@fuzdev/fuz_app 0.58.0 → 0.60.0

package/dist/actions/CLAUDE.md

@@ -71,9 +71,14 @@ resolved) and is rejected at registration when paired with
 `auth.account !== 'required'` (no account to key on); `'both'` runs
 both checks. **Throttle-requests semantics** — every invocation records,
 regardless of outcome (different from REST login's throttle-failures
-that resets on success). The motivating threat is admin mutation oracles
-(`invite_create` account-existence probe) where the _successful_
-invocation is the threat. Limiters are configured at server-assembly
+that resets on success). The originally motivating threat is admin
+mutation oracles (`invite_create` account-existence probe) where the
+_successful_ invocation is the threat; the same shape extends to
+authed-spam oracles (`role_grant_offer_create` iterating
+`to_account_id` to probe `ERROR_ACCOUNT_NOT_FOUND`) and to paginated
+cross-account reads (`admin_account_list`, `audit_log_list`,
+`audit_log_role_grant_history`) where every successful page is an
+enumeration step. Limiters are configured at server-assembly
 time via `AppServerOptions.action_ip_rate_limiter` /
 `action_account_rate_limiter` and threaded into both dispatchers
 automatically; consumers wiring `register_action_ws` directly forward
@@ -459,7 +464,7 @@ persistence + rehydration by the consumer.
 wireable via `CreateAppBackendOptions.on_audit_event`. Mirrors the SSE
 guard in `realtime/sse_auth_guard.ts` but targets the WS transport.
 
-`WS_DISCONNECT_EVENT_TYPES` (ReadonlySet): `session_revoke`,
+`ws_disconnect_event_types` (ReadonlySet): `session_revoke`,
 `token_revoke`, `session_revoke_all`, `token_revoke_all`, `password_change`.
 `role_grant_revoke` is intentionally **omitted** — the WS transport does not
 track per-connection role requirements, so role-scoped disconnection would
@@ -479,7 +484,7 @@ caller close another user's socket by guessing a session hash or token id.
 
 `create_ws_logout_closer(transport, log)` is the sibling helper for
 user-initiated `logout` events — kept separate because
-`WS_DISCONNECT_EVENT_TYPES` deliberately omits `logout` (admin-initiated
+`ws_disconnect_event_types` deliberately omits `logout` (admin-initiated
 revocations use `session_revoke`, while `logout` is the user-initiated
 case). Compose the two on `on_audit_event`:
 
@@ -595,9 +600,9 @@ an action through its lifecycle.
 
 - `ActionExecutor` — `'frontend' | 'backend'`
 - `ActionEventStep` — `'initial' | 'parsed' | 'handling' | 'handled' | 'failed'`
-- `ACTION_EVENT_STEP_TRANSITIONS` — valid next-steps: `initial → parsed | failed`, `parsed → handling | failed`, `handling → handled | failed`, `handled`/`failed` terminal.
-- `ACTION_EVENT_PHASE_BY_KIND` — valid phases per kind (`request_response` has 6, `remote_notification` has 2, `local_call` has 1).
-- `ACTION_EVENT_PHASE_TRANSITIONS` — chained phases: `send_request → receive_response`; `receive_request → send_response`; everything else terminal.
+- `action_event_step_transitions` — valid next-steps: `initial → parsed | failed`, `parsed → handling | failed`, `handling → handled | failed`, `handled`/`failed` terminal.
+- `action_event_phase_by_kind` — valid phases per kind (`request_response` has 6, `remote_notification` has 2, `local_call` has 1).
+- `action_event_phase_transitions` — chained phases: `send_request → receive_response`; `receive_request → send_response`; everything else terminal.
 - `ActionEventEnvironment` — `{executor, lookup_action_handler, lookup_action_spec, log?}`. The ambient registry + handler resolver for an `ActionEvent`.
 
 ### `action_event_data.ts`

package/dist/actions/action_codegen.d.ts

@@ -182,7 +182,7 @@ export declare const generate_actions_api_method_signature: (spec: ActionSpecUni
 /** Discriminator for `generate_action_method_enums` — which method-set enums to emit. */
 export type ActionMethodEnumKind = 'all' | 'request_response' | 'remote_notification' | 'local_call' | 'frontend' | 'backend' | 'frontend_handled' | 'backend_handled' | 'broadcast';
 /** Default emit set — every enum kind. */
-export declare const ACTION_METHOD_ENUM_KINDS_ALL: ReadonlySet<ActionMethodEnumKind>;
+export declare const action_method_enum_kinds_all: ReadonlySet<ActionMethodEnumKind>;
 /**
  * Resolve a per-spec identifier qualifier with the standard default-vs-callback
  * dance. When `qualify_spec` is set, returns the caller's callback verbatim

package/dist/actions/action_codegen.js

@@ -416,7 +416,7 @@ ${lines}
 export type ${name} = z.infer<typeof ${name}>;`;
 };
 /** Default emit set — every enum kind. */
-export const ACTION_METHOD_ENUM_KINDS_ALL = new Set([
+export const action_method_enum_kinds_all = new Set([
     'all',
     'request_response',
     'remote_notification',
@@ -483,7 +483,7 @@ export const resolve_spec_qualifier = (imports, options) => {
  *   `cancel` in the emitted enums. Default `false`.
  */
 export const generate_action_method_enums = (specs, imports, options) => {
-    const emit = options?.emit ?? ACTION_METHOD_ENUM_KINDS_ALL;
+    const emit = options?.emit ?? action_method_enum_kinds_all;
     const filtered = filter_protocol_actions(specs, options?.include_protocol_actions);
     const registry = new ActionRegistry([...filtered]);
     const blocks = [];

package/dist/actions/action_event_helpers.d.ts

@@ -59,20 +59,20 @@ export declare const is_notification_send_with_parsed_input: <TMethod extends st
     input: unknown;
 };
 /**
- * Validate that a step transition is legal per `ACTION_EVENT_STEP_TRANSITIONS`.
+ * Validate that a step transition is legal per `action_event_step_transitions`.
  *
  * @throws Error if `from → to` is not a permitted transition
  */
 export declare const validate_step_transition: (from: ActionEventStep, to: ActionEventStep) => void;
 /**
  * Validate that `phase` is one of the phases allowed for `kind` per
- * `ACTION_EVENT_PHASE_BY_KIND`.
+ * `action_event_phase_by_kind`.
  *
  * @throws Error if `phase` is not valid for `kind`
  */
 export declare const validate_phase_for_kind: (kind: ActionKind, phase: ActionEventPhase) => void;
 /**
- * Validate that a phase chain is legal per `ACTION_EVENT_PHASE_TRANSITIONS`.
+ * Validate that a phase chain is legal per `action_event_phase_transitions`.
  *
  * @throws Error if `from → to` is not the permitted next phase (or `from` is terminal)
  */

package/dist/actions/action_event_helpers.js

@@ -3,7 +3,7 @@
  *
  * @module
  */
-import { ACTION_EVENT_STEP_TRANSITIONS, ACTION_EVENT_PHASE_BY_KIND, ACTION_EVENT_PHASE_TRANSITIONS, } from './action_event_types.js';
+import { action_event_step_transitions, action_event_phase_by_kind, action_event_phase_transitions, } from './action_event_types.js';
 // Type guards for action kinds
 export const is_request_response = (data) => data.kind === 'request_response';
 export const is_remote_notification = (data) => data.kind === 'remote_notification';
@@ -28,33 +28,33 @@ export const is_failed = (data) => data.step === 'failed';
 export const is_send_request_with_parsed_input = (data) => is_send_request(data) && (data.step === 'parsed' || data.step === 'handling');
 export const is_notification_send_with_parsed_input = (data) => is_notification_send(data) && (data.step === 'parsed' || data.step === 'handling');
 /**
- * Validate that a step transition is legal per `ACTION_EVENT_STEP_TRANSITIONS`.
+ * Validate that a step transition is legal per `action_event_step_transitions`.
  *
  * @throws Error if `from → to` is not a permitted transition
  */
 export const validate_step_transition = (from, to) => {
-    if (!ACTION_EVENT_STEP_TRANSITIONS[from].includes(to)) {
+    if (!action_event_step_transitions[from].includes(to)) {
         throw new Error(`Invalid step transition from '${from}' to '${to}'`);
     }
 };
 /**
  * Validate that `phase` is one of the phases allowed for `kind` per
- * `ACTION_EVENT_PHASE_BY_KIND`.
+ * `action_event_phase_by_kind`.
  *
  * @throws Error if `phase` is not valid for `kind`
  */
 export const validate_phase_for_kind = (kind, phase) => {
-    if (!ACTION_EVENT_PHASE_BY_KIND[kind].includes(phase)) {
+    if (!action_event_phase_by_kind[kind].includes(phase)) {
         throw new Error(`Invalid phase '${phase}' for ${kind} action`);
     }
 };
 /**
- * Validate that a phase chain is legal per `ACTION_EVENT_PHASE_TRANSITIONS`.
+ * Validate that a phase chain is legal per `action_event_phase_transitions`.
  *
  * @throws Error if `from → to` is not the permitted next phase (or `from` is terminal)
  */
 export const validate_phase_transition = (from, to) => {
-    const expected = ACTION_EVENT_PHASE_TRANSITIONS[from];
+    const expected = action_event_phase_transitions[from];
     if (expected !== to) {
         throw new Error(`Invalid phase transition from '${from}' to '${to}'`);
     }
@@ -79,7 +79,7 @@ export const is_action_complete = (data) => {
     if (data.step !== 'handled')
         return false;
     // Check if in terminal phase
-    const next_phase = ACTION_EVENT_PHASE_TRANSITIONS[data.phase];
+    const next_phase = action_event_phase_transitions[data.phase];
     return next_phase === null;
 };
 export const create_initial_data = (kind, phase, method, executor, input) => ({

package/dist/actions/action_event_types.d.ts

@@ -19,9 +19,9 @@ export declare const ActionEventStep: z.ZodEnum<{
     failed: "failed";
 }>;
 export type ActionEventStep = z.infer<typeof ActionEventStep>;
-export declare const ACTION_EVENT_STEP_TRANSITIONS: Record<ActionEventStep, ReadonlyArray<ActionEventStep>>;
-export declare const ACTION_EVENT_PHASE_BY_KIND: Record<ActionKind, ReadonlyArray<ActionEventPhase>>;
-export declare const ACTION_EVENT_PHASE_TRANSITIONS: Record<ActionEventPhase, ActionEventPhase | null>;
+export declare const action_event_step_transitions: Record<ActionEventStep, ReadonlyArray<ActionEventStep>>;
+export declare const action_event_phase_by_kind: Record<ActionKind, ReadonlyArray<ActionEventPhase>>;
+export declare const action_event_phase_transitions: Record<ActionEventPhase, ActionEventPhase | null>;
 export interface ActionEventEnvironment {
     readonly executor: ActionExecutor;
     lookup_action_handler: (method: string, phase: ActionEventPhase) => ((event: any) => any) | undefined;

package/dist/actions/action_event_types.js

@@ -12,14 +12,14 @@ export const ActionEventStep = z.enum(['initial', 'parsed', 'handling', 'handled
 // value types on the object literal) without narrowing lookups to literal
 // tuple types — a `satisfies` shape forces every `X[k]` reader to widen
 // back to `ReadonlyArray<V>` themselves to call `.includes(...)`.
-export const ACTION_EVENT_STEP_TRANSITIONS = {
+export const action_event_step_transitions = {
     initial: ['parsed', 'failed'],
     parsed: ['handling', 'failed'],
     handling: ['handled', 'failed'],
     handled: [],
     failed: [],
 };
-export const ACTION_EVENT_PHASE_BY_KIND = {
+export const action_event_phase_by_kind = {
     request_response: [
         'send_request',
         'receive_request',
@@ -31,7 +31,7 @@ export const ACTION_EVENT_PHASE_BY_KIND = {
     remote_notification: ['send', 'receive'],
     local_call: ['execute'],
 };
-export const ACTION_EVENT_PHASE_TRANSITIONS = {
+export const action_event_phase_transitions = {
     send_request: 'receive_response',
     receive_request: 'send_response',
     send_response: null,

package/dist/actions/transports_ws_auth_guard.d.ts

@@ -36,7 +36,7 @@ export type AuditEventHandler = (event: AuditLogEvent) => void;
  * require either closing all sockets (too aggressive) or new tracking
  * (out of scope). Consumers that need it compose their own callback.
  */
-export declare const WS_DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
+export declare const ws_disconnect_event_types: ReadonlySet<string>;
 /**
  * Create an audit event handler that closes WebSocket connections on auth changes.
  *
@@ -56,7 +56,7 @@ export declare const create_ws_auth_guard: (transport: BackendWebsocketTransport
  * user-initiated logout.
  *
  * Sibling helper to `create_ws_auth_guard` — kept separate because
- * `WS_DISCONNECT_EVENT_TYPES` deliberately omits `logout` (admin-initiated
+ * `ws_disconnect_event_types` deliberately omits `logout` (admin-initiated
  * revocations use `session_revoke`, while `logout` is the user-initiated
  * case). Three consumers (tx, undying, zzz) hand-rolled this same branch
  * before extraction.

package/dist/actions/transports_ws_auth_guard.js

@@ -23,7 +23,7 @@
  * require either closing all sockets (too aggressive) or new tracking
  * (out of scope). Consumers that need it compose their own callback.
  */
-export const WS_DISCONNECT_EVENT_TYPES = new Set([
+export const ws_disconnect_event_types = new Set([
     'session_revoke',
     'token_revoke',
     'session_revoke_all',
@@ -45,7 +45,7 @@ export const WS_DISCONNECT_EVENT_TYPES = new Set([
  */
 export const create_ws_auth_guard = (transport, log) => {
     return (event) => {
-        if (!WS_DISCONNECT_EVENT_TYPES.has(event.event_type))
+        if (!ws_disconnect_event_types.has(event.event_type))
             return;
         // Failed mutations carry attacker-controlled metadata — never act on them.
         if (event.outcome === 'failure')
@@ -90,7 +90,7 @@ export const create_ws_auth_guard = (transport, log) => {
  * user-initiated logout.
  *
  * Sibling helper to `create_ws_auth_guard` — kept separate because
- * `WS_DISCONNECT_EVENT_TYPES` deliberately omits `logout` (admin-initiated
+ * `ws_disconnect_event_types` deliberately omits `logout` (admin-initiated
  * revocations use `session_revoke`, while `logout` is the user-initiated
  * case). Three consumers (tx, undying, zzz) hand-rolled this same branch
  * before extraction.