) => {
+export const apply_route_specs = (app, specs, resolve_auth_guards, log, db, authorize) => {
     const registered = new Set();
     for (const spec of specs) {
         const route_key = `${spec.method} ${spec.path}`;
@@ -243,22 +302,41 @@ export const apply_route_specs = (app, specs, resolve_auth_guards, log, db) => {
             throw new Error(`Duplicate route: ${route_key} — each method+path combination must be unique`);
         }
         registered.add(route_key);
-        const guards = resolve_auth_guards(spec.auth);
+        assert_route_auth_acting_biconditional(spec.auth, { input: spec.input, query: spec.query }, `Route "${route_key}"`);
+        const { pre_validation: pre_validation_guards, post_authorization: post_authorization_guards } = resolve_auth_guards(spec.auth);
         const params_validation = create_params_validation(spec.params);
         const query_validation = create_query_validation(spec.query);
         const input_validation = create_input_validation(spec.input, spec.method);
-        const merged_errors = merge_error_schemas(spec);
+        const merged_errors = merge_error_schemas(spec, null);
+        const authorization = authorize
+            ? [
+                async (c, next) => {
+                    const response = await authorize(c, spec);
+                    if (response)
+                        return response;
+                    await next();
+                },
+            ]
+            : [];
         // Step 1: adapt RouteHandler → Handler (construct RouteContext, call spec.handler)
         const use_transaction = spec.transaction ?? spec.method !== 'GET';
         const inner = spec.handler;
         let handler = use_transaction
-            ? (c) => db.transaction(async (tx) => inner(c, { db: tx, background_db: db, pending_effects: c.var.pending_effects }))
-            : (c) => inner(c, { db, background_db: db, pending_effects: c.var.pending_effects });
+            ? (c) => db.transaction(async (tx) => inner(c, {
+                db: tx,
+                pending_effects: c.var.pending_effects,
+                post_commit_effects: c.var.post_commit_effects,
+            }))
+            : (c) => inner(c, {
+                db,
+                pending_effects: c.var.pending_effects,
+                post_commit_effects: c.var.post_commit_effects,
+            });
         // Step 2: output validation
         handler = wrap_output_validation(handler, spec.output, merged_errors, log);
         // Step 3: error catch layer
         handler = wrap_error_catch(handler, log);
-        app.on(spec.method, [spec.path], ...guards, ...params_validation, ...query_validation, ...input_validation, handler);
+        app.on(spec.method, [spec.path], ...params_validation, ...query_validation, ...pre_validation_guards, ...input_validation, ...authorization, ...post_authorization_guards, handler);
     }
 };
 /**

package/dist/http/schema_helpers.d.ts

@@ -8,7 +8,7 @@
  * @module
  */
 import { z } from 'zod';
-import type { RouteAuth } from './route_spec.js';
+import type { RouteAuth } from './auth_shape.js';
 import { type RateLimitKey, type RouteErrorSchemas } from './error_schemas.js';
 /**
  * Check if a schema is exactly `z.null()`.
@@ -45,7 +45,7 @@ export declare const schema_to_surface: (schema: z.ZodType) => unknown;
  *
  * Supports Hono-style patterns:
  * - `/api/*` matches `/api/anything`
- * - `/api/tx/*` matches `/api/tx/runs` but not `/api/account/login`
+ * - `/api/zap/*` matches `/api/zap/runs` but not `/api/account/login`
  * - Exact match: `/health` matches `/health`
  */
 export declare const middleware_applies: (mw_path: string, route_path: string) => boolean;
@@ -56,6 +56,7 @@ export declare const middleware_applies: (mw_path: string, route_path: string) =
  * Later layers override earlier ones for the same status code.
  *
  * @param spec - the route spec (needs `auth`, `input`, `params`, `rate_limit`, `errors`)
+ * @param middleware_errors - errors contributed by middleware whose path matches the route
  * @returns merged error schemas, or `null` if empty
  */
 export declare const merge_error_schemas: (spec: {

package/dist/http/schema_helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/schema_helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAuB,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AAEnG;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OACe,CAAC;AAE5E;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAQrD,CAAC;AAoBF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,EAAE,YAAY,MAAM,KAAG,OAQxE,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM;IACL,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC3B,EACD,oBAAoB,iBAAiB,GAAG,IAAI,KAC1C,iBAAiB,GAAG,IAUtB,CAAC"}
+{"version":3,"file":"schema_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/schema_helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAuB,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AAEnG;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OACe,CAAC;AAE5E;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAQrD,CAAC;AAoBF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,EAAE,YAAY,MAAM,KAAG,OAQxE,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM;IACL,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC3B,EACD,oBAAoB,iBAAiB,GAAG,IAAI,KAC1C,iBAAiB,GAAG,IAUtB,CAAC"}

package/dist/http/schema_helpers.js

@@ -74,7 +74,7 @@ const strip_json_schema_noise = (value) => {
  *
  * Supports Hono-style patterns:
  * - `/api/*` matches `/api/anything`
- * - `/api/tx/*` matches `/api/tx/runs` but not `/api/account/login`
+ * - `/api/zap/*` matches `/api/zap/runs` but not `/api/account/login`
  * - Exact match: `/health` matches `/health`
  */
 export const middleware_applies = (mw_path, route_path) => {
@@ -95,10 +95,17 @@ export const middleware_applies = (mw_path, route_path) => {
  * Later layers override earlier ones for the same status code.
  *
  * @param spec - the route spec (needs `auth`, `input`, `params`, `rate_limit`, `errors`)
+ * @param middleware_errors - errors contributed by middleware whose path matches the route
  * @returns merged error schemas, or `null` if empty
  */
 export const merge_error_schemas = (spec, middleware_errors) => {
-    const derived = derive_error_schemas(spec.auth, !is_null_schema(spec.input), !!spec.params, !!spec.query, spec.rate_limit);
+    const derived = derive_error_schemas({
+        auth: spec.auth,
+        has_input: !is_null_schema(spec.input),
+        has_params: !!spec.params,
+        has_query: !!spec.query,
+        rate_limit: spec.rate_limit,
+    });
     const merged = { ...derived, ...middleware_errors, ...spec.errors };
     return Object.keys(merged).length > 0 ? merged : null;
 };

package/dist/http/surface.d.ts

@@ -9,7 +9,8 @@
 import { z } from 'zod';
 import type { EventSpec } from '../realtime/sse.js';
 import type { MiddlewareSpec } from './middleware_spec.js';
-import type { RouteAuth, RouteSpec } from './route_spec.js';
+import type { RouteSpec } from './route_spec.js';
+import type { RouteAuth } from './auth_shape.js';
 import type { RateLimitKey, RouteErrorSchemas } from './error_schemas.js';
 import type { RpcAction } from '../actions/action_rpc.js';
 import type { Sensitivity } from '../sensitivity.js';

package/dist/http/surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/surface.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACzD,OAAO,KAAK,EAAC,SAAS,EAAE,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EAAC,YAAY,EAAE,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AASxD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,mBAAmB,CAAC;AAKnD,mEAAmE;AACnE,MAAM,WAAW,eAAe;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,qBAAqB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,WAAW,EAAE,OAAO,CAAC;IACrB,uEAAuE;IACvE,WAAW,EAAE,OAAO,CAAC;IACrB,oFAAoF;IACpF,cAAc,EAAE,YAAY,GAAG,IAAI,CAAC;IACpC,uFAAuF;IACvF,aAAa,EAAE,OAAO,CAAC;IACvB,8FAA8F;IAC9F,YAAY,EAAE,OAAO,CAAC;IACtB,wFAAwF;IACxF,YAAY,EAAE,OAAO,CAAC;IACtB,iEAAiE;IACjE,aAAa,EAAE,OAAO,CAAC;IACvB,mGAAmG;IACnG,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9C;AAED,wEAAwE;AACxE,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,mGAAmG;IACnG,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9C;AAED,sEAAsE;AACtE,MAAM,WAAW,aAAa;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,eAAe;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;CACvB;AAED,2FAA2F;AAC3F,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,qFAAqF;IACrF,YAAY,EAAE,OAAO,CAAC;IACtB,uDAAuD;IACvD,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,cAAc,EAAE,YAAY,GAAG,IAAI,CAAC;CACpC;AAED,2EAA2E;AAC3E,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,mBAAmB,CAAC,CAAC;CACpC;AAED,uFAAuF;AACvF,MAAM,WAAW,oBAAoB;IACpC,KAAK,EAAE,SAAS,GAAG,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,oDAAoD;AACpD,MAAM,WAAW,UAAU;IAC1B,UAAU,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC/B,aAAa,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC5C,GAAG,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IAC1B,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC/B,WAAW,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;CACzC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACxC,aAAa,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACtC;AAED,yDAAyD;AACzD,MAAM,WAAW,eAAe;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC1B;AAED,0CAA0C;AAC1C,MAAM,WAAW,yBAAyB;IACzC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACxC,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACvC;AAID;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,GACrC,YAAY,KAAK,CAAC,cAAc,CAAC,EACjC,YAAY,MAAM,KAChB,iBAAiB,GAAG,IAQtB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,CAAC,CAAC,SAAS,KAAG,KAAK,CAAC,aAAa,CAe9E,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAAI,aAAa,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,eAAe,CAOtF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS,yBAAyB,KAAG,UAyFzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,GAAI,SAAS,yBAAyB,KAAG,cAQ5E,CAAC"}
+{"version":3,"file":"surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/surface.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACzD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAC,YAAY,EAAE,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AACxE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAQxD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,mBAAmB,CAAC;AAKnD,mEAAmE;AACnE,MAAM,WAAW,eAAe;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,qBAAqB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,WAAW,EAAE,OAAO,CAAC;IACrB,uEAAuE;IACvE,WAAW,EAAE,OAAO,CAAC;IACrB,oFAAoF;IACpF,cAAc,EAAE,YAAY,GAAG,IAAI,CAAC;IACpC,uFAAuF;IACvF,aAAa,EAAE,OAAO,CAAC;IACvB,8FAA8F;IAC9F,YAAY,EAAE,OAAO,CAAC;IACtB,wFAAwF;IACxF,YAAY,EAAE,OAAO,CAAC;IACtB,iEAAiE;IACjE,aAAa,EAAE,OAAO,CAAC;IACvB,mGAAmG;IACnG,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9C;AAED,wEAAwE;AACxE,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,mGAAmG;IACnG,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC9C;AAED,sEAAsE;AACtE,MAAM,WAAW,aAAa;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,eAAe;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;CACvB;AAED,2FAA2F;AAC3F,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;IAChB,qFAAqF;IACrF,YAAY,EAAE,OAAO,CAAC;IACtB,uDAAuD;IACvD,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,gFAAgF;IAChF,cAAc,EAAE,YAAY,GAAG,IAAI,CAAC;CACpC;AAED,2EAA2E;AAC3E,MAAM,WAAW,qBAAqB;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,mBAAmB,CAAC,CAAC;CACpC;AAED,uFAAuF;AACvF,MAAM,WAAW,oBAAoB;IACpC,KAAK,EAAE,SAAS,GAAG,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,oDAAoD;AACpD,MAAM,WAAW,UAAU;IAC1B,UAAU,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC/B,aAAa,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC5C,GAAG,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IAC1B,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC/B,WAAW,EAAE,KAAK,CAAC,oBAAoB,CAAC,CAAC;CACzC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,UAAU,CAAC;IACpB,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACxC,aAAa,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACtC;AAED,yDAAyD;AACzD,MAAM,WAAW,eAAe;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAC1B;AAED,0CAA0C;AAC1C,MAAM,WAAW,yBAAyB;IACzC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC9B,gBAAgB,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACxC,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CACvC;AAID;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,GACrC,YAAY,KAAK,CAAC,cAAc,CAAC,EACjC,YAAY,MAAM,KAChB,iBAAiB,GAAG,IAQtB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAI,QAAQ,CAAC,CAAC,SAAS,KAAG,KAAK,CAAC,aAAa,CAe9E,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAAI,aAAa,KAAK,CAAC,SAAS,CAAC,KAAG,KAAK,CAAC,eAAe,CAOtF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS,yBAAyB,KAAG,UAyFzE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,uBAAuB,GAAI,SAAS,yBAAyB,KAAG,cAQ5E,CAAC"}

package/dist/http/surface.js

@@ -7,7 +7,6 @@
  * @module
  */
 import { z } from 'zod';
-import { map_action_auth } from '../actions/action_bridge.js';
 import { schema_to_surface, middleware_applies, merge_error_schemas, is_null_schema, is_strict_object_schema, } from './schema_helpers.js';
 // --- Surface generation ---
 /**
@@ -133,7 +132,7 @@ export const generate_app_surface = (options) => {
                 path: ep.path,
                 methods: ep.actions.map((a) => ({
                     name: a.spec.method,
-                    auth: map_action_auth(a.spec.auth),
+                    auth: a.spec.auth,
                     input_schema: schema_to_surface(a.spec.input),
                     output_schema: schema_to_surface(a.spec.output),
                     side_effects: a.spec.side_effects,