@fuzdev/fuz_app 0.55.0 → 0.57.0

package/dist/auth/signup_routes.js

@@ -8,16 +8,15 @@
  * @module
  */
 import { z } from 'zod';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
+import { create_session_and_set_cookie } from './session_middleware.js';
 import { query_create_account_with_actor } from './account_queries.js';
-import { query_invite_find_unclaimed_match, query_invite_claim } from './invite_queries.js';
-import { Username, Email } from './account_schema.js';
+import { query_invite_find_unclaimed_match, query_invite_claim_unscoped } from './invite_queries.js';
+import { Username, Email } from '../primitive_schemas.js';
 import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 import { ERROR_NO_MATCHING_INVITE, ERROR_SIGNUP_CONFLICT, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 import { is_pg_unique_violation } from '../db/pg_error.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
@@ -44,7 +43,7 @@ export const create_signup_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/signup',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Create account (invite-gated or open signup)',
             transaction: false, // manages its own transaction for TOCTOU safety
             input: SignupInput,
@@ -75,24 +74,41 @@ export const create_signup_route_specs = (deps, options) => {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
-                // Check for matching invite (unless open signup is enabled)
+                // Check for matching invite (unless open signup is enabled).
+                // `transaction: false` makes `route.db` the pool, which is
+                // what the pre-tx invite lookup wants.
                 let invite;
                 if (!app_settings.open_signup) {
-                    invite = await query_invite_find_unclaimed_match({ db: route.background_db }, email ?? null, username);
-                    if (!invite) {
-                        if (ip_rate_limiter && ip)
-                            ip_rate_limiter.record(ip);
-                        if (signup_account_rate_limiter)
-                            signup_account_rate_limiter.record(account_key);
-                        return c.json({ error: ERROR_NO_MATCHING_INVITE }, 403);
-                    }
+                    invite = await query_invite_find_unclaimed_match({ db: route.db }, email ?? null, username);
+                }
+                const emit_failure_audit = (reason) => {
+                    deps.audit.emit(route, {
+                        event_type: 'signup',
+                        outcome: 'failure',
+                        ip: get_client_ip(c),
+                        metadata: {
+                            username,
+                            reason,
+                            ...(invite && { invite_id: invite.id }),
+                            ...(email != null && { email }),
+                            ...(app_settings.open_signup && { open_signup: true }),
+                        },
+                    });
+                };
+                if (!app_settings.open_signup && !invite) {
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (signup_account_rate_limiter)
+                        signup_account_rate_limiter.record(account_key);
+                    emit_failure_audit('no_match');
+                    return c.json({ error: ERROR_NO_MATCHING_INVITE }, 403);
                 }
                 // Create account, optionally claim invite, and create session atomically.
                 // Username/email uniqueness enforced by DB unique constraints.
                 const password_hash = await password.hash_password(pw);
                 let result;
                 try {
-                    result = await route.background_db.transaction(async (tx) => {
+                    result = await route.db.transaction(async (tx) => {
                         const tx_deps = { db: tx };
                         const { account } = await query_create_account_with_actor(tx_deps, {
                             username,
@@ -100,9 +116,20 @@ export const create_signup_route_specs = (deps, options) => {
                             email,
                         });
                         if (invite) {
-                            const claimed = await query_invite_claim(tx_deps, invite.id, account.id);
+                            const claimed = await query_invite_claim_unscoped(tx_deps, invite.id, account.id);
                             if (!claimed) {
-                                // Race: invite was claimed between the find and this claim
+                                // Race: invite was claimed between the find and this claim.
+                                //
+                                // SECURITY NOTE: this branch is largely shadowed by the account
+                                // unique constraints. Because `query_invite_find_unclaimed_match`
+                                // returns at most one invite for the (username, email) tuple, two
+                                // concurrent signups satisfying the same find share the same
+                                // username and/or email — and the case-insensitive partial uniques
+                                // on `account.username` / `account.email` (`ACCOUNT_USERNAME_CI_INDEX`
+                                // / `ACCOUNT_EMAIL_INDEX`) fire on the second `query_create_account_with_actor`
+                                // before the claim runs. The audit emit is kept for defense-in-depth
+                                // in case those constraints are loosened or the find query starts
+                                // returning multiple invites for a single signup tuple.
                                 throw new SignupConflictError(ERROR_NO_MATCHING_INVITE);
                             }
                         }
@@ -122,6 +149,7 @@ export const create_signup_route_specs = (deps, options) => {
                             ip_rate_limiter.record(ip);
                         if (signup_account_rate_limiter)
                             signup_account_rate_limiter.record(account_key);
+                        emit_failure_audit('race_lost');
                         return c.json({ error: e.error }, 403);
                     }
                     // Unique constraint violation: username or email already exists.
@@ -130,6 +158,7 @@ export const create_signup_route_specs = (deps, options) => {
                             ip_rate_limiter.record(ip);
                         if (signup_account_rate_limiter)
                             signup_account_rate_limiter.record(account_key);
+                        emit_failure_audit('signup_conflict');
                         return c.json({ error: ERROR_SIGNUP_CONFLICT }, 409);
                     }
                     throw e;
@@ -139,12 +168,12 @@ export const create_signup_route_specs = (deps, options) => {
                     ip_rate_limiter.reset(ip);
                 if (signup_account_rate_limiter)
                     signup_account_rate_limiter.reset(account_key);
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'signup',
                     account_id: result.id,
                     ip: get_client_ip(c),
                     metadata: invite ? { invite_id: invite.id, username } : { open_signup: true, username },
-                }, deps);
+                });
                 return c.json({ ok: true });
             },
         },

package/dist/auth/standard_action_specs.d.ts

@@ -2,7 +2,7 @@
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
  * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
- * action registries into one mounted RPC surface: admin + permit_offer +
+ * action registries into one mounted RPC surface: admin + role_grant_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard
  * method.
@@ -22,7 +22,7 @@
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /**
  * Combined spec registry for the standard RPC surface (admin +
- * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ * role_grant_offer + account). Symmetric with `create_standard_rpc_actions`.
  *
  * Spec count is the sum of the three sub-registries. Adding a method to
  * any sub-registry surfaces here automatically.

package/dist/auth/standard_action_specs.js

@@ -2,7 +2,7 @@
  * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
  *
  * `create_standard_rpc_actions` (in `auth/standard_rpc_actions.ts`) bundles three
- * action registries into one mounted RPC surface: admin + permit_offer +
+ * action registries into one mounted RPC surface: admin + role_grant_offer +
  * account. Frontends mounting that surface need the matching spec list to
  * feed `create_rpc_client` so the typed Proxy knows about every standard
  * method.
@@ -20,17 +20,17 @@
  * @module
  */
 import { all_admin_action_specs } from './admin_action_specs.js';
-import { all_permit_offer_action_specs } from './permit_offer_action_specs.js';
+import { all_role_grant_offer_action_specs } from './role_grant_offer_action_specs.js';
 import { all_account_action_specs } from './account_action_specs.js';
 /**
  * Combined spec registry for the standard RPC surface (admin +
- * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ * role_grant_offer + account). Symmetric with `create_standard_rpc_actions`.
  *
  * Spec count is the sum of the three sub-registries. Adding a method to
  * any sub-registry surfaces here automatically.
  */
 export const all_standard_action_specs = [
     ...all_admin_action_specs,
-    ...all_permit_offer_action_specs,
+    ...all_role_grant_offer_action_specs,
     ...all_account_action_specs,
 ];

package/dist/auth/standard_rpc_actions.d.ts

@@ -1,16 +1,16 @@
 /**
- * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ * Combined admin + role-grant-offer + account RPC actions for fuz_app consumers.
  *
  * The canonical "standard" RPC surface: every stock fuz_app RPC action a
  * typical web consumer wants on one endpoint. Consumers that want a
  * narrower surface drop down to the per-domain factories directly
- * (`create_admin_actions` / `create_permit_offer_actions` /
+ * (`create_admin_actions` / `create_role_grant_offer_actions` /
  * `create_account_actions`).
  *
- * Option routing: shared `roles` flows to both admin and permit-offer;
+ * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to permit-offer only; `max_tokens` goes to account only;
- * `notification_sender` reaches permit-offer transparently (admin + account
+ * to role-grant-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *
  * Paired with `create_admin_rpc_adapters` on the UI side.
@@ -18,39 +18,43 @@
  * @module
  */
 import { type AdminActionOptions } from './admin_actions.js';
-import { type PermitOfferActionDeps, type PermitOfferActionOptions } from './permit_offer_actions.js';
+import { type RoleGrantOfferActionOptions } from './role_grant_offer_actions.js';
 import { type AccountActionOptions } from './account_actions.js';
+import type { RouteFactoryDeps } from './deps.js';
+import type { NotificationSender } from './role_grant_offer_notifications.js';
 import type { RpcAction } from '../actions/action_rpc.js';
 /**
  * Options for `create_standard_rpc_actions`.
  *
  * Composes `AdminActionOptions` (`roles`, `app_settings`),
- * `PermitOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
+ * `RoleGrantOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
  * `AccountActionOptions` (`max_tokens`). `roles` is shared between admin
- * and permit-offer — the caller supplies it once and the helper threads
+ * and role-grant-offer — the caller supplies it once and the helper threads
  * the same reference to both.
  */
-export interface StandardRpcActionsOptions extends AdminActionOptions, PermitOfferActionOptions, AccountActionOptions {
+export interface StandardRpcActionsOptions extends AdminActionOptions, RoleGrantOfferActionOptions, AccountActionOptions {
 }
 /**
  * Dependencies for `create_standard_rpc_actions`.
  *
- * Same shape as `PermitOfferActionDeps` — `log`, `on_audit_event`, and an
- * optional `notification_sender` for permit-offer WS fan-out. Admin and
- * account factories only read `log` + `on_audit_event`; the extra field
- * is harmless.
+ * Stack-standard `RouteFactoryDeps` slice (`log`, `audit`) plus an optional
+ * `notification_sender` consumed only by the role-grant-offer sub-factory
+ * for WS fan-out. Admin and account sub-factories ignore
+ * `notification_sender`.
  */
-export type StandardRpcActionsDeps = PermitOfferActionDeps;
+export interface StandardRpcActionsDeps extends Pick<RouteFactoryDeps, 'log' | 'audit'> {
+    notification_sender?: NotificationSender | null;
+}
 /**
- * Build the combined admin + permit-offer + account RPC action set.
+ * Build the combined admin + role-grant-offer + account RPC action set.
  *
  * Spreads `create_admin_actions(deps, {roles, app_settings})`,
- * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
- * option flows to admin + permit-offer.
+ * option flows to admin + role-grant-offer.
  *
- * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
+ * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export declare const create_standard_rpc_actions: (deps: StandardRpcActionsDeps, options?: StandardRpcActionsOptions) => Array<RpcAction>;

package/dist/auth/standard_rpc_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,qBAAqB,EAC1B,KAAK,wBAAwB,EAC7B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,wBAAwB,EAAE,oBAAoB;CAAG;AAE9E;;;;;;;GAOG;AACH,MAAM,MAAM,sBAAsB,GAAG,qBAAqB,CAAC;AAE3D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}
+{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}

package/dist/auth/standard_rpc_actions.js

@@ -1,16 +1,16 @@
 /**
- * Combined admin + permit-offer + account RPC actions for fuz_app consumers.
+ * Combined admin + role-grant-offer + account RPC actions for fuz_app consumers.
  *
  * The canonical "standard" RPC surface: every stock fuz_app RPC action a
  * typical web consumer wants on one endpoint. Consumers that want a
  * narrower surface drop down to the per-domain factories directly
- * (`create_admin_actions` / `create_permit_offer_actions` /
+ * (`create_admin_actions` / `create_role_grant_offer_actions` /
  * `create_account_actions`).
  *
- * Option routing: shared `roles` flows to both admin and permit-offer;
+ * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to permit-offer only; `max_tokens` goes to account only;
- * `notification_sender` reaches permit-offer transparently (admin + account
+ * to role-grant-offer only; `max_tokens` goes to account only;
+ * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *
  * Paired with `create_admin_rpc_adapters` on the UI side.
@@ -18,22 +18,22 @@
  * @module
  */
 import { create_admin_actions } from './admin_actions.js';
-import { create_permit_offer_actions, } from './permit_offer_actions.js';
+import { create_role_grant_offer_actions, } from './role_grant_offer_actions.js';
 import { create_account_actions } from './account_actions.js';
 /**
- * Build the combined admin + permit-offer + account RPC action set.
+ * Build the combined admin + role-grant-offer + account RPC action set.
  *
  * Spreads `create_admin_actions(deps, {roles, app_settings})`,
- * `create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
+ * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
- * option flows to admin + permit-offer.
+ * option flows to admin + role-grant-offer.
  *
- * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, permit-offer config, account config
+ * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
+ * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export const create_standard_rpc_actions = (deps, options = {}) => [
     ...create_admin_actions(deps, options),
-    ...create_permit_offer_actions(deps, options),
+    ...create_role_grant_offer_actions(deps, options),
     ...create_account_actions(deps, options),
 ];

package/dist/db/migrate.d.ts

@@ -24,7 +24,7 @@
  * **Chain idempotency, not migration idempotency**: the chain-tx wraps every
  * migration replayed in a single boot, so an individual migration may
  * temporarily produce intermediate state that a later migration reverses
- * (e.g. v0's `PERMIT_INDEXES` recreates an index that v1 drops; chain-tx
+ * (e.g. v0's `ROLE_GRANT_INDEXES` recreates an index that v1 drops; chain-tx
  * hides this from observers). What matters is that the *committed end state*
  * matches; the in-tx steps may not be individually idempotent against an
  * arbitrary mid-chain target.

package/dist/db/migrate.js

@@ -24,7 +24,7 @@
  * **Chain idempotency, not migration idempotency**: the chain-tx wraps every
  * migration replayed in a single boot, so an individual migration may
  * temporarily produce intermediate state that a later migration reverses
- * (e.g. v0's `PERMIT_INDEXES` recreates an index that v1 drops; chain-tx
+ * (e.g. v0's `ROLE_GRANT_INDEXES` recreates an index that v1 drops; chain-tx
  * hides this from observers). What matters is that the *committed end state*
  * matches; the in-tx steps may not be individually idempotent against an
  * arbitrary mid-chain target.

package/dist/dev/setup.d.ts

@@ -173,7 +173,7 @@ export interface SeedDevAccountInput {
     username: string;
     /** Account password. Policy is bypassed — any non-empty string is accepted. */
     password: string;
-    /** Roles to grant via permit (idempotent). */
+    /** Roles to grant via role_grant (idempotent). */
     roles?: ReadonlyArray<string>;
 }
 /** Result of `seed_dev_account`. */
@@ -197,7 +197,7 @@ export interface SeedDevAccountDeps extends QueryDeps {
  *
  * Intended for `scripts/dev_setup.ts` — do not call in production.
  *
- * @mutates database - inserts an account/actor pair when missing and grants any requested role permits
+ * @mutates database - inserts an account/actor pair when missing and grants any requested role role_grants
  * @throws Error if an existing account is found without an associated actor row
  */
 export declare const seed_dev_account: (deps: SeedDevAccountDeps, input: SeedDevAccountInput, options?: {

package/dist/dev/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/dev/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACX,WAAW,EACX,aAAa,EACb,OAAO,EACP,UAAU,EACV,YAAY,EACZ,WAAW,EACX,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAQnD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1B,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC5B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,2CAA2C;AAC3C,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF,kCAAkC;AAClC,MAAM,WAAW,cAAc;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;CACb;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAChC,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,aAAa;IAC7B,+CAA+C;IAC/C,KAAK,EAAE,OAAO,CAAC;IACf,wEAAwE;IACxE,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,OAAO,EAAE,UAAU,GAAG,QAAQ,GAAG,MAAM,CAAC;CACxC;AAED,oCAAoC;AACpC,MAAM,WAAW,eAAe;IAC/B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IACrD,qEAAqE;IACrE,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,2CAA2C;AAC3C,MAAM,WAAW,0BAA0B;IAC1C,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,qBAAqB;IACrC,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAID;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAQpD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,WAAW,KAAG,OAAO,CAAC,MAAM,CAI3E,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GACxB,MAAM,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,gBAAgB,CAAC,EACjD,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAU5B,CAAC;AAIF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,EAC5C,UAAU,MAAM,EAChB,cAAc,MAAM,EACpB,UAAU,eAAe,KACvB,OAAO,CAAC,cAAc,CAiDxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,EACtD,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CA0B1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,GAAG,OAAO,EACrE,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CAoB1B,CAAC;AAIF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,WAAW,EACjB,SAAS,MAAM,EACf,UAAU,qBAAqB,KAC7B,OAAO,CAAC,aAAa,CAgBvB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,WAAW,GAAG,UAAU,GAAG,YAAY,EAC7C,cAAc,MAAM,EACpB,UAAU,oBAAoB,KAC5B,OAAO,CAAC,aAAa,CA8CvB,CAAC;AAIF,mCAAmC;AACnC,MAAM,WAAW,mBAAmB;IACnC,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,OAAO,EAAE,OAAO,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACpD,oEAAoE;IACpE,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAC5B,MAAM,kBAAkB,EACxB,OAAO,mBAAmB,EAC1B,UAAU;IAAC,GAAG,CAAC,EAAE,WAAW,CAAA;CAAC,KAC3B,OAAO,CAAC,oBAAoB,CAwC9B,CAAC"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/dev/setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EACX,WAAW,EACX,aAAa,EACb,OAAO,EACP,UAAU,EACV,YAAY,EACZ,WAAW,EACX,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAQnD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC1B,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC5B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,2CAA2C;AAC3C,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF,kCAAkC;AAClC,MAAM,WAAW,cAAc;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;CACb;AAED,yCAAyC;AACzC,MAAM,WAAW,gBAAgB;IAChC,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,aAAa;IAC7B,+CAA+C;IAC/C,KAAK,EAAE,OAAO,CAAC;IACf,wEAAwE;IACxE,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,OAAO,EAAE,UAAU,GAAG,QAAQ,GAAG,MAAM,CAAC;CACxC;AAED,oCAAoC;AACpC,MAAM,WAAW,eAAe;IAC/B;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;IACrD,qEAAqE;IACrE,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,2CAA2C;AAC3C,MAAM,WAAW,0BAA0B;IAC1C,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,qCAAqC;AACrC,MAAM,WAAW,qBAAqB;IACrC,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,GAAG,CAAC,EAAE,WAAW,CAAC;CAClB;AAID;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,MAAM,GAAG,IAQpD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,WAAW,KAAG,OAAO,CAAC,MAAM,CAI3E,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY,GACxB,MAAM,IAAI,CAAC,UAAU,EAAE,MAAM,GAAG,gBAAgB,CAAC,EACjD,UAAU,MAAM,EAChB,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAU5B,CAAC;AAIF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,EAC5C,UAAU,MAAM,EAChB,cAAc,MAAM,EACpB,UAAU,eAAe,KACvB,OAAO,CAAC,cAAc,CAiDxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,EACtD,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CA0B1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,UAAU,GAAG,WAAW,GAAG,YAAY,GAAG,WAAW,GAAG,OAAO,EACrE,UAAU,MAAM,EAChB,UAAU,0BAA0B,KAClC,OAAO,CAAC,gBAAgB,CAoB1B,CAAC;AAIF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,WAAW,EACjB,SAAS,MAAM,EACf,UAAU,qBAAqB,KAC7B,OAAO,CAAC,aAAa,CAgBvB,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,WAAW,GAAG,UAAU,GAAG,YAAY,EAC7C,cAAc,MAAM,EACpB,UAAU,oBAAoB,KAC5B,OAAO,CAAC,aAAa,CA8CvB,CAAC;AAIF,mCAAmC;AACnC,MAAM,WAAW,mBAAmB;IACnC,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,oCAAoC;AACpC,MAAM,WAAW,oBAAoB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,uEAAuE;IACvE,OAAO,EAAE,OAAO,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACpD,oEAAoE;IACpE,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACrD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAC5B,MAAM,kBAAkB,EACxB,OAAO,mBAAmB,EAC1B,UAAU;IAAC,GAAG,CAAC,EAAE,WAAW,CAAA;CAAC,KAC3B,OAAO,CAAC,oBAAoB,CAwC9B,CAAC"}

package/dist/dev/setup.js

@@ -9,7 +9,7 @@
  * @module
  */
 import { query_account_by_username, query_actors_by_account, query_create_account_with_actor, } from '../auth/account_queries.js';
-import { query_grant_permit } from '../auth/permit_queries.js';
+import { query_create_role_grant } from '../auth/role_grant_queries.js';
 /** Default logger using bracket format. */
 export const default_setup_logger = {
     ok: (msg) => console.log(`  [ok] ${msg}`),
@@ -284,7 +284,7 @@ export const reset_database = async (deps, database_url, options) => {
  *
  * Intended for `scripts/dev_setup.ts` — do not call in production.
  *
- * @mutates database - inserts an account/actor pair when missing and grants any requested role permits
+ * @mutates database - inserts an account/actor pair when missing and grants any requested role role_grants
  * @throws Error if an existing account is found without an associated actor row
  */
 export const seed_dev_account = async (deps, input, options) => {
@@ -300,7 +300,7 @@ export const seed_dev_account = async (deps, input, options) => {
         // Dev seed is single-actor by construction; pick the first.
         const actor = actors[0];
         for (const role of input.roles ?? []) {
-            await query_grant_permit(query_deps, {
+            await query_create_role_grant(query_deps, {
                 actor_id: actor.id,
                 role,
                 granted_by: null,
@@ -316,7 +316,7 @@ export const seed_dev_account = async (deps, input, options) => {
         password_hash,
     });
     for (const role of input.roles ?? []) {
-        await query_grant_permit(query_deps, {
+        await query_create_role_grant(query_deps, {
             actor_id: actor.id,
             role,
             granted_by: null,

package/dist/env/load.d.ts

@@ -35,7 +35,7 @@ export declare class EnvValidationError extends Error {
  * `error.all_undefined` before calling this.
  *
  * @param error - the env validation error
- * @param label - optional prefix for log lines (e.g., 'tx daemon', 'env')
+ * @param label - optional prefix for log lines (e.g., 'zap daemon', 'env')
  */
 export declare const log_env_validation_error: (error: EnvValidationError, label?: string) => void;
 /**

package/dist/env/load.js

@@ -42,7 +42,7 @@ export class EnvValidationError extends Error {
  * `error.all_undefined` before calling this.
  *
  * @param error - the env validation error
- * @param label - optional prefix for log lines (e.g., 'tx daemon', 'env')
+ * @param label - optional prefix for log lines (e.g., 'zap daemon', 'env')
  */
 export const log_env_validation_error = (error, label) => {
     const prefix = label ? `[${label}] ` : '';

package/dist/hono_context.d.ts

@@ -12,13 +12,20 @@
  */
 import { z } from 'zod';
 import type { RequestContext } from './auth/request_context.js';
-/** The credential types that can authenticate a request. */
+/**
+ * The credential types that can authenticate a request — the closed set
+ * of fuz_app builtins. The open registry on top
+ * (`create_credential_type_schema(consumer_types)`) is consulted at
+ * registry time by `create_role_schema` for `RoleSpec.required_credential_types`
+ * validation; the wire-validated `CredentialType` enum here stays
+ * narrow because middleware only ever sets one of the three builtins.
+ */
 export declare const CREDENTIAL_TYPES: readonly ["session", "api_token", "daemon_token"];
 /** Credential type — how a request was authenticated. */
 export declare const CredentialType: z.ZodEnum<{
+    daemon_token: "daemon_token";
     session: "session";
     api_token: "api_token";
-    daemon_token: "daemon_token";
 }>;
 export type CredentialType = z.infer<typeof CredentialType>;
 /** Hono context variable name for the credential type. */
@@ -49,39 +56,6 @@ export declare const ACCOUNT_ID_KEY = "auth_account_id";
  * silently bypass the live build.
  */
 export declare const TEST_CONTEXT_PRESET_KEY = "test_context_preset";
-/**
- * Cached parsed JSON request body, keyed by `'cached_request_body'`.
- *
- * Written by `read_raw_acting` (in the dispatcher's authorization
- * phase) when it pre-parses the body to extract the `acting` field;
- * read by `create_input_validation` so the input-validation step does
- * not pay for a second `JSON.parse` on the same Hono-cached body text.
- *
- * Decouples our pipeline from Hono's internal `bodyCache` shape: Hono
- * caches the body *text* (so a second `c.req.json()` call doesn't
- * re-read the request stream), but each call still re-runs
- * `JSON.parse(text)`. Storing the parsed value here saves the second
- * parse and keeps fuz_app from depending on undocumented Hono
- * implementation details.
- *
- * Three states:
- *
- * - Key absent — body has not been pre-parsed yet (the route had no
- *   `acting` to extract, or the request is GET).
- * - `{ok: true, body: unknown}` — pre-parse succeeded; the parsed
- *   value (object, primitive, or array) is in `body`.
- * - `{ok: false}` — pre-parse threw (malformed JSON). The downstream
- *   input-validation step short-circuits with `ERROR_INVALID_JSON_BODY`
- *   instead of re-parsing.
- */
-export declare const CACHED_REQUEST_BODY_KEY = "cached_request_body";
-/** The shape stored under `CACHED_REQUEST_BODY_KEY`. */
-export type CachedRequestBody = {
-    ok: true;
-    body: unknown;
-} | {
-    ok: false;
-};
 declare module 'hono' {
     interface ContextVariableMap {
         /** Resolved client IP, set by the trusted proxy middleware. */
@@ -116,24 +90,32 @@ declare module 'hono' {
          */
         auth_api_token_id: string | null;
         /**
-         * Pending fire-and-forget effects for this request (audit logs, usage tracking, etc.).
-         * Initialized by `create_app_server`. In test mode (`await_pending_effects: true`),
-         * all effects are awaited before the response returns.
+         * Eager fire-and-forget pool writes for this request — audit emits,
+         * session-touch UPDATE, api-token usage tracking. Producers push the
+         * in-flight `Promise<void>` directly. The flush middleware drains via
+         * `flush_pending_effects` after the handler returns. Initialized by
+         * `create_app_server`. In test mode (`await_pending_effects: true`),
+         * every promise resolves before the response returns.
          */
         pending_effects: Array<Promise<void>>;
+        /**
+         * Post-commit thunks pushed via `emit_after_commit(ctx, fn)`. The
+         * flush middleware invokes each thunk after the handler returns —
+         * never inline — so notifications (WS sends, etc.) cannot fire
+         * mid-transaction. Producers do not push raw thunks directly. The
+         * flush owns per-thunk `try/catch` + `log.error` so a directly-pushed
+         * thunk (tests included) cannot escape the safety net.
+         * Initialized by `create_app_server`. In test mode
+         * (`await_pending_effects: true`), every thunk completes before the
+         * response returns.
+         */
+        post_commit_effects: Array<() => void | Promise<void>>;
         /**
          * Set to `true` by test harnesses that pre-populate `request_context`
          * to bypass the dispatcher's DB-backed actor resolution. Read by
          * `apply_authorization_phase`. Production middleware never sets this.
          */
         test_context_preset: boolean;
-        /**
-         * Pre-parsed JSON request body cache. Written by `read_raw_acting`
-         * (the dispatcher's `acting` extractor) and read by
-         * `create_input_validation` so the same body is not parsed twice.
-         * See `CACHED_REQUEST_BODY_KEY` for state semantics.
-         */
-        cached_request_body: CachedRequestBody;
     }
 }
 //# sourceMappingURL=hono_context.d.ts.map

package/dist/hono_context.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAE9D,4DAA4D;AAC5D,eAAO,MAAM,gBAAgB,mDAAoD,CAAC;AAElF,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D,wDAAwD;AACxD,MAAM,MAAM,iBAAiB,GAAG;IAAC,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,EAAE,EAAE,KAAK,CAAA;CAAC,CAAC;AAExE,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;WAIG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC;;;;WAIG;QACH,mBAAmB,EAAE,OAAO,CAAC;QAC7B;;;;;WAKG;QACH,mBAAmB,EAAE,iBAAiB,CAAC;KACvC;CACD"}
+{"version":3,"file":"hono_context.d.ts","sourceRoot":"../src/lib/","sources":["../src/lib/hono_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAO9D;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,mDAInB,CAAC;AAEX,yDAAyD;AACzD,eAAO,MAAM,cAAc;;;;EAA2B,CAAC;AACvD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAE7D,OAAO,QAAQ,MAAM,CAAC;IACrB,UAAU,kBAAkB;QAC3B,+DAA+D;QAC/D,SAAS,EAAE,MAAM,CAAC;QAClB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC,eAAe,EAAE,OAAO,CAAC;QACzB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,eAAe,EAAE,OAAO,CAAC;QACzB,2FAA2F;QAC3F,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;QACvC;;;;;WAKG;QACH,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;QAC/B;;;;;WAKG;QACH,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;QACvC;;;;;;WAMG;QACH,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;QACjC;;;;;;;WAOG;QACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACtC;;;;;;;;;;WAUG;QACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACvD;;;;WAIG;QACH,mBAAmB,EAAE,OAAO,CAAC;KAC7B;CACD"}

package/dist/hono_context.js

@@ -11,8 +11,20 @@
  * @module
  */
 import { z } from 'zod';
-/** The credential types that can authenticate a request. */
-export const CREDENTIAL_TYPES = ['session', 'api_token', 'daemon_token'];
+import { CREDENTIAL_TYPE_API_TOKEN, CREDENTIAL_TYPE_DAEMON_TOKEN, CREDENTIAL_TYPE_SESSION, } from './auth/credential_type_schema.js';
+/**
+ * The credential types that can authenticate a request — the closed set
+ * of fuz_app builtins. The open registry on top
+ * (`create_credential_type_schema(consumer_types)`) is consulted at
+ * registry time by `create_role_schema` for `RoleSpec.required_credential_types`
+ * validation; the wire-validated `CredentialType` enum here stays
+ * narrow because middleware only ever sets one of the three builtins.
+ */
+export const CREDENTIAL_TYPES = [
+    CREDENTIAL_TYPE_SESSION,
+    CREDENTIAL_TYPE_API_TOKEN,
+    CREDENTIAL_TYPE_DAEMON_TOKEN,
+];
 /** Credential type — how a request was authenticated. */
 export const CredentialType = z.enum(CREDENTIAL_TYPES);
 /** Hono context variable name for the credential type. */
@@ -43,29 +55,3 @@ export const ACCOUNT_ID_KEY = 'auth_account_id';
  * silently bypass the live build.
  */
 export const TEST_CONTEXT_PRESET_KEY = 'test_context_preset';
-/**
- * Cached parsed JSON request body, keyed by `'cached_request_body'`.
- *
- * Written by `read_raw_acting` (in the dispatcher's authorization
- * phase) when it pre-parses the body to extract the `acting` field;
- * read by `create_input_validation` so the input-validation step does
- * not pay for a second `JSON.parse` on the same Hono-cached body text.
- *
- * Decouples our pipeline from Hono's internal `bodyCache` shape: Hono
- * caches the body *text* (so a second `c.req.json()` call doesn't
- * re-read the request stream), but each call still re-runs
- * `JSON.parse(text)`. Storing the parsed value here saves the second
- * parse and keeps fuz_app from depending on undocumented Hono
- * implementation details.
- *
- * Three states:
- *
- * - Key absent — body has not been pre-parsed yet (the route had no
- *   `acting` to extract, or the request is GET).
- * - `{ok: true, body: unknown}` — pre-parse succeeded; the parsed
- *   value (object, primitive, or array) is in `body`.
- * - `{ok: false}` — pre-parse threw (malformed JSON). The downstream
- *   input-validation step short-circuits with `ERROR_INVALID_JSON_BODY`
- *   instead of re-parsing.
- */
-export const CACHED_REQUEST_BODY_KEY = 'cached_request_body';