@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/http/surface_query.d.ts

@@ -4,49 +4,48 @@
  * Usable in tests, the adversarial auth runner, and future surface explorer UI.
  * Replaces duplicated inline `.filter()` patterns.
  *
- * TODO @surface-explorer Used by test utilities (test_auth_surface, adversarial_input,
- * surface_invariants) and SurfaceExplorer.svelte (surface_auth_summary, format_route_key).
- * Several query functions (filter_authenticated_routes, filter_keeper_routes,
- * routes_by_auth_type, filter_routes_by_prefix) are pre-built for richer surface
- * explorer features and consumer test suites — leverage more as the surface UI matures.
+ * Categorical filters (`filter_authenticated_routes`, `filter_role_routes`,
+ * `filter_keeper_routes`) group the new flat-record `RouteAuth` shape into
+ * the legacy categorical buckets (`'authenticated'`, `'role'`, `'keeper'`)
+ * for adversarial test runners and the surface explorer. The buckets are
+ * derived views over the four axes (`account`, `actor`, `roles`,
+ * `credential_types`) — see `http/auth_shape.ts` for the canonical shape.
  *
  * @module
  */
 import type { AppSurface, AppSurfaceRoute } from './surface.js';
 /** Filter routes that require any form of authentication. */
 export declare const filter_protected_routes: (surface: AppSurface) => Array<AppSurfaceRoute>;
-/** Filter routes that are publicly accessible (no auth). */
+/** Filter routes that are publicly accessible (no auth surface at all). */
 export declare const filter_public_routes: (surface: AppSurface) => Array<AppSurfaceRoute>;
-/** Filter all role-guarded routes (any role). */
-export declare const filter_role_routes: (surface: AppSurface) => Array<AppSurfaceRoute & {
-    auth: {
-        type: "role";
-        role: string;
-    };
-}>;
-/** Filter routes that require basic authentication (no specific role). */
-export declare const filter_authenticated_routes: (surface: AppSurface) => Array<AppSurfaceRoute & {
-    auth: {
-        type: "authenticated";
-    };
-}>;
-/** Filter routes that require keeper credentials. */
-export declare const filter_keeper_routes: (surface: AppSurface) => Array<AppSurfaceRoute & {
-    auth: {
-        type: "keeper";
-    };
-}>;
-/** Filter routes that require a specific named role. */
-export declare const filter_routes_for_role: (surface: AppSurface, role: string) => Array<AppSurfaceRoute & {
-    auth: {
-        type: "role";
-        role: string;
-    };
-}>;
+/** Filter all role-guarded routes (any role declared on `auth.roles`). */
+export declare const filter_role_routes: (surface: AppSurface) => Array<AppSurfaceRoute>;
 /**
- * Group routes by auth type.
+ * Filter routes that require basic authentication only — `account === 'required'`
+ * with no role / credential gate.
+ */
+export declare const filter_authenticated_routes: (surface: AppSurface) => Array<AppSurfaceRoute>;
+/** Filter routes that require keeper credentials (`daemon_token`). */
+export declare const filter_keeper_routes: (surface: AppSurface) => Array<AppSurfaceRoute>;
+/** Filter routes whose `auth.roles` includes the named role. */
+export declare const filter_routes_for_role: (surface: AppSurface, role: string) => Array<AppSurfaceRoute>;
+/**
+ * Categorize a `RouteAuth` into one of the legacy auth buckets.
  *
- * @returns a map from auth type string to route arrays, with role routes keyed as `'role:name'`
+ * Returns:
+ * - `'none'` for fully public routes (account === 'none' && actor === 'none')
+ * - `'keeper'` when `credential_types` includes `'daemon_token'`
+ * - `'role:<name>'` for each role declared on `auth.roles` (multi-role specs
+ *   are emitted multiple times; callers that need single-bucket grouping
+ *   should pre-collapse)
+ * - `'authenticated'` for `account === 'required'` without role / credential gate
+ * - `'optional'` when either axis is `'optional'` and no other bucket fits
+ * - `'other'` as a last-resort bucket for shapes that don't match above
+ */
+export type RouteAuthCategory = 'none' | 'authenticated' | 'optional' | 'keeper' | `role:${string}` | 'other';
+/**
+ * Group routes by auth category (see `RouteAuthCategory`). Multi-role specs
+ * appear under each of their role buckets.
  */
 export declare const routes_by_auth_type: (surface: AppSurface) => Map<string, Array<AppSurfaceRoute>>;
 /** Filter routes whose path starts with `prefix`. */
@@ -66,12 +65,17 @@ export declare const format_route_key: (route: AppSurfaceRoute) => string;
 /**
  * Summarize route auth distribution across the surface.
  *
- * @returns counts by auth type, with role counts broken out by role name
+ * Categorical view over the four-axis flat record. Multi-role specs
+ * contribute one count per role they admit.
+ *
+ * @returns counts by auth category, with role counts broken out by role name
  */
 export declare const surface_auth_summary: (surface: AppSurface) => {
     none: number;
     authenticated: number;
+    optional: number;
     role: Map<string, number>;
     keeper: number;
+    other: number;
 };
 //# sourceMappingURL=surface_query.d.ts.map

package/dist/http/surface_query.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"surface_query.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/surface_query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,cAAc,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,uBAAuB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEtD,4DAA4D;AAC5D,eAAO,MAAM,oBAAoB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC3B,CAAC;AAEtD,iDAAiD;AACjD,eAAO,MAAM,kBAAkB,GAC9B,SAAS,UAAU,KACjB,KAAK,CAAC,eAAe,GAAG;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAC,CAAA;CAAC,CAG7D,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,2BAA2B,GACvC,SAAS,UAAU,KACjB,KAAK,CAAC,eAAe,GAAG;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,eAAe,CAAA;KAAC,CAAA;CAAC,CAGxD,CAAC;AAEH,qDAAqD;AACrD,eAAO,MAAM,oBAAoB,GAChC,SAAS,UAAU,KACjB,KAAK,CAAC,eAAe,GAAG;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,QAAQ,CAAA;KAAC,CAAA;CAAC,CAGjD,CAAC;AAEH,wDAAwD;AACxD,eAAO,MAAM,sBAAsB,GAClC,SAAS,UAAU,EACnB,MAAM,MAAM,KACV,KAAK,CAAC,eAAe,GAAG;IAAC,IAAI,EAAE;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAC,CAAA;CAAC,CAI7D,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,UAAU,KAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAY3F,CAAC;AAEF,qDAAqD;AACrD,eAAO,MAAM,uBAAuB,GACnC,SAAS,UAAU,EACnB,QAAQ,MAAM,KACZ,KAAK,CAAC,eAAe,CAA4D,CAAC;AAErF,uDAAuD;AACvD,eAAO,MAAM,wBAAwB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEvD,wDAAwD;AACxD,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAExD,uDAAuD;AACvD,eAAO,MAAM,wBAAwB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEvD,mEAAmE;AACnE,eAAO,MAAM,sBAAsB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CACtC,CAAC;AAE7C,gDAAgD;AAChD,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEzD,iEAAiE;AACjE,eAAO,MAAM,gBAAgB,GAAI,OAAO,eAAe,KAAG,MAAyC,CAAC;AAEpG;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,UAAU,KACjB;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAwBjF,CAAC"}
+{"version":3,"file":"surface_query.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/surface_query.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,cAAc,CAAC;AAQ9D,6DAA6D;AAC7D,eAAO,MAAM,uBAAuB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC7B,CAAC;AAEvD,2EAA2E;AAC3E,eAAO,MAAM,oBAAoB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC3B,CAAC;AAEtD,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC3B,CAAC;AAEpD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CACrB,CAAC;AAEnE,sEAAsE;AACtE,eAAO,MAAM,oBAAoB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC3B,CAAC;AAEtD,gEAAgE;AAChE,eAAO,MAAM,sBAAsB,GAAI,SAAS,UAAU,EAAE,MAAM,MAAM,KAAG,KAAK,CAAC,eAAe,CAC5B,CAAC;AAErE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,iBAAiB,GAC1B,MAAM,GACN,eAAe,GACf,UAAU,GACV,QAAQ,GACR,QAAQ,MAAM,EAAE,GAChB,OAAO,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,UAAU,KAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAmC3F,CAAC;AAEF,qDAAqD;AACrD,eAAO,MAAM,uBAAuB,GACnC,SAAS,UAAU,EACnB,QAAQ,MAAM,KACZ,KAAK,CAAC,eAAe,CAA4D,CAAC;AAErF,uDAAuD;AACvD,eAAO,MAAM,wBAAwB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEvD,wDAAwD;AACxD,eAAO,MAAM,yBAAyB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAExD,uDAAuD;AACvD,eAAO,MAAM,wBAAwB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEvD,mEAAmE;AACnE,eAAO,MAAM,sBAAsB,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CACtC,CAAC;AAE7C,gDAAgD;AAChD,eAAO,MAAM,0BAA0B,GAAI,SAAS,UAAU,KAAG,KAAK,CAAC,eAAe,CAC9B,CAAC;AAEzD,iEAAiE;AACjE,eAAO,MAAM,gBAAgB,GAAI,OAAO,eAAe,KAAG,MAAyC,CAAC;AAEpG;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,UAAU,KACjB;IACF,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CAqCd,CAAC"}

package/dist/http/surface_query.js

@@ -4,41 +4,69 @@
  * Usable in tests, the adversarial auth runner, and future surface explorer UI.
  * Replaces duplicated inline `.filter()` patterns.
  *
- * TODO @surface-explorer Used by test utilities (test_auth_surface, adversarial_input,
- * surface_invariants) and SurfaceExplorer.svelte (surface_auth_summary, format_route_key).
- * Several query functions (filter_authenticated_routes, filter_keeper_routes,
- * routes_by_auth_type, filter_routes_by_prefix) are pre-built for richer surface
- * explorer features and consumer test suites — leverage more as the surface UI matures.
+ * Categorical filters (`filter_authenticated_routes`, `filter_role_routes`,
+ * `filter_keeper_routes`) group the new flat-record `RouteAuth` shape into
+ * the legacy categorical buckets (`'authenticated'`, `'role'`, `'keeper'`)
+ * for adversarial test runners and the surface explorer. The buckets are
+ * derived views over the four axes (`account`, `actor`, `roles`,
+ * `credential_types`) — see `http/auth_shape.ts` for the canonical shape.
  *
  * @module
  */
+import { is_keeper_auth, is_plain_authenticated_auth, is_public_auth, is_role_auth, } from './auth_shape.js';
 /** Filter routes that require any form of authentication. */
-export const filter_protected_routes = (surface) => surface.routes.filter((r) => r.auth.type !== 'none');
-/** Filter routes that are publicly accessible (no auth). */
-export const filter_public_routes = (surface) => surface.routes.filter((r) => r.auth.type === 'none');
-/** Filter all role-guarded routes (any role). */
-export const filter_role_routes = (surface) => surface.routes.filter((r) => r.auth.type === 'role');
-/** Filter routes that require basic authentication (no specific role). */
-export const filter_authenticated_routes = (surface) => surface.routes.filter((r) => r.auth.type === 'authenticated');
-/** Filter routes that require keeper credentials. */
-export const filter_keeper_routes = (surface) => surface.routes.filter((r) => r.auth.type === 'keeper');
-/** Filter routes that require a specific named role. */
-export const filter_routes_for_role = (surface, role) => surface.routes.filter((r) => r.auth.type === 'role' && r.auth.role === role);
+export const filter_protected_routes = (surface) => surface.routes.filter((r) => !is_public_auth(r.auth));
+/** Filter routes that are publicly accessible (no auth surface at all). */
+export const filter_public_routes = (surface) => surface.routes.filter((r) => is_public_auth(r.auth));
+/** Filter all role-guarded routes (any role declared on `auth.roles`). */
+export const filter_role_routes = (surface) => surface.routes.filter((r) => is_role_auth(r.auth));
 /**
- * Group routes by auth type.
- *
- * @returns a map from auth type string to route arrays, with role routes keyed as `'role:name'`
+ * Filter routes that require basic authentication only — `account === 'required'`
+ * with no role / credential gate.
+ */
+export const filter_authenticated_routes = (surface) => surface.routes.filter((r) => is_plain_authenticated_auth(r.auth));
+/** Filter routes that require keeper credentials (`daemon_token`). */
+export const filter_keeper_routes = (surface) => surface.routes.filter((r) => is_keeper_auth(r.auth));
+/** Filter routes whose `auth.roles` includes the named role. */
+export const filter_routes_for_role = (surface, role) => surface.routes.filter((r) => r.auth.roles?.includes(role) ?? false);
+/**
+ * Group routes by auth category (see `RouteAuthCategory`). Multi-role specs
+ * appear under each of their role buckets.
  */
 export const routes_by_auth_type = (surface) => {
     const groups = new Map();
-    for (const r of surface.routes) {
-        const key = r.auth.type === 'role' ? `role:${r.auth.role}` : r.auth.type;
+    const push = (key, r) => {
         let group = groups.get(key);
         if (!group) {
             group = [];
             groups.set(key, group);
         }
         group.push(r);
+    };
+    for (const r of surface.routes) {
+        const auth = r.auth;
+        if (is_public_auth(auth)) {
+            push('none', r);
+            continue;
+        }
+        if (is_keeper_auth(auth)) {
+            push('keeper', r);
+            continue;
+        }
+        if (is_role_auth(auth)) {
+            for (const role of auth.roles)
+                push(`role:${role}`, r);
+            continue;
+        }
+        if (is_plain_authenticated_auth(auth)) {
+            push('authenticated', r);
+            continue;
+        }
+        if (auth.account === 'optional' || auth.actor === 'optional') {
+            push('optional', r);
+            continue;
+        }
+        push('other', r);
     }
     return groups;
 };
@@ -59,28 +87,43 @@ export const format_route_key = (route) => `${route.method} ${route.path}`;
 /**
  * Summarize route auth distribution across the surface.
  *
- * @returns counts by auth type, with role counts broken out by role name
+ * Categorical view over the four-axis flat record. Multi-role specs
+ * contribute one count per role they admit.
+ *
+ * @returns counts by auth category, with role counts broken out by role name
  */
 export const surface_auth_summary = (surface) => {
     let none = 0;
     let authenticated = 0;
+    let optional = 0;
     const role = new Map();
     let keeper = 0;
+    let other = 0;
     for (const r of surface.routes) {
-        switch (r.auth.type) {
-            case 'none':
-                none++;
-                break;
-            case 'authenticated':
-                authenticated++;
-                break;
-            case 'role':
-                role.set(r.auth.role, (role.get(r.auth.role) ?? 0) + 1);
-                break;
-            case 'keeper':
-                keeper++;
-                break;
+        const auth = r.auth;
+        if (is_public_auth(auth)) {
+            none++;
+            continue;
+        }
+        if (is_keeper_auth(auth)) {
+            keeper++;
+            continue;
+        }
+        if (is_role_auth(auth)) {
+            for (const r_name of auth.roles) {
+                role.set(r_name, (role.get(r_name) ?? 0) + 1);
+            }
+            continue;
+        }
+        if (is_plain_authenticated_auth(auth)) {
+            authenticated++;
+            continue;
+        }
+        if (auth.account === 'optional' || auth.actor === 'optional') {
+            optional++;
+            continue;
         }
+        other++;
     }
-    return { none, authenticated, role, keeper };
+    return { none, authenticated, optional, role, keeper, other };
 };

package/dist/primitive_schemas.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Reusable validator-schema primitives — `Username`, `UsernameProvided`,
+ * `Email`. Lives at the top level (not inside `auth/` or `http/`) because
+ * these shapes don't depend on or imply any domain — accounts hold a
+ * username and email, but invites, password resets, future cell-sharing,
+ * and other surfaces all reach for the same primitives without going
+ * through auth.
+ *
+ * Split out from `auth/account_schema.ts` so the auth module shrinks to
+ * entity types + client-safe JSON shapes (its real responsibility) and
+ * non-auth consumers can import these primitives without dragging the
+ * auth domain along. Future cross-domain primitives (phone, url, slug)
+ * land here too.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** Minimum username length (must have start + middle + end characters). */
+export declare const USERNAME_LENGTH_MIN = 3;
+/** Maximum username length (matches GitHub's limit). */
+export declare const USERNAME_LENGTH_MAX = 39;
+/** Maximum length for username input on login/lookup — more permissive than `USERNAME_LENGTH_MAX` for forward-compatibility if the creation limit is raised. */
+export declare const USERNAME_PROVIDED_LENGTH_MAX = 255;
+/** Username for account creation — starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed. */
+export declare const Username: z.ZodString;
+export type Username = z.infer<typeof Username>;
+/** Username submitted for login or lookup — minimal validation for forward-compatibility if format rules change. */
+export declare const UsernameProvided: z.ZodString;
+export type UsernameProvided = z.infer<typeof UsernameProvided>;
+/**
+ * Email validation. Lives here rather than `@fuzdev/fuz_util` because every
+ * current consumer pairs it with `Username` (signup, invites, audit log) —
+ * keeping the two together avoids a cross-package import for the
+ * identity-primitive bundle. Promote to fuz_util if a non-identity consumer
+ * surfaces.
+ */
+export declare const Email: z.ZodEmail;
+export type Email = z.infer<typeof Email>;
+//# sourceMappingURL=primitive_schemas.d.ts.map

package/dist/primitive_schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"primitive_schemas.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/primitive_schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,2EAA2E;AAC3E,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,wDAAwD;AACxD,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,gKAAgK;AAChK,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD,0IAA0I;AAC1I,eAAO,MAAM,QAAQ,aAIyB,CAAC;AAC/C,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,oHAAoH;AACpH,eAAO,MAAM,gBAAgB,aAAsD,CAAC;AACpF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,KAAK,YAAY,CAAC;AAC/B,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC"}

package/dist/primitive_schemas.js

@@ -0,0 +1,40 @@
+/**
+ * Reusable validator-schema primitives — `Username`, `UsernameProvided`,
+ * `Email`. Lives at the top level (not inside `auth/` or `http/`) because
+ * these shapes don't depend on or imply any domain — accounts hold a
+ * username and email, but invites, password resets, future cell-sharing,
+ * and other surfaces all reach for the same primitives without going
+ * through auth.
+ *
+ * Split out from `auth/account_schema.ts` so the auth module shrinks to
+ * entity types + client-safe JSON shapes (its real responsibility) and
+ * non-auth consumers can import these primitives without dragging the
+ * auth domain along. Future cross-domain primitives (phone, url, slug)
+ * land here too.
+ *
+ * @module
+ */
+import { z } from 'zod';
+// TODO consider `.brand()` on Username and Email for compile-time safety
+/** Minimum username length (must have start + middle + end characters). */
+export const USERNAME_LENGTH_MIN = 3;
+/** Maximum username length (matches GitHub's limit). */
+export const USERNAME_LENGTH_MAX = 39;
+/** Maximum length for username input on login/lookup — more permissive than `USERNAME_LENGTH_MAX` for forward-compatibility if the creation limit is raised. */
+export const USERNAME_PROVIDED_LENGTH_MAX = 255;
+/** Username for account creation — starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed. */
+export const Username = z
+    .string()
+    .min(USERNAME_LENGTH_MIN)
+    .max(USERNAME_LENGTH_MAX)
+    .regex(/^[a-zA-Z][0-9a-zA-Z_-]*[0-9a-zA-Z]$/);
+/** Username submitted for login or lookup — minimal validation for forward-compatibility if format rules change. */
+export const UsernameProvided = z.string().min(1).max(USERNAME_PROVIDED_LENGTH_MAX);
+/**
+ * Email validation. Lives here rather than `@fuzdev/fuz_util` because every
+ * current consumer pairs it with `Username` (signup, invites, audit log) —
+ * keeping the two together avoids a cross-package import for the
+ * identity-primitive bundle. Promote to fuz_util if a non-identity consumer
+ * surfaces.
+ */
+export const Email = z.email();

package/dist/realtime/sse_auth_guard.d.ts

@@ -19,9 +19,9 @@ export declare const AUDIT_LOG_CHANNEL = "audit_log";
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
- * `permit_revoke` requires the revoked role to match the guard's `required_role`
+ * `role_grant_revoke` requires the revoked role to match the guard's `required_role`
  * (or is skipped entirely when `required_role` is `null` — useful for streams
- * not gated by any specific permit).
+ * not gated by any specific role_grant).
  * `session_revoke_all` and `password_change` close every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
@@ -32,7 +32,7 @@ export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
  * Create an audit event handler that closes SSE streams on auth changes.
  *
  * Closes streams when:
- * - `permit_revoke` fires for the `required_role` targeting a connected subscriber
+ * - `role_grant_revoke` fires for the `required_role` targeting a connected subscriber
  * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
  * - `password_change` targets a connected subscriber (sessions revoked implicitly)
  *
@@ -41,8 +41,8 @@ export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
  *
  * @param registry - the subscriber registry to guard
  * @param required_role - the role that grants access to the SSE endpoint,
- *   or `null` to skip `permit_revoke` handling entirely (for streams not gated
- *   by a specific permit)
+ *   or `null` to skip `role_grant_revoke` handling entirely (for streams not gated
+ *   by a specific role_grant)
  * @param log - logger for disconnect events
  * @returns an `on_audit_event` callback
  */

package/dist/realtime/sse_auth_guard.js

@@ -17,16 +17,16 @@ export const AUDIT_LOG_CHANNEL = 'audit_log';
 /**
  * Audit event types that trigger SSE stream disconnection.
  *
- * `permit_revoke` requires the revoked role to match the guard's `required_role`
+ * `role_grant_revoke` requires the revoked role to match the guard's `required_role`
  * (or is skipped entirely when `required_role` is `null` — useful for streams
- * not gated by any specific permit).
+ * not gated by any specific role_grant).
  * `session_revoke_all` and `password_change` close every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
  */
 export const DISCONNECT_EVENT_TYPES = new Set([
-    'permit_revoke', // role revoked — user lost access
+    'role_grant_revoke', // role revoked — user lost access
     'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
     'password_change', // password changed — all sessions revoked implicitly
@@ -35,7 +35,7 @@ export const DISCONNECT_EVENT_TYPES = new Set([
  * Create an audit event handler that closes SSE streams on auth changes.
  *
  * Closes streams when:
- * - `permit_revoke` fires for the `required_role` targeting a connected subscriber
+ * - `role_grant_revoke` fires for the `required_role` targeting a connected subscriber
  * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
  * - `password_change` targets a connected subscriber (sessions revoked implicitly)
  *
@@ -44,8 +44,8 @@ export const DISCONNECT_EVENT_TYPES = new Set([
  *
  * @param registry - the subscriber registry to guard
  * @param required_role - the role that grants access to the SSE endpoint,
- *   or `null` to skip `permit_revoke` handling entirely (for streams not gated
- *   by a specific permit)
+ *   or `null` to skip `role_grant_revoke` handling entirely (for streams not gated
+ *   by a specific role_grant)
  * @param log - logger for disconnect events
  * @returns an `on_audit_event` callback
  */
@@ -73,9 +73,9 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
             }
             return;
         }
-        // permit_revoke requires matching the specific role. `null` means the
-        // stream isn't gated by a specific permit, so permit_revoke is a no-op.
-        if (event.event_type === 'permit_revoke') {
+        // role_grant_revoke requires matching the specific role. `null` means the
+        // stream isn't gated by a specific role_grant, so role_grant_revoke is a no-op.
+        if (event.event_type === 'role_grant_revoke') {
             if (required_role === null)
                 return;
             if (event.metadata?.role !== required_role)

package/dist/runtime/mock.d.ts

@@ -58,7 +58,7 @@ export interface MockRuntime extends RuntimeDeps {
  *
  * @example
  * ```ts
- * const runtime = create_mock_runtime(['apply', 'tx.ts']);
+ * const runtime = create_mock_runtime(['apply', 'zap.ts']);
  * runtime.mock_env.set('HOME', '/home/test');
  * runtime.mock_fs.set('/home/test/.app/config.json', '{}');
  *

package/dist/runtime/mock.js

@@ -18,7 +18,7 @@
  *
  * @example
  * ```ts
- * const runtime = create_mock_runtime(['apply', 'tx.ts']);
+ * const runtime = create_mock_runtime(['apply', 'zap.ts']);
  * runtime.mock_env.set('HOME', '/home/test');
  * runtime.mock_fs.set('/home/test/.app/config.json', '{}');
  *

package/dist/server/app_backend.d.ts

@@ -55,17 +55,19 @@ export interface CreateAppBackendOptions {
     /** Structured logger instance. Omit for default (`new Logger('server')`). */
     log?: Logger;
     /**
-     * Called after each audit log INSERT succeeds.
-     * Use to broadcast audit events via SSE. Flows through `AppDeps`
-     * to all route factories automatically. Defaults to a noop.
+     * Initial subscriber appended to `AppDeps.audit.on_event_chain`.
+     * Use to broadcast audit events via SSE / WS. Additional subscribers
+     * (e.g. the factory-managed audit-log SSE) are appended at server
+     * assembly via `audit.on_event_chain.push(listener)` — no shallow-copy
+     * of `AppDeps` required.
      */
     on_audit_event?: (event: AuditLogEvent) => void;
     /**
      * Audit-log config for consumer event-type extensions. Built once at
-     * startup via `create_audit_log_config({extra_events})` and threaded
-     * through `AppDeps.audit_log_config` to every fuz_app emit site so
-     * consumer handlers cannot silently fall back to the builtin config.
-     * Omit to use `BUILTIN_AUDIT_LOG_CONFIG` (no extra events).
+     * startup via `create_audit_log_config({extra_events})` and captured
+     * inside `AppDeps.audit` so consumer handlers cannot silently fall
+     * back to the builtin config. Omit to use `BUILTIN_AUDIT_LOG_CONFIG`
+     * (no extra events).
      */
     audit_log_config?: AuditLogConfig;
     /**
@@ -74,9 +76,10 @@ export interface CreateAppBackendOptions {
      * (`namespace`, `name`, `sequence`); order is append-only so forward-only
      * guarantees hold per-namespace.
      *
-     * The reserved `'fuz_auth'` namespace is rejected at startup. Omit for no
-     * extra namespaces. This is the only place to splice consumer migrations
-     * — DB init belongs to the backend lifecycle, not server assembly.
+     * Names in `RESERVED_MIGRATION_NAMESPACES` (currently `['fuz_auth']`) are
+     * rejected at startup. Omit for no extra namespaces. This is the only
+     * place to splice consumer migrations — DB init belongs to the backend
+     * lifecycle, not server assembly.
      */
     migration_namespaces?: ReadonlyArray<MigrationNamespace>;
 }
@@ -89,7 +92,7 @@ export interface CreateAppBackendOptions {
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains the reserved `'fuz_auth'` namespace
+ * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
  */
 export declare const create_app_backend: (options: CreateAppBackendOptions) => Promise<AppBackend>;
 //# sourceMappingURL=app_backend.d.ts.map

package/dist/server/app_backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/E,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAI/F;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,oIAAoI;IACpI,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC;;;;;;;;;OASG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;CACzD;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAoC7F,CAAC"}
+{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAE/E,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAI/F;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,oIAAoI;IACpI,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC;;;;;;;;;;OAUG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;CACzD;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAuC7F,CAAC"}

package/dist/server/app_backend.js

@@ -11,8 +11,9 @@
  * @module
  */
 import { Logger } from '@fuzdev/fuz_util/log.js';
+import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS, AUTH_MIGRATION_NAMESPACE } from '../auth/migrations.js';
+import { AUTH_MIGRATION_NS, RESERVED_MIGRATION_NAMESPACES } from '../auth/migrations.js';
 import { create_db } from '../db/create_db.js';
 /**
  * Initialize the backend: database + auth migrations + deps.
@@ -23,18 +24,16 @@ import { create_db } from '../db/create_db.js';
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains the reserved `'fuz_auth'` namespace
+ * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
  */
 export const create_app_backend = async (options) => {
     const { database_url, keyring, password, stat, read_text_file, delete_file } = options;
     const log = options.log ?? new Logger('server');
-    const on_audit_event = options.on_audit_event ?? (() => { }); // eslint-disable-line @typescript-eslint/no-empty-function
-    const { audit_log_config } = options;
     const { db, close, db_type, db_name } = await create_db(database_url);
     if (options.migration_namespaces?.length) {
         for (const ns of options.migration_namespaces) {
-            if (ns.namespace === AUTH_MIGRATION_NAMESPACE) {
-                throw new Error(`Migration namespace "${AUTH_MIGRATION_NAMESPACE}" is reserved by fuz_app — choose a different namespace`);
+            if (RESERVED_MIGRATION_NAMESPACES.includes(ns.namespace)) {
+                throw new Error(`Migration namespace "${ns.namespace}" is reserved by fuz_app — choose a different namespace`);
             }
         }
     }
@@ -42,6 +41,12 @@ export const create_app_backend = async (options) => {
         AUTH_MIGRATION_NS,
         ...(options.migration_namespaces ?? []),
     ]);
+    const audit = create_audit_emitter({
+        db,
+        log,
+        on_audit_event: options.on_audit_event,
+        audit_log_config: options.audit_log_config,
+    });
     return {
         db_type,
         db_name,
@@ -55,8 +60,7 @@ export const create_app_backend = async (options) => {
             read_text_file,
             delete_file,
             log,
-            on_audit_event,
-            audit_log_config,
+            audit,
         },
     };
 };

package/dist/server/app_server.d.ts

@@ -133,10 +133,11 @@ export interface AppServerOptions {
     /**
      * Enable factory-managed audit log SSE.
      *
-     * When truthy, creates an `AuditLogSse` instance internally, wires `on_audit_event`
-     * on the backend deps (composing with any existing callback), and auto-includes
-     * `AUDIT_LOG_EVENT_SPECS` in the surface. The result is exposed on `AppServerContext`
-     * (for route factories) and `AppServer` (for the caller).
+     * When truthy, creates an `AuditLogSse` instance internally, appends the SSE
+     * listener to `backend.deps.audit.on_event_chain` (composing with the
+     * consumer's `on_audit_event` callback rather than rebuilding `AppDeps`), and
+     * auto-includes `AUDIT_LOG_EVENT_SPECS` in the surface. The result is exposed
+     * on `AppServerContext` (for route factories) and `AppServer` (for the caller).
      *
      * Pass `true` for defaults (admin role), or `{role: 'custom'}` for a custom role.
      * Omit to wire audit SSE manually.
@@ -229,9 +230,8 @@ export declare const DEFAULT_MAX_BODY_SIZE: number;
  * static serving. Database migrations belong to the backend lifecycle —
  * pass `migration_namespaces` to `create_app_backend`.
  *
- * When `audit_log_sse` is set, shallow-copies `backend.deps` with a composed
- * `on_audit_event` that fans out to the SSE registry and the original
- * callback — `backend.deps` itself is not mutated.
+ * When `audit_log_sse` is set, the SSE registry's listener is appended to
+ * `backend.deps.audit.on_event_chain` — no shallow-copy of `AppDeps`.
  *
  * @returns assembled Hono app, backend, surface build, and bootstrap status
  */

package/dist/server/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAKN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AAOrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG,gHAAgH;IAChH,UAAU,EAAE,CAAC,CAAC,SAAS,CAAC;IAExB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,YAAY,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,uGAAuG;IACvG,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,0GAA0G;IAC1G,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oGAAoG;IACpG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CA4QpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAKN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AASrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG,gHAAgH;IAChH,UAAU,EAAE,CAAC,CAAC,SAAS,CAAC;IAExB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,YAAY,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,uGAAuG;IACvG,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,0GAA0G;IAC1G,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oGAAoG;IACpG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CAmRpF,CAAC"}