@fuzdev/fuz_app 0.55.0 → 0.56.0

package/dist/auth/audit_log_schema.js

@@ -10,6 +10,7 @@ import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
 import { AuthSessionJson } from './account_schema.js';
+import { Email } from '../primitive_schemas.js';
 import { ApiTokenId } from './api_token.js';
 /**
  * All tracked auth event types. Frozen to convert accidental in-process
@@ -28,14 +29,14 @@ export const AUDIT_EVENT_TYPES = Object.freeze([
     'token_create',
     'token_revoke',
     'token_revoke_all',
-    'permit_grant',
-    'permit_revoke',
-    'permit_offer_create',
-    'permit_offer_accept',
-    'permit_offer_decline',
-    'permit_offer_retract',
-    'permit_offer_expire',
-    'permit_offer_supersede',
+    'role_grant_create',
+    'role_grant_revoke',
+    'role_grant_offer_create',
+    'role_grant_offer_accept',
+    'role_grant_offer_decline',
+    'role_grant_offer_retract',
+    'role_grant_offer_expire',
+    'role_grant_offer_supersede',
     'invite_create',
     'invite_delete',
     'app_settings_update',
@@ -74,19 +75,31 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     })
         .nullable(),
     signup: z.looseObject({
-        username: z.string().meta({ description: 'Username chosen at signup.' }),
+        username: z.string().meta({ description: 'Username submitted at signup.' }),
         invite_id: Uuid.optional().meta({
-            description: 'Invite consumed by this signup, when one was matched.',
+            description: 'Invite consumed by this signup. Set on success and on `race_lost` / `signup_conflict` failure rows when an invite was matched at attempt time.',
         }),
         open_signup: z.boolean().optional().meta({
-            description: 'True when the signup occurred via the `open_signup` setting (no invite required).',
+            description: 'True when the signup occurred via the `open_signup` setting (no invite required). Set on success rows under `open_signup` and on failure rows when the attempt was made under `open_signup`.',
+        }),
+        reason: z.string().optional().meta({
+            description: 'Failure category: `no_match` (no unclaimed invite matched), `race_lost` (invite was claimed between find and claim), `signup_conflict` (username/email already exists). Set only on `outcome=failure`.',
+        }),
+        email: Email.optional().meta({
+            description: 'Email submitted at signup — recorded on failure rows for forensic correlation. Omitted on success rows because the email is already tied to the resulting account.',
         }),
     }),
     password_change: z
         .looseObject({
-        sessions_revoked: z
-            .number()
-            .meta({ description: 'Number of sessions revoked as a side effect of the password change.' }),
+        sessions_revoked: z.number().optional().meta({
+            description: 'Number of sessions revoked as a side effect of the password change. Present on `outcome=success`.',
+        }),
+        tokens_revoked: z.number().optional().meta({
+            description: 'Number of API tokens revoked as a side effect of the password change. Present on `outcome=success`.',
+        }),
+        reason: z.enum(['concurrent_change']).optional().meta({
+            description: 'Failure category. `concurrent_change` indicates another password change committed first against the same starting hash (verify-write race loser). Absent for typed-wrong-password failures.',
+        }),
     })
         .nullable(),
     session_revoke: z.looseObject({
@@ -128,19 +141,19 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
         }),
     }),
-    // `permit_id` is optional on `permit_grant` because failed grants
-    // (e.g. `web_grantable` denied) never produce a permit row.
+    // `role_grant_id` is optional on `role_grant_create` because failed grants
+    // (e.g. admin-grant-path denied) never produce a role_grant row.
     // `self_service: true` is set by the self-service role toggle in
     // `self_service_role_actions.ts` — declared explicitly rather than
     // riding on `z.looseObject` permissiveness so the field is part of
     // the documented schema surface.
-    permit_grant: z.looseObject({
+    role_grant_create: z.looseObject({
         role: z.string().meta({ description: 'Role being granted.' }),
-        permit_id: Uuid.optional().meta({
-            description: 'Id of the resulting permit row. Omitted when the grant failed (e.g. `web_grantable` denial).',
+        role_grant_id: Uuid.optional().meta({
+            description: 'Id of the resulting role_grant row. Omitted when the grant failed (e.g. admin-grant-path denial).',
         }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the granted permit; null for global permits.',
+            description: 'Scope of the granted role_grant; null for global role_grants.',
         }),
         source_offer_id: Uuid.optional().meta({
             description: 'Offer this grant resolved, when the grant originated from an accepted offer.',
@@ -149,11 +162,11 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'True when the grant came from the self-service role toggle.',
         }),
     }),
-    permit_revoke: z.looseObject({
+    role_grant_revoke: z.looseObject({
         role: z.string().meta({ description: 'Role being revoked.' }),
-        permit_id: Uuid.meta({ description: 'Id of the revoked permit row.' }),
+        role_grant_id: Uuid.meta({ description: 'Id of the revoked role_grant row.' }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the revoked permit; null for global permits.',
+            description: 'Scope of the revoked role_grant; null for global role_grants.',
         }),
         reason: z
             .string()
@@ -163,9 +176,9 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'True when the revoke came from the self-service role toggle.',
         }),
     }),
-    // `offer_id` is optional because failed creates (e.g. `web_grantable`
+    // `offer_id` is optional because failed creates (e.g. admin-grant-path
     // denied, `authorize` callback denied) never produce an offer row.
-    permit_offer_create: z.looseObject({
+    role_grant_offer_create: z.looseObject({
         offer_id: Uuid.optional().meta({
             description: 'Id of the created offer row. Omitted when the create failed before insert.',
         }),
@@ -175,17 +188,17 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
         }),
         to_account_id: Uuid.meta({ description: 'Account the offer is directed to.' }),
     }),
-    // `permit_grant` is emitted alongside on accept — two events per accept by
-    // design: offer-lifecycle audit + permit-lifecycle audit.
-    permit_offer_accept: z.looseObject({
+    // `role_grant_create` is emitted alongside on accept — two events per accept by
+    // design: offer-lifecycle audit + role-grant-lifecycle audit.
+    role_grant_offer_accept: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the accepted offer.' }),
-        permit_id: Uuid.meta({ description: 'Id of the resulting permit row.' }),
+        role_grant_id: Uuid.meta({ description: 'Id of the resulting role_grant row.' }),
         role: z.string().meta({ description: 'Role granted by the offer.' }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the resulting permit; null for global permits.',
+            description: 'Scope of the resulting role_grant; null for global role_grants.',
         }),
     }),
-    permit_offer_decline: z.looseObject({
+    role_grant_offer_decline: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the declined offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
@@ -196,14 +209,14 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             .optional()
             .meta({ description: 'Optional decline reason text from the recipient.' }),
     }),
-    permit_offer_retract: z.looseObject({
+    role_grant_offer_retract: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the retracted offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
             description: 'Scope of the offered role; null for global offers.',
         }),
     }),
-    permit_offer_expire: z.looseObject({
+    role_grant_offer_expire: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the expired offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
@@ -212,19 +225,19 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     }),
     // Emitted when an offer is obsoleted by an external event. `reason`
     // distinguishes the trigger; `cause_id` points to the accepted offer
-    // (for `sibling_accepted`), the revoked permit (for `permit_revoked`),
+    // (for `sibling_accepted`), the revoked role_grant (for `role_grant_revoked`),
     // or the destroyed parent scope row (for `scope_destroyed`).
-    permit_offer_supersede: z.looseObject({
+    role_grant_offer_supersede: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the superseded offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
             description: 'Scope of the offered role; null for global offers.',
         }),
-        reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']).meta({
-            description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting permit was revoked, or the parent scope row was destroyed.',
+        reason: z.enum(['sibling_accepted', 'role_grant_revoked', 'scope_destroyed']).meta({
+            description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting role_grant was revoked, or the parent scope row was destroyed.',
         }),
         cause_id: Uuid.meta({
-            description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked permit (`permit_revoked`), or destroyed parent scope row (`scope_destroyed`).',
+            description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked role_grant (`role_grant_revoked`), or destroyed parent scope row (`scope_destroyed`).',
         }),
     }),
     invite_create: z.looseObject({
@@ -260,9 +273,9 @@ export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to consumer-emitted
- * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
- * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ * Call once at startup; pass the result to `create_app_backend` (which
+ * threads it into `AppDeps.audit`). Builtin handlers omit the
+ * `audit_log_config` slot and pick up `BUILTIN_AUDIT_LOG_CONFIG`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
@@ -323,8 +336,8 @@ export const AuditLogEventWithUsernamesJson = AuditLogEventJson.extend({
     username: z.string().nullable(),
     target_username: z.string().nullable(),
 });
-/** Zod schema for permit history events with resolved usernames. */
-export const PermitHistoryEventJson = AuditLogEventJson.extend({
+/** Zod schema for role_grant history events with resolved usernames. */
+export const RoleGrantHistoryEventJson = AuditLogEventJson.extend({
     username: z.string().nullable(),
     target_username: z.string().nullable(),
 });

package/dist/auth/auth_guard_resolver.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Auth guard resolver for the route spec system.
+ *
+ * Maps the four-axis `RouteAuth` (`account` / `actor` / `roles` /
+ * `credential_types`) to two-phase middleware sets that
+ * `apply_route_specs` weaves into the per-route pipeline:
+ *
+ * - `pre_validation` runs before input validation. `require_auth` lands
+ *   here whenever `auth.account === 'required'` or `auth.actor ===
+ *   'required'` (per registry-time invariant 3, `actor: 'required'`
+ *   today implies a credential — accountless actors are out of scope
+ *   for v1). Pre-validation 401 fires before any body parsing so
+ *   unauthenticated callers never see route-shape information from
+ *   parse failures.
+ * - `post_authorization` runs after the dispatcher's authorization
+ *   phase has populated `RequestContext`. `require_role(roles)` fires
+ *   whenever `auth.roles?.length`. `require_credential_types(types)`
+ *   fires whenever `auth.credential_types?.length`.
+ *
+ * Public routes (`auth.account === 'none' && auth.actor === 'none'`)
+ * yield empty guard arrays. `'optional'` axes contribute no
+ * pre-validation 401; the authorization phase sets `RequestContext`
+ * to whatever the credential supports and the post-authorization
+ * gates decide whether the actor's role_grants / credential type match.
+ *
+ * @module
+ */
+import type { AuthGuardResolver } from '../http/route_spec.js';
+/**
+ * Standard auth guard resolver for fuz_app.
+ *
+ * Reads each axis of the four-axis `RouteAuth` shape and emits the
+ * corresponding middleware:
+ *
+ * - `account === 'required'` or `actor === 'required'` → pre-validation `require_auth`
+ * - `roles?.length` → post-authorization `require_role(roles)` (multi-role any-of)
+ * - `credential_types?.length` → post-authorization `require_credential_types(types)`
+ *
+ * Multiple post-authorization guards run in declaration order: credential
+ * type check first (since failing it implies the request can never
+ * resolve a usable identity), role check second.
+ */
+export declare const fuz_auth_guard_resolver: AuthGuardResolver;
+//# sourceMappingURL=auth_guard_resolver.d.ts.map

package/dist/auth/auth_guard_resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_guard_resolver.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_guard_resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,uBAAuB,CAAC;AAE7D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,EAAE,iBAerC,CAAC"}

package/dist/auth/auth_guard_resolver.js

@@ -0,0 +1,56 @@
+/**
+ * Auth guard resolver for the route spec system.
+ *
+ * Maps the four-axis `RouteAuth` (`account` / `actor` / `roles` /
+ * `credential_types`) to two-phase middleware sets that
+ * `apply_route_specs` weaves into the per-route pipeline:
+ *
+ * - `pre_validation` runs before input validation. `require_auth` lands
+ *   here whenever `auth.account === 'required'` or `auth.actor ===
+ *   'required'` (per registry-time invariant 3, `actor: 'required'`
+ *   today implies a credential — accountless actors are out of scope
+ *   for v1). Pre-validation 401 fires before any body parsing so
+ *   unauthenticated callers never see route-shape information from
+ *   parse failures.
+ * - `post_authorization` runs after the dispatcher's authorization
+ *   phase has populated `RequestContext`. `require_role(roles)` fires
+ *   whenever `auth.roles?.length`. `require_credential_types(types)`
+ *   fires whenever `auth.credential_types?.length`.
+ *
+ * Public routes (`auth.account === 'none' && auth.actor === 'none'`)
+ * yield empty guard arrays. `'optional'` axes contribute no
+ * pre-validation 401; the authorization phase sets `RequestContext`
+ * to whatever the credential supports and the post-authorization
+ * gates decide whether the actor's role_grants / credential type match.
+ *
+ * @module
+ */
+import { require_auth, require_credential_types, require_role } from './request_context.js';
+/**
+ * Standard auth guard resolver for fuz_app.
+ *
+ * Reads each axis of the four-axis `RouteAuth` shape and emits the
+ * corresponding middleware:
+ *
+ * - `account === 'required'` or `actor === 'required'` → pre-validation `require_auth`
+ * - `roles?.length` → post-authorization `require_role(roles)` (multi-role any-of)
+ * - `credential_types?.length` → post-authorization `require_credential_types(types)`
+ *
+ * Multiple post-authorization guards run in declaration order: credential
+ * type check first (since failing it implies the request can never
+ * resolve a usable identity), role check second.
+ */
+export const fuz_auth_guard_resolver = (auth) => {
+    const pre_validation = [];
+    const post_authorization = [];
+    if (auth.account === 'required' || auth.actor === 'required') {
+        pre_validation.push(require_auth);
+    }
+    if (auth.credential_types?.length) {
+        post_authorization.push(require_credential_types(auth.credential_types));
+    }
+    if (auth.roles?.length) {
+        post_authorization.push(require_role(auth.roles));
+    }
+    return { pre_validation, post_authorization };
+};

package/dist/auth/bootstrap_account.d.ts

@@ -9,7 +9,7 @@
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { PasswordHashDeps } from './password.js';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING } from '../http/error_schemas.js';
-import type { Account, Actor, Permit } from './account_schema.js';
+import type { Account, Actor, RoleGrant } from './account_schema.js';
 import type { Db } from '../db/db.js';
 /** Input for the bootstrap account creation. */
 export interface BootstrapAccountInput {
@@ -21,9 +21,9 @@ export interface BootstrapAccountSuccess {
     ok: true;
     account: Account;
     actor: Actor;
-    permits: {
-        keeper: Permit;
-        admin: Permit;
+    role_grants: {
+        keeper: RoleGrant;
+        admin: RoleGrant;
     };
     /** Whether the bootstrap token file was successfully deleted after account creation. */
     token_file_deleted: boolean;
@@ -70,15 +70,15 @@ export interface BootstrapAccountDeps {
  * 2. Hash the password (CPU-intensive, before transaction)
  * 3. Acquire the bootstrap lock atomically (inside transaction)
  * 4. Create account + actor
- * 5. Grant keeper and admin permits (no expiry, `granted_by = null`)
+ * 5. Grant keeper and admin role_grants (no expiry, `granted_by = null`)
  * 6. Delete the token file (after commit, reported via `token_file_deleted`)
  *
  * @param deps - database, token path, filesystem callbacks, and password hashing
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
- * @returns the created account, actor, and permits — or a bootstrap failure
+ * @returns the created account, actor, and role_grants — or a bootstrap failure
  * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
- * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates `account` / `actor` / `role_grant` tables - inserts the bootstrap account, actor, and the keeper + admin role_grants
  * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export declare const bootstrap_account: (deps: BootstrapAccountDeps, provided_token: string, input: BootstrapAccountInput) => Promise<BootstrapAccountResult>;

package/dist/auth/bootstrap_account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
+{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}

package/dist/auth/bootstrap_account.js

@@ -10,7 +10,7 @@ import { timingSafeEqual } from 'node:crypto';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, } from '../http/error_schemas.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from './role_schema.js';
 import { query_create_account_with_actor, query_account_has_any } from './account_queries.js';
-import { query_grant_permit } from './permit_queries.js';
+import { query_create_role_grant } from './role_grant_queries.js';
 /**
  * Bootstrap the first account with keeper and admin privileges.
  *
@@ -21,15 +21,15 @@ import { query_grant_permit } from './permit_queries.js';
  * 2. Hash the password (CPU-intensive, before transaction)
  * 3. Acquire the bootstrap lock atomically (inside transaction)
  * 4. Create account + actor
- * 5. Grant keeper and admin permits (no expiry, `granted_by = null`)
+ * 5. Grant keeper and admin role_grants (no expiry, `granted_by = null`)
  * 6. Delete the token file (after commit, reported via `token_file_deleted`)
  *
  * @param deps - database, token path, filesystem callbacks, and password hashing
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
- * @returns the created account, actor, and permits — or a bootstrap failure
+ * @returns the created account, actor, and role_grants — or a bootstrap failure
  * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
- * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates `account` / `actor` / `role_grant` tables - inserts the bootstrap account, actor, and the keeper + admin role_grants
  * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export const bootstrap_account = async (deps, provided_token, input) => {
@@ -66,13 +66,13 @@ export const bootstrap_account = async (deps, provided_token, input) => {
             username: input.username,
             password_hash,
         });
-        const keeper_permit = await query_grant_permit(tx_deps, {
+        const keeper_role_grant = await query_create_role_grant(tx_deps, {
             actor_id: actor.id,
             role: ROLE_KEEPER,
             granted_by: null,
             expires_at: null,
         });
-        const admin_permit = await query_grant_permit(tx_deps, {
+        const admin_role_grant = await query_create_role_grant(tx_deps, {
             actor_id: actor.id,
             role: ROLE_ADMIN,
             granted_by: null,
@@ -82,7 +82,7 @@ export const bootstrap_account = async (deps, provided_token, input) => {
             ok: true,
             account,
             actor,
-            permits: { keeper: keeper_permit, admin: admin_permit },
+            role_grants: { keeper: keeper_role_grant, admin: admin_role_grant },
         };
     });
     if (!tx_result.ok)

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAanD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAuHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAYnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAiHjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -7,15 +7,14 @@
  * @module
  */
 import { z } from 'zod';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
+import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
-import { Username } from './account_schema.js';
+import { Username } from '../primitive_schemas.js';
 import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 import { ERROR_BOOTSTRAP_NOT_CONFIGURED, ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export const BootstrapInput = z.strictObject({
@@ -74,7 +73,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/bootstrap',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Create initial keeper account (one-shot)',
             transaction: false, // bootstrap_account manages its own transaction
             input: BootstrapInput,
@@ -107,8 +106,10 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (token_path === null) {
                     return c.json({ error: ERROR_BOOTSTRAP_NOT_CONFIGURED }, 404);
                 }
+                // `transaction: false` makes `route.db` the pool. `bootstrap_account`
+                // manages its own transaction internally.
                 const result = await bootstrap_account({
-                    db: route.background_db,
+                    db: route.db,
                     token_path,
                     read_text_file: deps.read_text_file,
                     delete_file: deps.delete_file,
@@ -118,12 +119,12 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (!result.ok) {
                     if (ip_rate_limiter && ip)
                         ip_rate_limiter.record(ip);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'bootstrap',
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { error: result.error },
-                    }, deps);
+                    });
                     return c.json({ error: result.error }, result.status);
                 }
                 // Successful bootstrap — update state immediately
@@ -132,7 +133,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 bootstrap_status.available = false;
                 await create_session_and_set_cookie({
                     keyring,
-                    deps: { db: route.background_db },
+                    deps: { db: route.db },
                     c,
                     account_id: result.account.id,
                     session_options,
@@ -145,12 +146,12 @@ export const create_bootstrap_route_specs = (deps, options) => {
                         deps.log.error(`on_bootstrap callback failed: ${err instanceof Error ? err.message : String(err)}`);
                     }
                 }
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'bootstrap',
                     actor_id: result.actor.id,
                     account_id: result.account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 // CRITICAL: If token file deletion failed, throw to force operator attention.
                 // All success work (session, on_bootstrap, audit) has completed above.
                 // The error response alerts the operator to delete the token file manually.

package/dist/auth/cleanup.d.ts

@@ -1,17 +1,17 @@
 /**
- * Periodic auth cleanup — sweeps expired sessions and permit offers.
+ * Periodic auth cleanup — sweeps expired sessions and role_grant offers.
  *
  * Single entry point for consumers scheduling auth maintenance. Internally
  * runs every known sweep and emits the corresponding audit events so
  * consumer code only manages cadence, not per-task wiring.
  *
  * The per-task primitives remain exported from their home modules
- * (`query_session_cleanup_expired`, `query_permit_offer_sweep_expired`);
- * `cleanup_expired_permit_offers` here wraps the latter with the required
- * `permit_offer_expire` audit emission and is the piece most likely to be
+ * (`query_session_cleanup_expired`, `query_role_grant_offer_sweep_expired`);
+ * `cleanup_expired_role_grant_offers` here wraps the latter with the required
+ * `role_grant_offer_expire` audit emission and is the piece most likely to be
  * reused in a consumer's bespoke scheduler.
  *
- * Idempotency: the audit log has no tombstone on `permit_offer_expire`, so
+ * Idempotency: the audit log has no tombstone on `role_grant_offer_expire`, so
  * concurrent sweep runs double-audit. The expected deployment pattern is a
  * single scheduled invocation per instance — matching
  * `query_session_cleanup_expired`.
@@ -20,57 +20,51 @@
  */
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { QueryDeps } from '../db/query_deps.js';
-import type { AuditLogConfig, AuditLogEvent } from './audit_log_schema.js';
+import type { AuditEmitter } from './audit_emitter.js';
 /** Dependencies for the cleanup helpers. */
 export interface AuthCleanupDeps extends QueryDeps {
     log: Logger;
     /**
-     * Called after each audit event INSERT succeeds. Typically the same
-     * callback wired into `AppDeps.on_audit_event` (SSE broadcast). Omit
-     * to skip broadcast — the audit rows still land in the DB.
+     * Bound audit emitter. `cleanup_expired_role_grant_offers` writes via
+     * `audit.emit_pool` (the captured pool + config + listener chain), so
+     * one slot covers both row persistence and SSE/WS fan-out. Required —
+     * production wiring always has a bound emitter on `AppDeps.audit`, and
+     * tests that need a no-op pass `create_test_audit_emitter()`.
      */
-    on_audit_event?: ((event: AuditLogEvent) => void) | null;
-    /**
-     * Audit-log config. Only the builtin `permit_offer_expire` event type is
-     * emitted here, so omitting this is safe — the field exists so consumers
-     * threading the same `AppDeps` bundle to scheduled cleanup keep using
-     * their registered config (and consumer extensions to the
-     * `permit_offer_expire` metadata schema get validated).
-     */
-    audit_log_config?: AuditLogConfig;
+    audit: AuditEmitter;
 }
 /** Result of `run_auth_cleanup`. */
 export interface AuthCleanupResult {
     /** Number of expired session rows deleted. */
     expired_sessions: number;
-    /** Number of expired permit offer rows audit-stamped. */
+    /** Number of expired role_grant offer rows audit-stamped. */
     expired_offers: number;
 }
 /**
- * Sweep expired permit offers and emit one `permit_offer_expire` audit
+ * Sweep expired role_grant offers and emit one `role_grant_offer_expire` audit
  * event per row.
  *
  * Returns the count of offers audit-stamped. The offer rows themselves are
  * preserved — offers carry audit value for the history view even after
- * expiry, and accepted rows are the provenance for the resulting permit
+ * expiry, and accepted rows are the provenance for the resulting role_grant
  * (deleting expired rows would not threaten that, but keeping them uniform
  * with the retention policy for terminal rows is simpler).
  *
- * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
+ * @mutates `audit_log` table - inserts one `role_grant_offer_expire` row per swept offer
  */
-export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => Promise<number>;
+export declare const cleanup_expired_role_grant_offers: (deps: AuthCleanupDeps) => Promise<number>;
 /**
- * Run every auth cleanup sweep — expired sessions and expired permit
+ * Run every auth cleanup sweep — expired sessions and expired role_grant
  * offers — and return the counts.
  *
  * Consumers call this from a scheduled task (setInterval, cron, etc.)
  * alongside their own domain cleanup. Errors from individual sweeps are
  * re-thrown so the caller's scheduler can log/alert; use the per-task
- * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
+ * helpers (`query_session_cleanup_expired`, `cleanup_expired_role_grant_offers`)
  * directly if you need finer error isolation.
  *
  * @mutates `auth_session` table - deletes expired sessions
- * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
+ * @mutates `audit_log` table - emits `role_grant_offer_expire` rows for expired offers
  * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
  */
 export declare const run_auth_cleanup: (deps: AuthCleanupDeps) => Promise<AuthCleanupResult>;

package/dist/auth/cleanup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAsCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
+{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,oBAAoB,CAAC;AAErD,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,KAAK,EAAE,YAAY,CAAC;CACpB;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAuB7F,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}