@fuzdev/fuz_app 0.59.0 → 0.60.0

package/dist/auth/migrations.js

@@ -17,7 +17,7 @@
  *
  * To add a migration in the pre-stable phase, prefer extending an existing
  * entry's body (consumers will re-bootstrap on upgrade). If you do append
- * a new entry to `AUTH_MIGRATIONS`, the runner will apply it on existing
+ * a new entry to `auth_migrations`, the runner will apply it on existing
  * tracker rows — the same shape that will become mandatory once the
  * schema stabilizes:
  *
@@ -36,7 +36,7 @@
  *
  * @module
  */
-import { ACCOUNT_SCHEMA, ACCOUNT_EMAIL_INDEX, ACCOUNT_USERNAME_CI_INDEX, ACTOR_SCHEMA, ACTOR_INDEX, ROLE_GRANT_SCHEMA, ROLE_GRANT_INDEXES, AUTH_SESSION_SCHEMA, AUTH_SESSION_INDEXES, API_TOKEN_SCHEMA, API_TOKEN_INDEX, BOOTSTRAP_LOCK_SCHEMA, BOOTSTRAP_LOCK_SEED, INVITE_SCHEMA, INVITE_INDEXES, APP_SETTINGS_SCHEMA, APP_SETTINGS_SEED, } from './auth_ddl.js';
+import { ACCOUNT_SCHEMA, ACCOUNT_EMAIL_INDEX, ACCOUNT_USERNAME_CI_INDEX, ACTOR_SCHEMA, ACTOR_INDEX, ACTOR_NAME_LOWER_INDEX, ROLE_GRANT_SCHEMA, ROLE_GRANT_INDEXES, AUTH_SESSION_SCHEMA, AUTH_SESSION_INDEXES, API_TOKEN_SCHEMA, API_TOKEN_INDEX, BOOTSTRAP_LOCK_SCHEMA, BOOTSTRAP_LOCK_SEED, INVITE_SCHEMA, INVITE_INDEXES, APP_SETTINGS_SCHEMA, APP_SETTINGS_SEED, } from './auth_ddl.js';
 import { AUDIT_LOG_SCHEMA, AUDIT_LOG_INDEXES } from './audit_log_ddl.js';
 import { ROLE_GRANT_OFFER_SCHEMA, ROLE_GRANT_OFFER_PENDING_UNIQUE_INDEX, ROLE_GRANT_OFFER_INBOX_INDEX, ROLE_GRANT_OFFER_SCOPE_SENTINEL_UUID, ROLE_GRANT_OFFER_SCOPE_KIND_GLOBAL_TOKEN, } from './role_grant_offer_ddl.js';
 /** Namespace identifier for fuz_app auth migrations. */
@@ -48,7 +48,7 @@ export const AUTH_MIGRATION_NAMESPACE = 'fuz_auth';
  * as `ReadonlyArray<string>` (not a literal tuple) so `.includes()` accepts
  * any consumer-supplied namespace string without a cast.
  */
-export const RESERVED_MIGRATION_NAMESPACES = [AUTH_MIGRATION_NAMESPACE];
+export const reserved_migration_namespaces = [AUTH_MIGRATION_NAMESPACE];
 /**
  * Auth schema migrations in order.
  *
@@ -69,7 +69,7 @@ export const RESERVED_MIGRATION_NAMESPACES = [AUTH_MIGRATION_NAMESPACE];
  *   (registry-membership validation against `create_scope_kind_schema`);
  *   v2 may add INSERT-time `(role, scope_kind)` enforcement.
  */
-export const AUTH_MIGRATIONS = [
+export const auth_migrations = [
     // v0: full auth schema — all IF NOT EXISTS, safe for existing databases
     {
         name: 'full_auth_schema',
@@ -79,6 +79,7 @@ export const AUTH_MIGRATIONS = [
             await db.query(ACCOUNT_USERNAME_CI_INDEX);
             await db.query(ACTOR_SCHEMA);
             await db.query(ACTOR_INDEX);
+            await db.query(ACTOR_NAME_LOWER_INDEX);
             await db.query(ROLE_GRANT_SCHEMA);
             for (const sql of ROLE_GRANT_INDEXES) {
                 await db.query(sql);
@@ -150,7 +151,7 @@ export const AUTH_MIGRATIONS = [
     },
 ];
 /** Pre-composed migration namespace for auth tables. */
-export const AUTH_MIGRATION_NS = {
+export const auth_migration_ns = {
     namespace: AUTH_MIGRATION_NAMESPACE,
-    migrations: AUTH_MIGRATIONS,
+    migrations: auth_migrations,
 };

package/dist/auth/role_grant_offer_actions.js

@@ -40,7 +40,7 @@
 import { rpc_action, } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
 import { emit_after_commit } from '../http/pending_effects.js';
-import { BUILTIN_ROLE_SPECS_BY_NAME, ROLE_ADMIN, role_has_grant_path, } from './role_schema.js';
+import { builtin_role_specs_by_name, ROLE_ADMIN, role_has_grant_path, } from './role_schema.js';
 import { GRANT_PATH_ADMIN } from './grant_path_schema.js';
 import { ROLE_GRANT_OFFER_DEFAULT_TTL_MS, to_role_grant_offer_json, } from './role_grant_offer_schema.js';
 import { query_role_grant_offer_create, query_role_grant_offer_decline, query_role_grant_offer_retract, query_role_grant_offer_list, query_role_grant_offer_history_for_account, query_accept_offer, RoleGrantOfferActorAccountMismatchError, RoleGrantOfferActorMismatchError, RoleGrantOfferAlreadyTerminalError, RoleGrantOfferExpiredError, RoleGrantOfferNotFoundError, RoleGrantOfferSelfTargetError, } from './role_grant_offer_queries.js';
@@ -108,7 +108,7 @@ export const authorize_admin_or_holder = async (auth, input, _deps, _ctx) => {
  */
 export const create_role_grant_offer_actions = (deps, options = {}) => {
     const { log, audit, notification_sender = null } = deps;
-    const role_specs = options.roles?.role_specs ?? BUILTIN_ROLE_SPECS_BY_NAME;
+    const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const default_ttl_ms = options.default_ttl_ms ?? ROLE_GRANT_OFFER_DEFAULT_TTL_MS;
     const authorize = options.authorize ?? default_authorize;
     // Four denial paths (admin-grant-path gate, authorize, self-target,

package/dist/auth/role_grant_offer_notifications.d.ts

@@ -23,7 +23,7 @@
  * `NotificationSender.send_to_account` argument), not in the payload.
  *
  * The specs surface as `EventSpec`s via `create_action_event_spec` — callers
- * append `ROLE_GRANT_OFFER_NOTIFICATION_SPECS` to their `event_specs` on
+ * append `role_grant_offer_notification_specs` to their `event_specs` on
  * `create_app_server` so the surface reflects them and DEV-mode broadcast
  * validation catches payload drift.
  *
@@ -376,7 +376,7 @@ export declare const role_grant_revoke_notification_spec: {
  * Pass to `create_app_server`'s `event_specs` so the attack surface reflects
  * them and DEV-mode `create_validated_broadcaster` catches payload drift.
  */
-export declare const ROLE_GRANT_OFFER_NOTIFICATION_SPECS: Array<EventSpec>;
+export declare const role_grant_offer_notification_specs: Array<EventSpec>;
 export declare const build_role_grant_offer_received_notification: (params: RoleGrantOfferReceivedParams) => JsonrpcNotification;
 export declare const build_role_grant_offer_retracted_notification: (params: RoleGrantOfferRetractedParams) => JsonrpcNotification;
 export declare const build_role_grant_offer_accepted_notification: (params: RoleGrantOfferAcceptedParams) => JsonrpcNotification;

package/dist/auth/role_grant_offer_notifications.js

@@ -23,7 +23,7 @@
  * `NotificationSender.send_to_account` argument), not in the payload.
  *
  * The specs surface as `EventSpec`s via `create_action_event_spec` — callers
- * append `ROLE_GRANT_OFFER_NOTIFICATION_SPECS` to their `event_specs` on
+ * append `role_grant_offer_notification_specs` to their `event_specs` on
  * `create_app_server` so the surface reflects them and DEV-mode broadcast
  * validation catches payload drift.
  *
@@ -165,7 +165,7 @@ export const role_grant_revoke_notification_spec = {
  * Pass to `create_app_server`'s `event_specs` so the attack surface reflects
  * them and DEV-mode `create_validated_broadcaster` catches payload drift.
  */
-export const ROLE_GRANT_OFFER_NOTIFICATION_SPECS = [
+export const role_grant_offer_notification_specs = [
     create_action_event_spec(role_grant_offer_received_notification_spec),
     create_action_event_spec(role_grant_offer_retracted_notification_spec),
     create_action_event_spec(role_grant_offer_accepted_notification_spec),

package/dist/auth/role_grant_queries.d.ts

@@ -113,6 +113,27 @@ export declare const query_role_grant_find_active_for_actor: (deps: QueryDeps, a
  * The `IS NOT DISTINCT FROM` comparison handles the NULL case uniformly.
  */
 export declare const query_role_grant_has_role: (deps: QueryDeps, actor_id: string, role: string, scope_id?: string | null) => Promise<boolean>;
+/**
+ * Account-grain check: does any actor on `account_id` hold an active
+ * global role_grant for `role`?
+ *
+ * Symmetric with `query_role_grant_has_role` but keyed on the account
+ * instead of a single actor — for surfaces with `auth: actor: 'none'`
+ * that don't load `auth.role_grants` and can't use the in-memory
+ * `has_scoped_role` predicate. Joins `role_grant` → `actor`; matches
+ * only global role_grants (`scope_id IS NULL`) since the use case is
+ * "is the caller's account broadly admin", not scope-aware.
+ *
+ * Fast under the existing `idx_role_grant_actor` index — the inner
+ * `actor_id IN (...)` subquery is index-scan, and the outer EXISTS
+ * stops at the first match.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to check
+ * @param role - the role to check for (e.g. `ROLE_ADMIN`)
+ * @returns `true` if any actor on the account has an active global role_grant for `role`
+ */
+export declare const query_account_has_global_role: (deps: QueryDeps, account_id: string, role: string) => Promise<boolean>;
 /**
  * List all role_grants for an actor (including revoked/expired).
  */

package/dist/auth/role_grant_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}
+{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}

package/dist/auth/role_grant_queries.js

@@ -180,6 +180,37 @@ export const query_role_grant_has_role = async (deps, actor_id, role, scope_id)
 		 ) AS exists`, [actor_id, role, scope_id ?? null]);
     return row?.exists ?? false;
 };
+/**
+ * Account-grain check: does any actor on `account_id` hold an active
+ * global role_grant for `role`?
+ *
+ * Symmetric with `query_role_grant_has_role` but keyed on the account
+ * instead of a single actor — for surfaces with `auth: actor: 'none'`
+ * that don't load `auth.role_grants` and can't use the in-memory
+ * `has_scoped_role` predicate. Joins `role_grant` → `actor`; matches
+ * only global role_grants (`scope_id IS NULL`) since the use case is
+ * "is the caller's account broadly admin", not scope-aware.
+ *
+ * Fast under the existing `idx_role_grant_actor` index — the inner
+ * `actor_id IN (...)` subquery is index-scan, and the outer EXISTS
+ * stops at the first match.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to check
+ * @param role - the role to check for (e.g. `ROLE_ADMIN`)
+ * @returns `true` if any actor on the account has an active global role_grant for `role`
+ */
+export const query_account_has_global_role = async (deps, account_id, role) => {
+    const row = await deps.db.query_one(`SELECT EXISTS(
+			SELECT 1 FROM role_grant
+			WHERE actor_id IN (SELECT id FROM actor WHERE account_id = $1)
+			  AND role = $2
+			  AND scope_id IS NULL
+			  AND revoked_at IS NULL
+			  AND (expires_at IS NULL OR expires_at > NOW())
+		 ) AS exists`, [account_id, role]);
+    return row?.exists ?? false;
+};
 /**
  * List all role_grants for an actor (including revoked/expired).
  */

package/dist/auth/role_schema.d.ts

@@ -63,7 +63,7 @@ export type BuiltinRole = z.infer<typeof BuiltinRole>;
  *   flows. Only useful for diagnostic snapshotting.
  *
  * Builtins (`keeper`, `admin`) ship preconfigured in
- * `BUILTIN_ROLE_SPECS_BY_NAME`.
+ * `builtin_role_specs_by_name`.
  */
 export interface RoleSpec {
     /** Unique role name. Must match `RoleName` regex; collisions with builtins throw. */
@@ -105,7 +105,7 @@ export interface RoleSpec {
  * no effect on already-built role schemas (the factory copies entries
  * into a fresh `Map`).
  */
-export declare const BUILTIN_ROLE_SPECS_BY_NAME: ReadonlyMap<string, RoleSpec>;
+export declare const builtin_role_specs_by_name: ReadonlyMap<string, RoleSpec>;
 /** Optional registries to validate `RoleSpec` cross-axis fields against at construction time. */
 export interface CreateRoleSchemaOptions {
     /** Pass `create_credential_type_schema()` to validate `RoleSpec.required_credential_types` entries. */

package/dist/auth/role_schema.js

@@ -44,7 +44,7 @@ export const BuiltinRole = z.enum(BUILTIN_ROLES);
  * no effect on already-built role schemas (the factory copies entries
  * into a fresh `Map`).
  */
-export const BUILTIN_ROLE_SPECS_BY_NAME = new Map([
+export const builtin_role_specs_by_name = new Map([
     [
         ROLE_KEEPER,
         {
@@ -139,7 +139,7 @@ export const create_role_schema = (consumer_roles, options = {}) => {
         if (!parsed.success) {
             throw new Error(`Invalid role name "${spec.name}": ${parsed.error.issues[0].message}`);
         }
-        if (BUILTIN_ROLE_SPECS_BY_NAME.has(spec.name)) {
+        if (builtin_role_specs_by_name.has(spec.name)) {
             throw new Error(`App role "${spec.name}" collides with builtin role`);
         }
         if (seen.has(spec.name)) {
@@ -150,7 +150,7 @@ export const create_role_schema = (consumer_roles, options = {}) => {
         validate_registry_membership(spec.name, 'applicable_scope_kinds', spec.applicable_scope_kinds, scope_kinds_registry);
         validate_registry_membership(spec.name, 'grant_paths', spec.grant_paths, grant_paths_registry);
     }
-    const role_specs = new Map(BUILTIN_ROLE_SPECS_BY_NAME);
+    const role_specs = new Map(builtin_role_specs_by_name);
     for (const spec of consumer_roles) {
         role_specs.set(spec.name, spec);
     }

package/dist/auth/self_service_role_actions.d.ts

@@ -44,7 +44,7 @@ export interface SelfServiceRoleActionsOptions {
     /**
      * Optional override allowlist of role strings eligible for
      * self-service. When omitted, eligibility is derived from
-     * `roles.role_specs` (or `BUILTIN_ROLE_SPECS_BY_NAME` when `roles`
+     * `roles.role_specs` (or `builtin_role_specs_by_name` when `roles`
      * is also omitted) by selecting every role whose
      * `RoleSpec.grant_paths` includes `'self_service'`. Pass an empty
      * array to lock the surface down (every call comes back as

package/dist/auth/self_service_role_actions.js

@@ -38,7 +38,7 @@
  */
 import { rpc_action } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
-import { BUILTIN_ROLE_SPECS_BY_NAME, list_roles_with_grant_path, } from './role_schema.js';
+import { builtin_role_specs_by_name, list_roles_with_grant_path, } from './role_schema.js';
 import { GRANT_PATH_SELF_SERVICE } from './grant_path_schema.js';
 import { query_create_role_grant, query_revoke_role_grant } from './role_grant_queries.js';
 import { is_role_grant_active } from './account_schema.js';
@@ -55,7 +55,7 @@ import { ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE, self_service_role_set_action_spec
  * @throws Error at factory time if any `eligible_roles` entry is missing from `options.roles.role_specs`
  */
 export const create_self_service_role_actions = (deps, options = {}) => {
-    const role_specs = options.roles?.role_specs ?? BUILTIN_ROLE_SPECS_BY_NAME;
+    const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const eligible = options.eligible_roles
         ? new Set(options.eligible_roles)
         : new Set(list_roles_with_grant_path(role_specs, GRANT_PATH_SELF_SERVICE));

package/dist/auth/session_cookie.d.ts

@@ -38,7 +38,7 @@ export interface SessionCookieOptions {
  * - `sameSite: 'strict'` - Prevents CSRF
  * - `httpOnly: true` - Prevents XSS access to cookie
  */
-export declare const SESSION_COOKIE_OPTIONS: SessionCookieOptions;
+export declare const session_cookie_options: SessionCookieOptions;
 /**
  * Configuration for a session cookie format.
  *

package/dist/auth/session_cookie.js

@@ -31,7 +31,7 @@ const EXPIRES_AT_INTEGER_RE = /^\d+$/;
  * - `sameSite: 'strict'` - Prevents CSRF
  * - `httpOnly: true` - Prevents XSS access to cookie
  */
-export const SESSION_COOKIE_OPTIONS = {
+export const session_cookie_options = {
     path: '/',
     httpOnly: true,
     secure: true,

package/dist/auth/session_middleware.d.ts

@@ -18,7 +18,7 @@ export declare const get_session_cookie: <T>(c: Context, options: SessionOptions
  * `options.max_age` is the single source of truth for cookie lifetime: it
  * drives both the embedded `expires_at` (via `create_session_cookie_value`)
  * and the cookie's HTTP `Max-Age` attribute set here. Falls back to
- * `SESSION_COOKIE_OPTIONS.maxAge` (= `SESSION_AGE_MAX`) when unset.
+ * `session_cookie_options.maxAge` (= `SESSION_AGE_MAX`) when unset.
  * `options.cookie_options` cannot carry `maxAge` (omitted in the type) so
  * the two values can't drift.
  */

package/dist/auth/session_middleware.js

@@ -5,7 +5,7 @@
  * @module
  */
 import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
-import { SESSION_COOKIE_OPTIONS, process_session_cookie, create_session_cookie_value, } from './session_cookie.js';
+import { session_cookie_options, process_session_cookie, create_session_cookie_value, } from './session_cookie.js';
 import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, query_create_session, query_session_enforce_limit, } from './session_queries.js';
 /**
  * Read the session cookie value from a request.
@@ -19,15 +19,15 @@ export const get_session_cookie = (c, options) => {
  * `options.max_age` is the single source of truth for cookie lifetime: it
  * drives both the embedded `expires_at` (via `create_session_cookie_value`)
  * and the cookie's HTTP `Max-Age` attribute set here. Falls back to
- * `SESSION_COOKIE_OPTIONS.maxAge` (= `SESSION_AGE_MAX`) when unset.
+ * `session_cookie_options.maxAge` (= `SESSION_AGE_MAX`) when unset.
  * `options.cookie_options` cannot carry `maxAge` (omitted in the type) so
  * the two values can't drift.
  */
 export const set_session_cookie = (c, value, options) => {
     const cookie_options = {
-        ...SESSION_COOKIE_OPTIONS,
+        ...session_cookie_options,
         ...options.cookie_options,
-        maxAge: options.max_age ?? SESSION_COOKIE_OPTIONS.maxAge,
+        maxAge: options.max_age ?? session_cookie_options.maxAge,
     };
     setCookie(c, options.cookie_name, value, cookie_options);
 };
@@ -36,7 +36,7 @@ export const set_session_cookie = (c, value, options) => {
  */
 export const clear_session_cookie = (c, options) => {
     const cookie_options = {
-        ...SESSION_COOKIE_OPTIONS,
+        ...session_cookie_options,
         ...options.cookie_options,
     };
     deleteCookie(c, options.cookie_name, cookie_options);

package/dist/rate_limiter.d.ts

@@ -43,9 +43,9 @@ export interface RateLimiterOptions {
     max_keys?: number | null;
 }
 /** Default options for per-IP login rate limiting: 5 attempts per 15 minutes. */
-export declare const DEFAULT_LOGIN_IP_RATE_LIMIT: RateLimiterOptions;
+export declare const default_login_ip_rate_limit: RateLimiterOptions;
 /** Default options for per-account login rate limiting: 10 attempts per 30 minutes. */
-export declare const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
+export declare const default_login_account_rate_limit: RateLimiterOptions;
 /**
  * Default options for per-IP action-dispatcher rate limiting: 600 attempts
  * per 15 minutes. Shared by the HTTP RPC and WebSocket action dispatchers
@@ -53,7 +53,7 @@ export declare const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
  * scripts and egregious oracle probes, but well above human or normal
  * automation pace. Tighten downstream for stricter deployments.
  */
-export declare const DEFAULT_ACTION_IP_RATE_LIMIT: RateLimiterOptions;
+export declare const default_action_ip_rate_limit: RateLimiterOptions;
 /**
  * Default options for per-actor action-dispatcher rate limiting: 1200
  * attempts per 15 minutes. Shared by the HTTP RPC and WebSocket action
@@ -61,7 +61,7 @@ export declare const DEFAULT_ACTION_IP_RATE_LIMIT: RateLimiterOptions;
  * admin workflow; an oracle probing 10k addresses still finishes in
  * ~2 hours, slow enough to surface in audit. Tighten downstream.
  */
-export declare const DEFAULT_ACTION_ACCOUNT_RATE_LIMIT: RateLimiterOptions;
+export declare const default_action_account_rate_limit: RateLimiterOptions;
 /**
  * Result of a rate limit check or record operation.
  */
@@ -139,7 +139,7 @@ export declare class RateLimiter {
 /**
  * Create a `RateLimiter` with sensible defaults for per-IP login protection.
  *
- * @param options - override individual options; unset fields use `DEFAULT_LOGIN_IP_RATE_LIMIT`
+ * @param options - override individual options; unset fields use `default_login_ip_rate_limit`
  */
 export declare const create_rate_limiter: (options?: Partial<RateLimiterOptions>) => RateLimiter;
 /**

package/dist/rate_limiter.js

@@ -17,14 +17,14 @@ import { ERROR_RATE_LIMIT_EXCEEDED } from './http/error_schemas.js';
  */
 export const DEFAULT_RATE_LIMITER_MAX_KEYS = 100_000;
 /** Default options for per-IP login rate limiting: 5 attempts per 15 minutes. */
-export const DEFAULT_LOGIN_IP_RATE_LIMIT = {
+export const default_login_ip_rate_limit = {
     max_attempts: 5,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
     max_keys: DEFAULT_RATE_LIMITER_MAX_KEYS,
 };
 /** Default options for per-account login rate limiting: 10 attempts per 30 minutes. */
-export const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT = {
+export const default_login_account_rate_limit = {
     max_attempts: 10,
     window_ms: 30 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -37,7 +37,7 @@ export const DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT = {
  * scripts and egregious oracle probes, but well above human or normal
  * automation pace. Tighten downstream for stricter deployments.
  */
-export const DEFAULT_ACTION_IP_RATE_LIMIT = {
+export const default_action_ip_rate_limit = {
     max_attempts: 600,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -50,7 +50,7 @@ export const DEFAULT_ACTION_IP_RATE_LIMIT = {
  * admin workflow; an oracle probing 10k addresses still finishes in
  * ~2 hours, slow enough to surface in audit. Tighten downstream.
  */
-export const DEFAULT_ACTION_ACCOUNT_RATE_LIMIT = {
+export const default_action_account_rate_limit = {
     max_attempts: 1200,
     window_ms: 15 * 60_000,
     cleanup_interval_ms: 5 * 60_000,
@@ -203,10 +203,10 @@ export class RateLimiter {
 /**
  * Create a `RateLimiter` with sensible defaults for per-IP login protection.
  *
- * @param options - override individual options; unset fields use `DEFAULT_LOGIN_IP_RATE_LIMIT`
+ * @param options - override individual options; unset fields use `default_login_ip_rate_limit`
  */
 export const create_rate_limiter = (options) => {
-    return new RateLimiter({ ...DEFAULT_LOGIN_IP_RATE_LIMIT, ...options });
+    return new RateLimiter({ ...default_login_ip_rate_limit, ...options });
 };
 /**
  * Build a 429 rate-limit-exceeded JSON response with `Retry-After` header.

package/dist/realtime/sse_auth_guard.d.ts

@@ -27,7 +27,7 @@ export declare const AUDIT_LOG_CHANNEL = "audit_log";
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
  */
-export declare const DISCONNECT_EVENT_TYPES: ReadonlySet<string>;
+export declare const disconnect_event_types: ReadonlySet<string>;
 /**
  * Create an audit event handler that closes SSE streams on auth changes.
  *
@@ -69,7 +69,7 @@ export interface AuditLogSse {
  * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
-export declare const AUDIT_LOG_EVENT_SPECS: Array<EventSpec>;
+export declare const audit_log_event_specs: Array<EventSpec>;
 /**
  * Default max concurrent SSE subscribers per session scope for the audit log.
  *
@@ -102,7 +102,7 @@ export declare const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
  * create_audit_log_route_specs({stream: audit_sse});
  *
  * // In create_app_server options:
- * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * event_specs: audit_log_event_specs,
  * ```
  */
 export declare const create_audit_log_sse: (options: {

package/dist/realtime/sse_auth_guard.js

@@ -25,7 +25,7 @@ export const AUDIT_LOG_CHANNEL = 'audit_log';
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
  */
-export const DISCONNECT_EVENT_TYPES = new Set([
+export const disconnect_event_types = new Set([
     'role_grant_revoke', // role revoked — user lost access
     'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
@@ -51,7 +51,7 @@ export const DISCONNECT_EVENT_TYPES = new Set([
  */
 export const create_sse_auth_guard = (registry, required_role, log) => {
     return (event) => {
-        if (!DISCONNECT_EVENT_TYPES.has(event.event_type))
+        if (!disconnect_event_types.has(event.event_type))
             return;
         // Only act on successful revocations. Failed attempts carry
         // attacker-controlled identifiers (e.g., session_revoke with outcome=failure
@@ -98,7 +98,7 @@ export const create_sse_auth_guard = (registry, required_role, log) => {
  * One spec per `AUDIT_EVENT_TYPES` entry, all sharing the `AuditLogEventJson` params schema.
  * Pass to `create_app_server`'s `event_specs` for surface generation and DEV validation.
  */
-export const AUDIT_LOG_EVENT_SPECS = AUDIT_EVENT_TYPES.map((event_type) => ({
+export const audit_log_event_specs = AUDIT_EVENT_TYPES.map((event_type) => ({
     method: event_type,
     params: AuditLogEventJson,
     description: `Audit log: ${event_type.replaceAll('_', ' ')}`,
@@ -136,7 +136,7 @@ export const AUDIT_LOG_SSE_MAX_PER_SCOPE = 10;
  * create_audit_log_route_specs({stream: audit_sse});
  *
  * // In create_app_server options:
- * event_specs: AUDIT_LOG_EVENT_SPECS,
+ * event_specs: audit_log_event_specs,
  * ```
  */
 export const create_audit_log_sse = (options) => {

package/dist/server/app_backend.d.ts

@@ -66,7 +66,7 @@ export interface CreateAppBackendOptions {
      * Audit-log config for consumer event-type extensions. Built once at
      * startup via `create_audit_log_config({extra_events})` and captured
      * inside `AppDeps.audit` so consumer handlers cannot silently fall
-     * back to the builtin config. Omit to use `BUILTIN_AUDIT_LOG_CONFIG`
+     * back to the builtin config. Omit to use `builtin_audit_log_config`
      * (no extra events).
      */
     audit_log_config?: AuditLogConfig;
@@ -76,7 +76,7 @@ export interface CreateAppBackendOptions {
      * (`namespace`, `name`, `sequence`); order is append-only so forward-only
      * guarantees hold per-namespace.
      *
-     * Names in `RESERVED_MIGRATION_NAMESPACES` (currently `['fuz_auth']`) are
+     * Names in `reserved_migration_namespaces` (currently `['fuz_auth']`) are
      * rejected at startup. Omit for no extra namespaces. This is the only
      * place to splice consumer migrations — DB init belongs to the backend
      * lifecycle, not server assembly.
@@ -92,7 +92,7 @@ export interface CreateAppBackendOptions {
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
+ * @throws Error if `migration_namespaces` contains a namespace in `reserved_migration_namespaces`
  */
 export declare const create_app_backend: (options: CreateAppBackendOptions) => Promise<AppBackend>;
 //# sourceMappingURL=app_backend.d.ts.map

package/dist/server/app_backend.js

@@ -13,7 +13,7 @@
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { run_migrations } from '../db/migrate.js';
-import { AUTH_MIGRATION_NS, RESERVED_MIGRATION_NAMESPACES } from '../auth/migrations.js';
+import { auth_migration_ns, reserved_migration_namespaces } from '../auth/migrations.js';
 import { create_db } from '../db/create_db.js';
 /**
  * Initialize the backend: database + auth migrations + deps.
@@ -24,7 +24,7 @@ import { create_db } from '../db/create_db.js';
  *
  * @param options - keyring, password deps, optional database URL, and optional `migration_namespaces`
  * @returns app backend with deps, database metadata, and combined migration results
- * @throws Error if `migration_namespaces` contains a namespace in `RESERVED_MIGRATION_NAMESPACES`
+ * @throws Error if `migration_namespaces` contains a namespace in `reserved_migration_namespaces`
  */
 export const create_app_backend = async (options) => {
     const { database_url, keyring, password, stat, read_text_file, delete_file } = options;
@@ -32,13 +32,13 @@ export const create_app_backend = async (options) => {
     const { db, close, db_type, db_name } = await create_db(database_url);
     if (options.migration_namespaces?.length) {
         for (const ns of options.migration_namespaces) {
-            if (RESERVED_MIGRATION_NAMESPACES.includes(ns.namespace)) {
+            if (reserved_migration_namespaces.includes(ns.namespace)) {
                 throw new Error(`Migration namespace "${ns.namespace}" is reserved by fuz_app — choose a different namespace`);
             }
         }
     }
     const migration_results = await run_migrations(db, [
-        AUTH_MIGRATION_NS,
+        auth_migration_ns,
         ...(options.migration_namespaces ?? []),
     ]);
     const audit = create_audit_emitter({

package/dist/server/app_server.d.ts

@@ -136,7 +136,7 @@ export interface AppServerOptions {
      * When truthy, creates an `AuditLogSse` instance internally, appends the SSE
      * listener to `backend.deps.audit.on_event_chain` (composing with the
      * consumer's `on_audit_event` callback rather than rebuilding `AppDeps`), and
-     * auto-includes `AUDIT_LOG_EVENT_SPECS` in the surface. The result is exposed
+     * auto-includes `audit_log_event_specs` in the surface. The result is exposed
      * on `AppServerContext` (for route factories) and `AppServer` (for the caller).
      *
      * Pass `true` for defaults (admin role), or `{role: 'custom'}` for a custom role.

package/dist/server/app_server.js

@@ -11,10 +11,10 @@ import { Hono } from 'hono';
 import { logger } from 'hono/logger';
 import { bodyLimit } from 'hono/body-limit';
 import { z } from 'zod';
-import { SESSION_COOKIE_OPTIONS, } from '../auth/session_cookie.js';
-import { create_audit_log_sse, AUDIT_LOG_EVENT_SPECS, } from '../realtime/sse_auth_guard.js';
+import { session_cookie_options, } from '../auth/session_cookie.js';
+import { create_audit_log_sse, audit_log_event_specs, } from '../realtime/sse_auth_guard.js';
 import { query_app_settings_load } from '../auth/app_settings_queries.js';
-import { create_rate_limiter, DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT, DEFAULT_ACTION_ACCOUNT_RATE_LIMIT, DEFAULT_ACTION_IP_RATE_LIMIT, } from '../rate_limiter.js';
+import { create_rate_limiter, default_login_account_rate_limit, default_action_account_rate_limit, default_action_ip_rate_limit, } from '../rate_limiter.js';
 // Side-effect import: augments Hono's ContextVariableMap so consumers
 // that import app_server get type-safe c.get('auth_session_id') etc.
 import '../hono_context.js';
@@ -53,19 +53,19 @@ export const create_app_server = async (options) => {
     // Rate limiter defaults (undefined = default, null = disable)
     const ip_rate_limiter = options.ip_rate_limiter === undefined ? create_rate_limiter() : options.ip_rate_limiter;
     const login_account_rate_limiter = options.login_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_login_account_rate_limit)
         : options.login_account_rate_limiter;
     const signup_account_rate_limiter = options.signup_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_login_account_rate_limit)
         : options.signup_account_rate_limiter;
     const bearer_ip_rate_limiter = options.bearer_ip_rate_limiter === undefined
         ? create_rate_limiter()
         : options.bearer_ip_rate_limiter;
     const action_ip_rate_limiter = options.action_ip_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_ACTION_IP_RATE_LIMIT)
+        ? create_rate_limiter(default_action_ip_rate_limit)
         : options.action_ip_rate_limiter;
     const action_account_rate_limiter = options.action_account_rate_limiter === undefined
-        ? create_rate_limiter(DEFAULT_ACTION_ACCOUNT_RATE_LIMIT)
+        ? create_rate_limiter(default_action_account_rate_limit)
         : options.action_account_rate_limiter;
     // Factory-managed audit SSE — appends a listener to the bound emitter's
     // chain so SSE fan-out runs alongside the consumer's `on_audit_event`
@@ -156,7 +156,7 @@ export const create_app_server = async (options) => {
         : middleware_specs;
     const all_event_specs = [
         ...(options.event_specs ?? []),
-        ...(audit_sse ? AUDIT_LOG_EVENT_SPECS : []),
+        ...(audit_sse ? audit_log_event_specs : []),
     ];
     const surface_spec = create_app_surface_spec({
         middleware_specs: surface_middleware,
@@ -176,11 +176,11 @@ export const create_app_server = async (options) => {
                 message: 'Session cookie secure=false — cookies sent over HTTP',
             });
         }
-        if (cookie_opts.sameSite && cookie_opts.sameSite !== SESSION_COOKIE_OPTIONS.sameSite) {
+        if (cookie_opts.sameSite && cookie_opts.sameSite !== session_cookie_options.sameSite) {
             config_diagnostics.push({
                 level: 'warning',
                 category: 'security',
-                message: `Session cookie sameSite='${cookie_opts.sameSite}' — weakened from default '${SESSION_COOKIE_OPTIONS.sameSite}'`,
+                message: `Session cookie sameSite='${cookie_opts.sameSite}' — weakened from default '${session_cookie_options.sameSite}'`,
             });
         }
         if (cookie_opts.httpOnly === false) {