@fuzdev/fuz_app 0.59.0 → 0.61.0

package/dist/ui/admin_sessions_state.svelte.js

@@ -6,71 +6,54 @@
  * `token_revoke_all`); the listing wraps the `admin_session_list` RPC
  * method.
  *
+ * Holds one fetch `AsyncSlot` (`list`) plus two `KeyedAsyncSlot`s keyed by
+ * `account_id` — `revoke_sessions` and `revoke_tokens`. Per-account
+ * concurrent revokes are independent (clicking row B does not abort row A)
+ * and per-row errors surface via `revoke_sessions.error(account_id)` /
+ * `revoke_tokens.error(account_id)`.
+ *
  * @module
  */
-import { SvelteSet } from 'svelte/reactivity';
-import { Loadable } from './loadable.svelte.js';
-export class AdminSessionsState extends Loadable {
+import { AsyncSlot } from './async_slot.svelte.js';
+import { KeyedAsyncSlot } from './keyed_async_slot.svelte.js';
+export class AdminSessionsState {
     #get_rpc;
+    list = new AsyncSlot();
+    revoke_sessions = new KeyedAsyncSlot();
+    revoke_tokens = new KeyedAsyncSlot();
     sessions = $state.raw([]);
-    revoking_account_ids = new SvelteSet();
-    revoking_token_account_ids = new SvelteSet();
     active_count = $derived(this.sessions.length);
     constructor(options) {
-        super();
         this.#get_rpc = options?.get_rpc ?? (() => null);
     }
     /** True when an RPC adapter is wired. `fetch` and the revoke controls no-op without it. */
     get has_rpc() {
         return this.#get_rpc() !== null;
     }
-    async fetch() {
+    #require_rpc() {
         const rpc = this.#get_rpc();
-        if (!rpc) {
-            this.error = 'rpc adapter not wired';
-            return;
-        }
-        await this.run(async () => {
-            const { sessions } = await rpc.list_sessions();
+        if (!rpc)
+            throw new Error('rpc adapter not wired');
+        return rpc;
+    }
+    async fetch() {
+        await this.list.run(async () => {
+            const { sessions } = await this.#require_rpc().list_sessions();
             this.sessions = sessions;
         });
     }
-    async revoke_all_for_account(account_id) {
-        const rpc = this.#get_rpc();
-        if (!rpc) {
-            this.error = 'rpc adapter not wired';
-            return;
-        }
-        this.revoking_account_ids.add(account_id);
-        try {
-            await rpc.session_revoke_all({ account_id });
-            this.error = null;
+    async submit_revoke_sessions(account_id) {
+        await this.revoke_sessions.run(account_id, async () => {
+            await this.#require_rpc().session_revoke_all({ account_id });
+        });
+        if (this.revoke_sessions.succeeded(account_id))
             await this.fetch();
-        }
-        catch (e) {
-            this.error = e instanceof Error ? e.message : 'Failed to revoke sessions';
-        }
-        finally {
-            this.revoking_account_ids.delete(account_id);
-        }
     }
-    async revoke_all_tokens_for_account(account_id) {
-        const rpc = this.#get_rpc();
-        if (!rpc) {
-            this.error = 'rpc adapter not wired';
-            return;
-        }
-        this.revoking_token_account_ids.add(account_id);
-        try {
-            await rpc.token_revoke_all({ account_id });
-            this.error = null;
+    async submit_revoke_tokens(account_id) {
+        await this.revoke_tokens.run(account_id, async () => {
+            await this.#require_rpc().token_revoke_all({ account_id });
+        });
+        if (this.revoke_tokens.succeeded(account_id))
             await this.fetch();
-        }
-        catch (e) {
-            this.error = e instanceof Error ? e.message : 'Failed to revoke tokens';
-        }
-        finally {
-            this.revoking_token_account_ids.delete(account_id);
-        }
     }
 }

package/dist/ui/app_settings_state.svelte.d.ts

@@ -5,9 +5,13 @@
  * `AdminInvitesRpc` / `AuditLogRpc`. Tests can inject plain-function stubs
  * and consumers adapt their typed RPC client to the same shape.
  *
+ * Holds two `AsyncSlot`s — `list` (the initial fetch) and `update` (the
+ * `app_settings_update` write). Slots track status/error; the canonical
+ * `settings` lives on the class so consumers don't unwrap `slot.data`.
+ *
  * @module
  */
-import { Loadable } from './loadable.svelte.js';
+import { AsyncSlot } from './async_slot.svelte.js';
 import type { AppSettingsWithUsernameJson } from '../auth/app_settings_schema.js';
 import type { AppSettingsGetOutput, AppSettingsUpdateInput, AppSettingsUpdateOutput } from '../auth/admin_action_specs.js';
 /**
@@ -35,10 +39,11 @@ export interface AppSettingsStateOptions {
      */
     get_rpc?: () => AppSettingsRpc | null;
 }
-export declare class AppSettingsState extends Loadable {
+export declare class AppSettingsState {
     #private;
+    readonly list: AsyncSlot<void, string>;
+    readonly update: AsyncSlot<void, string>;
     settings: AppSettingsWithUsernameJson | null;
-    updating: boolean;
     constructor(options?: AppSettingsStateOptions);
     /** True when an RPC adapter is wired. All ops require it. */
     get has_rpc(): boolean;

package/dist/ui/app_settings_state.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_settings_state.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/app_settings_state.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EAAC,QAAQ,EAAC,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,EAAC,2BAA2B,EAAC,MAAM,gCAAgC,CAAC;AAChF,OAAO,KAAK,EACX,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,MAAM,+BAA+B,CAAC;AAEvC;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC9B,GAAG,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,MAAM,EAAE,sBAAsB,KAAK,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAC7E;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;qBAAwB,cAAc,GAAG,IAAI;yBAArB,cAAc,GAAG,IAAI,wBAArB,cAAc,GAAG,IAAI;CAEjF,CAAC;AAEF,MAAM,WAAW,uBAAuB;IACvC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,cAAc,GAAG,IAAI,CAAC;CACtC;AAED,qBAAa,gBAAiB,SAAQ,QAAQ;;IAG7C,QAAQ,EAAE,2BAA2B,GAAG,IAAI,CAAoB;IAChE,QAAQ,UAAqB;gBAEjB,OAAO,CAAC,EAAE,uBAAuB;IAK7C,6DAA6D;IAC7D,IAAI,OAAO,IAAI,OAAO,CAErB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAYtB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAiBvD"}
+{"version":3,"file":"app_settings_state.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/app_settings_state.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,EAAC,SAAS,EAAC,MAAM,wBAAwB,CAAC;AACjD,OAAO,KAAK,EAAC,2BAA2B,EAAC,MAAM,gCAAgC,CAAC;AAChF,OAAO,KAAK,EACX,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,MAAM,+BAA+B,CAAC;AAEvC;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC9B,GAAG,EAAE,MAAM,OAAO,CAAC,oBAAoB,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,MAAM,EAAE,sBAAsB,KAAK,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAC7E;AAED;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;qBAAwB,cAAc,GAAG,IAAI;yBAArB,cAAc,GAAG,IAAI,wBAArB,cAAc,GAAG,IAAI;CAEjF,CAAC;AAEF,MAAM,WAAW,uBAAuB;IACvC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,cAAc,GAAG,IAAI,CAAC;CACtC;AAED,qBAAa,gBAAgB;;IAG5B,QAAQ,CAAC,IAAI,0BAAyB;IACtC,QAAQ,CAAC,MAAM,0BAAyB;IAExC,QAAQ,EAAE,2BAA2B,GAAG,IAAI,CAAoB;gBAEpD,OAAO,CAAC,EAAE,uBAAuB;IAI7C,6DAA6D;IAC7D,IAAI,OAAO,IAAI,OAAO,CAErB;IAQK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAOtB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAMvD"}

package/dist/ui/app_settings_state.svelte.js

@@ -5,56 +5,48 @@
  * `AdminInvitesRpc` / `AuditLogRpc`. Tests can inject plain-function stubs
  * and consumers adapt their typed RPC client to the same shape.
  *
+ * Holds two `AsyncSlot`s — `list` (the initial fetch) and `update` (the
+ * `app_settings_update` write). Slots track status/error; the canonical
+ * `settings` lives on the class so consumers don't unwrap `slot.data`.
+ *
  * @module
  */
 import { create_context } from '@fuzdev/fuz_ui/context_helpers.js';
-import { Loadable } from './loadable.svelte.js';
+import { AsyncSlot } from './async_slot.svelte.js';
 /**
  * Svelte context carrying the reactive `AppSettingsRpc` accessor. Mirrors
  * `admin_accounts_rpc_context`. Unset context falls back to `() => null` so
  * `OpenSignupToggle` mounted outside a provisioner hides gracefully.
  */
 export const app_settings_rpc_context = create_context(() => () => null);
-export class AppSettingsState extends Loadable {
+export class AppSettingsState {
     #get_rpc;
+    list = new AsyncSlot();
+    update = new AsyncSlot();
     settings = $state.raw(null);
-    updating = $state.raw(false);
     constructor(options) {
-        super();
         this.#get_rpc = options?.get_rpc ?? (() => null);
     }
     /** True when an RPC adapter is wired. All ops require it. */
     get has_rpc() {
         return this.#get_rpc() !== null;
     }
-    async fetch() {
+    #require_rpc() {
         const rpc = this.#get_rpc();
-        if (!rpc) {
-            this.error = 'rpc adapter not wired';
-            return;
-        }
-        await this.run(async () => {
-            const { settings } = await rpc.get();
+        if (!rpc)
+            throw new Error('rpc adapter not wired');
+        return rpc;
+    }
+    async fetch() {
+        await this.list.run(async () => {
+            const { settings } = await this.#require_rpc().get();
             this.settings = settings;
         });
     }
     async update_open_signup(value) {
-        const rpc = this.#get_rpc();
-        if (!rpc) {
-            this.error = 'rpc adapter not wired';
-            return;
-        }
-        this.updating = true;
-        this.error = null;
-        try {
-            const { settings } = await rpc.update({ open_signup: value });
+        await this.update.run(async () => {
+            const { settings } = await this.#require_rpc().update({ open_signup: value });
             this.settings = settings;
-        }
-        catch (e) {
-            this.error = e instanceof Error ? e.message : 'Failed to update settings';
-        }
-        finally {
-            this.updating = false;
-        }
+        });
     }
 }

package/dist/ui/async_slot.svelte.d.ts

@@ -0,0 +1,173 @@
+/**
+ * Composable async-operation slot for Svelte 5 reactive state classes.
+ *
+ * A state class HOLDS one or more `AsyncSlot`s via composition — one slot
+ * per distinct async operation (e.g. `list` + `create` + `revoke`). Each
+ * slot tracks the status, payload, and error of its operation
+ * independently, so state classes with multiple write paths don't accumulate
+ * ad-hoc `creating` / `updating` fields beside a single shared
+ * `loading` / `error` pair.
+ *
+ * Core surface:
+ *
+ * - **Explicit four-value `status`** — `AsyncStatus` from
+ *   `@fuzdev/fuz_util/async.js`: `'initial' | 'pending' | 'success' |
+ *   'failure'`. `loading: false, error: null` would be ambiguous
+ *   between "never tried" and "succeeded once and now resting"; the
+ *   four-value status removes the need for a per-class `submitted` /
+ *   `hydrated` flag.
+ * - **Owns `data: T | undefined`** — the success payload persists
+ *   across retries (stale-while-revalidate). The sentinel is
+ *   `undefined` (not `null`) so `null` stays available as a legitimate
+ *   success value for nullable `T`s. Pass `T = void` for write-only
+ *   actions whose response isn't worth keeping.
+ * - **Supersession via internal `AbortController`** — a second `run()`
+ *   aborts the first, and superseded results are silently discarded
+ *   without writing to state. Removes the "in-flight call resolves
+ *   after the locator advanced" race that locator-style state classes
+ *   would otherwise need to compensate for.
+ * - **`AbortSignal` threaded to the callback** — RPC clients that accept
+ *   a signal (or `fetch`) get cancellation for free; callers can also
+ *   pass an external `signal` via {@link RunOptions} to bind the slot's
+ *   lifetime to a component / page.
+ * - **`preserve_error_on_retry`** — opt-in to keeping the previous error
+ *   visible while a retry is pending (default clears at the start of
+ *   each `run()`).
+ * - **Per-slot `map_error`** — set once in the constructor
+ *   (`{map_error: to_rpc_error_message}`); every `run()` gets the right
+ *   normalization without re-passing per call.
+ * - **Public `run()`** — slots are composed, not subclassed, so call
+ *   sites can invoke `state.list.run(...)` directly.
+ *
+ * @example
+ * ```ts
+ * class CellsState {
+ *   readonly list = new AsyncSlot<{cells: ReadonlyArray<CellJson>}>();
+ *   readonly create = new AsyncSlot<{cell: CellJson}>({map_error: to_rpc_error_message});
+ *
+ *   async fetch() {
+ *     await this.list.run((signal) => this.#api.cell_list({}, {signal}));
+ *   }
+ *
+ *   async submit_new(input: CellCreateInput) {
+ *     const result = await this.create.run(() => this.#api.cell_create(input));
+ *     if (result) await this.fetch();
+ *   }
+ * }
+ * ```
+ *
+ * @module
+ */
+import type { AsyncStatus } from '@fuzdev/fuz_util/async.js';
+export interface AsyncSlotOptions<T, E = string> {
+    /**
+     * Seed `data` and put the slot in `'success'` before any `run()`. Useful
+     * when the page already has the resource in hand (SSR hydration, a
+     * mutation response, hand-off from a parent slot).
+     */
+    initial?: T;
+    /**
+     * Convert a caught throw into the error value stored in
+     * {@link AsyncSlot.error}. Default extracts `Error.message` (falling
+     * back to `'Request failed'` for non-Error throws). Pass
+     * `to_rpc_error_message` to unwrap JSON-RPC `data.reason` codes.
+     */
+    map_error?: (e: unknown) => E;
+    /**
+     * When `true`, the previous `error` / `error_data` survive the start
+     * of a new `run()` until the next success (or another failure
+     * overwrites them). Useful for retry UX that wants to keep the
+     * failure message visible alongside an inline spinner. Default `false`
+     * — `run()` clears the error at the start so the pending state reads
+     * "no current error."
+     */
+    preserve_error_on_retry?: boolean;
+}
+export interface RunOptions {
+    /**
+     * External signal chained into the slot's internal controller. Aborts
+     * the in-flight run when fired (alongside automatic supersession by
+     * the next `run()` and manual {@link AsyncSlot.abort} calls).
+     */
+    signal?: AbortSignal;
+}
+/**
+ * Reactive container for a single async operation.
+ *
+ * @typeParam T - The success payload type. Use `void` for write-only
+ *   actions whose response isn't worth retaining.
+ * @typeParam E - The shape of {@link AsyncSlot.error}. Defaults to
+ *   `string` (set by the default `map_error`). Narrow to a structured
+ *   type by providing a `map_error` that returns it.
+ */
+export declare class AsyncSlot<T = void, E = string> {
+    #private;
+    status: AsyncStatus;
+    data: T | undefined;
+    error: E | null;
+    /** The raw caught value from the last failed `run()`, for programmatic inspection. */
+    error_data: unknown;
+    /** Convenience derived: `status === 'initial'`. */
+    readonly initial: boolean;
+    /** Convenience derived: `status === 'pending'`. */
+    readonly loading: boolean;
+    /** Convenience derived: `status === 'success'`. */
+    readonly succeeded: boolean;
+    /** Convenience derived: `status === 'failure'`. */
+    readonly failed: boolean;
+    constructor(options?: AsyncSlotOptions<T, E>);
+    /**
+     * Run an async operation. The callback receives an `AbortSignal` it
+     * can forward to fetch / RPC clients that support cancellation; the
+     * slot also discards superseded results internally even if the
+     * callback ignores the signal.
+     *
+     * Supersession rule: a second `run()` aborts the first's signal AND
+     * silently drops its commit if it resolves anyway. So
+     * back-to-back-to-back `run()` calls leave only the last call's
+     * result in `data`.
+     *
+     * Abort rule: a `run()` that throws because of its own signal (manual
+     * `abort()`, external `options.signal`, OR supersession by another
+     * `run()`) does NOT promote to `'failure'`. Manual / external aborts
+     * revert status to the previous resolved state (`'initial'` if no
+     * `run()` has ever succeeded, `'success'` otherwise). Supersession is
+     * handled by the bail-on-mismatch check, leaving the second run's
+     * `'pending'` standing.
+     *
+     * @returns the resolved value on success; `undefined` on failure,
+     *   abort, or supersession
+     */
+    run(fn: (signal: AbortSignal) => Promise<T>, options?: RunOptions): Promise<T | undefined>;
+    /**
+     * Manually abort the in-flight run, if any. Reverts `status`
+     * synchronously to the prior resolved state — `'initial'` if no
+     * `run()` (or `set()`) has ever succeeded on this slot, `'success'`
+     * otherwise. The aborted run's eventual resolution / rejection is
+     * dropped without writing to state (the run's `Promise` resolves to
+     * `undefined`).
+     */
+    abort(reason?: unknown): void;
+    /**
+     * Replace `data` directly and mark the slot `'success'`. For
+     * post-mutation hydration where the calling RPC already returned the
+     * canonical row (parallels `CellState.set_cell`).
+     *
+     * Aborts any in-flight `run()` first — without this, the in-flight
+     * callback could resolve after `set()` and overwrite the explicit
+     * value (the bail-on-mismatch check only fires when `#controller`
+     * was rotated).
+     *
+     * @mutates `this`
+     */
+    set(data: T): void;
+    /**
+     * Reset to `'initial'`, clear `data` / `error` / `error_data`, and
+     * abort any in-flight run. After `reset()` the slot looks like a
+     * fresh instance with no `initial` option.
+     *
+     * @mutates `this`
+     */
+    reset(): void;
+}
+//# sourceMappingURL=async_slot.svelte.d.ts.map

package/dist/ui/async_slot.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"async_slot.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/async_slot.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,2BAA2B,CAAC;AAE3D,MAAM,WAAW,gBAAgB,CAAC,CAAC,EAAE,CAAC,GAAG,MAAM;IAC9C;;;;OAIG;IACH,OAAO,CAAC,EAAE,CAAC,CAAC;IACZ;;;;;OAKG;IACH,SAAS,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,CAAC,CAAC;IAC9B;;;;;;;OAOG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,UAAU;IAC1B;;;;OAIG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,qBAAa,SAAS,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,MAAM;;IAC1C,MAAM,EAAE,WAAW,CAAyB;IAC5C,IAAI,EAAE,CAAC,GAAG,SAAS,CAAwC;IAC3D,KAAK,EAAE,CAAC,GAAG,IAAI,CAAoB;IACnC,sFAAsF;IACtF,UAAU,EAAE,OAAO,CAAoB;IAEvC,mDAAmD;IACnD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAuC;IAChE,mDAAmD;IACnD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAuC;IAChE,mDAAmD;IACnD,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAuC;IAClE,mDAAmD;IACnD,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAuC;gBAcnD,OAAO,GAAE,gBAAgB,CAAC,CAAC,EAAE,CAAC,CAAM;IAUhD;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,GAAG,CACR,EAAE,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,CAAC,CAAC,EACvC,OAAO,GAAE,UAAe,GACtB,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC;IA8DzB;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI;IAM7B;;;;;;;;;;;OAWG;IACH,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI;IASlB;;;;;;OAMG;IACH,KAAK,IAAI,IAAI;CAQb"}

package/dist/ui/async_slot.svelte.js

@@ -0,0 +1,241 @@
+/**
+ * Composable async-operation slot for Svelte 5 reactive state classes.
+ *
+ * A state class HOLDS one or more `AsyncSlot`s via composition — one slot
+ * per distinct async operation (e.g. `list` + `create` + `revoke`). Each
+ * slot tracks the status, payload, and error of its operation
+ * independently, so state classes with multiple write paths don't accumulate
+ * ad-hoc `creating` / `updating` fields beside a single shared
+ * `loading` / `error` pair.
+ *
+ * Core surface:
+ *
+ * - **Explicit four-value `status`** — `AsyncStatus` from
+ *   `@fuzdev/fuz_util/async.js`: `'initial' | 'pending' | 'success' |
+ *   'failure'`. `loading: false, error: null` would be ambiguous
+ *   between "never tried" and "succeeded once and now resting"; the
+ *   four-value status removes the need for a per-class `submitted` /
+ *   `hydrated` flag.
+ * - **Owns `data: T | undefined`** — the success payload persists
+ *   across retries (stale-while-revalidate). The sentinel is
+ *   `undefined` (not `null`) so `null` stays available as a legitimate
+ *   success value for nullable `T`s. Pass `T = void` for write-only
+ *   actions whose response isn't worth keeping.
+ * - **Supersession via internal `AbortController`** — a second `run()`
+ *   aborts the first, and superseded results are silently discarded
+ *   without writing to state. Removes the "in-flight call resolves
+ *   after the locator advanced" race that locator-style state classes
+ *   would otherwise need to compensate for.
+ * - **`AbortSignal` threaded to the callback** — RPC clients that accept
+ *   a signal (or `fetch`) get cancellation for free; callers can also
+ *   pass an external `signal` via {@link RunOptions} to bind the slot's
+ *   lifetime to a component / page.
+ * - **`preserve_error_on_retry`** — opt-in to keeping the previous error
+ *   visible while a retry is pending (default clears at the start of
+ *   each `run()`).
+ * - **Per-slot `map_error`** — set once in the constructor
+ *   (`{map_error: to_rpc_error_message}`); every `run()` gets the right
+ *   normalization without re-passing per call.
+ * - **Public `run()`** — slots are composed, not subclassed, so call
+ *   sites can invoke `state.list.run(...)` directly.
+ *
+ * @example
+ * ```ts
+ * class CellsState {
+ *   readonly list = new AsyncSlot<{cells: ReadonlyArray<CellJson>}>();
+ *   readonly create = new AsyncSlot<{cell: CellJson}>({map_error: to_rpc_error_message});
+ *
+ *   async fetch() {
+ *     await this.list.run((signal) => this.#api.cell_list({}, {signal}));
+ *   }
+ *
+ *   async submit_new(input: CellCreateInput) {
+ *     const result = await this.create.run(() => this.#api.cell_create(input));
+ *     if (result) await this.fetch();
+ *   }
+ * }
+ * ```
+ *
+ * @module
+ */
+/**
+ * Reactive container for a single async operation.
+ *
+ * @typeParam T - The success payload type. Use `void` for write-only
+ *   actions whose response isn't worth retaining.
+ * @typeParam E - The shape of {@link AsyncSlot.error}. Defaults to
+ *   `string` (set by the default `map_error`). Narrow to a structured
+ *   type by providing a `map_error` that returns it.
+ */
+export class AsyncSlot {
+    status = $state.raw('initial');
+    data = $state.raw(undefined);
+    error = $state.raw(null);
+    /** The raw caught value from the last failed `run()`, for programmatic inspection. */
+    error_data = $state.raw(null);
+    /** Convenience derived: `status === 'initial'`. */
+    initial = $derived(this.status === 'initial');
+    /** Convenience derived: `status === 'pending'`. */
+    loading = $derived(this.status === 'pending');
+    /** Convenience derived: `status === 'success'`. */
+    succeeded = $derived(this.status === 'success');
+    /** Convenience derived: `status === 'failure'`. */
+    failed = $derived(this.status === 'failure');
+    #controller = null;
+    /**
+     * Tracks whether any `run()` or `set()` has ever produced a success
+     * result. Used by {@link abort} to revert to `'success'` (vs `'initial'`)
+     * — explicit flag instead of inspecting `data` so the discriminator
+     * stays correct for `T = void` (where success-`data` is `undefined`)
+     * and for nullable `T`s where `null` is a legitimate success value.
+     */
+    #has_succeeded = false;
+    #map_error;
+    #preserve_error;
+    constructor(options = {}) {
+        if (options.initial !== undefined) {
+            this.data = options.initial;
+            this.status = 'success';
+            this.#has_succeeded = true;
+        }
+        this.#map_error = options.map_error ?? default_map_error;
+        this.#preserve_error = options.preserve_error_on_retry ?? false;
+    }
+    /**
+     * Run an async operation. The callback receives an `AbortSignal` it
+     * can forward to fetch / RPC clients that support cancellation; the
+     * slot also discards superseded results internally even if the
+     * callback ignores the signal.
+     *
+     * Supersession rule: a second `run()` aborts the first's signal AND
+     * silently drops its commit if it resolves anyway. So
+     * back-to-back-to-back `run()` calls leave only the last call's
+     * result in `data`.
+     *
+     * Abort rule: a `run()` that throws because of its own signal (manual
+     * `abort()`, external `options.signal`, OR supersession by another
+     * `run()`) does NOT promote to `'failure'`. Manual / external aborts
+     * revert status to the previous resolved state (`'initial'` if no
+     * `run()` has ever succeeded, `'success'` otherwise). Supersession is
+     * handled by the bail-on-mismatch check, leaving the second run's
+     * `'pending'` standing.
+     *
+     * @returns the resolved value on success; `undefined` on failure,
+     *   abort, or supersession
+     */
+    async run(fn, options = {}) {
+        this.#controller?.abort();
+        const controller = new AbortController();
+        this.#controller = controller;
+        const external = options.signal;
+        let external_handler;
+        if (external) {
+            if (external.aborted) {
+                this.abort(external.reason);
+                return undefined;
+            }
+            // Route external abort through the slot's own abort() so the
+            // controller-null + status-revert + signal-fire happens
+            // atomically (same path as manual abort). Listener is
+            // removed in the finally so successful / failing runs don't
+            // leak listeners on long-lived external signals.
+            external_handler = () => {
+                if (this.#controller === controller)
+                    this.abort(external.reason);
+            };
+            external.addEventListener('abort', external_handler, { once: true });
+        }
+        this.status = 'pending';
+        if (!this.#preserve_error) {
+            this.error = null;
+            this.error_data = null;
+        }
+        try {
+            const result = await fn(controller.signal);
+            // Bail if this run was superseded or manually aborted —
+            // `abort()` nulls `#controller`, so the mismatch fires in
+            // both cases. A callback that ignored its signal and
+            // resolved anyway has its result dropped silently.
+            if (this.#controller !== controller)
+                return undefined;
+            this.data = result;
+            this.error = null;
+            this.error_data = null;
+            this.status = 'success';
+            this.#has_succeeded = true;
+            return result;
+        }
+        catch (e) {
+            if (this.#controller !== controller)
+                return undefined;
+            this.error = this.#map_error(e);
+            this.error_data = e;
+            this.status = 'failure';
+            return undefined;
+        }
+        finally {
+            if (external_handler)
+                external?.removeEventListener('abort', external_handler);
+            if (this.#controller === controller)
+                this.#controller = null;
+        }
+    }
+    /**
+     * Abort the in-flight run (if any) and null out the controller field.
+     * Shared by {@link abort}, {@link set}, and {@link reset}.
+     */
+    #clear_controller(reason) {
+        this.#controller?.abort(reason);
+        this.#controller = null;
+    }
+    /**
+     * Manually abort the in-flight run, if any. Reverts `status`
+     * synchronously to the prior resolved state — `'initial'` if no
+     * `run()` (or `set()`) has ever succeeded on this slot, `'success'`
+     * otherwise. The aborted run's eventual resolution / rejection is
+     * dropped without writing to state (the run's `Promise` resolves to
+     * `undefined`).
+     */
+    abort(reason) {
+        if (!this.#controller)
+            return;
+        this.#clear_controller(reason);
+        this.status = this.#has_succeeded ? 'success' : 'initial';
+    }
+    /**
+     * Replace `data` directly and mark the slot `'success'`. For
+     * post-mutation hydration where the calling RPC already returned the
+     * canonical row (parallels `CellState.set_cell`).
+     *
+     * Aborts any in-flight `run()` first — without this, the in-flight
+     * callback could resolve after `set()` and overwrite the explicit
+     * value (the bail-on-mismatch check only fires when `#controller`
+     * was rotated).
+     *
+     * @mutates `this`
+     */
+    set(data) {
+        this.#clear_controller();
+        this.data = data;
+        this.status = 'success';
+        this.#has_succeeded = true;
+        this.error = null;
+        this.error_data = null;
+    }
+    /**
+     * Reset to `'initial'`, clear `data` / `error` / `error_data`, and
+     * abort any in-flight run. After `reset()` the slot looks like a
+     * fresh instance with no `initial` option.
+     *
+     * @mutates `this`
+     */
+    reset() {
+        this.#clear_controller();
+        this.status = 'initial';
+        this.data = undefined;
+        this.error = null;
+        this.error_data = null;
+        this.#has_succeeded = false;
+    }
+}
+const default_map_error = (e) => e instanceof Error ? e.message : 'Request failed';

package/dist/ui/audit_log_state.svelte.d.ts

@@ -6,9 +6,13 @@
  * stream continues to use `EventSource` directly — streams aren't an RPC
  * concern.
  *
+ * Holds two `AsyncSlot`s — `list` (the main event stream) and
+ * `role_grant_history` (the dedicated role-grant history endpoint). Data
+ * lives on the class so SSE pushes and gap-fill calls update it directly.
+ *
  * @module
  */
-import { Loadable } from './loadable.svelte.js';
+import { AsyncSlot } from './async_slot.svelte.js';
 import type { AuditLogEventWithUsernamesJson, RoleGrantHistoryEventJson } from '../auth/audit_log_schema.js';
 import type { AuditLogListInput, AuditLogListOutput, AuditLogRoleGrantHistoryInput, AuditLogRoleGrantHistoryOutput } from '../auth/admin_action_specs.js';
 /**
@@ -38,8 +42,10 @@ export interface AuditLogStateOptions {
     /** SSE stream URL. Defaults to the shipped admin audit-log stream route. */
     stream_url?: string;
 }
-export declare class AuditLogState extends Loadable {
+export declare class AuditLogState {
     #private;
+    readonly list: AsyncSlot<void, string>;
+    readonly role_grant_history: AsyncSlot<void, string>;
     events: Array<AuditLogEventWithUsernamesJson>;
     role_grant_history_events: Array<RoleGrantHistoryEventJson>;
     readonly count: number;

package/dist/ui/audit_log_state.svelte.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_state.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/audit_log_state.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,EAAC,QAAQ,EAAC,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,EAEX,8BAA8B,EAC9B,yBAAyB,EACzB,MAAM,6BAA6B,CAAC;AACrC,OAAO,KAAK,EACX,iBAAiB,EACjB,kBAAkB,EAClB,6BAA6B,EAC7B,8BAA8B,EAC9B,MAAM,+BAA+B,CAAC;AAGvC;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjE,kBAAkB,EAAE,CACnB,KAAK,CAAC,EAAE,6BAA6B,KACjC,OAAO,CAAC,8BAA8B,CAAC,CAAC;CAC7C;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB;qBAAwB,WAAW,GAAG,IAAI;yBAAlB,WAAW,GAAG,IAAI,wBAAlB,WAAW,GAAG,IAAI;CAAmB,CAAC;AAEhG,MAAM,WAAW,oBAAoB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,WAAW,GAAG,IAAI,CAAC;IACnC,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,aAAc,SAAQ,QAAQ;;IAG1C,MAAM,EAAE,KAAK,CAAC,8BAA8B,CAAC,CAAkB;IAC/D,yBAAyB,EAAE,KAAK,CAAC,yBAAyB,CAAC,CAAkB;IAE7E,QAAQ,CAAC,KAAK,SAAgC;IAE9C,qDAAqD;IACrD,SAAS,UAAqB;gBAWlB,OAAO,CAAC,EAAE,oBAAoB;IAM1C,8FAA8F;IAC9F,IAAI,OAAO,IAAI,OAAO,CAErB;IAEK,KAAK,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAajD,wBAAwB,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAY9E;;;;;;;;OAQG;IACH,SAAS,IAAI,MAAM,IAAI;IA0CvB;;;;OAIG;IACH,UAAU,IAAI,IAAI;CAiClB"}
+{"version":3,"file":"audit_log_state.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/audit_log_state.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAKH,OAAO,EAAC,SAAS,EAAC,MAAM,wBAAwB,CAAC;AACjD,OAAO,KAAK,EAEX,8BAA8B,EAC9B,yBAAyB,EACzB,MAAM,6BAA6B,CAAC;AACrC,OAAO,KAAK,EACX,iBAAiB,EACjB,kBAAkB,EAClB,6BAA6B,EAC7B,8BAA8B,EAC9B,MAAM,+BAA+B,CAAC;AAGvC;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,iBAAiB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjE,kBAAkB,EAAE,CACnB,KAAK,CAAC,EAAE,6BAA6B,KACjC,OAAO,CAAC,8BAA8B,CAAC,CAAC;CAC7C;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB;qBAAwB,WAAW,GAAG,IAAI;yBAAlB,WAAW,GAAG,IAAI,wBAAlB,WAAW,GAAG,IAAI;CAAmB,CAAC;AAEhG,MAAM,WAAW,oBAAoB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,WAAW,GAAG,IAAI,CAAC;IACnC,4EAA4E;IAC5E,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,aAAa;;IAGzB,QAAQ,CAAC,IAAI,0BAAyB;IACtC,QAAQ,CAAC,kBAAkB,0BAAyB;IAEpD,MAAM,EAAE,KAAK,CAAC,8BAA8B,CAAC,CAAkB;IAC/D,yBAAyB,EAAE,KAAK,CAAC,yBAAyB,CAAC,CAAkB;IAE7E,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAgC;IAEtD,qDAAqD;IACrD,SAAS,UAAqB;gBAWlB,OAAO,CAAC,EAAE,oBAAoB;IAK1C,8FAA8F;IAC9F,IAAI,OAAO,IAAI,OAAO,CAErB;IAQK,KAAK,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjD,wBAAwB,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO9E;;;;;;;;OAQG;IACH,SAAS,IAAI,MAAM,IAAI;IA0CvB;;;;OAIG;IACH,UAAU,IAAI,IAAI;CAiClB"}