npm - @fuzdev/fuz_app - Versions diffs - 0.55.0 → 0.56.0 - Mend

@fuzdev/fuz_app 0.55.0 → 0.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (331) hide show

package/dist/actions/CLAUDE.md +211 -155
package/dist/actions/action_bridge.d.ts +8 -5
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +1 -11
package/dist/actions/action_codegen.d.ts +19 -0
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +20 -14
package/dist/actions/action_registry.d.ts.map +1 -1
package/dist/actions/action_registry.js +5 -2
package/dist/actions/action_rpc.d.ts +110 -44
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +92 -287
package/dist/actions/action_spec.d.ts +55 -16
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -11
package/dist/actions/action_types.d.ts +28 -60
package/dist/actions/action_types.d.ts.map +1 -1
package/dist/actions/action_types.js +13 -5
package/dist/actions/broadcast_api.d.ts +2 -2
package/dist/actions/broadcast_api.js +2 -2
package/dist/actions/compile_action_registry.d.ts +50 -0
package/dist/actions/compile_action_registry.d.ts.map +1 -0
package/dist/actions/compile_action_registry.js +69 -0
package/dist/actions/heartbeat.d.ts +8 -4
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -4
package/dist/actions/perform_action.d.ts +145 -0
package/dist/actions/perform_action.d.ts.map +1 -0
package/dist/actions/perform_action.js +258 -0
package/dist/actions/register_action_ws.d.ts +44 -38
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +101 -159
package/dist/actions/register_ws_endpoint.d.ts +2 -10
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +32 -10
package/dist/actions/transports_ws_auth_guard.d.ts +1 -1
package/dist/actions/transports_ws_auth_guard.js +1 -1
package/dist/actions/transports_ws_backend.d.ts +1 -1
package/dist/actions/transports_ws_backend.js +1 -1
package/dist/auth/CLAUDE.md +673 -442
package/dist/auth/account_action_specs.d.ts +28 -7
package/dist/auth/account_action_specs.d.ts.map +1 -1
package/dist/auth/account_action_specs.js +7 -7
package/dist/auth/account_actions.d.ts +8 -14
package/dist/auth/account_actions.d.ts.map +1 -1
package/dist/auth/account_actions.js +26 -32
package/dist/auth/account_queries.d.ts +46 -13
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +73 -33
package/dist/auth/account_routes.d.ts +4 -3
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +58 -33
package/dist/auth/account_schema.d.ts +46 -54
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +21 -48
package/dist/auth/admin_action_specs.d.ts +55 -21
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +42 -26
package/dist/auth/admin_actions.d.ts +14 -21
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +47 -44
package/dist/auth/audit_emitter.d.ts +160 -0
package/dist/auth/audit_emitter.d.ts.map +1 -0
package/dist/auth/audit_emitter.js +83 -0
package/dist/auth/audit_log_queries.d.ts +17 -87
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +17 -96
package/dist/auth/audit_log_routes.d.ts +1 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +7 -3
package/dist/auth/audit_log_schema.d.ts +48 -42
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +56 -43
package/dist/auth/auth_guard_resolver.d.ts +44 -0
package/dist/auth/auth_guard_resolver.d.ts.map +1 -0
package/dist/auth/auth_guard_resolver.js +56 -0
package/dist/auth/bootstrap_account.d.ts +7 -7
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +7 -7
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +11 -10
package/dist/auth/cleanup.d.ts +20 -26
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +33 -47
package/dist/auth/credential_type_schema.d.ts +115 -0
package/dist/auth/credential_type_schema.d.ts.map +1 -0
package/dist/auth/credential_type_schema.js +127 -0
package/dist/auth/daemon_token_middleware.d.ts +1 -1
package/dist/auth/daemon_token_middleware.js +3 -3
package/dist/auth/ddl.d.ts +2 -2
package/dist/auth/ddl.d.ts.map +1 -1
package/dist/auth/ddl.js +6 -6
package/dist/auth/deps.d.ts +7 -32
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/grant_path_schema.d.ts +117 -0
package/dist/auth/grant_path_schema.d.ts.map +1 -0
package/dist/auth/grant_path_schema.js +137 -0
package/dist/auth/invite_queries.d.ts +12 -1
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +12 -1
package/dist/auth/invite_schema.d.ts +1 -1
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +1 -1
package/dist/auth/middleware.d.ts.map +1 -1
package/dist/auth/middleware.js +5 -2
package/dist/auth/migrations.d.ts +22 -7
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +64 -25
package/dist/auth/request_context.d.ts +157 -170
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +224 -268
package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} +130 -100
package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -0
package/dist/auth/role_grant_offer_action_specs.js +262 -0
package/dist/auth/role_grant_offer_actions.d.ts +104 -0
package/dist/auth/role_grant_offer_actions.d.ts.map +1 -0
package/dist/auth/{permit_offer_actions.js → role_grant_offer_actions.js} +153 -140
package/dist/auth/{permit_offer_notifications.d.ts → role_grant_offer_notifications.d.ts} +80 -70
package/dist/auth/role_grant_offer_notifications.d.ts.map +1 -0
package/dist/auth/role_grant_offer_notifications.js +182 -0
package/dist/auth/{permit_offer_queries.d.ts → role_grant_offer_queries.d.ts} +64 -64
package/dist/auth/role_grant_offer_queries.d.ts.map +1 -0
package/dist/auth/{permit_offer_queries.js → role_grant_offer_queries.js} +136 -123
package/dist/auth/role_grant_offer_schema.d.ts +150 -0
package/dist/auth/role_grant_offer_schema.d.ts.map +1 -0
package/dist/auth/{permit_offer_schema.js → role_grant_offer_schema.js} +55 -36
package/dist/auth/role_grant_queries.d.ts +231 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -0
package/dist/auth/role_grant_queries.js +320 -0
package/dist/auth/role_schema.d.ts +150 -40
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +144 -45
package/dist/auth/scope_kind_schema.d.ts +96 -0
package/dist/auth/scope_kind_schema.d.ts.map +1 -0
package/dist/auth/scope_kind_schema.js +94 -0
package/dist/auth/self_service_role_action_specs.d.ts +4 -1
package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
package/dist/auth/self_service_role_action_specs.js +2 -2
package/dist/auth/self_service_role_actions.d.ts +35 -29
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +58 -48
package/dist/auth/session_cookie.d.ts +43 -6
package/dist/auth/session_cookie.d.ts.map +1 -1
package/dist/auth/session_cookie.js +31 -5
package/dist/auth/session_middleware.d.ts +37 -3
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +33 -7
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +48 -19
package/dist/auth/standard_action_specs.d.ts +2 -2
package/dist/auth/standard_action_specs.js +4 -4
package/dist/auth/standard_rpc_actions.d.ts +23 -19
package/dist/auth/standard_rpc_actions.d.ts.map +1 -1
package/dist/auth/standard_rpc_actions.js +12 -12
package/dist/db/migrate.d.ts +1 -1
package/dist/db/migrate.js +1 -1
package/dist/dev/setup.d.ts +2 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +4 -4
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/hono_context.d.ts +27 -45
package/dist/hono_context.d.ts.map +1 -1
package/dist/hono_context.js +14 -28
package/dist/http/CLAUDE.md +235 -121
package/dist/http/auth_shape.d.ts +191 -0
package/dist/http/auth_shape.d.ts.map +1 -0
package/dist/http/auth_shape.js +237 -0
package/dist/http/common_routes.js +3 -3
package/dist/http/db_routes.d.ts +4 -0
package/dist/http/db_routes.d.ts.map +1 -1
package/dist/http/db_routes.js +44 -7
package/dist/http/error_schemas.d.ts +56 -34
package/dist/http/error_schemas.d.ts.map +1 -1
package/dist/http/error_schemas.js +63 -28
package/dist/http/pending_effects.d.ts +71 -18
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +87 -18
package/dist/http/proxy.d.ts +52 -5
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +92 -14
package/dist/http/route_spec.d.ts +89 -75
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +54 -72
package/dist/http/schema_helpers.d.ts +3 -14
package/dist/http/schema_helpers.d.ts.map +1 -1
package/dist/http/schema_helpers.js +2 -14
package/dist/http/surface.d.ts +2 -10
package/dist/http/surface.d.ts.map +1 -1
package/dist/http/surface.js +3 -4
package/dist/http/surface_query.d.ts +39 -35
package/dist/http/surface_query.d.ts.map +1 -1
package/dist/http/surface_query.js +79 -36
package/dist/primitive_schemas.d.ts +39 -0
package/dist/primitive_schemas.d.ts.map +1 -0
package/dist/primitive_schemas.js +40 -0
package/dist/realtime/sse_auth_guard.d.ts +5 -5
package/dist/realtime/sse_auth_guard.js +9 -9
package/dist/runtime/mock.d.ts +1 -1
package/dist/runtime/mock.js +1 -1
package/dist/server/app_backend.d.ts +14 -11
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +12 -8
package/dist/server/app_server.d.ts +7 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +35 -40
package/dist/server/validate_nginx.d.ts +1 -1
package/dist/server/validate_nginx.js +1 -1
package/dist/testing/CLAUDE.md +50 -38
package/dist/testing/admin_integration.d.ts +5 -6
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +87 -85
package/dist/testing/app_server.d.ts +11 -14
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +16 -15
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +2 -1
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +15 -9
package/dist/testing/audit_completeness.d.ts +2 -2
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +36 -36
package/dist/testing/auth_apps.d.ts +5 -4
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +22 -19
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +5 -5
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +4 -4
package/dist/testing/db_entities.d.ts +22 -0
package/dist/testing/db_entities.d.ts.map +1 -0
package/dist/testing/db_entities.js +28 -0
package/dist/testing/entities.d.ts +8 -7
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +21 -18
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +13 -14
package/dist/testing/integration_helpers.d.ts +4 -4
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +20 -18
package/dist/testing/middleware.d.ts +4 -4
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +12 -11
package/dist/testing/rpc_attack_surface.d.ts.map +1 -1
package/dist/testing/rpc_attack_surface.js +40 -24
package/dist/testing/rpc_round_trip.d.ts +1 -1
package/dist/testing/rpc_round_trip.d.ts.map +1 -1
package/dist/testing/rpc_round_trip.js +14 -13
package/dist/testing/sse_round_trip.d.ts +3 -4
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +7 -11
package/dist/testing/standard.d.ts +1 -1
package/dist/testing/stubs.d.ts +25 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +43 -2
package/dist/testing/surface_invariants.d.ts +2 -2
package/dist/testing/ws_round_trip.d.ts +12 -13
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +19 -11
package/dist/ui/AdminAccounts.svelte +23 -20
package/dist/ui/AdminOverview.svelte +15 -13
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} +12 -12
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts +4 -0
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +1 -1
package/dist/ui/CLAUDE.md +60 -60
package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} +27 -26
package/dist/ui/{PermitOfferForm.svelte.d.ts → RoleGrantOfferForm.svelte.d.ts} +7 -7
package/dist/ui/RoleGrantOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferHistory.svelte → RoleGrantOfferHistory.svelte} +12 -12
package/dist/ui/{PermitOfferHistory.svelte.d.ts → RoleGrantOfferHistory.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferInbox.svelte → RoleGrantOfferInbox.svelte} +14 -14
package/dist/ui/{PermitOfferInbox.svelte.d.ts → RoleGrantOfferInbox.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +1 -1
package/dist/ui/SurfaceExplorer.svelte +35 -15
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +2 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +2 -3
package/dist/ui/admin_accounts_state.svelte.d.ts +18 -18
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +16 -16
package/dist/ui/admin_rpc_adapters.d.ts +20 -20
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +17 -17
package/dist/ui/admin_sessions_state.svelte.d.ts +2 -2
package/dist/ui/admin_sessions_state.svelte.js +2 -2
package/dist/ui/audit_log_state.svelte.d.ts +7 -7
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -6
package/dist/ui/auth_state.svelte.d.ts +3 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +6 -6
package/dist/ui/format_scope.d.ts +2 -2
package/dist/ui/format_scope.js +2 -2
package/dist/ui/{permit_offers_state.svelte.d.ts → role_grant_offers_state.svelte.d.ts} +30 -30
package/dist/ui/role_grant_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/{permit_offers_state.svelte.js → role_grant_offers_state.svelte.js} +18 -18
package/dist/ui/ui_format.js +2 -2
package/package.json +3 -3
package/dist/auth/permit_offer_action_specs.d.ts.map +0 -1
package/dist/auth/permit_offer_action_specs.js +0 -258
package/dist/auth/permit_offer_actions.d.ts +0 -110
package/dist/auth/permit_offer_actions.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.js +0 -182
package/dist/auth/permit_offer_queries.d.ts.map +0 -1
package/dist/auth/permit_offer_schema.d.ts +0 -125
package/dist/auth/permit_offer_schema.d.ts.map +0 -1
package/dist/auth/permit_queries.d.ts +0 -222
package/dist/auth/permit_queries.d.ts.map +0 -1
package/dist/auth/permit_queries.js +0 -305
package/dist/auth/require_keeper.d.ts +0 -20
package/dist/auth/require_keeper.d.ts.map +0 -1
package/dist/auth/require_keeper.js +0 -35
package/dist/auth/route_guards.d.ts +0 -27
package/dist/auth/route_guards.d.ts.map +0 -1
package/dist/auth/route_guards.js +0 -38
package/dist/auth/session_lifecycle.d.ts +0 -37
package/dist/auth/session_lifecycle.d.ts.map +0 -1
package/dist/auth/session_lifecycle.js +0 -29
package/dist/ui/AdminPermitHistory.svelte.d.ts +0 -4
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferForm.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +0 -1
package/dist/ui/permit_offers_state.svelte.d.ts.map +0 -1

package/dist/testing/integration.js CHANGED Viewed

@@ -26,6 +26,7 @@ import { RateLimiter } from '../rate_limiter.js';
 import { run_migrations } from '../db/migrate.js';
 import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERROR_COVERAGE, } from './error_coverage.js';
 import { ApiError, ERROR_FORBIDDEN_ORIGIN } from '../http/error_schemas.js';
+import { is_public_auth } from '../http/auth_shape.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 import { invite_create_action_spec } from '../auth/admin_action_specs.js';
 /**
@@ -93,7 +94,7 @@ export const describe_standard_integration_tests = (options) => {
                 // dilute the coverage percentage; admin-role routes are scoped
                 // to the admin suite instead.
                 const auth_routes = captured_route_specs.filter((s) => {
-                    if (s.auth.type === 'role' && s.auth.role === 'admin')
+                    if (s.auth.roles?.includes('admin') ?? false)
                         return false;
                     const rest_suffixes = ['/login', '/logout', '/password', '/signup', '/bootstrap'];
                     if (rest_suffixes.some((suffix) => s.path.endsWith(suffix)))
@@ -645,7 +646,7 @@ export const describe_standard_integration_tests = (options) => {
                 const test_app = await create_test_app(build_test_app_options(options, get_db()));
                 // admin routes are optional in the base suite — admin-specific coverage
                 // lives in describe_standard_admin_integration_tests
-                const admin_route = test_app.route_specs.find((s) => s.auth.type === 'role' && s.auth.role === 'admin');
+                const admin_route = test_app.route_specs.find((s) => s.auth.roles?.includes('admin') ?? false);
                 if (!admin_route)
                     return;
                 const res = await test_app.app.request(admin_route.path, {
@@ -788,11 +789,9 @@ export const describe_standard_integration_tests = (options) => {
         // --- 9. Response body validation ---
         describe('response body validation', () => {
             // `assert_response_matches_spec` validates REST `RouteSpec` outputs.
-            // The account REST routes that used to cover this (/verify, /sessions,
-            // /tokens, /tokens/create) moved to RPC in the 2026-04-23 migration,
-            // so we exercise the remaining REST endpoints (/login, /logout,
-            // /password) against their declared schemas. RPC output validation is
-            // covered by `describe_rpc_round_trip_tests`.
+            // Session/token CRUD lives on the RPC surface; only /login, /logout,
+            // /password remain as REST routes whose responses we exercise here.
+            // RPC output validation is covered by `describe_rpc_round_trip_tests`.
             test('POST /login 401 response matches declared error schema', async () => {
                 const test_app = await create_test_app(build_test_app_options(options, get_db()));
                 const login_route = find_auth_route(test_app.route_specs, '/login', 'POST');
@@ -1091,12 +1090,12 @@ export const describe_standard_integration_tests = (options) => {
         describe('signup invite edge cases', () => {
             test('signup with non-matching email cannot claim another email invite', async () => {
                 const test_app = await create_test_app(build_test_app_options(options, get_db()));
-                const signup_route = test_app.route_specs.find((s) => s.method === 'POST' && s.path.endsWith('/signup') && s.auth.type === 'none');
+                const signup_route = test_app.route_specs.find((s) => s.method === 'POST' && s.path.endsWith('/signup') && is_public_auth(s.auth));
                 if (!signup_route)
                     return; // signup is optional
-                // `invite_create` became RPC-only in the 2026-04-23 migration.
-                // Consumers that don't wire admin RPC actions can't exercise invites;
-                // skip the test rather than fail.
+                // `invite_create` lives on the RPC surface; consumers that don't
+                // wire admin RPC actions can't exercise invites — skip the test
+                // rather than fail.
                 if (!find_rpc_action(rpc_endpoints_for_setup, invite_create_action_spec.method))
                     return;
                 // Create an admin to manage invites
@@ -1137,11 +1136,11 @@ export const describe_standard_integration_tests = (options) => {
             test('no-invite and conflict failure responses are structurally identical', async () => {
                 const test_app = await create_test_app(build_test_app_options(options, get_db()));
                 // Find signup route (POST ending in /signup, public)
-                const signup_route = test_app.route_specs.find((s) => s.method === 'POST' && s.path.endsWith('/signup') && s.auth.type === 'none');
+                const signup_route = test_app.route_specs.find((s) => s.method === 'POST' && s.path.endsWith('/signup') && is_public_auth(s.auth));
                 if (!signup_route)
                     return; // signup is optional
-                // `invite_create` became RPC-only in the 2026-04-23 migration.
-                // Consumers that don't wire admin RPC actions can't exercise invites.
+                // `invite_create` lives on the RPC surface; consumers that don't
+                // wire admin RPC actions can't exercise invites.
                 if (!find_rpc_action(rpc_endpoints_for_setup, invite_create_action_spec.method))
                     return;
                 // We need admin access — create an admin account

package/dist/testing/integration_helpers.d.ts CHANGED Viewed

@@ -12,10 +12,10 @@ import type { TestApp, TestAccount } from './app_server.js';
  */
 export declare const find_route_spec: (specs: Array<RouteSpec>, method: string, path: string) => RouteSpec | undefined;
 /**
- * REST auth route suffixes still on the account/bootstrap surface after the
- * 2026-04-22 RPC migration. `find_auth_route` rejects any other suffix at
- * runtime — session/token CRUD, admin operations, and permit flows live on
- * the RPC surface and should be reached via `rpc_call`.
+ * REST auth route suffixes on the account/bootstrap surface — the only
+ * routes still REST. `find_auth_route` rejects any other suffix at runtime;
+ * session/token CRUD, admin operations, and role_grant flows live on the RPC
+ * surface and should be reached via `rpc_call`.
  */
 export declare const REST_AUTH_ROUTE_SUFFIXES: readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"];
 export type RestAuthRouteSuffix = (typeof REST_AUTH_ROUTE_SUFFIXES)[number];

package/dist/testing/integration_helpers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"integration_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAU7B,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,uBAAuB,CAAC;~~AAElE~~,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE3F,OAAO,KAAK,EAAC,OAAO,EAAE,WAAW,EAAC,MAAM,iBAAiB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,MAAM,EACd,MAAM,MAAM,KACV,SAAS,GAAG,SAad,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,iFAO3B,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,mBAAmB,EAC3B,QAAQ,WAAW,KACjB,SAAS,GAAG,SAOd,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GACxC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,UAAU,QAAQ,KAChB,OAAO,CAAC,IAAI,CAmDd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GACtC,SAAS,OAAO,EAChB,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,OAAO,CAAC,MAAM,CAGhB,CAAC;AAgCF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GAAI,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,KAAK,CAAC,MAAM,CAQvF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GAAI,MAAM,OAAO,EAAE,SAAS,MAAM,KAAG,IAoB7E,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oCAAoC,GAChD,UAAU,QAAQ,EAClB,MAAM;IAAC,WAAW,EAAE,MAAM,CAAA;CAAC,KACzB,IAUF,CAAC;AAIF,oEAAoE;AACpE,eAAO,MAAM,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAmC,CAAC;AAEhG,0EAA0E;AAC1E,eAAO,MAAM,0BAA0B,EAAE,aAAa,CAAC,MAAM,CAAgC,CAAC;AAE9F;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,OAAO,KAAG,GAAG,CAAC,MAAM,CAetE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,OAAO,EACb,WAAW,aAAa,CAAC,MAAM,CAAC,EAChC,SAAS,MAAM,KACb,IAKF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,UAAU,OAAO,EACjB,gBAAgB,WAAW,EAC3B,eAAe,WAAW,KACxB,MAAM,CAAC,MAAM,EAAE,MAAM,~~CAcvB~~,CAAC"}
1	+ {"version":3,"file":"integration_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration_helpers.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAU7B,OAAO,KAAK,EAAC,SAAS,EAAE,WAAW,EAAC,MAAM,uBAAuB,CAAC;AAGlE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE3F,OAAO,KAAK,EAAC,OAAO,EAAE,WAAW,EAAC,MAAM,iBAAiB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,MAAM,EACd,MAAM,MAAM,KACV,SAAS,GAAG,SAad,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,iFAO3B,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,wBAAwB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,GAC3B,OAAO,KAAK,CAAC,SAAS,CAAC,EACvB,QAAQ,mBAAmB,EAC3B,QAAQ,WAAW,KACjB,SAAS,GAAG,SAOd,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GACxC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,QAAQ,MAAM,EACd,MAAM,MAAM,EACZ,UAAU,QAAQ,KAChB,OAAO,CAAC,IAAI,CAmDd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B,GACtC,SAAS,OAAO,EAChB,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,OAAO,CAAC,MAAM,CAGhB,CAAC;AAgCF;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GAAI,MAAM,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,KAAK,CAAC,MAAM,CAQvF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,4BAA4B,GAAI,MAAM,OAAO,EAAE,SAAS,MAAM,KAAG,IAoB7E,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oCAAoC,GAChD,UAAU,QAAQ,EAClB,MAAM;IAAC,WAAW,EAAE,MAAM,CAAA;CAAC,KACzB,IAUF,CAAC;AAIF,oEAAoE;AACpE,eAAO,MAAM,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAmC,CAAC;AAEhG,0EAA0E;AAC1E,eAAO,MAAM,0BAA0B,EAAE,aAAa,CAAC,MAAM,CAAgC,CAAC;AAE9F;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,OAAO,KAAG,GAAG,CAAC,MAAM,CAetE,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,OAAO,EACb,WAAW,aAAa,CAAC,MAAM,CAAC,EAChC,SAAS,MAAM,KACb,IAKF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,UAAU,OAAO,EACjB,gBAAgB,WAAW,EAC3B,eAAe,WAAW,KACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAevB,CAAC"}

package/dist/testing/integration_helpers.js CHANGED Viewed

@@ -6,6 +6,7 @@ import './assert_dev_env.js';
  */
 import { assert } from 'vitest';
 import { is_null_schema, merge_error_schemas } from '../http/schema_helpers.js';
+import { is_public_auth } from '../http/auth_shape.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { ROLE_ADMIN } from '../auth/role_schema.js';
 /**
@@ -32,10 +33,10 @@ export const find_route_spec = (specs, method, path) => {
     });
 };
 /**
- * REST auth route suffixes still on the account/bootstrap surface after the
- * 2026-04-22 RPC migration. `find_auth_route` rejects any other suffix at
- * runtime — session/token CRUD, admin operations, and permit flows live on
- * the RPC surface and should be reached via `rpc_call`.
+ * REST auth route suffixes on the account/bootstrap surface — the only
+ * routes still REST. `find_auth_route` rejects any other suffix at runtime;
+ * session/token CRUD, admin operations, and role_grant flows live on the RPC
+ * surface and should be reached via `rpc_call`.
  */
 export const REST_AUTH_ROUTE_SUFFIXES = [
     '/login',
@@ -133,9 +134,9 @@ export const create_expired_test_cookie = async (keyring, session_options) => {
 const KNOWN_SAFE_ERROR_FIELDS = new Set([
     'error',
     'issues',
-    'required_role',
+    'required_roles',
+    'required_credential_types',
     'retry_after',
-    'credential_type',
     'has_references',
     'ok',
 ]);
@@ -254,17 +255,18 @@ export const assert_no_sensitive_fields_in_json = (body, blocklist, context) =>
  * - `keeper` — the test app's daemon token
  */
 export const pick_auth_headers = (spec, test_app, authed_account, admin_account) => {
-    switch (spec.auth.type) {
-        case 'none':
-            return { host: 'localhost', origin: 'http://localhost:5173' };
-        case 'authenticated':
-            return authed_account.create_session_headers();
-        case 'role':
-            if (spec.auth.role === ROLE_ADMIN) {
-                return admin_account.create_session_headers();
-            }
-            return test_app.create_session_headers();
-        case 'keeper':
-            return test_app.create_daemon_token_headers();
+    const { auth } = spec;
+    if (is_public_auth(auth)) {
+        return { host: 'localhost', origin: 'http://localhost:5173' };
+    }
+    if (auth.credential_types?.includes('daemon_token')) {
+        return test_app.create_daemon_token_headers();
+    }
+    if (auth.roles?.length) {
+        if (auth.roles.includes(ROLE_ADMIN)) {
+            return admin_account.create_session_headers();
+        }
+        return test_app.create_session_headers();
     }
+    return authed_account.create_session_headers();
 };

package/dist/testing/middleware.d.ts CHANGED Viewed

@@ -27,8 +27,8 @@ export interface BearerAuthTestOptions {
     mock_find_by_id_result?: unknown;
     /** What `query_actor_by_id()` returns. */
     mock_find_actor_by_id_result?: unknown;
-    /** What `query_permit_find_active_for_actor()` returns. */
-    mock_permits_result?: unknown;
+    /** What `query_role_grant_find_active_for_actor()` returns. */
+    mock_role_grants_result?: unknown;
     /** Expected HTTP status, or `'next'` if the middleware should call `next()`. */
     expected_status: number | 'next';
     /** Expected `error` field in JSON response body. */
@@ -63,12 +63,12 @@ export interface BearerAuthMocks {
  * Create mock dependencies for `create_bearer_auth_middleware`, configured per test case.
  *
  * Configures the module-level mocks for `query_validate_api_token`,
- * `query_account_by_id`, `query_actor_by_id`, and `query_permit_find_active_for_actor`
+ * `query_account_by_id`, `query_actor_by_id`, and `query_role_grant_find_active_for_actor`
  * so each test case controls return values independently.
  *
  * @returns mocks bundle with spy references
  * @mutates module-level `vi.mock` registrations for `api_token_queries`,
- *   `account_queries`, and `permit_queries` — each call resets and re-binds
+ *   `account_queries`, and `role_grant_queries` — each call resets and re-binds
  *   the four spies, so cases run in sequence without bleeding state.
  */
 export declare const create_bearer_auth_mocks: (tc: BearerAuthTestOptions) => BearerAuthMocks;

package/dist/testing/middleware.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,EAAE,EAAyB,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC1B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAc3B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AA2BpF,gEAAgE;AAChE,MAAM,WAAW,qBAAqB;IACrC,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,oEAAoE;IACpE,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4CAA4C;IAC5C,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,0CAA0C;IAC1C,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC~~,2DAA2D~~;~~IAC3D~~,~~mBAAmB~~,CAAC,EAAE,OAAO,CAAC;~~IAC9B~~,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;CAClC;AAED,gEAAgE;AAChE,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAChE,+EAA+E;IAC/E,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;IAC9C,2FAA2F;IAC3F,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,yEAAyE;IACzE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mGAAmG;IACnG,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mGAAmG;IACnG,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,uEAAuE;IACvE,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;CAChD;AAID,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,qBAAqB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAChD,2BAA2B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAKD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GAAI,IAAI,qBAAqB,KAAG,eAoCpE,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,cAAc,cAAc,CAAC;AAE1C;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,GACvC,IAAI,qBAAqB,EACzB,kBAAiB,WAAW,GAAG,IAAW,KACxC;IAAC,GAAG,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;~~CAwDpC~~,CAAC;AAIF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,GACtC,YAAY,MAAM,EAClB,OAAO,KAAK,CAAC,kBAAkB,CAAC,EAChC,kBAAiB,WAAW,GAAG,IAAW,KACxC,IAyEF,CAAC;AAIF,yEAAyE;AACzE,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAEhD,sDAAsD;AACtD,MAAM,WAAW,0BAA0B;IAC1C,iDAAiD;IACjD,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC;IACpD,oDAAoD;IACpD,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACrC;AAED,yDAAyD;AACzD,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,IAAI,CAAC;IACV,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,qBAAqB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAChD,2BAA2B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,gCAAgC,GAC5C,UAAU,0BAA0B,KAClC,sBA4DF,CAAC"}
1	+ {"version":3,"file":"middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;;GAQG;AAEH,OAAO,EAAC,EAAE,EAAyB,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC1B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAc3B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AA2BpF,gEAAgE;AAChE,MAAM,WAAW,qBAAqB;IACrC,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,oEAAoE;IACpE,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4CAA4C;IAC5C,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,0CAA0C;IAC1C,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC,+DAA+D;IAC/D,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,gFAAgF;IAChF,eAAe,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+GAA+G;IAC/G,qBAAqB,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC;CAClC;AAED,gEAAgE;AAChE,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAChE,+EAA+E;IAC/E,oBAAoB,EAAE,QAAQ,GAAG,YAAY,CAAC;IAC9C,2FAA2F;IAC3F,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,yEAAyE;IACzE,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,mGAAmG;IACnG,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,mGAAmG;IACnG,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,uEAAuE;IACvE,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;CAChD;AAID,2DAA2D;AAC3D,MAAM,WAAW,eAAe;IAC/B,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,qBAAqB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAChD,2BAA2B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAKD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GAAI,IAAI,qBAAqB,KAAG,eAoCpE,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,cAAc,cAAc,CAAC;AAE1C;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,GACvC,IAAI,qBAAqB,EACzB,kBAAiB,WAAW,GAAG,IAAW,KACxC;IAAC,GAAG,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CAyDpC,CAAC;AAIF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,GACtC,YAAY,MAAM,EAClB,OAAO,KAAK,CAAC,kBAAkB,CAAC,EAChC,kBAAiB,WAAW,GAAG,IAAW,KACxC,IAyEF,CAAC;AAIF,yEAAyE;AACzE,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAEhD,sDAAsD;AACtD,MAAM,WAAW,0BAA0B;IAC1C,iDAAiD;IACjD,eAAe,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,aAAa,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC;IACpD,oDAAoD;IACpD,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACrC;AAED,yDAAyD;AACzD,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,IAAI,CAAC;IACV,aAAa,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACxC,eAAe,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAC1C,qBAAqB,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IAChD,2BAA2B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,0BAA0B,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;CACrD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,gCAAgC,GAC5C,UAAU,0BAA0B,KAClC,sBA4DF,CAAC"}

package/dist/testing/middleware.js CHANGED Viewed

@@ -14,7 +14,7 @@ import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_bearer_auth_middleware } from '../auth/bearer_auth.js';
 import { query_validate_api_token } from '../auth/api_token_queries.js';
 import { query_account_by_id, query_actor_by_id, query_actors_by_account, } from '../auth/account_queries.js';
-import { query_permit_find_active_for_actor } from '../auth/permit_queries.js';
+import { query_role_grant_find_active_for_actor } from '../auth/role_grant_queries.js';
 import { create_proxy_middleware, get_client_ip } from '../http/proxy.js';
 import { verify_request_source, parse_allowed_origins } from '../http/origin.js';
 import { REQUEST_CONTEXT_KEY } from '../auth/request_context.js';
@@ -30,8 +30,8 @@ vi.mock('../auth/account_queries.js', () => ({
     query_actor_by_id: vi.fn(),
     query_actors_by_account: vi.fn(),
 }));
-vi.mock('../auth/permit_queries.js', () => ({
-    query_permit_find_active_for_actor: vi.fn(),
+vi.mock('../auth/role_grant_queries.js', () => ({
+    query_role_grant_find_active_for_actor: vi.fn(),
 }));
 /** Stub `QueryDeps` for bearer auth tests (no real DB needed). */
 const STUB_DEPS = { db: {} };
@@ -39,12 +39,12 @@ const STUB_DEPS = { db: {} };
  * Create mock dependencies for `create_bearer_auth_middleware`, configured per test case.
  *
  * Configures the module-level mocks for `query_validate_api_token`,
- * `query_account_by_id`, `query_actor_by_id`, and `query_permit_find_active_for_actor`
+ * `query_account_by_id`, `query_actor_by_id`, and `query_role_grant_find_active_for_actor`
  * so each test case controls return values independently.
  *
  * @returns mocks bundle with spy references
  * @mutates module-level `vi.mock` registrations for `api_token_queries`,
- *   `account_queries`, and `permit_queries` — each call resets and re-binds
+ *   `account_queries`, and `role_grant_queries` — each call resets and re-binds
  *   the four spies, so cases run in sequence without bleeding state.
  */
 export const create_bearer_auth_mocks = (tc) => {
@@ -52,7 +52,7 @@ export const create_bearer_auth_mocks = (tc) => {
     const mock_find_by_id = vi.mocked(query_account_by_id);
     const mock_find_actor_by_id = vi.mocked(query_actor_by_id);
     const mock_find_actors_by_account = vi.mocked(query_actors_by_account);
-    const mock_find_active_for_actor = vi.mocked(query_permit_find_active_for_actor);
+    const mock_find_active_for_actor = vi.mocked(query_role_grant_find_active_for_actor);
     mock_validate
         .mockReset()
         .mockImplementation(() => Promise.resolve(tc.mock_validate_result));
@@ -73,7 +73,7 @@ export const create_bearer_auth_mocks = (tc) => {
     });
     mock_find_active_for_actor
         .mockReset()
-        .mockImplementation(() => Promise.resolve(tc.mock_permits_result ?? []));
+        .mockImplementation(() => Promise.resolve(tc.mock_role_grants_result ?? []));
     return {
         mock_validate,
         mock_find_by_id,
@@ -97,9 +97,10 @@ export const create_bearer_auth_test_app = (tc, ip_rate_limiter = null) => {
     // inject pre-existing session identity if the test case specifies one.
     // `pre_context` simulates the session middleware having authenticated
     // the caller — sets `ACCOUNT_ID_KEY` (the account-grain identity bearer
-    // auth checks) and the legacy `REQUEST_CONTEXT_KEY` (preserved through
-    // the bearer middleware unchanged so consumer expectations on the full
-    // context shape stay testable).
+    // auth checks) and pre-populates `REQUEST_CONTEXT_KEY` as a test
+    // escape-hatch (production bearer middleware is account-only and never
+    // sets this key — see `auth/CLAUDE.md` Production-middleware invariant)
+    // so consumer expectations on the full context shape stay testable.
     if (tc.pre_context) {
         const pre_context = tc.pre_context;
         app.use('*', async (c, next) => {
@@ -210,7 +211,7 @@ export const create_test_middleware_stack_app = (options) => {
     const mock_find_by_id = vi.mocked(query_account_by_id);
     const mock_find_actor_by_id = vi.mocked(query_actor_by_id);
     const mock_find_actors_by_account = vi.mocked(query_actors_by_account);
-    const mock_find_active_for_actor = vi.mocked(query_permit_find_active_for_actor);
+    const mock_find_active_for_actor = vi.mocked(query_role_grant_find_active_for_actor);
     mock_validate.mockReset().mockImplementation(() => Promise.resolve(undefined));
     mock_find_by_id.mockReset().mockImplementation(() => Promise.resolve(undefined));
     mock_find_actor_by_id.mockReset().mockImplementation(() => Promise.resolve(undefined));

package/dist/testing/rpc_attack_surface.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rpc_attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAA6C,cAAc,EAAC,MAAM,oBAAoB,CAAC;~~AAoBnG~~,uDAAuD;AACvD,MAAM,WAAW,uBAAuB;IACvC,+FAA+F;IAC/F,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;~~AAodD~~;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,uBAAuB,KAAG,IAOpF,CAAC"}
1	+ {"version":3,"file":"rpc_attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAA6C,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAqBnG,uDAAuD;AACvD,MAAM,WAAW,uBAAuB;IACvC,+FAA+F;IAC/F,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AA0dD;;;;;;;;;GASG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,uBAAuB,KAAG,IAOpF,CAAC"}

package/dist/testing/rpc_attack_surface.js CHANGED Viewed

@@ -13,18 +13,23 @@ import './assert_dev_env.js';
  * @module
  */
 import { test, assert, describe } from 'vitest';
+import { is_keeper_auth, is_public_auth, is_role_auth } from '../http/auth_shape.js';
 import { JSONRPC_ERROR_CODES } from '../http/jsonrpc_errors.js';
 import { create_auth_test_apps, create_test_app_from_specs, create_test_request_context, select_auth_app, } from './auth_apps.js';
 import { generate_input_test_cases } from './adversarial_input.js';
+import { generate_valid_body } from './schema_generators.js';
 import { ERROR_INVALID_JSON_BODY } from '../http/error_schemas.js';
 import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, } from './rpc_helpers.js';
 // --- Helpers ---
 /** Filter RPC methods that require any form of authentication. */
-const filter_protected_rpc_methods = (endpoint) => endpoint.methods.filter((m) => m.auth.type !== 'none');
-/** Filter RPC methods that require a specific role. */
-const filter_role_rpc_methods = (endpoint) => endpoint.methods.filter((m) => m.auth.type === 'role');
-/** Filter RPC methods that require keeper auth (daemon_token + keeper role). */
-const filter_keeper_rpc_methods = (endpoint) => endpoint.methods.filter((m) => m.auth.type === 'keeper');
+const filter_protected_rpc_methods = (endpoint) => endpoint.methods.filter((m) => !is_public_auth(m.auth));
+/** Filter RPC methods that declare a role gate (`auth.roles?.length`). */
+const filter_role_rpc_methods = (endpoint) => endpoint.methods.filter((m) => is_role_auth(m.auth));
+/**
+ * Filter RPC methods that require daemon-token credentials. Today this
+ * is the keeper bucket; future credential gates will widen the filter.
+ */
+const filter_keeper_rpc_methods = (endpoint) => endpoint.methods.filter((m) => is_keeper_auth(m.auth));
 /** Find the `RpcAction` source spec for a surface method. */
 const find_rpc_action = (rpc_endpoint_specs, endpoint_path, method_name) => {
     const ep = rpc_endpoint_specs.find((e) => e.path === endpoint_path);
@@ -47,7 +52,7 @@ const find_rpc_action = (rpc_endpoint_specs, endpoint_path, method_name) => {
  */
 const describe_rpc_auth = (options) => {
     const { build, roles } = options;
-    const { surface, route_specs } = build();
+    const { surface, route_specs, rpc_endpoints: rpc_endpoint_specs } = build();
     if (surface.rpc_endpoints.length === 0)
         return;
     const apps = create_auth_test_apps(route_specs, roles);
@@ -71,13 +76,18 @@ const describe_rpc_auth = (options) => {
                 if (role_methods.length > 0) {
                     describe('wrong role → forbidden', () => {
                         for (const method of role_methods) {
-                            const wrong_roles = roles.filter((r) => r !== method.auth.role);
+                            const required_roles = method.auth.roles ?? [];
+                            const wrong_roles = roles.filter((r) => !required_roles.includes(r));
                             for (const wrong_role of wrong_roles) {
-                                test(`${method.name} (${wrong_role} instead of ${method.auth.role})`, async () => {
+                                test(`${method.name} (${wrong_role} instead of ${required_roles.join('|')})`, async () => {
                                     const app = apps.by_role.get(wrong_role);
                                     if (!app)
                                         throw new Error(`No test app for role '${wrong_role}'`);
-                                    const res = await app.request(endpoint.path, create_rpc_post_init(method.name));
+                                    // Send valid params so we trip the role gate (403), not input
+                                    // validation (400). Dispatcher ordering: 401 → 400 → 403.
+                                    const action = find_rpc_action(rpc_endpoint_specs, endpoint.path, method.name);
+                                    const params = action ? generate_valid_body(action.spec.input) : undefined;
+                                    const res = await app.request(endpoint.path, create_rpc_post_init(method.name, params));
                                     assert.strictEqual(res.status, 403, `${method.name} should return 403`);
                                     const body = await res.json();
                                     assert_jsonrpc_error_response(body, JSONRPC_ERROR_CODES.forbidden);
@@ -87,8 +97,12 @@ const describe_rpc_auth = (options) => {
                     });
                     describe('authenticated without role → forbidden', () => {
                         for (const method of role_methods) {
-                            test(`${method.name} (${method.auth.role})`, async () => {
-                                const res = await apps.authed.request(endpoint.path, create_rpc_post_init(method.name));
+                            test(`${method.name} (${(method.auth.roles ?? []).join('|')})`, async () => {
+                                // Send valid params so we trip the role gate (403), not input
+                                // validation (400).
+                                const action = find_rpc_action(rpc_endpoint_specs, endpoint.path, method.name);
+                                const params = action ? generate_valid_body(action.spec.input) : undefined;
+                                const res = await apps.authed.request(endpoint.path, create_rpc_post_init(method.name, params));
                                 assert.strictEqual(res.status, 403, `${method.name} should return 403`);
                                 const body = await res.json();
                                 assert_jsonrpc_error_response(body, JSONRPC_ERROR_CODES.forbidden);
@@ -102,14 +116,16 @@ const describe_rpc_auth = (options) => {
                         const session_app = create_test_app_from_specs(route_specs, create_test_request_context('keeper'), 'session');
                         const api_token_app = create_test_app_from_specs(route_specs, create_test_request_context('keeper'), 'api_token');
                         for (const method of keeper_methods) {
+                            const action = find_rpc_action(rpc_endpoint_specs, endpoint.path, method.name);
+                            const valid_params = action ? generate_valid_body(action.spec.input) : undefined;
                             test(`${method.name} rejects session credential`, async () => {
-                                const res = await session_app.request(endpoint.path, create_rpc_post_init(method.name));
+                                const res = await session_app.request(endpoint.path, create_rpc_post_init(method.name, valid_params));
                                 assert.strictEqual(res.status, 403, `${method.name} should reject session credential`);
                                 const body = await res.json();
                                 assert_jsonrpc_error_response(body, JSONRPC_ERROR_CODES.forbidden);
                             });
                             test(`${method.name} rejects api_token credential`, async () => {
-                                const res = await api_token_app.request(endpoint.path, create_rpc_post_init(method.name));
+                                const res = await api_token_app.request(endpoint.path, create_rpc_post_init(method.name, valid_params));
                                 assert.strictEqual(res.status, 403, `${method.name} should reject api_token credential`);
                                 const body = await res.json();
                                 assert_jsonrpc_error_response(body, JSONRPC_ERROR_CODES.forbidden);
@@ -279,7 +295,7 @@ const describe_rpc_adversarial_envelopes = (options) => {
                         return;
                     // valid JSON but not an object — hits dispatcher's params validation
                     const res = await apps.public.request(`${endpoint.path}?method=${read_method.name}&id=test&params=42`);
-                    // should reject: either invalid_params (step 4) or auth error (step 3)
+                    // should reject: either invalid_params (validation) or auth error
                     assert.ok(res.status >= 400, `expected error status for non-object params, got ${res.status}`);
                     const body = await res.json();
                     assert_jsonrpc_error_response(body);
@@ -362,16 +378,16 @@ const describe_rpc_adversarial_params = (options) => {
 // --- Helpers (formatting) ---
 /** Format a `RouteAuth` as a human-readable label. */
 const format_auth = (auth) => {
-    switch (auth.type) {
-        case 'none':
-            return 'public';
-        case 'authenticated':
-            return 'authenticated';
-        case 'role':
-            return `role: ${auth.role}`;
-        case 'keeper':
-            return 'keeper';
-    }
+    if (is_public_auth(auth))
+        return 'public';
+    const parts = [];
+    parts.push(`account:${auth.account}`);
+    parts.push(`actor:${auth.actor}`);
+    if (auth.roles?.length)
+        parts.push(`roles:${auth.roles.join('|')}`);
+    if (auth.credential_types?.length)
+        parts.push(`creds:${auth.credential_types.join('|')}`);
+    return parts.join(' ');
 };
 // --- Public API ---
 /**

package/dist/testing/rpc_round_trip.d.ts CHANGED Viewed

@@ -27,7 +27,7 @@ export interface RpcRoundTripTestOptions {
     app_options?: SuiteAppOptions;
     /** Database factories to run tests against. Default: pglite only. */
     db_factories?: Array<DbFactory>;
-    /** Methods to skip, by name (e.g., `'tx_plan'`). */
+    /** Methods to skip, by name (e.g., `'zap_plan'`). */
     skip_methods?: Array<string>;
     /** Override generated params for specific methods (method name → params). */
     input_overrides?: Map<string, Record<string, unknown>>;

package/dist/testing/rpc_round_trip.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rpc_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAEN,KAAK,eAAe,EAGpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;~~AAM9D~~,OAAO,EAMN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAE1B,mDAAmD;AACnD,MAAM,WAAW,uBAAuB;IACvC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;OAUG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,~~oDAAoD~~;~~IACpD~~,YAAY,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,6EAA6E;IAC7E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACvD;AA2BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,6BAA6B,GAAI,SAAS,uBAAuB,KAAG,IA8IhF,CAAC"}
1	+ {"version":3,"file":"rpc_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/rpc_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,OAAO,EAEN,KAAK,eAAe,EAGpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAO9D,OAAO,EAMN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAE1B,mDAAmD;AACnD,MAAM,WAAW,uBAAuB;IACvC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;OAUG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,qDAAqD;IACrD,YAAY,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,6EAA6E;IAC7E,eAAe,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACvD;AA2BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,6BAA6B,GAAI,SAAS,uBAAuB,KAAG,IA8IhF,CAAC"}

package/dist/testing/rpc_round_trip.js CHANGED Viewed

@@ -16,25 +16,26 @@ import { create_pglite_factory } from './db.js';
 import { generate_valid_body } from './schema_generators.js';
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { is_public_auth } from '../http/auth_shape.js';
 import { create_rpc_post_init, create_rpc_get_url, assert_jsonrpc_error_response, assert_jsonrpc_success_response, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
 /**
  * Pick auth headers matching an RPC method's auth requirement.
  */
 const pick_rpc_auth_headers = (method, test_app, authed_account, admin_account) => {
-    switch (method.auth.type) {
-        case 'none':
-            return { host: 'localhost', origin: 'http://localhost:5173' };
-        case 'authenticated':
-            return authed_account.create_session_headers();
-        case 'role':
-            if (method.auth.role === ROLE_ADMIN) {
-                return admin_account.create_session_headers();
-            }
-            // keeper role uses the bootstrapped account
-            return test_app.create_session_headers();
-        case 'keeper':
-            return test_app.create_daemon_token_headers();
+    const { auth } = method;
+    if (is_public_auth(auth)) {
+        return { host: 'localhost', origin: 'http://localhost:5173' };
     }
+    if (auth.credential_types?.includes('daemon_token')) {
+        return test_app.create_daemon_token_headers();
+    }
+    if (auth.roles?.length) {
+        if (auth.roles.includes(ROLE_ADMIN)) {
+            return admin_account.create_session_headers();
+        }
+        return test_app.create_session_headers();
+    }
+    return authed_account.create_session_headers();
 };
 /**
  * Run schema-driven round-trip validation for RPC endpoints.

package/dist/testing/sse_round_trip.d.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import { type DbFactory } from './db.js';
 import { type RpcEndpointsSuiteOption } from './rpc_helpers.js';
 /** Config for a single SSE route under test. */
 export interface SseRouteTestSpec {
-    /** Full HTTP path of the SSE endpoint (e.g., `'/api/tx/subscribe'`). */
+    /** Full HTTP path of the SSE endpoint (e.g., `'/api/zap/subscribe'`). */
     path: string;
     /**
      * Fire an event matching one of the declared `event_specs` that should
@@ -51,9 +51,8 @@ export interface SseRouteTestOptions {
     on_audit_event?: (event: AuditLogEvent) => void;
     /**
      * RPC endpoint specs — required so the close-on-revoke assertion can
-     * dispatch `account_session_revoke_all` via RPC (the former REST route
-     * `POST /api/account/sessions/revoke-all` was removed in the 2026-04-23
-     * migration). Hard-fails via `require_rpc_endpoint_path` on setup.
+     * dispatch `account_session_revoke_all` via RPC (there is no REST
+     * equivalent). Hard-fails via `require_rpc_endpoint_path` on setup.
      *
      * Accepts either an array (eager) or a factory
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form

package/dist/testing/sse_round_trip.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sse_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/sse_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAmB7B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAwB,KAAK,SAAS,EAAuB,MAAM,oBAAoB,CAAC;AAE/F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAEN,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,WAAW,EAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAE9D,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAM1B,gDAAgD;AAChD,MAAM,WAAW,gBAAgB;IAChC,~~wEAAwE~~;~~IACxE~~,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,OAAO,EAAE,CAAC,GAAG,EAAE;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,WAAW,CAAA;KAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E;;;OAGG;IACH,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,8CAA8C;AAC9C,MAAM,WAAW,mBAAmB;IACnC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qDAAqD;IACrD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD~~;;;;;;;;;;;;;OAaG~~;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,8BAA8B;IAC9B,MAAM,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CAChC;AAyHD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,SAAS,mBAAmB,KAAG,IA2HvE,CAAC"}
1	+ {"version":3,"file":"sse_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/sse_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAmB7B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAwB,KAAK,SAAS,EAAuB,MAAM,oBAAoB,CAAC;AAE/F,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,EAEN,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,WAAW,EAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAE9D,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAM1B,gDAAgD;AAChD,MAAM,WAAW,gBAAgB;IAChC,yEAAyE;IACzE,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,OAAO,EAAE,CAAC,GAAG,EAAE;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,WAAW,CAAA;KAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E;;;OAGG;IACH,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,8CAA8C;AAC9C,MAAM,WAAW,mBAAmB;IACnC,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qDAAqD;IACrD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,8BAA8B;IAC9B,MAAM,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAC;CAChC;AAyHD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,wBAAwB,GAAI,SAAS,mBAAmB,KAAG,IA2HvE,CAAC"}

package/dist/testing/sse_round_trip.js CHANGED Viewed

@@ -229,18 +229,14 @@ export const describe_sse_route_tests = (options) => {
  * (keeper, other roles) uses the bootstrapped keeper account.
  */
 const pick_account_for_auth = (spec, test_app, authed_account, admin_account) => {
-    switch (spec.auth.type) {
-        case 'authenticated':
-            return authed_account;
-        case 'role':
-            if (spec.auth.role === ROLE_ADMIN)
-                return admin_account;
-            // keeper role — bootstrapped account is the keeper; model it as a TestAccount
-            return bootstrap_as_account(test_app);
-        case 'keeper':
-        case 'none':
-            return bootstrap_as_account(test_app);
+    const { auth } = spec;
+    if (auth.roles?.includes(ROLE_ADMIN))
+        return admin_account;
+    if (auth.account === 'required' && !auth.roles?.length && !auth.credential_types?.length) {
+        return authed_account;
     }
+    // keeper / other-role / public — bootstrapped account
+    return bootstrap_as_account(test_app);
 };
 /**
  * Treat the bootstrapped `TestApp` account as a `TestAccount` for revocation.

package/dist/testing/standard.d.ts CHANGED Viewed

@@ -36,7 +36,7 @@ export interface StandardTestOptions {
     /**
      * RPC endpoint specs — required. The standard integration tests drive
      * `account_verify`, `account_session_*`, `account_token_*` through the
-     * RPC surface (and admin tests, when wired, drive permit grant/revoke
+     * RPC surface (and admin tests, when wired, drive role_grant grant/revoke
      * through it too).
      *
      * Accepts either an array (eager) or a factory

package/dist/testing/stubs.d.ts CHANGED Viewed

@@ -3,11 +3,13 @@ import type { z } from 'zod';
 import type { SessionOptions } from '../auth/session_cookie.js';
 import type { MiddlewareSpec } from '../http/middleware_spec.js';
 import type { AppDeps } from '../auth/deps.js';
+import type { AuditEmitter } from '../auth/audit_emitter.js';
 import type { AppServerContext } from '../server/app_server.js';
 import { Db } from '../db/db.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type AppSurfaceSpec, type RpcEndpointSpec } from '../http/surface.js';
 import type { EventSpec } from '../realtime/sse.js';
+import { type AuditLogSse } from '../realtime/sse_auth_guard.js';
 /**
  * Create a Proxy that throws descriptive errors on any property access or method call.
  *
@@ -51,6 +53,29 @@ export declare const create_stub_db: () => Db;
 export declare const stub_handler: () => Response;
 /** Stub middleware that passes through. */
 export declare const stub_mw: (_c: any, next: any) => Promise<void>;
+/**
+ * Build a no-op `AuditEmitter` for tests that don't assert on audit fan-out.
+ *
+ * `emit` / `emit_role_grant_target` are no-ops; `emit_pool` resolves
+ * immediately; `notify` is a no-op; `on_event_chain` is a frozen empty
+ * array — pushing onto it throws at runtime, so a test that wires a
+ * listener fails loudly instead of silently never firing. Tests asserting
+ * on real audit-row persistence (or on listener fan-out) build a real
+ * emitter via `create_audit_emitter` against a stub or real DB —
+ * `create_test_app` already does this on the test backend.
+ */
+export declare const create_test_audit_emitter: () => AuditEmitter;
+/**
+ * Build a no-op `AuditLogSse` for tests that wire `audit_sse` into the
+ * surface helper but don't assert on SSE fan-out or subscriber state.
+ *
+ * `subscribe` returns a no-op cleanup; `on_audit_event` is a no-op; the
+ * `registry` is a fresh `SubscriberRegistry` instance (call sites that
+ * inspect `.size` or call `.close_*` see a real registry, so writes are
+ * isolated per test). Tests that need real SSE plumbing build it via
+ * `create_audit_log_sse` against `create_test_app`.
+ */
+export declare const create_stub_audit_sse: () => AuditLogSse;
 /** Stub `AppDeps` for auth surface tests — throws on any method access. */
 export declare const stub_app_deps: AppDeps;
 /**

package/dist/testing/stubs.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"stubs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/stubs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAa7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAC/B,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGzE,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,~~EAAC~~,MAAM,oBAAoB,CAAC;~~AAKlD~~;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,GAAG,GAAG,EAAE,OAAO,MAAM,KAAG,CAqBtD,CAAC;AAET;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,CAAC,GAAG,GAAG,EAAE,QAAQ,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,CAOxF,CAAC;AAET,iEAAiE;AACjE,eAAO,MAAM,IAAI,EAAE,GAAkC,CAAC;AAEtD;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,QAAO,EAI/B,CAAC;AAEJ,gDAAgD;AAChD,eAAO,MAAM,YAAY,QAAO,QAAgC,CAAC;AAEjE,2CAA2C;AAC3C,eAAO,MAAM,OAAO,GAAU,IAAI,GAAG,EAAE,MAAM,GAAG,KAAG,OAAO,CAAC,IAAI,CAAW,CAAC;AAI3E,2EAA2E;AAC3E,eAAO,MAAM,aAAa,EAAE,OAS3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAO,OAStC,CAAC;AAEH,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,GAAI,UAAU;IACpD,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAC/B,KAAG,KAAK,CAAC,cAAc,CAqBvB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,gBAqBF,CAAC;AAEF,kDAAkD;AAClD,MAAM,WAAW,+BAA+B;IAC/C,6DAA6D;IAC7D,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qFAAqF;IACrF,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,oEAAoE;IACpE,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7F,iFAAiF;IACjF,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/E,0DAA0D;IAC1D,sBAAsB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,cA2CF,CAAC"}
1	+ {"version":3,"file":"stubs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/stubs.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAa7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0BAA0B,CAAC;AAE3D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAC/B,OAAO,EAAqB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGzE,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,EAAkB,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAA8B,KAAK,WAAW,EAAC,MAAM,+BAA+B,CAAC;AAM5F;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,GAAG,GAAG,EAAE,OAAO,MAAM,KAAG,CAqBtD,CAAC;AAET;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAI,CAAC,GAAG,GAAG,EAAE,QAAQ,MAAM,EAAE,YAAY,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,CAOxF,CAAC;AAET,iEAAiE;AACjE,eAAO,MAAM,IAAI,EAAE,GAAkC,CAAC;AAEtD;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,QAAO,EAI/B,CAAC;AAEJ,gDAAgD;AAChD,eAAO,MAAM,YAAY,QAAO,QAAgC,CAAC;AAEjE,2CAA2C;AAC3C,eAAO,MAAM,OAAO,GAAU,IAAI,GAAG,EAAE,MAAM,GAAG,KAAG,OAAO,CAAC,IAAI,CAAW,CAAC;AAI3E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,QAAO,YAM3C,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,QAAO,WAUxC,CAAC;AAEF,2EAA2E;AAC3E,eAAO,MAAM,aAAa,EAAE,OAS3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAAO,OAStC,CAAC;AAEH,2FAA2F;AAC3F,eAAO,MAAM,0BAA0B,GAAI,UAAU;IACpD,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAC/B,KAAG,KAAK,CAAC,cAAc,CAqBvB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,iBAAiB,cAAc,CAAC,MAAM,CAAC,KACrC,gBAqBF,CAAC;AAEF,kDAAkD;AAClD,MAAM,WAAW,+BAA+B;IAC/C,6DAA6D;IAC7D,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,qFAAqF;IACrF,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,oEAAoE;IACpE,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACzB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B;;;;;;;;OAQG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7F,iFAAiF;IACjF,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/E,0DAA0D;IAC1D,sBAAsB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,cA2CF,CAAC"}