@fuzdev/fuz_app 0.61.0 → 0.63.0

package/dist/actions/CLAUDE.md

@@ -12,12 +12,13 @@ server-authoritative dispatch, role-grant-offer UI integration) see
 ../../docs/usage.md §Deriving Route/Event Specs, §Single JSON-RPC 2.0 Endpoint,
 §WebSocket Endpoint. For DEV-only output validation semantics see
 ../../docs/architecture.md §DEV-only Output Validation. For the SAES
-binding matrix and middleware ordering see the root `../../CLAUDE.md`
+binding matrix and middleware ordering see the root ../../CLAUDE.md
 §Action Spec System (SAES) and §Middleware Ordering.
 
 IMPORTANT: Every exported Zod schema is paired with a same-named `z.infer`
-type export. When adding new schemas, keep the pair invariant — it is the
-convention callers rely on for type imports.
+type export — the convention callers rely on for type imports. When adding
+new schemas, keep the pair invariant (ecosystem-wide rule; see
+Skill(fuz-stack) zod-schemas).
 
 NOTE: `ActionRegistry` keeps a few pre-built getters (auth filters,
 initiator-direction filters) that codegen doesn't consume today — kept
@@ -53,10 +54,10 @@ declarative metadata for consumers (codegen, UI form-state matching, docs)
 to read off the spec instead of scanning handler code. No runtime
 enforcement — drift between declared reasons and what handlers actually
 throw is caught per-module by source-scanning unit tests (see
-`../../test/auth/role_grant_offer_actions.error_reasons.test.ts`). Reuses
+../../test/auth/role*grant_offer_actions.error_reasons.test.ts). Reuses
 the same `as const` string constants the handler throws (e.g.
-`ERROR_ROLE_GRANT_OFFER_*` from `../auth/role_grant_offer_action_specs.ts`,
-`ERROR_ROLE_GRANT_NOT_FOUND` from `../http/error_schemas.ts`) so call
+`ERROR_ROLE_GRANT_OFFER*\*`from`auth/role_grant_offer_action_specs.ts`,
+`ERROR_ROLE_GRANT_NOT_FOUND`from`http/error_schemas.ts`) so call
 sites can import either side. Standard transport errors (validation,
 auth, rate-limit) stay implicit.
 
@@ -119,7 +120,7 @@ The remaining asymmetry today is runtime: there is no
 `Promise<Result<{value}, {error}>>` shape `FrontendActionsApi` methods
 return. Closing those gaps is on the deferred follow-up set in the
 [SAES RPC closeout](https://github.com/ryanatkn/grimoire/blob/main/quests/HISTORY.md#saes-rpc-direction-2026-04)
-(grimoire `lore/fuz_app/TODO.md` § Future Directions tracks the symmetric
+(grimoire `lore/fuz_app/TODO.md` §Future Directions tracks the symmetric
 backend signature, backend RPC client, and local-call symmetry items) —
 wait for a second backend runtime case.
 
@@ -217,7 +218,7 @@ and `FrontendActionHandlers`.
 - `generate_action_event_datas(specs, imports, {same_file?, collections_path?, include_protocol_actions?})` — `ActionEventDatas` interface; per-spec variant by kind (`ActionEventRequestResponseData` / `ActionEventRemoteNotificationData` / `ActionEventLocalCallData`). `same_file` (default `true`) is the file-layout switch: when `true`, assumes `ActionInputs` / `ActionOutputs` are in the same module and adds no import (the zzz pattern); when `false`, adds the type imports from `collections_path` (default `'./action_collections.js'`). `collections_path` alone is a no-op — the surprising omit-vs-default behavior of earlier versions has been replaced.
 - `generate_frontend_actions_api(specs, imports, {interface_name?, method_filter?, collections_path?, sync_returns_value?, include_protocol_actions?})` — emits the typed `FrontendActionsApi` interface (configurable via `interface_name`, default `'FrontendActionsApi'`). One method signature per spec via `generate_actions_api_method_signature`. Protocol actions filtered by default; `method_filter: (spec) => boolean` runs after the protocol-action filter. Renamed from `generate_actions_api` in API review III to make the side-of-the-wire intent visible at every consumer site.
 - `generate_frontend_action_handlers(specs, imports, {collections_path?, include_protocol_actions?})` — `FrontendActionHandlers` interface (Tier 2 only — wraps `generate_phase_handlers` with `action_event_type: 'TypedActionEvent'`). Pair with `generate_typed_action_event_alias`.
-- `generate_backend_actions_api(specs, imports, {interface_name?, spec_array_name?, specs_module?, collections_path?, qualify_spec?, include_protocol_actions?})` — `BackendActionsApi` interface AND `broadcast_action_specs: ReadonlyArray<ActionSpecUnion>` array (both names configurable). Filter: `kind === 'remote_notification' && initiator !== 'frontend'`, with `streams`-target methods (request-scoped progress notifications invoked via `ctx.notify`) excluded — the discriminator is `ActionSpec.streams`, not a manual list. Adds `ActionInputs` (from `collections_path`) + `ActionSpecUnion`, plus `* as specs` from `specs_module` unless `qualify_spec` is set. Method shape today is `(input) => Promise<void>` (matches `create_broadcast_api`'s fire-and-forget runtime); generalizing to per-kind shapes via `generate_actions_api_method_signature` is deferred until a second backend runtime constructor lands (tracked in grimoire `lore/fuz_app/TODO.md` § Future Directions, _Symmetric backend signature shape_).
+- `generate_backend_actions_api(specs, imports, {interface_name?, spec_array_name?, specs_module?, collections_path?, qualify_spec?, include_protocol_actions?})` — `BackendActionsApi` interface AND `broadcast_action_specs: ReadonlyArray<ActionSpecUnion>` array (both names configurable). Filter: `kind === 'remote_notification' && initiator !== 'frontend'`, with `streams`-target methods (request-scoped progress notifications invoked via `ctx.notify`) excluded — the discriminator is `ActionSpec.streams`, not a manual list. Adds `ActionInputs` (from `collections_path`) + `ActionSpecUnion`, plus `* as specs` from `specs_module` unless `qualify_spec` is set. Method shape today is `(input) => Promise<void>` (matches `create_broadcast_api`'s fire-and-forget runtime); generalizing to per-kind shapes via `generate_actions_api_method_signature` is deferred until a second backend runtime constructor lands (tracked in grimoire `lore/fuz_app/TODO.md` §Future Directions, _Symmetric backend signature shape_).
 - `generate_backend_action_handlers_map(imports, options?)` — emits the `BackendActionHandlers` mapped type (`{[K in BackendRequestResponseMethod]: (input: ActionInputs[K], ctx: BackendHandlerContext) => ActionOutputs[K] | Promise<ActionOutputs[K]>}`). Replaces the hand-maintained `Exclude<>` + parallel mapped-type pattern (zzz had this at `zzz/src/lib/server/zzz_action_handlers.ts:42-66`). Configurable type name, method enum name, and context type name; configurable `collections_path` / `metatypes_path` for the type imports.
 
 ### Wrapper + multi-source helper
@@ -225,6 +226,24 @@ and `FrontendActionHandlers`.
 - `compose_gen_file({origin_path, imports, blocks})` — encapsulates the per-`*.gen.ts` boilerplate (banner + `imports.build()` + blocks join + template literal). Returns the full file body. Each consumer producer collapses to one `compose_gen_file` call wrapping the helper invocations.
 - `create_namespace_qualifier(sources, imports)` — multi-source consumer helper. Takes `ReadonlyArray<{ns, module, specs}>`, registers `import * as ns from module` for each on `imports`, builds the `method_to_ns` lookup with duplicate-method detection, returns `{qualify_spec, all_specs}` ready to thread through the high-level helpers. Closes the per-file boilerplate gap that kept zap + visiones on hand-rolled template strings even after the `qualify_spec?` callback landed (the per-call callback wasn't enough — the import dance + dup-check was the real boilerplate).
 
+## Registry compile (`compile_action_registry.ts`)
+
+Shared registration loop called by both `create_rpc_endpoint` and
+`register_action_ws`. Validates four invariants and returns the
+`Map<method, RpcAction>` the dispatchers use:
+
+1. Auth-shape biconditional (`assert_route_auth_acting_biconditional` —
+   `auth.actor !== 'none' ⟺ input declares acting?: ActingActor`).
+2. Rate-limit / account axis — `rate_limit: 'account' | 'both'` requires
+   `auth.account === 'required'`.
+3. JSON-RPC §4.2 wire validity — `request_response` specs with a handler
+   may not use `z.null()` for input (use `z.void()` for nullary).
+4. Unique `method` across the array.
+
+Only `request_response` specs with a handler reach the dispatch map;
+`remote_notification` / handler-less specs (e.g. WS `cancel`) stay
+registry-only.
+
 ## HTTP bridge (`action_bridge.ts`)
 
 Derives transport-specific specs from action specs. HTTP-specific concerns
@@ -256,7 +275,7 @@ surface is published in `library.json` codegen anyway.
 Shim responsibilities:
 
 1. **Parse envelope** — POST body as `JsonrpcRequest` (parse errors → JSON-RPC `parse_error` 400). GET reads `method`, `id`, `params` from query string; missing `method`/`id` → 400 `invalid_request`. Integer `id` normalization: `?id=42` matches `{id: 42}`.
-2. **Lookup method** — `Map<method, RpcAction>`. Unknown method → `method_not_found`. Duplicate methods throw at construction. Registration also runs `assert_route_auth_acting_biconditional(spec.auth, {input: spec.input}, ...)` to enforce invariant 2 — the helper takes a `{input, query?}` slot set so REST (input + query bi-located) and actions (input-only) share one entry point with surface-appropriate error messages.
+2. **Lookup method** — `Map<method, RpcAction>` built via `compile_action_registry` (which runs the registry-time invariants — see §Registry compile above). Unknown method → `method_not_found`.
 3. **GET read restriction** — GET is rejected for `side_effects: true` actions (`invalid_request` with "must use POST"). HTTP-only.
 4. **Build PerformActionInput** — read `account_id` / `credential_type` from `c.var`, resolve `client_ip` via `get_client_ip`, pass `c.req.raw.signal` as `signal`, build a DEV-warn-and-drop `notify`. Test-preset escape hatch reads `TEST_CONTEXT_PRESET_KEY` + `REQUEST_CONTEXT_KEY` and forwards as `preset.request_context`.
 5. **Call `perform_action`** — runs steps 1–6 of the shared pipeline (see §Shared dispatch core below).
@@ -301,6 +320,7 @@ interface ActionContext {
 	pending_effects: Array<Promise<void>>; // eager pool writes already in flight — see http/CLAUDE.md §Pending Effects
 	post_commit_effects: Array<() => void | Promise<void>>; // deferred — push via `emit_after_commit`
 	client_ip: string;
+	credential_type: CredentialType | null; // session | api_token | daemon_token (or null for anonymous) — same value the credential_types gate consumed
 	log: Logger;
 	notify: (method, params) => void; // HTTP: DEV-mode warn + drop (no streaming channel); WS: socket-scoped
 	signal: AbortSignal; // HTTP: client-disconnect; WS: AbortSignal.any([socket_close, request_cancel])
@@ -358,19 +378,8 @@ narrowing — ideal when handlers are stateless free functions. fuz_app's
 handlers close over factory-captured deps (`log`, `audit`,
 `options.app_settings`, `options.max_tokens`), so per-pair typing via
 `rpc_action()` is the right shape here: the binding happens at
-construction time and the handler keeps its closure. Applied across
-all four registries — `admin_actions.ts`,
-`role_grant_offer_actions.ts`, `self_service_role_actions.ts` (every
-spec there is actor-implying), and `account_actions.ts` (account-grain).
-The conditional auto-selects the right tier per spec; consumers don't
-pick a binder.
-
-The earlier two-binder split (`rpc_action` + `rpc_actor_action`) was
-collapsed once the symmetric account-grain narrowing landed. Same
-runtime; the second symbol no longer added information the spec
-literal didn't already carry. Uniform binding keeps a future handler
-that gains `ctx.auth.actor` reads from accidentally landing on a
-looser narrow — the spec literal drives the type either way.
+construction time and the handler keeps its closure. The conditional
+auto-selects the right tier per spec; consumers don't pick a binder.
 
 ## Transports (`transports.ts`, `transports_http.ts`, `transports_ws.ts`, `transports_ws_backend.ts`)
 
@@ -451,7 +460,7 @@ Fan-out:
 
 - `send(notification)` — broadcasts to every connection (current `send(request)` returns an internal_error "not yet implemented" — backend cannot initiate request-response).
 - `broadcast_filtered(message, predicate)` — per-connection predicate over `ConnectionIdentity`; skips non-matching. Returns count.
-- `send_to_account(account_id, message)` — targeted wrapper over `broadcast_filtered`. Mirrors `close_sockets_for_account` on the send side (every connection for the account). Structurally satisfies the `NotificationSender` interface from `auth/role_grant_offer_notifications.ts` (see `../auth/CLAUDE.md` §WS notifications).
+- `send_to_account(account_id, message)` — targeted wrapper over `broadcast_filtered`. Mirrors `close_sockets_for_account` on the send side (every connection for the account). Structurally satisfies the `NotificationSender` interface from `auth/role_grant_offer_notifications.ts` (see `auth/CLAUDE.md` §WS notifications).
 - `get_connection_count()` — telemetry counter over the connection map.
 
 Return values are bookkeeping, not delivery receipts — `0` means no live
@@ -520,7 +529,7 @@ and optional `required_role: RoleName`. Returns `{transport}`. Note:
 `required_role` is a **coarse upgrade-time gate** — per-action `auth` in
 each spec still applies at dispatch time via `perform_action`.
 (`verify_request_source` and `require_auth` / `require_role` are from
-`../auth/`; see `../auth/CLAUDE.md` §Middleware for their semantics.)
+`auth/`; see `auth/CLAUDE.md` §Middleware for their semantics.)
 
 ### `register_action_ws` (`register_action_ws.ts`) — lower-level
 
@@ -529,11 +538,11 @@ dispatcher without the origin/auth front-stack.
 
 Actions are passed as `ReadonlyArray<Action>` — the composable
 `{spec, handler?}` tuple shared with `create_rpc_client`. The dispatcher
-fans the array into a `spec_by_method` map (drives envelope-shape
-validation) and an `action_map: Map<string, RpcAction>` (drives
-invocation, only request_response specs with a handler). Specs without
-a handler (client-only / dispatcher-handled like `cancel`) miss
-`action_map` and surface as `method_not_found` if the wire targets them.
+builds its `action_map: Map<string, RpcAction>` via `compile_action_registry`
+(see §Registry compile above) — only `request_response` specs with a
+handler land in the map. Specs without a handler (client-only /
+dispatcher-handled like `cancel`) surface as `method_not_found` if the
+wire targets them.
 
 Required deps: `db: Db` (pool-level, used by `perform_action` for both the
 per-message authorization phase and the transactional dispatch wrap when
@@ -577,7 +586,7 @@ Per-message side-effect queues: `pending_effects: Array<Promise<void>>`
 `flush_post_commit_effects`. Both flush in the same `try/finally` that
 releases the request controller, so fire-and-forget audit / notification
 effects pushed by the handler complete (or reject visibly) before the
-next message dispatches. See `../http/CLAUDE.md` §Pending Effects.
+next message dispatches. See `http/CLAUDE.md` §Pending Effects.
 
 Lifecycle hooks on `RegisterActionWsOptions`:
 
@@ -943,9 +952,9 @@ wiring (zzz-style reactive Cells observing `ActionEvent` lifecycle)
 don't have to drop down to manual `create_rpc_client` construction
 (which forfeits the bundled `api` / `api_result` pair).
 
-`all_standard_action_specs` (in `../auth/standard_action_specs.ts`) is
+`all_standard_action_specs` (in `auth/standard_action_specs.ts`) is
 the matching aggregate spec list mirroring `create_standard_rpc_actions`
-on the backend — see `../auth/CLAUDE.md` §`standard_rpc_actions.ts`.
+on the backend — see `auth/CLAUDE.md` §`standard_rpc_actions.ts`.
 
 ## Broadcast API (`broadcast_api.ts`)
 
@@ -988,9 +997,8 @@ transport; `ActionHandler` is the single handler signature.
 
 `RpcAction = Action<RequestResponseActionSpec> & {handler: ActionHandler}`
 is the narrowing the HTTP RPC dispatcher accepts (`create_rpc_endpoint`)
-and the `rpc_action` binder produces (the actor-axis narrowing now lives
-in `HandlerForSpec<TSpec>` — there's no longer a separate
-`rpc_actor_action`).
+and the `rpc_action` binder produces (the actor-axis narrowing lives
+in `HandlerForSpec<TSpec>`).
 
 ## Shared dispatch core (`perform_action.ts`)
 

package/dist/actions/action_rpc.d.ts

@@ -17,6 +17,7 @@ import type { Uuid } from '@fuzdev/fuz_util/id.js';
 import type { RequestResponseActionSpec } from './action_spec.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RequestActorContext, type RequestContext } from '../auth/request_context.js';
+import { type CredentialType } from '../hono_context.js';
 import type { Db } from '../db/db.js';
 import { type JsonrpcRequestId } from '../http/jsonrpc.js';
 import type { RateLimiter } from '../rate_limiter.js';
@@ -72,6 +73,15 @@ export interface ActionContext {
      * `role_grant_offer_expire` cleanup sweep in `auth/cleanup.ts`).
      */
     client_ip: string;
+    /**
+     * Credential channel the request arrived on (`'session'` | `'api_token'` |
+     * `'daemon_token'`), or `null` for anonymous requests. Same value the
+     * dispatcher's `credential_types` gate consumed at step 4 — exposed here
+     * so handlers can record it in audit metadata (defense in depth: the
+     * gate may be loosened or bypassed in a future refactor, but the audit
+     * row preserves what actually authenticated the request).
+     */
+    credential_type: CredentialType | null;
     /** Logger instance. */
     log: Logger;
     /**

package/dist/actions/action_rpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAEN,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAErB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAGpD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B;;;;OAIG;IACH,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;;OAKG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;OAKG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;;OAKG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;;GASG;AACH,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACrE,IAAI,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC5D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,iBAAiB,KAClB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAmB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACtE,IAAI,EAAE,mBAAmB,CAAC;CAC1B;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC7D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,kBAAkB,KACnB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,CAAC,KAAK,SAAS,yBAAyB,IAAI;IACrE,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;CACtB,SAAS,CAAC,UAAU,CAAC,GACnB,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACrE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,GAC9C,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACpE,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,cAAc,CAAC,KAAK,CAAC,KAC5B,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;OAOG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAoMtF,CAAC"}
+{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAEN,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAIN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAErB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAGpD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B;;;;OAIG;IACH,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;;OAKG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;OAKG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;;;OAOG;IACH,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;;OAKG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;;GASG;AACH,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACrE,IAAI,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC5D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,iBAAiB,KAClB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAmB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACtE,IAAI,EAAE,mBAAmB,CAAC;CAC1B;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC7D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,kBAAkB,KACnB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,CAAC,KAAK,SAAS,yBAAyB,IAAI;IACrE,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;CACtB,SAAS,CAAC,UAAU,CAAC,GACnB,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACrE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,GAC9C,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACpE,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,cAAc,CAAC,KAAK,CAAC,KAC5B,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;OAOG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAoMtF,CAAC"}

package/dist/actions/action_rpc.js

@@ -16,7 +16,7 @@ import { DEV } from 'esm-env';
 import {} from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { get_request_context, } from '../auth/request_context.js';
-import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY } from '../hono_context.js';
+import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { compile_action_registry } from './compile_action_registry.js';
 import { JSONRPC_VERSION, JsonrpcRequest, } from '../http/jsonrpc.js';
 import { jsonrpc_error_messages, jsonrpc_error_code_to_http_status, JSONRPC_ERROR_CODES, } from '../http/jsonrpc_errors.js';

package/dist/actions/action_spec.d.ts

@@ -42,7 +42,7 @@ export declare const ActionSpec: z.ZodObject<{
      * `null` for `remote_notification` and `local_call` — those don't
      * dispatch through the request/response auth gate.
      *
-     * See `../http/auth_shape.ts` for the design rationale (orthogonal
+     * See `http/auth_shape.ts` for the design rationale (orthogonal
      * authentication / account-resolution / actor-resolution / role-and-
      * credential authorization axes).
      */

package/dist/actions/action_spec.js

@@ -25,7 +25,7 @@ export const ActionSpec = z.strictObject({
      * `null` for `remote_notification` and `local_call` — those don't
      * dispatch through the request/response auth gate.
      *
-     * See `../http/auth_shape.ts` for the design rationale (orthogonal
+     * See `http/auth_shape.ts` for the design rationale (orthogonal
      * authentication / account-resolution / actor-resolution / role-and-
      * credential authorization axes).
      */

package/dist/actions/perform_action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAW5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CAuJ7B,CAAC;AA4EF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}
+{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAW5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CAwJ7B,CAAC;AA4EF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}

package/dist/actions/perform_action.js

@@ -144,6 +144,7 @@ export const perform_action = async (input, deps) => {
             pending_effects,
             post_commit_effects,
             client_ip,
+            credential_type,
             log,
             notify,
             signal,

package/dist/auth/CLAUDE.md

@@ -2,16 +2,18 @@
 
 > Auth domain: identity, crypto primitives, schema + DDL, queries, middleware, routes, RPC actions, cleanup.
 
-Forty source files, grouped below by theme. For design rationale and threat
-model, see `../../../docs/identity.md` and `../../../docs/security.md`. For the
+Grouped below by theme. For design rationale and threat model, see
+../../../docs/identity.md and ../../../docs/security.md. For the
 subsystem's place in server assembly and middleware ordering, see
-`../../../docs/architecture.md` and the root `../../../CLAUDE.md`.
+../../../docs/architecture.md and the root ../../../CLAUDE.md. For
+the workspace-wide DI vocabulary (capabilities / options / runtime
+state), see Skill(fuz-stack) dependency-injection.
 
-The DI vocabulary is the stack standard: stateless capabilities in
-`AppDeps` / `RouteFactoryDeps`; static config in `*Options`; runtime state
-(e.g. `DaemonTokenState`, mutable `AppSettings` ref, `BootstrapStatus`) is
-inline, never in `deps`. All `query_*` functions take `deps: QueryDeps = {db}`
-as their first arg.
+Auth-specific instances: stateless capabilities in `AppDeps` /
+`RouteFactoryDeps`; static config in `*Options`; runtime state
+(`DaemonTokenState`, mutable `AppSettings` ref, `BootstrapStatus`) is
+inline, never in `deps`. All `query_*` functions take
+`deps: QueryDeps = {db}` as their first arg.
 
 ## Crypto primitives
 
@@ -789,7 +791,7 @@ Per-call `ctx` shape:
 - `emit` requires `{pending_effects: Array<Promise<void>>}` — the eager
   queue only. Both `RouteContext` and `ActionContext` satisfy this
   structurally; `audit.emit` pushes its in-flight pool-write promise
-  onto the eager queue. See `../http/CLAUDE.md` §Pending Effects for
+  onto the eager queue. See `http/CLAUDE.md` §Pending Effects for
   the eager / deferred split.
 - `emit_role_grant_target` adds `client_ip: string` (also on `ActionContext`;
   REST handlers pass `{pending_effects, client_ip: get_client_ip(c)}`).
@@ -919,7 +921,7 @@ consciously violate the contract.
 
 ## Middleware
 
-See the root `../../../CLAUDE.md` §Middleware Ordering for the canonical
+See the root ../../../CLAUDE.md §Middleware Ordering for the canonical
 assembly order. Two-phase identity:
 
 - **Authentication** runs in middleware (session / bearer / daemon
@@ -974,7 +976,7 @@ assembly order. Two-phase identity:
   actor row was deleted between credential validation and the
   follow-up read). The named per-error shape `AuthorizationFailureBody`
   is still exported for callers that want to bind the failure body
-  by type. See the root `../../../CLAUDE.md` § Cleanest architecture
+  by type. See the root ../../../CLAUDE.md §Cleanest architecture
   takes priority for the rationale.
 
 Session parsing is separate from auth enforcement — login / bootstrap
@@ -1141,6 +1143,8 @@ Session-based auth route specs. Factory: `create_account_route_specs(deps, optio
 - `POST /logout` — revokes session by hash, clears cookie.
 - **`POST /password`** — `current_password: PasswordProvided` +
   `new_password: Password`. Per-IP + per-account rate limited.
+  Declares `credential_types: ['session']` (see
+  `docs/security.md` §Credential-channel gating).
   **Revokes all sessions + all API tokens** (force re-auth everywhere);
   clears cookie.
 - **`GET /verify`** — empty-body session-validity probe for nginx
@@ -1212,7 +1216,7 @@ gets `require_auth` when `account === 'required'` or `actor === 'required'`;
 `post_authorization` gets `require_credential_types(types)` when
 `credential_types?.length` and `require_role(roles)` when `roles?.length`.
 Injected into `apply_route_specs` so the generic HTTP framework stays
-auth-agnostic (see `../http/CLAUDE.md` §Validation pipeline for where it plugs in).
+auth-agnostic (see `http/CLAUDE.md` §Validation pipeline for where it plugs in).
 
 ### `audit_log_routes.ts`
 
@@ -1232,7 +1236,7 @@ module produces is now just the optional SSE stream:
 ## RPC actions (SAES)
 
 Three action surfaces that mount on a consumer's JSON-RPC endpoint via
-`create_rpc_endpoint` (see `../actions/CLAUDE.md` §Single JSON-RPC 2.0 endpoint).
+`create_rpc_endpoint` (see `actions/CLAUDE.md` §Single JSON-RPC 2.0 endpoint).
 Each surface is split across two files:
 
 - `*_action_specs.ts` — Input/Output Zod schemas (paired with `z.infer` type
@@ -1413,16 +1417,16 @@ Error reason constants (exported as `as const` literals):
 - `ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH` (`'role_grant_offer_actor_mismatch'` —
   actor-targeted offer was accepted by an actor other than `to_actor_id`)
 
-Plus re-uses from `../http/error_schemas.ts`: `ERROR_ROLE_GRANT_NOT_FOUND`,
+Plus re-uses from `http/error_schemas.ts`: `ERROR_ROLE_GRANT_NOT_FOUND`,
 `ERROR_ROLE_NOT_WEB_GRANTABLE`, `ERROR_INSUFFICIENT_PERMISSIONS`,
 `ERROR_ACCOUNT_NOT_FOUND`.
 
 Each spec declares the reason codes its handler may surface (see
-`../actions/CLAUDE.md` §Action specs for the field semantics). Only
+`actions/CLAUDE.md` §Action specs for the field semantics). Only
 domain reasons returned via `error.data.reason` are listed; standard
 transport errors (validation, auth, rate-limit) stay implicit. Drift
 between declared reasons and handler throws is caught by
-`../../test/auth/role_grant_offer_actions.error_reasons.test.ts`.
+../../test/auth/role_grant_offer_actions.error_reasons.test.ts.
 
 Failure-outcome audit events emitted (success and failure rows both carry
 `ip: ctx.client_ip` — uniform with the admin and self-service surfaces):
@@ -1442,8 +1446,8 @@ Failure-outcome audit events emitted (success and failure rows both carry
   role_grant).
 
 WS notifications (post-commit via `emit_after_commit` from
-`../http/pending_effects.js` — swallows exceptions so one failed send
-can't starve others; see `../http/CLAUDE.md` §Pending Effects):
+`http/pending_effects.js` — swallows exceptions so one failed send
+can't starve others; see `http/CLAUDE.md` §Pending Effects):
 
 - Create → `role_grant_offer_received` to recipient.
 - Retract → `role_grant_offer_retracted` to recipient.
@@ -1506,7 +1510,7 @@ Pair this with `create_app_server`'s `rpc_endpoints` factory form
 (`(ctx) => Array<RpcEndpointSpec>`) so the combined action list gets
 `ctx.deps` + `ctx.app_settings` — `create_app_server` auto-mounts the
 endpoint via `create_rpc_endpoint`, so consumers don't need to mount it
-again in `create_route_specs`. See `../../../docs/usage.md` §Server
+again in `create_route_specs`. See ../../../docs/usage.md §Server
 Assembly.
 
 Pre-bundle consumers spread `create_admin_actions` and
@@ -1519,7 +1523,7 @@ consumer wiring the admin surface without account actions will hit
 `method not found` on first admin-suite run.
 
 Frontend mirror: `all_standard_action_specs` (in
-`./standard_action_specs.ts`) bundles `all_admin_action_specs +
+`auth/standard_action_specs.ts`) bundles `all_admin_action_specs +
 all_role_grant_offer_action_specs + all_account_action_specs` into one
 `ReadonlyArray<RequestResponseActionSpec>` for typed-client codegen
 and `create_frontend_rpc_client({specs})` wiring. Self-service role
@@ -1530,9 +1534,9 @@ spread `all_self_service_role_action_specs` separately when needed.
 
 `all_fuz_auth_action_spec_registries` — walker/codegen entry for every
 fuz-auth action-spec bundle (`admin`, `role_grant_offer`, `account`,
-`self_service_role`, `actor_lookup`). Not a mounting surface; protocol
-specs are excluded. Iterated by `../../test/auth/action_spec_input_invariants.test.ts`
-and `../../test/auth/all_action_spec_registries.acting_biconditional.test.ts`.
+`self_service_role`, `actor_lookup`, `actor_search`). Not a mounting
+surface; protocol specs are excluded. Iterated by registry-wide
+invariant tests in ../../test/auth/.
 
 ### `account_action_specs.ts` + `account_actions.ts` — seven self-service RPC actions
 
@@ -1553,6 +1557,18 @@ operations are account-scoped via `query_session_revoke_for_account` /
 or token id returns `revoked: false` rather than revealing whether the id
 exists.
 
+**Credential-channel gating** — `account_token_create`,
+`account_token_revoke`, `account_session_revoke`, and
+`account_session_revoke_all` declare `credential_types: ['session']`
+on their `auth` axis (same gate as REST `POST /password`).
+`account_session_revoke` is gated alongside `_revoke_all` because a
+leaked bearer can otherwise compose `account_session_list` + N×revoke
+to reach the same lockout. Admin token/session revoke specs in
+`admin_action_specs.ts` deliberately stay unrestricted (admin
+scripting from CLI/bearer is legitimate operator workflow). For the
+threat model, the trust-bar rationale, and the defense-in-depth audit
+metadata see `docs/security.md` §Credential-channel gating.
+
 | Spec                                     | Side effects | Rate limit  | Input          | Output                  |
 | ---------------------------------------- | ------------ | ----------- | -------------- | ----------------------- |
 | `account_verify_action_spec`             | false        |             | `z.void()`     | `SessionAccountJson`    |
@@ -1577,7 +1593,12 @@ vector, so rate caps are symmetry-only and skipped.
 Audit events emitted (via `deps.audit.emit` with `ip: ctx.client_ip`):
 `session_revoke`, `session_revoke_all`, `token_create`, `token_revoke`. The
 IP is the resolved trusted-proxy value from `ActionContext.client_ip`,
-matching the REST handler convention.
+matching the REST handler convention. Every gated event additionally
+records `credential_type` (read from `ActionContext.credential_type`)
+in metadata — defense in depth so forensics survive if the
+`credential_types: ['session']` spec gate is ever loosened or bypassed.
+The REST `password_change` audit row mirrors the same field on all
+three outcomes (success, wrong-password, concurrent-change).
 
 Deps: `Pick<RouteFactoryDeps, 'log' | 'audit'>`.
 Options: `{max_tokens?: number | null}` — defaults to `DEFAULT_MAX_TOKENS`
@@ -1698,7 +1719,7 @@ One static `request_response` action — `actor_search({query, scope_ids?, limit
 powers person-target pickers. Sibling to `actor_lookup`: that resolves a
 batch of known ids to labels; this resolves a partial name to candidate
 actors. Reuses `ActorLookupEntryJson` from
-`./actor_lookup_action_specs.ts` so the labels arc on the consumer side
+`auth/actor_lookup_action_specs.ts` so the labels arc on the consumer side
 stays uniform. Default limit `ACTOR_SEARCH_LIMIT_DEFAULT = 20`, hard cap
 `ACTOR_SEARCH_LIMIT_MAX = 50`. Query string capped at
 `ACTOR_SEARCH_QUERY_LENGTH_MAX = 50`.
@@ -1805,5 +1826,5 @@ resulting role_grant.
 Action factories take `Pick<RouteFactoryDeps, 'log' | 'audit'>` directly
 (role-grant-offer adds `notification_sender?` inline).
 
-See root `../../../CLAUDE.md` §AppDeps Vocabulary for the
+See root ../../../CLAUDE.md §AppDeps Vocabulary for the
 capability / options / runtime-state split across the whole project.

package/dist/auth/account_action_specs.d.ts

@@ -135,6 +135,7 @@ export declare const account_session_revoke_action_spec: {
     auth: {
         account: "required";
         actor: "none";
+        credential_types: string[];
     };
     side_effects: true;
     input: z.ZodObject<{
@@ -154,6 +155,7 @@ export declare const account_session_revoke_all_action_spec: {
     auth: {
         account: "required";
         actor: "none";
+        credential_types: string[];
     };
     side_effects: true;
     input: z.ZodVoid;
@@ -165,6 +167,8 @@ export declare const account_session_revoke_all_action_spec: {
     description: string;
 };
 /**
+ * `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+ *
  * `rate_limit: 'account'` bounds the burn rate of API-token creates. The
  * outstanding-token count is already capped by `max_tokens` (via
  * `query_api_token_enforce_limit`), but the per-account *rate* of churn
@@ -179,6 +183,7 @@ export declare const account_token_create_action_spec: {
     auth: {
         account: "required";
         actor: "none";
+        credential_types: string[];
     };
     side_effects: true;
     input: z.ZodPrefault<z.ZodObject<{
@@ -225,6 +230,7 @@ export declare const account_token_revoke_action_spec: {
     auth: {
         account: "required";
         actor: "none";
+        credential_types: string[];
     };
     side_effects: true;
     input: z.ZodObject<{

package/dist/auth/account_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;mBAOf,CAAC;AACf,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;CAUd,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}
+{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;mBAOf,CAAC;AACf,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAKtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;CAUV,CAAC;AAGtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;CAUd,CAAC;AAEtC;;;;;;;;;GASG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAGtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}

package/dist/auth/account_action_specs.js

@@ -90,22 +90,26 @@ export const account_session_list_action_spec = {
     async: true,
     description: 'List auth sessions for the current account.',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+// A leaked bearer can otherwise compose `account_session_list` + N×revoke to
+// reach the same effect as `account_session_revoke_all`.
 export const account_session_revoke_action_spec = {
     method: 'account_session_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: SessionRevokeInput,
     output: SessionRevokeOutput,
     async: true,
     description: 'Revoke a single auth session for the current account (IDOR-guarded).',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
 export const account_session_revoke_all_action_spec = {
     method: 'account_session_revoke_all',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: SessionRevokeAllInput,
     output: SessionRevokeAllOutput,
@@ -113,6 +117,8 @@ export const account_session_revoke_all_action_spec = {
     description: 'Revoke every auth session for the current account.',
 };
 /**
+ * `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+ *
  * `rate_limit: 'account'` bounds the burn rate of API-token creates. The
  * outstanding-token count is already capped by `max_tokens` (via
  * `query_api_token_enforce_limit`), but the per-account *rate* of churn
@@ -124,7 +130,7 @@ export const account_token_create_action_spec = {
     method: 'account_token_create',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: TokenCreateInput,
     output: TokenCreateOutput,
@@ -143,11 +149,12 @@ export const account_token_list_action_spec = {
     async: true,
     description: 'List API tokens for the current account. Hashes are never returned.',
 };
+// `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
 export const account_token_revoke_action_spec = {
     method: 'account_token_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: { account: 'required', actor: 'none' },
+    auth: { account: 'required', actor: 'none', credential_types: ['session'] },
     side_effects: true,
     input: TokenRevokeInput,
     output: TokenRevokeOutput,

package/dist/auth/account_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAe5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAsGjB,CAAC"}
+{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAe5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CA2GjB,CAAC"}

package/dist/auth/account_actions.js

@@ -54,7 +54,8 @@ export const create_account_actions = (deps, options = {}) => {
             outcome: revoked ? 'success' : 'failure',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { session_id: input.session_id },
+            // `credential_type` defense in depth — see `docs/security.md` §Credential-channel gating.
+            metadata: { session_id: input.session_id, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, revoked };
     };
@@ -64,7 +65,7 @@ export const create_account_actions = (deps, options = {}) => {
             event_type: 'session_revoke_all',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { count },
+            metadata: { count, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, count };
     };
@@ -78,7 +79,11 @@ export const create_account_actions = (deps, options = {}) => {
             event_type: 'token_create',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { token_id: id, name: input.name },
+            metadata: {
+                token_id: id,
+                name: input.name,
+                credential_type: ctx.credential_type ?? undefined,
+            },
         });
         return { ok: true, token, id, name: input.name };
     };
@@ -93,7 +98,7 @@ export const create_account_actions = (deps, options = {}) => {
             outcome: revoked ? 'success' : 'failure',
             account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
-            metadata: { token_id: input.token_id },
+            metadata: { token_id: input.token_id, credential_type: ctx.credential_type ?? undefined },
         });
         return { ok: true, revoked };
     };